Federal Update, Including a New HIPAA Safe Harbor

For more information about this blog post, please contact Khaled J. KleleRyan M. MageeLabinot Alexander BerlajolliBrianna J. Santolli, or Daniel J. Parziale.

HIPAA Safe Harbor Bill Becomes Law, Providing Protections to Entities That Have Taken Appropriate Safeguards 

On January 5, 2021, H.R. 7898 became law. The law benefits covered entities and business associates that are subject to the Health and Human Services ("HHS") investigations as a result of a security incident but have taken steps to document their compliance with the HIPAA Security Rule and other standardized security practices. For example, the law amends the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to require the Secretary of HHS to consider certain “recognized security practices” of covered entities and business associates when making determinations to issue fines or penalties under the HIPAA Security Rule. The law directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices within the course of 12 months when investigating and undertaking HIPAA enforcement actions. It is anticipated that HHS will go through the notice and rulemaking process to develop regulations to implement the law.

CMS Issues Final Rule Speeding Up Coverage for “Breakthrough” Medical Devices

The Centers for Medicare & Medicaid Services (“CMS”) recently issued its final rule, 86 FR 2987, known as The Medicare Coverage of Innovative Technology (“MCIT”), which shortens the time period that Medicare beneficiaries will have access to a device that the Food and Drug Administration (“FDA”) deems a “breakthrough” medical device. Under previous regulations, after comprehensive and lengthy testing from the FDA, CMS would then proceed with its own lengthy and costly process prior to approving the medical device for Medicare coverage. Now, under MCIT, CMS will create an accelerated Medicare coverage pathway for innovative products that the FDA deems to be a “breakthrough” and for which the FDA has approved on an expedited basis. Moreover, CMS will provide national coverage for such “breakthrough” medical devices simultaneously with FDA approval for up to four years. After the four-year period has elapsed, CMS will then reevaluate the medical device based on clinical and real-world evidence of health outcome improvements among Medicare beneficiaries.

CMS Issues Final Rule Expanding Privatization of Health Insurance Exchanges and Expanding States’ Abilities to Develop Their Own Programs to Support Local Needs

CMS recently issued its final rule, 86 FR 6138, known as Notice of Benefit and Payment Parameters for 2022. As part of the final rule, CMS will reduce the user fee for qualified health plans (“QHPs”) sold through a federally-facilitated Exchange from 3.0% to 2.25% of premium. The final rule also provides options for states to develop next generation Exchanges that leverage web-brokers and insurance issuers for the direct purchase of QHPs. The Exchanges, however, would retain responsibility for ensuring that participating web brokers and insurers meet all applicable consumer protections, as well as remain responsible for making all eligibility determinations, performing required verifications of consumer application information, and meeting all statutory and regulatory requirements for operating an Exchange. In addition, implemented through 1332 waivers, the final rule solidifies an important opportunity for states to waive certain statutory requirements to create health programs tailored to their own citizens, subject to federal approval.

DEA Issues Proposed Rule Regarding Online Applications

This notice of proposed rule would amend the Drug Enforcement Administration (“DEA”) regulations to require all initial and renewal applications for DEA registration to be submitted online. Currently, DEA regulations permit DEA Registration Forms (224/224a, 225/225a, 363/363a, and 510/510a) to be submitted either through the secure online database, or by paper forms delivered to DEA Headquarters. This proposed rule will amend DEA regulations to require that all registration and renewal applications be submitted through the secure online database, and that paper forms will no longer be accepted. Comments are due by March 8, 2021.

Final Rule on Transparency in Civil Enforcement Actions

On January 14, 2021, HHS issued a final rule, 86 FR 3010, promulgating regulations to promote transparency and fairness in civil enforcement actions. The final rule is intended to ensure that regulated parties receive fair notice of laws and regulations they are subject to, and have an opportunity to contest an agency determination prior to the agency taking an action that has a legal consequence.

FDA Releases Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan

The FDA issued an AI/ML-Based Software as a Medical Device Action Plan (“Action Plan”) intended to embrace AI/ML-driven software changes to medical devices. Medical device manufacturers have increasingly employed the use of AI/ML technologies to innovate their products. However, the FDA’s traditional paradigm of medical device regulation was not designed for adaptive AI and ML technologies. Under the FDA’s current approach to software modifications, the FDA anticipates that many of these AI/ML-driven software changes to devices may necessitate premarket review. On April 2, 2019, the FDA published a discussion paper describing the FDA’s foundation for a potential approach to premarket review for AI/ML-driven software modifications. 

The FDA’s most recent Action Plan seeks to update the framework of that discussion paper and outlines a five-part Action Plan. Specifically, the Action Plan proposes (1) a tailored regulatory framework for AI/ML-based SaMD, (2) good ML practices through FDA participation, (3) a patient-centered approach emphasizing transparency to users, (4) regulatory science methods related to algorithm bias and robustness, and (5) real-world performance pilots.

New Resources for Health IT Developers

On January 4, 2021, the HHS Office of the National Coordinator for Health IT released new resources to help health IT developers understand ONC Cures Act final rule requirements. The new resources include an overview of key compliance dates, a criterion-by-criterion resource for the 2015 Edition Cures Update, and an application programming interface (API) Resource Guide intended for health IT developers seeking ONC certification.