On September 15, 2021, CMS published a proposed rule that would repeal a final rule that created an expedited pathway for Medicare coverage of breakthrough devices and established formal criteria for applying the “reasonable and necessary” standard for coverage in Section 1862(a)(1)(A) of the Social Security Act, which has been the basic standard for coverage since the inception of the Medicare program.[1]  CMS has set a short period for comments, and interested parties must submit comments by October 15, 2021.

The new proposed rule reflects a significant policy change.  Where the initial rule focused on expanding access to new innovations, the current approach focuses more on Medicare program goals and outcomes data. Continue Reading CMS Proposes to Reverse Course and Repeal Its Final Rule Expediting Medicare Coverage of Breakthrough Devices and Defining the Medicare “Reasonable and Necessary” Coverage Standard

The New Jersey Department of Health (the “Department”) recently finalized regulations initially proposed in April 2020 that will now require all telehealth organizations providing telemedicine services to patients located in New Jersey to register their business with the Department before October 15, 2021, and annually thereafter.  In addition to annual registrations, telehealth companies will also be required to submit annual reports on activity and encounter data. Continue Reading Navigating New Jersey’s Telemedicine Business Registry

On Tuesday, August 24, 2021, California Attorney General Rob Bonta issued a guidance bulletin (the “Guidance”) to health care providers reminding them of their compliance obligations under California’s health data privacy laws and urging providers to take proactive steps to protect against cybersecurity threats. This Guidance comes, in part, as a response to federal regulators sounding the alarm over an uptick in cybercrime against hospitals and other health providers. The Guidance follows an October 2020 Joint Cybersecurity Advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA),[1] the Federal Bureau of Investigation, and the Department of Health and Human Services, which assessed that malicious actors are targeting the Healthcare and Public Health Sector through ransomware attacks, data theft, and other disruption tactics.

The Guidance also arrives in the wake of a recent spike in ransomware attacks directed at healthcare providers, many of which were not reported to the Office of the Attorney General. Ransomware is malicious software that encrypts data and systems to block access to them until a “ransom” is paid. Oftentimes, it may not be immediately clear whether protected health information has been compromised following a ransomware attack. Providers should nevertheless treat a successful attack as a presumed breach (under HHS Office for Civil Rights guidance, the encryption of electronic protected health information by ransomware is presumed to be a breach unless the entity can demonstrate a low probability that the information was compromised), thereby triggering the requirement to conduct an internal breach investigation under the federal Health Insurance Portability and Accountability Act (“HIPAA”). The Guidance notes that timely reporting is critical to help affected Californians “mitigate the potential losses that could result from the fraudulent use of their personal information[.]” Under California law, entities that are required to notify more than 500 Californians of a data breach must also report the breach to the Office of the Attorney General, which then notifies the general public.[2]

Citing HIPAA and the California Confidentiality of Medical Information Act (“CMIA”), the Guidance further reminds providers to implement reasonable administrative, technical, and physical security measures to prevent and mitigate ransomware and other cybersecurity attacks. The California Consumer Privacy Act (“CCPA”) also establishes data protection requirements for data not otherwise subject to CMIA or HIPAA. Guidance issued by the Attorney General’s office in 2016, in its California Data Breach Report, recommended that California companies implement the twenty data security controls published by the Center for Internet Security as a minimum level of reasonable security. The recent Guidance outlines the minimum preventative measures that California health care providers, specifically, should implement in order to protect their data systems from cyberattacks:

  • keep all operating systems and software housing health data current with the latest security patches;
  • install and maintain virus protection software;
  • provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;
  • restrict users from downloading, installing, and running unapproved software; and
  • maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.
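The last item in the list is the one most often neglected in practice: a backup that has never been restored is not a recovery plan. The following Python script is an added illustration (not code from the Guidance or from Epstein Becker Green) of what a minimal, automatable restore drill looks like. It builds a SHA-256 manifest of a source tree when the backup is taken, later restores the backup into a scratch directory and compares every restored file against the manifest, so that a silently corrupted, truncated or missing backup file is detected before the backup is needed. The sample “patient record” files, directory names and the `demo()` helper are constructed for the example and are not real data or a real backup format.

```python
"""Backup integrity and restore-drill check (added example, not from the original page)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups do not load into memory


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under `root` to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_backup(source: Path, backup: Path) -> Path:
    """Copy the source tree into backup/data and record a manifest next to it."""
    shutil.copytree(source, backup / "data")
    manifest = build_manifest(source)  # hash the *source*, so the manifest is independent of the copy
    (backup / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return backup


def restore_drill(backup: Path, scratch: Path) -> dict:
    """Restore the backup into `scratch` and verify it against the manifest.

    Returns a report: {"ok": bool, "missing": [...], "corrupted": [...], "unexpected": [...]}.
    """
    manifest = json.loads((backup / "manifest.json").read_text())
    shutil.copytree(backup / "data", scratch)
    restored = build_manifest(scratch)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(
        rel for rel in manifest if rel in restored and restored[rel] != manifest[rel]
    )
    return {
        "ok": not (missing or corrupted or unexpected),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed scenario: back up a tiny tree, run a clean drill, then damage the
    backup copy (one file zeroed, one deleted) and run the drill again.
    Returns (clean_report, damaged_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "ehr"
        (src / "records").mkdir(parents=True)
        # constructed sample data, not real patient records
        (src / "records" / "patient-0001.json").write_text('{"mrn": "0001", "note": "sample"}')
        (src / "records" / "patient-0002.json").write_text('{"mrn": "0002", "note": "sample"}')
        (src / "config.ini").write_text("[db]\nhost=localhost\n")

        backup = write_backup(src, root / "backup")
        clean = restore_drill(backup, root / "restore-1")

        # Simulate silent damage to the backup media; the manifest is untouched.
        (backup / "data" / "records" / "patient-0002.json").write_bytes(b"\x00" * 16)
        (backup / "data" / "records" / "patient-0001.json").unlink()
        damaged = restore_drill(backup, root / "restore-2")
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean drill:  ", clean_report)
    print("damaged drill:", damaged_report)
```

Two caveats a practitioner would add. First, a manifest stored on the same media as the backup can be rewritten by the same attacker (or the same ransomware) that alters the backup, so keep a copy of the manifest, or at least its hash or a signature over it, offline or on a separate system. Second, the drill restores into a scratch directory rather than over production data; a restore test that overwrites live systems is itself an outage risk.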

The failure to implement the aforementioned measures could render California providers vulnerable to liability.

Attorneys in Epstein, Becker & Green’s Privacy, Cybersecurity, and Data Asset Management practice group have extensive experience in advising healthcare providers how to protect against an increase in cybersecurity threats, conducting internal investigations in response to a presumed breach, notifying state and federal regulators in the event of a breach, and responding to government inquiries. For any questions about these or other related issues, contact the authors or your regular EBG Attorney.

Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.


[1] See also Cybersecurity & Infrastructure Security Agency, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches (Aug. 2021), https://www.cisa.gov/sites/default/files/publications/CISA_Fact_Sheet-Protecting_Sensitive_and_Personal_Information_from_Ransomware-Caused_Data_Breaches-508C.pdf (encouraging organizations to adopt a “heightened state of awareness” and implement certain recommendations to reduce the risk of ransomware attacks).

[2] See California Civil Code section 1798.82.

On August 30, 2021, the DOJ announced a $90 million settlement with Sutter Health and affiliates[1] (“Sutter Health”) to settle False Claims Act (“FCA”) allegations brought by qui tam relator Kathy Ormsby related to the Centers for Medicare & Medicaid Services’ (“CMS”) Medicare Advantage (“MA”) Program.[2] Sutter Health elected to settle with DOJ and the relator without an admission of liability. As part of the Settlement Agreement, the Office of Inspector General (“OIG”) required Sutter Health to enter into a Corporate Integrity Agreement. Continue Reading The Department of Justice (“DOJ”) Continues its Medicare Advantage (“MA”) Enforcement Efforts with a $90 Million Dollar Settlement Against Downstream Provider Sutter Health

On June 21, 2021, Florida Governor Ron DeSantis signed into law a bill requiring genetic counselors to be licensed by the Florida Department of Health (“FLDOH”).  The new law, known as the Genetic Counseling Workforce Act (“GCWA”), became effective on July 1, 2021.  FLDOH has announced a 90 day enforcement moratorium to allow counselors time to become appropriately licensed in the State.  Florida now joins a growing number of states that regulate the work of genetic counselors.

Continue Reading Florida Joins a Growing Number of States Requiring Licensure of Genetic Counselors

In this episode of the Diagnosing Health Care Podcast: Although the COVID-19 pandemic exposed cybersecurity vulnerabilities across sectors, it has particularly challenged the resilience of information systems for health care and life sciences companies. Because ransomware attacks have the potential to cripple access to important data, expose patient health records, and shut down machinery and life-saving equipment, it’s no surprise that health care executives continue to lose sleep thinking about potential ransomware or other similar malicious attacks.

Epstein Becker Green attorneys Alaap B. Shah and Jessika Tuazon are joined by Andrew Morrison, principal at Deloitte & Touche LLP and Cyber Risk Services Strategy, Defense & Response solution leader for Deloitte Risk & Financial Advisory. Together, they discuss the impact of ransomware attacks on the health care and life sciences industries, and considerations for companies to strengthen their cybersecurity posture.

The Diagnosing Health Care podcast series examines the business opportunities and solutions that exist despite the high-stakes legal, policy, and regulatory issues that the health care industry faces. Subscribe on your favorite podcast platform.

Listen on Apple Podcasts, Google Podcasts, Overcast, Spotify, Stitcher, Vimeo, or YouTube.

On May 26, 2021, the Department of Justice (“DOJ”) announced a coordinated law enforcement action against 14 telehealth executives, physicians, marketers, and healthcare business owners for their alleged fraudulent COVID-19 related Medicare claims resulting in over $143 million in false billing.[1] This coordinated effort highlights the increased scrutiny telehealth providers are facing as rapid expansion efforts due to COVID-19 shape industry standards.

Since the outset of the COVID-19 pandemic, the DOJ has prioritized identifying and prosecuting COVID-19 related fraudulent conduct, particularly in regards to the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act[2] financial assistance programs. However, before this latest health care fraud takedown, the DOJ announced relatively little enforcement activity specific to federal healthcare programs. This renewed enforcement action may spark an increased effort by the DOJ to manage pandemic-related fraud as it relates to healthcare programs.

In addition to the DOJ criminal charges, the Center for Program Integrity (“CPI”) of the Centers for Medicare & Medicaid Services (“CMS”) separately announced administrative actions against over 50 medical providers for their involvement in health care fraud schemes related to the pandemic and abuse of CMS programs.[3] The CPI/CMS actions, in conjunction with DOJ’s healthcare fraud takedown, provide insight into DOJ’s current enforcement patterns related to the pandemic, which include:

  • Telehealth Waivers: In an effort to expand patient access during the pandemic, CMS broadened the services it reimbursed for telemedicine practices while federal officials also relaxed privacy guidelines that restricted types of devices that qualified to administer telehealth services. CMS also waived patient deductibles and copayments, which otherwise would have been construed as kickbacks if used for unnecessary services. The cases announced by both the DOJ and CMS allegedly sought to exploit these expanded policies by submitting false claims to Medicare for telemedicine encounters that never actually occurred. Additionally, DOJ charged medical professionals in these cases with allegedly accepting bribes in exchange for referrals of medically unnecessary testing.[4]
  • Bundled COVID-19 Testing: In addition to filing medically unnecessary Medicare claims, the DOJ charged defendants in these cases with bundling COVID-19 testing claims with Medicare claims for additional, often more expensive laboratory tests, such as cancer genetic testing, allergy screenings, and respiratory pathogen panel tests. In many of these cases, these tests were medically unnecessary or were not even provided to the patients.[5]
  • Provider Relief Funds: The recent law enforcement activity included the third criminal case in the country targeting misuse of Provider Relief Funds. The CARES Act created this funding to support patients with healthcare related expenses or lost revenue attributable to COVID-19. In this case, the DOJ alleged that the owner of a home health agency misappropriated Provider Relief Funds for his own benefit.[6]

While the DOJ’s May announcement focused on criminal healthcare fraud actions related to COVID-19, we can expect that the DOJ’s Civil Division will also make telehealth enforcement a priority. In a February address to the Federal Bar Association’s Qui Tam conference, Acting Assistant Attorney General Brian M. Boynton stated, “I also expect a continued focus on telehealth schemes, particularly given the expansion of telehealth during the pandemic.”[7] It is likely that the expansion of telehealth services and waivers will cause the Department to see a rise in qui tam actions filed by whistleblowers, as well as False Claims Act cases as the year progresses and the economy continues to recover from the pandemic.


[1] Press Release, DOJ Announces Coordinated Law Enforcement Action to Combat Health Care Fraud Related to COVID-19, Department of Justice (May 26, 2021), https://www.justice.gov/opa/pr/doj-announces-coordinated-law-enforcement-action-combat-health-care-fraud-related-covid-19.

[2] The CARES Act, Pub. L. No. 116-136 (2020).

[3] Press Release, DOJ Announces Coordinated Law Enforcement Action to Combat Health Care Fraud Related to COVID-19, Department of Justice (May 26, 2021), https://www.justice.gov/opa/pr/doj-announces-coordinated-law-enforcement-action-combat-health-care-fraud-related-covid-19.

[4] U.S. v. Stein et al., 1:21-CR-20321-CMA (S.D. Fla. May 25, 2021).

[5] U.S. v. Taylor, 2:21-MJ-02003-MEF (W.D. Ark. May 21, 2021); U.S. v. Ruis et al., 9:21-CR-80080 (S.D. Fla. May 24, 2021); U.S. v. Clarkin, 3:21-CR-00438 (D.N.J. May 24, 2021).

[6] U.S. v. Hannesyan, 2:21-MJ-02562 (C.D. Cal. May 24, 2021).

[7] Press Release, Acting Assistant Attorney General Brian M. Boynton Delivers Remarks at the Federal Bar Association Qui Tam Conference, Department of Justice (February 17, 2021), https://www.justice.gov/opa/speech/acting-assistant-attorney-general-brian-m-boynton-delivers-remarks-federal-bar.

Only a few days remain before the enforcement delay that the Centers for Medicare & Medicaid Services (CMS) exercised due to COVID-19 will end and the agency will require certain payors to publish a Patient Access application programming interface (“API”) and a Provider Directory API under the requirements of the CMS Interoperability and Patient Access Final Rule. Starting on July 1, 2021, all health plans that offer Medicare Advantage, Medicaid and Children’s Health Insurance Program (CHIP) coverage, and most Qualified Health Plans (QHPs) offered through the Federally-facilitated Exchanges (FFEs), will be required to make enrollee electronic health information held by the payor, and the health plan’s Provider Directory, available through application programming interfaces (“Open APIs”). (QHP issuers on the FFEs are required to publish a Provider Directory under a different CMS rule, not under this one.) CMS is also hopeful that when these payors see the benefit of offering their federally subsidized health care program enrollees easy access to use and exchange their electronic protected health information, the payors will offer the same opportunity to enrollees in their commercial and employer-sponsored plans.

The interactions between the Patient Access and Provider Directory APIs were designed to ensure that claims, encounter and certain clinical information held by payors becomes easily accessible to health plan enrollees to make it easier for them to identify which providers are in a plan’s network and to assist them in making the right care choices. However, publishing Open APIs is only one part and one step towards building the infrastructure that is needed to integrate information from multiple sources that will be able to impact both the quality and cost of health care.

Other rules, including the ONC Interoperability and Information Blocking Rules, the Hospital Transparency and Transparency in Coverage Rules, OCR’s Proposed Modifications to the HIPAA Privacy Rule and the Proposed No Surprises Act Rules also play a part in providing patients with access to a complete picture of their electronic health information and will influence the future that patient centered access plays in driving innovation, improving care, managing cost, and ensuring equitable care into the future.

While researchers have recognized the value of using claims, encounter and other health plan data in their analyses and studies for many years, individuals have rarely sought access to their own health histories through their health plan data. Payor data was considered difficult to use and consumers typically don’t find their claims histories helpful for making decisions about their future care. Through the implementation of Blue Button 2.0, CMS recognized that the longitudinal view of health plan data along with the clinical information from providers offers a complete view of a patient’s profile. Together, these data sets can inform care and benefit coordination in a way that can have a meaningful impact on both the cost and quality of care. With health care costs rising and individuals bearing responsibility for a larger portion of out-of-pocket expenses (e.g., co-pays, co-insurance and deductibles), having an integrated view of both clinical and cost information has become more important to consumers.

In addition to publishing Patient Access and Provider Directory APIs, payors are expected to develop or to engage with third parties to develop the software that will help transform health plan data that is currently hard to use and siloed, into meaningful information to enable patients, providers and payors to make the best health care choices possible. As covered entities under the Health Insurance Portability and Accountability Act (HIPAA), health plans are obligated to make an enrollee’s protected health information available to them under the HIPAA Right of Access rules.

As long as payors are developing or engaging developers directly, HIPAA would protect the electronic protected health information being collected and combined. However, Open APIs also offer the opportunity to third party developers who are not necessarily covered entities nor business associates of covered entities to offer their services directly to individuals. With the proper consent or authorization and the Patient Access API, a third party application developer acting on behalf of an individual can obtain access to that individual’s electronic protected health information and, once accessed, the HIPAA Privacy and Security Rules are no longer applicable.

Introducing third party applications that are not regulated under HIPAA as the vehicle that streamlines individuals’ access to and exchange of their electronic protected health information shifts the paradigm from covered entities deciding with whom to share protected health information to consumers making those decisions. Unless consumers know that the application they choose is not covered under HIPAA, there is the potential for them to unwittingly authorize their sensitive health information to be over-shared or to be used in ways they had not intended or anticipated.

Although third-party application developers are responsible for obtaining the appropriate consent and/or authorization from individuals choosing their apps, payors may want to make sure that their enrollees are educated, informed and know what to look for from an app developer that might take advantage of, or hide behind, convoluted language in a consent/authorization or Privacy Policy. Furthermore, to build trust with their enrollees, payors may want to collect some basic background information about any application developer that offers services to their enrollees and may be exchanging information with the payor. Some payors may offer application developers the opportunity to test their technologies; in doing so the payor can learn about the security and privacy posture of the application and assist enrollees in choosing applications that will be beneficial to them and not put their sensitive health information at risk.

Ultimately, payors should try to use this first phase of compliance with the Patient Access and Provider Directory APIs to connect and engage with enrollees and to prepare for the next step, which will take place on January 1, 2022, when payors will be required to implement a payor-to-payor API to encourage more seamless information sharing between health plans at an enrollee’s request.

If you or your organization haven’t fully considered the intersections and implications of the CMS Interoperability and Patient Access Rules, with the ONC Interoperability and Information Blocking Rules, the Price Transparency Rules (Hospital and Payor), the Proposed Modifications to the HIPAA Privacy Rule and the Proposed No Surprises Act that are expected to be released soon, please contact the Epstein Becker & Green, P.C. attorney who regularly handles your legal matters, or one of the authors of this blog post.

Our colleagues Alaap Shah and Stuart Gerson of Epstein Becker Green have written an Expert Analysis on Law360 that will be of interest to our readers: “Health Cos. Must Prepare for Growing Ransomware Threat.”

The following is an excerpt (see below to download the full version in PDF format):

Ransomware attacks have become big business, and they are on the rise. And entities in the health care and life sciences space have become primary targets of opportunity for attackers.

As the recent Colonial Pipeline Co. ransomware event illustrates, a small group of black hat hackers, living in protected status in nation states hostile to U.S. interests, can create massive disruption in our country’s infrastructure and well-being, and significant economic and other benefit for themselves and for the governments that support them.

Why is it that health care is such a prime target? The reason lies in the nature of the data that health care and life sciences companies and institutions create and store, and their relative vulnerability in the way they maintain and communicate it.

Health care entities are a treasure trove of cutting-edge research and information regarding pharmaceuticals, medical devices and other intellectual property that command great value. The protected health information that they store is of immense value, less with respect to identity theft, as is the popular notion, than it is as an enabler of fraudulent billing schemes that can quickly produce millions in revenue for hacking organizations.

And in the broadest sense, imagine, for example, the societal dislocation that a hostile digital intruder, or its sponsors, could cause if hospitals couldn’t provide services because their patient records were made inaccessible by ransomware encryption code. That kind of potentiality has been the reason why so many institutions and companies have caved in to ransomware demands.

Download Epstein Becker Green’s Ransomware Checklist for tips to proactively mitigate ransomware risk and for reactive measures to respond to a ransomware attack.

Download the full article in PDF format.

The roll out of the Office of the National Coordinator’s (ONC) 21st Century Cures Act Interoperability and Information Blocking Rules is reminiscent of the way HIPAA has rolled out over the course of the past 25 years. As of May 1, 2021, Actors have been required to comply with the Information Blocking rules. However, it will take some time before all Actors know who they are and before complaints of Information Blocking are determined to be actual instances of Information Blocking, by which time the penalties, which have not yet been finalized, may also need to be adjusted.

While ONC defined Actors in the Final Rule as health care providers, health IT developers of certified health IT, and health information exchanges or networks, and published guidance on its website, there is still uncertainty as to whom the Information Blocking Rules apply. The confusion may stem from the fact that some health care providers and health IT developers have never been regulated or overseen by ONC. There also appears to be overlap between what the ONC Information Blocking Rules protect against and what the Office for Civil Rights protects under the HIPAA Privacy Rule. Furthermore, providers and payers are typically regulated and overseen by CMS; however, CMS has not yet addressed the “disincentives” that providers would be subject to for Information Blocking violations, and payers have never been required to use certified electronic health records.

It is understandable that the Information Blocking prohibitions would apply to a health IT developer that develops or offers health information technology that is certified under the ONC Certification Program. In the Rules, ONC clarified that the Information Blocking prohibitions apply to a health IT developer as long as the developer has one or more health IT Modules certified under the ONC Health IT Certification Program at the time it engages in a practice that is the subject of an information blocking claim. However, ONC carved out an exception for health care providers that have developed their own health IT for their own use.

When ONC defined health care provider based on the definition in the Public Health Service Act (42 U.S.C. 300jj) (the “PHSA definition”), it swept in a significant number of providers that had never before been regulated by ONC. Many of the types of health care providers that fall within the definition of Actor and are subject to the Information Blocking provisions (e.g., ambulatory surgical centers, long-term care facilities and therapists) were not included in the incentive programs that made funding available for the purchase of certified electronic health records, have no quality payment incentive programs to participate in, and in some cases do not use certified EHRs. Health care providers should be aware that ONC has published guidance clarifying that Information Blocking applies to any health care provider that meets the PHSA definition regardless of whether any of the health IT the provider uses is certified under the ONC Health IT Certification Program, and that the “catch-all” clause at the end of the PHSA definition allows any other category of health care facility, entity, practitioner, or clinician determined appropriate by the HHS Secretary to be swept into the definition of Actor.

In the Final Rule, ONC combined two categories of Actors, health information exchange and health information networks and adopted one functional definition for both. A health information network or exchange refers to an entity that connects and exercises control over the technologies and services that enable the exchange of information between and among more than two other unaffiliated entities for treatment, payment or health care operations. Considering all the health IT developers, cloud service providers and data aggregators that are offering services to support Interoperability and communication to support health e-commerce, including care and benefit coordination, patient engagement and advancing social determinants of health to achieve care equality, there are a myriad of entities that are connecting multiple provider and/or payer organizations to coordinate the care or benefits of patients. These entities could unwittingly be performing the functions described in the definition of health information exchange or network without even knowing that they are considered Actors under the Information Blocking Rules.

If you or your organization aren’t sure if you fit into one of the definitions of Actor, or if you have any other questions about Interoperability, Information Blocking, ONC Health IT Certification, please contact the Epstein Becker & Green, P.C. attorney who regularly handles your legal matters, or one of the authors of this blog post: Karen Mandelbaum or Patricia Wagner.