In a previous post, we discussed the appropriate use of the Provider Relief Funds authorized and appropriated by Congress under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, Public Health and Social Services Emergency Fund (“Relief Fund”) for healthcare providers and facilities. Within that post, we specifically discussed the limitation imposed on use of the Relief Funds for payment of salaries, a topic of great interest to many recipients. Under the Terms and Conditions, recipients are prohibited from using the funds for salaries in excess of the Senior Executive Service Executive Level II amount – an annual salary of $197,300 – or $16,441 a month. We noted that, although the Department of Health and Human Services (“HHS”) had not spoken to this requirement with respect to the Provider Relief Funds, HHS permits other HHS grant Recipients to pay individuals’ salaries in excess of the $197,300 limit with non-federal funds.[1] Also, HHS’ federal contract regulations similarly limit use of federal contract funds for salary costs to the Executive Level II amount, but allow for amounts in excess of that limit to be paid with non-federal funds.[2]


To address the fiscal burdens of the COVID-19 public health emergency, Congress authorized and appropriated the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act[1], Public Health and Social Services Emergency Fund (“Relief Fund”) for healthcare providers and facilities. The Department of Health and Human Services (“HHS”) has begun to distribute several tranches of the Relief Funds. In total, Congress provided $175 billion to the Relief Fund through the CARES Act and the Payroll Protection Program and Health Care Act.[2]

As of May 7, 2020, HHS identified $50 billion for general distribution to Medicare providers. HHS distributed to Medicare providers the Relief Fund’s initial $45 billion tranche in April 2020, and is distributing the Relief Fund’s second $20 billion tranche. Also, HHS allocated Relief Funds to: hospitals in COVID-19 high impact areas ($10 billion); rural providers ($10 billion); Indian Health Services ($400 million); and skilled nursing facilities, dentists, and providers that take solely Medicaid (unidentified amounts).[3]



The Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020 (the Act), signed by the President on Friday, March 6, provides $8.3 billion in much-needed multi-year funds to battle the coronavirus public health crisis. While there are many important aspects of the Act, below we focus on the Act’s grants for construction, alteration, or renovation

As discussed in an earlier blog post, the New York state Stop Hacks and Improve Electronic Data Security Act (or “SHIELD Act”) was signed into law on July 25, 2019. As a potentially unintended side effect, the SHIELD Act may require health care companies to notify the NY Attorney General of events that occurred well before its enforcement date. While the SHIELD Act’s data security requirements, which are covered under §4, will not come into effect until March 21, 2020, all other requirements, including the breach notification requirement, became effective on October 23, 2019. The notification enforcement date is important for any Covered Entity, as defined by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), that has suffered a Breach, as defined by HIPAA, that involved fewer than 500 individuals (“Minor HHS Breach”), was a breach of computerized data, and involved a New York resident.

On January 28, 2020, the Department of Health & Human Services (“HHS”) Office for Civil Rights (“OCR”) addressed a federal court’s January 23rd invalidation of certain provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) rule relating to third-party requests for patient records. In Ciox Health, LLC v. Azar,[1] the court invalidated the 2013 Omnibus Rule’s mandate that all protected health information (“PHI”) maintained in any format (not just that in the electronic health record) by a covered entity be delivered to third parties at the request of an individual, as well as the 2016 limitation on fees that can be charged to third parties for copies of PHI.

As enacted, HIPAA’s Privacy Rule limits what covered entities (or business associates acting on behalf of covered entities)[2] may charge an “individual” requesting a copy of their medical record to a “reasonable, cost-based fee”[3] (the “Patient Rate”). The Privacy Rule did not, however, place limitations on the fees that can be charged to other requestors of this information, such as other covered entities that need copies of the records for treatment purposes or for disclosures to attorneys or other third parties.  In order for some of these third parties to obtain the records, the patient would have to provide the covered entity with a valid HIPAA authorization.  

In an effort to address the challenge of increasing drug prices for patients and families, the U.S. Food and Drug Administration (“FDA”) and the U.S. Department of Health and Human Services (“HHS”) recently outlined a proposal for facilitating the importation of pharmaceuticals originally intended for foreign markets.  The Safe Importation Action Plan (the “Action Plan”),

On Friday, April 26, 2019, the US Department of Health and Human Services (“HHS”) issued a notification regarding HHS’ use of Civil Monetary Penalties (“CMP”) under the Health Insurance Portability and Accountability Act (“HIPAA”) as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. https://www.federalregister.gov/documents/2019/04/30/2019-08530/enforcement-discretion-regarding-hipaa-civil-money-penalties. The notice provides: “As a

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance for healthcare cybersecurity best practices.  As required under the Cybersecurity Act (CSA) of 2015, this four-part guidance was generated by a Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that

On November 30, 2018, the Department of Health and Human Services (“HHS”) Health Resources and Services Administration (“HRSA”) will publish its final rule to change the effective date for its 340B Drug Pricing Program ceiling price and manufacturer civil monetary penalty final rule to January 1, 2019.

After two years of proposed rulemaking, HHS published