The past three months have ushered in a wave of notable developments in the healthcare space, including new developments to the two highly anticipated final rules to reform the Stark Law and Anti-Kickback Statute regulations, a new COVID-19 pandemic response plan and a rare reversal by the U.S. Court of Appeals for the Fifth Circuit of a civil monetary penalty imposed by the Department of Health and Human Services Office of Civil Rights.
CMS and OIG Issue Final Rules for Anti-Kickback Statute and Stark Law
On November 20, 2020, the Centers for Medicare and Medicaid Services (“CMS”) and Health and Human Services Office of Inspector General (“OIG”), published the long-anticipated final rules modifying and clarifying the implementing regulations of the federal physician-self-referral law, or “Stark Law,” (“Stark”), the federal Anti-Kickback Statute (“AKS”), and the beneficiary inducement provisions of the Civil Monetary Penalties Law (“CMP”) in a coordinated effort to remove regulatory barriers and promote value-based care delivery and payment models.
In promulgating these final rules, CMS and OIG balanced the need to offer the flexibilities needed, and requested, by the industry to promote innovation with the need to ensure that adequate safeguards against fraud, waste and abuse remained in place. While a majority of the changes went into effect on January 19, 2021, the revisions to the Stark group practice regulations at 42 CFR § 411.352(i) will not go into effect until January 1, 2022.
As a general matter, the OIG and CMS each finalized three new safe harbors and exceptions, respectively, which specifically address value-based payments between healthcare participants — from those arrangements involving full financial risk to those that involve no risk. While the OIG and CMS generally sought to align the elements of the value-based safe harbors and exceptions, and even used similar terminology, the OIG’s safe harbors for value-based arrangements are generally more restrictive than their CMS counterparts because AKS is a criminal-intent statute and Stark is a civil, strict-liability statute. The final rules also revised various existing definitions and provisions of AKS and Stark to consider value-based arrangements, including but not limited to revising the definition of a “group practice” with respects to how profits are distributed for group members participating in a value-based enterprise.
The OIG and CMS also used the final rules as an opportunity to “modernize” AKS and Stark. For instance, in light of the rise in cyber-attacks targeting the healthcare industry in recent years, and the cost associated with protecting and fighting against such attacks, the final rules added a new safe harbor and exception that allows for the donation of cybersecurity technology and related services necessary to implement, maintain or reestablish effective cybersecurity.
For a more detailed overview of the various changes to AKS and Stark, please visit our full Alert on the new final rules.
President Biden’s COVID-19 Response Plan
President Biden and the White House have released a plan outlining the U.S.’ strategy and response to the COVID-19 pandemic.1 The plan outlines the goals of the administration, including an effective vaccination campaign, safely reopening schools and businesses, and clearer public health standards. President Biden has also signed Executive Orders that implemented certain portions of this plan. Some highlights from the plan and the related Executive Orders include the following:
- The administration has purchased 600 million doses of vaccines, 300 million each from both Pfizer Inc. and Moderna Inc. Each company is delivering 300 million doses in regular increments through the end of July 2021.2 Starting from February 27, 2021, the Food and Drug Administration has approved and authorized the Johnson & Johnson single dose vaccine.3 Johnson & Johnson has a stated goal of producing 100 million doses by June for the U.S.
- As of March 3, 2021, approximately 53 million people had received one or more doses of the vaccine, and 27 million people had received the full two doses.4
- The administration will end the policy of holding back significant levels of doses, instead holding back a small reserve and monitoring supply to ensure that everyone receives the full regimen as recommended by the FDA.
- Those eligible for the vaccine have the opportunity to be vaccinated at over 40,000 pharmacies across the country through the Federal Retail Pharmacy Program for COVID-19 Vaccination.5
- The federal government will enable state and local governments to reimburse emergency equipment, vaccine supplies and administration expenses, and other services through the FEMA Disaster Relief Fund
- All people in the U.S. can access the vaccine free-of-charge and without cost-sharing when they are eligible for vaccination. The administration will ensure that providers or other entities that receive vaccine doses from the federal government may not bill patients for any expenses associated with the vaccine.
Defense Production Act
- Federal agencies are authorized to use all available legal authorities, including the Defense Production Act, to fill shortfalls in the healthcare supply chain as soon as practicable by acquiring additional stockpiles, improving distribution systems, building market capacity or expanding the industrial base.
- Federal agencies will also review and address the pricing of pandemic response supplies. Agencies can consider using reasonable pricing clauses in Federal contracts and investment agreements or General Services Administration Schedules to purchase pandemic response supplies using Federal supply schedules.
Measures to Protect Worker Health and Safety
- The Secretary of Labor shall issue revised guidance to employers on workplace safety during the COVID-19 pandemic.
- The Secretary of Labor will consider whether any emergency temporary standards on COVID-19, including mandating masks in the workplace, are necessary. Masks are required on federal properties and for federal employees and contractors.
- The Secretary will also review the enforcement efforts of the Occupational Safety and Health Administration ("OSHA") related to COVID-19 and identify any short-, medium- and long-term changes that could be made to better protect workers and ensure equity in enforcement.
- Masks are required when traveling on public transportation.
- International air travelers will be required to produce a negative COVID-19 test prior to departing for the U.S. and to comply with CDC guidelines for self-isolation and self-quarantine upon arrival.
Though specific details regarding government actions have been scarce, the administration’s COVID-19 response plan lays out immediate priorities for federal agencies and created working groups to implement these goals. It will be important to monitor further Executive Orders related to COVID-19 response.
1. See White House, “National Strategy for the COVID-19 Response and Pandemic Preparedness” (Jan. 2021).↩
2. See U.S. Department of Health & Human Services, “Biden Administration purchases additional doses of COVID-19 vaccines from Pfizer and Moderna” (Feb. 11, 2021).↩
3. See U.S. Food & Drug Administration, “FDA Issues Emergency Use Authorization for Third COVID-19 Vaccine” (Feb. 27, 2021).↩
4. See Becker’s Hospital Review, “States ranked by percentage of COVID-19 vaccines administered: Mar. 4” (Mar. 4, 2021).↩
5. See Centers for Disease Control and Prevention, “Understanding the Federal Retail Pharmacy Program for COVID-19 Vaccination” (Feb. 12, 2021).↩
In Rare Move, Fifth Circuit Vacates Multimillion-Dollar HIPAA Penalty
On January 14, 2021, the U.S. Court of Appeals for the Fifth Circuit vacated a civil monetary penalty imposed by the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) against the University of Texas MD Anderson Cancer Center (“MD Anderson”).1 The Fifth Circuit held that OCR’s decision was “arbitrary, capricious, and contrary to law.”
OCR, which is responsible for enforcing HIPAA, levied the $4,348,000 penalty, following the cancer center’s loss of two encrypted flash drives and an unencrypted laptop in 2012 and 2013, which resulted in the unauthorized disclosure of over 33,000 patients’ electronic protected health information (“PHI”). OCR alleged that MD Anderson violated HIPAA’s regulations by failing to implement a mechanism to encrypt electronic PHI and by improperly disclosing PHI, and that MD Anderson had "reasonable cause" to know it had violated such regulations.2
After an administrative law judge (“ALJ”) upheld OCR’s decision, MD Anderson petitioned the Fifth Circuit, which undertook a de novo review. The Fifth Circuit vacated the ALJ’s ruling and held that OCR’s actions were “arbitrary, capricious, and otherwise unlawful” for four independent reasons:
- MD Anderson implemented various mechanisms to encrypt electronic PHI and that “bulletproof protection” is not required. Just because the stolen or lost devices were unencrypted did not mean MD Anderson failed to implement “a mechanism” to encrypt.
- Disclosure of PHI requires an affirmative act and receipt of such information from an individual outside the entity. OCR was unable to provide evidence that MD Anderson took such an act or an outside entity received the PHI at issue.
- OCR was not consistent in its enforcement. The court noted that OCR failed to impose penalties against other covered entities for lost unencrypted mobile devices.
- The applicable HHS regulations exceeded the statutory caps for “reasonable cause” violations. OCR conceded this point and has recommended a reduced penalty of only $450,000.
The Fifth Circuit vacated the penalty and remanded the case for further proceedings. This case not only provides further precedent with respect to interpretation of the applicable regulations and OCR enforcement, but may spur other covered entities or business associates to appeal OCR’s civil monetary penalties.
While the Fifth Circuit decision may have called into question certain of OCR’s enforcement practices, the regulator continues to demonstrate an appetite for enforcement. For example, on February 12, 2021, OCR announced its sixteenth settlement in its “HIPAA Right of Access Initiative.”3 In this particular instance, a California health system agreed to take corrective actions and pay a modest fine in order to settle an alleged violation of HIPAA’s requirement that individuals have a right to timely access their health information at a reasonable cost.
2. See 42 USC § 1320d-5(a)(1)(B).↩
3. See U.S. Department of Health & Human Services, “OCR Settles Sixteenth Investigation in HIPAA Right of Access” (Feb. 12, 2021).↩