For more information about this blog post, please contact Khaled J. Klele, Ryan M. Magee, Ryan L. O’Neill, Connor Breza, William R. Meiselas or Labinot Alexander Berlajolli.
HHS Extends Good Faith Estimate Enforcement Discretion Period Under No Surprises Act
The Centers for Medicare & Medicaid Services ("CMS") recently announced in an FAQ that the U.S. Department of Health and Human Services (“HHS”) is extending enforcement discretion, pending future rulemaking, for situations where Good Faith Estimates (“GFEs”) for uninsured or self-pay individuals under the No Surprises Act do not include expected charges from co-providers or co-facilities.
Under the No Surprises Act’s 2021 Interim Final Rule, a “convening provider/facility” (as defined under the No Surprises Act) is responsible for providing a GFE that must include the charges reasonably expected from any co-providers or co-facilities involved in the patient’s treatment. The Interim Final Rule set the enforcement discretion period for this requirement to expire on January 1, 2023.
According to CMS,
“this exercise of enforcement discretion was necessary to allow time for providers and facilities to develop mechanisms for convening providers and facilities to request, and co-providers and co-facilities to provide, complete and accurate pricing information for the convening provider or facility to incorporate into the GFE for uninsured (or self-pay) individuals.”
Furthermore, per CMS’s announcement,
“By extending this exercise of enforcement discretion, HHS aims to promote further interoperability across the health care industry and encourage providers, facilities, and other industry members to focus resources towards adopting interoperable processes for exchanging information.”
CMS has provided additional FAQs for uninsured and self-pay patients found here.
HHS Issues Bulletin on HIPAA Compliance Obligations for Tracking Technology
The HHS Office for Civil Rights (“OCR”) issued a Bulletin highlighting the obligations of covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules when using online tracking technologies.
In its Bulletin, HHS explains that:
“a tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app (“website owner” or “mobile app owner”), or third parties, to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or the patient experience. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.”
The Bulletin makes clear that both user-authenticated and unauthenticated webpages and mobile apps that use tracking technology could put various regulated healthcare entities at risk of violations under the HIPAA Privacy Rule. As such, HHS lists the following compliance obligations that regulated entities must observe under the HIPAA Privacy, Security, and Breach Notification Rules:
- Ensuring that all disclosures of protected health information ("PHI") to tracking technology vendors are specifically permitted by the Privacy Rule and that, unless an exception applies, only the minimum necessary PHI to achieve the intended purpose is disclosed.
- Establishing a Business Associate Agreement (“BAA”) with a tracking technology vendor that meets the definition of a “business associate.”
- Addressing the use of tracking technologies in the regulated entity’s Risk Analysis and Risk Management processes, as well as implementing other administrative, physical, and technical safeguards in accordance with the Security Rule (e.g., encrypting ePHI that is transmitted to the tracking technology vendor; enabling and using appropriate authentication, access, encryption, and audit controls when accessing ePHI maintained in the tracking technology vendor's infrastructure) to protect the ePHI.
- Providing breach notification to affected individuals, the Secretary, and the media (when applicable) of an impermissible disclosure of PHI to a tracking technology vendor that compromises the security or privacy of PHI when there is no Privacy Rule requirement or permission to disclose PHI and there is no BAA with the vendor. In such instances, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised.
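The Risk Analysis obligation above starts with a factual question: which outside hosts does each of the regulated entity's pages cause a visitor's browser to contact, and is that page one where the user is authenticated (and therefore more likely to be handling PHI)? The following script is an added illustration of that inventory step; it is not code from the HHS Bulletin or from the post's authors. The page contents, the `hospital.example` first-party domain and the `example-vendor.com` hostnames are all constructed for the example.

```python
"""Inventory third-party tracking endpoints referenced by regulated web pages.

Added example (not from the HHS Bulletin or the blog post). It models one
concrete step of a Risk Analysis: listing the outside hosts each page makes
the browser fetch from, and flagging pages where the user is authenticated.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute makes the browser fetch a resource. Every such fetch
# sends at least the page URL, IP address and any vendor cookies to the host.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Constructed first-party domain for the sample site.
FIRST_PARTY = "hospital.example"

# Constructed page inventory: path, whether a user is logged in, and the HTML.
SAMPLE_PAGES = [
    {
        "path": "/",
        "authenticated": False,
        "html": '<html><head><script src="/static/app.js"></script>'
                '<script src="https://analytics.example-vendor.com/tag.js"></script>'
                '</head><body><img src="https://pixel.example-vendor.com/p.gif?page=home">'
                '</body></html>',
    },
    {
        "path": "/patient/portal/appointments",
        "authenticated": True,
        "html": '<html><head><script src="https://analytics.example-vendor.com/tag.js"></script>'
                '<link rel="stylesheet" href="//cdn.hospital.example/site.css">'
                '</head><body>Upcoming appointments</body></html>',
    },
    {
        "path": "/about",
        "authenticated": False,
        "html": '<html><head><script src="/static/app.js"></script></head></html>',
    },
]


class _ResourceCollector(HTMLParser):
    """Collects the URL of every resource-loading tag in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def third_party_hosts(html, first_party_domain):
    """Return the set of hosts outside first_party_domain that the page loads from."""
    collector = _ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).netloc.lower()  # handles https://, //host, and relative URLs
        if not host:
            continue  # relative URL: served from the page's own origin
        if host == first_party_domain or host.endswith("." + first_party_domain):
            continue  # first-party host or subdomain
        hosts.add(host)
    return hosts


def audit_pages(pages, first_party_domain):
    """Map each page path that contacts third parties to its hosts and auth status."""
    findings = {}
    for page in pages:
        hosts = third_party_hosts(page["html"], first_party_domain)
        if hosts:
            findings[page["path"]] = {
                "authenticated": page["authenticated"],
                "third_party_hosts": sorted(hosts),
            }
    return findings


def authenticated_pages_with_trackers(findings):
    """Paths to review first: logged-in pages that send traffic to outside hosts."""
    return sorted(path for path, f in findings.items() if f["authenticated"])


if __name__ == "__main__":
    results = audit_pages(SAMPLE_PAGES, FIRST_PARTY)
    for path, finding in results.items():
        print(path, "authenticated" if finding["authenticated"] else "public",
              ", ".join(finding["third_party_hosts"]))
    print("Review first:", authenticated_pages_with_trackers(results))
```

Each host the audit reports is a vendor that should appear in the entity's Risk Analysis and, where the vendor meets the definition of a business associate, under a BAA; hosts on authenticated pages are the ones to examine first. A static parse like this only sees resources declared in the HTML, so scripts that load further resources at runtime still need to be reviewed separately.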
Note that a regulated entity’s failure to comply with the HIPAA Rules may result in a civil money penalty.