On September 30, 2021, the Provider Reimbursement Review Board (the “Board”) issued a revised set of rules that become effective November 1, 2021. These new and revised rules affect all new and some pending Medicare Part A provider appeals. These rules clarify several aspects of Board appeals and simplify some of the Board’s complex procedures.

The most significant change is the requirement that all submissions to the Board must be made electronically through the Office of Hearings Case and Document Management System (“OH-CDMS”) unless the provider or representative submits a request to the Board for an exemption and the Board grants that request. If an exemption is necessary, a provider or representative may communicate with the Board at a new email address (PRRB@cms.hhs.gov).   In order to file documents electronically, providers or their representatives should register with OH-CDMS in advance of any filing date.

In addition to the shift to electronic filing, the Board adopted several changes that are intended to simplify the appeals process and promote greater disclosure.  The most significant changes are summarized below.

  • If a provider designates a representative, it must do so in a letter on the provider’s letterhead. However, if the provider is under the ownership or control of a parent entity, then the representation letter must be on the parent organization’s letterhead and signed by an authorized official of the parent organization.
  • Similarly, a new rule requires that if a provider is owned or controlled by a parent organization, the appeal request must identify the name and address of the parent organization for the year under appeal. This is a departure from past practice, which identified only the legal entity that had been granted a Medicare provider number.
  • The Board clarified the requirements for appeals of self-disallowed and protested costs, and now requires that the provider specify the disputed item in its cost report in order to preserve the claim for review.
  • A new rule obligates the Medicare Administrative Contractor (“MAC”) to ensure that any evidence the MAC, CMS, or the Secretary considered in making its determination is included in the case record. This new rule may reduce the necessity for discovery requests and delays in resolving appeals.
  • For group appeals, the Board added a new requirement that a group representative must report to the Board that a group is either complete or provide reasons why the group should be held open.
  • A new rule that applies to appeals filed after August 29, 2018 would give providers the option of relying on their preliminary position paper and waive the filing of a final position paper. Providers would have to submit all of their arguments and exhibits with the preliminary position paper, and could elect to submit a rebuttal to the MAC’s position paper. This step would avoid duplicating arguments, and may reduce the number of appeals dismissed based on a failure to file a timely final position paper.
  • The new rules also revise the Board procedures when a party requests expedited judicial review (“EJR”) that involves a challenge to a statute, regulation, or CMS ruling. If a MAC opposes a provider’s request for EJR, then it must now file any jurisdictional challenge within five days of the date that the EJR request is filed.
  • The Board revised its rules governing substantive claim challenges to specify that when any party questions whether a cost report included an appropriate claim for reimbursement, that challenge must be filed no later than the filing deadline for the MAC’s preliminary position paper. If the matter involves a request for EJR, then any substantive claim challenge must be filed within five business days of the EJR request. This would allow for better coordination of proceedings before the Board before any decision to allow the provider to bypass the Board and seek judicial review.

The changes made by the Board in this version of its procedural rules continue the trend of requiring additional specificity and clarity when providers prepare their cost reports, and obligate the MACs to disclose more information earlier in the appeal process. With the adoption of these new rules, providers must plan and consider potential appeal issues during the cost report filing stage to ensure that their appeal rights are protected.

In this column, in the coming months we are going to dig into the data regarding FDA regulation of medical products, deeper than the averages that FDA publishes in connection with its user fee obligations.  For many averages, there’s a high degree of variability, and it’s important for industry to have a deeper understanding.  In each case, we will offer a few preliminary observations on the data, but we would encourage a conversation around what others see in the data.


This is an interactive chart that you can explore by clicking on the colors in the legend to see how specific therapeutic areas stack up against the average.


We want to understand FDA’s performance generally with regard to review times associated with 510(k)s across all medical devices.  Using data available from openFDA, we selected the data for the last almost 12 years, from January 1, 2010 until September 1, 2021, based on the date FDA receives the premarket notification.  Data older than that are probably not terribly relevant.  We further filtered for traditional 510(k)s because special and abbreviated submissions have different review processes, and likewise we removed any that had received expedited review.  We then removed any product codes that had three or fewer submissions during that time.  We wanted to get rid of anything that was simply too anecdotal, too noisy.  That sorting left us with just over 25,000 submissions, and 852 pro codes used.

To calculate the review time, we used the difference between date received and date decided, although we realize that FDA has additional data that it uses to calculate its actual review time in a more nuanced way, differentiating between time at FDA and time where the clock is turned off because the manufacturer is supposed to be doing something.  We calculated averages for each individual pro code.  The x-axis in the graph is simply all of the product codes sorted by average review time from the quickest to the longest.

We wanted to add in an average, and the most natural probably would’ve been the average of the pro code averages included in the graphic.  But that ignores the fact that some pro codes have lots more products than others.  The average of the pro code averages was 176.5 days.  The average of all the 25,000 submissions was 163.5 days.  It’s apparently lower because some of the quicker pro codes apparently have more devices in them.  In the chart, we went with the simple average of submissions, as that is most akin to the data that FDA typically publishes.


We would note that we aren’t entirely sure the range of factors that drive review times.  Certainly it would seem that higher risk and complexity would be likely to lead to higher review times.  But in the years that we’ve been doing this work, those are not by themselves reliable predictors of how long a review will take.  Novelty is also important, although novelty is less of a factor in the 510(k) process because the process is based on a substantial equivalence claim.  But it’s also pretty obvious that a lot of administrative circumstances impact review times, such as high reviewer turnover in a branch.  At any rate, this data does not give us information on why certain product codes would have higher review times.  We will leave that to future inquiry.  Here we just want to tease apart the variance.

Big Picture

At each end of the graph, we see sharp nonlinear growth, presumably for what are in a sense outliers.  On the left-hand side, we have rapid acceleration from the quickest reviews of about 50 days up to about 100.  At the other side, we have a quick increase from 300 to the very top at over 500 days.  But in between those two extremes, from about a review time of 100 days to about 300, it’s a pretty steady linear climb.  That’s a bit surprising, and it reveals that really there is no such thing as an average.  There is no plateau among the review times around the mathematical average.  Indeed, we don’t see any plateaus at all.  Apparently, it really does matter what product we are talking about when trying to predict a review time.

Therapeutic Areas

Remember that in FDA’s organizational chart, reviews within the Office of Device Evaluation (“ODE”) are organized by therapeutic area.  That makes sense, as you want the same people generally with therapeutic expertise reviewing devices in that therapeutic area.  In this graph, product codes are assigned to an applicable therapeutic area.

Notice that really none of the product codes in a given therapeutic areas are extremely clustered, either low or high.  That suggests that no particular therapeutic review branch is substantially quicker than the rest.  But within that general observation, there are definitely some small clusters of review times for product codes within the different therapeutic areas.

It would actually be pretty remarkable if an organization the size of ODE could achieve uniformity of review times across all review branches.  But this is unexpectedly evenhanded.

In this episode of the Diagnosing Health Care Podcast:  On December 27, 2020, President Trump signed into law the No Surprises Act as part of the $2.3 billion Consolidated Appropriations Act. Recently, the Biden administration issued its first interim final rule in order to implement this act, which will go into effect on January 1, 2022. While the goal is to protect patients from surprise billing, the law will also impose significant compliance burdens on plans, providers, and facilities.

Epstein Becker Green attorneys Helaine FingoldBob Hearn, and Alexis Boaz discuss the key areas health care companies need to keep in mind as they prepare to comply with the No Surprises Act.

Visit Epstein Becker Green’s No Surprises Act page for ongoing coverage.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts, Overcast, Spotify, Stitcher, Vimeo, YouTube.

Starting in 2022, Ohio will require owners of tax-exempt real property to notify the county auditor if the exempt property ceases to qualify for exemption.

This is a substantial departure from current law, which had left the role of monitoring changes in exempt properties’ uses to the county auditors or Ohio’s tax commissioner; under the new law, health care entities that own property in the state must determine whether or not their property continues to qualify for exemption.

Ohio’s recent Budget Bill – House Bill 110 – created the new reporting requirement, which will be codified at section 5713.083 of the Ohio Revised Code.  The change will require those who own real estate that is exempt from property tax to notify the county auditor by December 31 of the year in which the property ceases to qualify for exemption.

Property owners who do not comply with this new requirement will face a monetary penalty equivalent to up to five years of tax savings that they received while the property was treated as exempt, even though it had ceased to qualify for exemption. The five-year look-back will be limited to years in which the current owner held title to the property.

It is still unclear what test property owners are supposed to use to determine whether their properties have ceased to qualify for exemption.  In Ohio, property owners must apply to receive exemption for their property, and the Ohio Tax Commissioner is typically the official who grants exemption to real estate.  Ohio law does not require owners to disclose changes in use, or leases of property, so property owners may struggle to determine whether or not their exempt property’s qualification for exemption has ended. It is also unclear how the county auditors across Ohio are going to review the existing exempt properties in order to enforce the monetary penalties.  The Ohio Tax Commissioner will promulgate forms that property owners can use to attempt to comply with the law, but those forms are not yet available.

While that form remains in the works, prudent property owners may wish to review their inventory of exempt real estate, and to compare their current uses of those properties with the use of the property when they applied for and received exemption.

On September 15, 2021, CMS published a proposed rule that would repeal a final rule that created an expedited pathway for Medicare coverage of breakthrough devices and established formal criteria for applying the “reasonable and necessary” standard for coverage in Section 1862(a)(1)(A) of the Social Security Act, which has been the basic standard for coverage since the inception of the Medicare program.[1]  CMS has set a short period for comments, and interested parties must submit comments by October 15, 2021.

The new proposed rule reflects a significant policy change.  Where the initial rule focused on expanding access to new innovations, the current approach focuses more on Medicare program goals and outcomes data. Continue Reading CMS Proposes to Reverse Course and Repeal Its Final Rule Expediting Medicare Coverage of Breakthrough Devices and Defining the Medicare “Reasonable and Necessary” Coverage Standard

The New Jersey Department of Health (the “Department”) recently finalized regulations initially proposed in April 2020 that will now require all telehealth organizations providing telemedicine services to patients located in New Jersey to register their business with the Department before October 15, 2021, and annually thereafter.  In addition to annual registrations, telehealth companies will also be required to submit annual reports on activity and encounter data. Continue Reading Navigating New Jersey’s Telemedicine Business Registry

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws, and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Agency,[1] the Department of Justice, and the Federal Bureau of Investigation, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics on the healthcare sector.

The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and servers to block access to a network until a “ransom” is paid. Oftentimes, it may not be immediately clear whether protected health information has been compromised following a ransomware attack, though providers should treat a successful attack as a presumed breach, thereby triggering the requirement to conduct an internal breach investigation under the federal Health Information Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, who then notifies the general public.[2]

Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate against ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. CCPA guidance issued in 2016 recommended that California companies implement the twenty data security controls published by the Center for Internet Security to provide reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement in order to protect their data systems from cyberattacks:

  • keep all operating systems and software housing health data current with the latest security patches;
  • install and maintain virus protection software;
  • provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
  • restrict users from downloading, installing, and running unapproved software; and
  • maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.

The failure to implement the aforementioned measures could render California providers vulnerable to liability.

Attorneys in Epstein, Becker & Green’s Privacy, Cybersecurity, and Data Asset Management practice group have extensive experience in advising healthcare providers how to protect against an increase in cybersecurity threats, conducting internal investigations in response to a presumed breach, notifying state and federal regulators in the event of a breach, and responding to government inquiries. For any questions about these or other related issues, contact the authors or your regular EBG Attorney.

Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.


[1] See also Cybersecurity & Infrastructure Agency, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (Aug. 2021), https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf (encouraging organizations to adopt a “heightened state of awareness” and implement certain recommendations to reduce risk of ransomware attacks).

[2] See California Civil Code section 1798.82.

On August 30, 2021, the DOJ announced a $90 million dollar settlement with Sutter Health and affiliates[1] (“Sutter Health”) to settle False Claims Act (“FCA”) allegations brought by qui tam relator, Kathy Ormsby, related to the Center for Medicare & Medicaid Services’ (“CMS”) MA Program.[2] Sutter Health elected to settle with DOJ and the relator without an admission of liability. As part of the Settlement Agreement, the Office of Inspector General (“OIG”) required Sutter Health to enter into a Corporate Integrity Agreement. Continue Reading The Department of Justice (“DOJ”) Continues its Medicare Advantage (“MA”) Enforcement Efforts with a $90 Million Dollar Settlement Against Downstream Provider Sutter Health

On June 21, 2021, Florida Governor Ron DeSantis signed into law a bill requiring genetic counselors to be licensed by the Florida Department of Health (“FLDOH”).  The new law, known as the Genetic Counseling Workforce Act (“GCWA”), became effective on July 1, 2021.  FLDOH has announced a 90 day enforcement moratorium to allow counselors time to become appropriately licensed in the State.  Florida now joins a growing number of states that regulate the work of genetic counselors.

Continue Reading Florida Joins a Growing Number of States Requiring Licensure of Genetic Counselors

In this episode of the Diagnosing Health Care PodcastAlthough the COVID-19 pandemic exposed cybersecurity vulnerabilities across sectors, it has particularly challenged the resilience of information systems for health care and life sciences companies. Because ransomware attacks have the potential to cripple access to important data, expose patient health records, and shut down machinery and life-saving equipment, it’s no surprise that health care executives continue to lose sleep thinking about potential ransomware or other similar malicious attacks.

Epstein Becker Green attorneys Alaap B. Shah and Jessika Tuazon are joined by Andrew Morrison, principal at Deloitte & Touche LLP and Cyber Risk Services Strategy, Defense & Response solution leader for Deloitte Risk & Financial Advisory. Together, they discuss the impact of ransomware attacks on the health care and life sciences industries, and considerations for companies to strengthen their cybersecurity posture.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple PodcastsGoogle Podcasts,
Overcast, Spotify, Stitcher, Vimeo, YouTube.