On December 1, 2022, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin warning that commonly used website technologies, including cookies, pixels, and session replay, may result in the impermissible disclosure of Protected Health Information (“PHI”) to third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The bulletin advises that “[r]egulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of Protected Health Information (“PHI”) to tracking technology vendors or any other violations of the HIPAA Rules.” The bulletin is issued amidst a wider national and international privacy landscape that is increasingly focused on regulating the collection and use of personal information through web-based technologies and software that may not be readily apparent to the user.

Continue Reading HHS Warns HIPAA Covered Entities and Business Associates That Use of Website Cookies, Pixels, and Other Tracking Technology May Violate HIPAA Rules

It has been four years since Congress enacted the Eliminating Kickbacks in Recovery Act (“EKRA”), codified at 18 U.S.C. § 220. EKRA initially targeted patient brokering and kickback schemes within the addiction treatment and recovery spaces. However, since EKRA was expansively drafted to also apply to clinical laboratories (it applies to improper referrals for any “service”, regardless of the payor), public as well as private insurance plans and even self-pay patients fall within the reach of the statute.
Continue Reading Four Years After EKRA: Reminders for Clinical Laboratories

The past several years have proven difficult for healthcare entities due to increasing cybersecurity threats, breaches and regulatory enforcement. Following these trends, on April 6, 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a Request for Information (RFI) soliciting public comment on how regulated entities are voluntarily implementing security practices under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act) and also seeking public input on sharing funds collected through enforcement with individuals who are harmed by Health Insurance Portability and Accountability Act of 1996 (HIPAA) rule violations.

Continue Reading HIPAA Enforcers Seek Public Input on Recognized Security Practices and Sharing Enforcement Recoveries with Affected Individuals

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently submitted two reports to Congress setting forth the HIPAA breaches and complaints reported to OCR during calendar year 2020 as well as the enforcement actions taken by OCR in response to those reports. HIPAA covered entities should be aware of the trends identified in these reports and should examine their own compliance in these areas.

Continue Reading HHS OCR Issues Annual HIPAA Reports to Congress

In this episode of the Diagnosing Health Care Podcast:  The Centers for Medicare & Medicaid Services (“CMS”) and the Office of Inspector General (“OIG”) of the Department of Health and Human Services have at last published their long-awaited companion final rules advancing value-based care. The rules present significant changes to the regulatory framework of

The U.S. Supreme Court will consider whether the federal government can approve state programs that force Medicaid participants to work, go to school, or volunteer to get benefits. Both Arkansas and the Justice Department sought review of the issue. Epstein Becker Green attorney Clifford Barnes provides potential paths for the Biden administration to best position itself in the case.


The U.S. Supreme Court will hear oral argument in a case involving the authority of the Department of Health and Human Services to approve Medicaid work requirements programs in Arkansas and New Hampshire that were struck down by the U.S. Court of Appeals for the District of Columbia Circuit.

The high court has agreed to determine whether the HHS can allow states to impose work requirements in its Medicaid program even though all lower courts ruled against HHS’s approval of states’ Section 1115 work requirement waivers, based on the Trump administration’s refusal to consider the impact of the waivers on the core purpose of Medicaid—which is to increase health insurance coverage.

Unlike the narrow question considered by the lower courts, however, the court granted certiorari on a much broader issue. The question presented concerns the entire Section 1115 process and asks whether the HHS secretary has the power to establish additional purposes for Medicaid, beyond coverage.

Should the court rule that the HHS secretary does indeed possess this unbounded power, the entire Section 1115 landscape could shift, potentially allowing states to implement waivers like Arkansas, so long as they meet such additional purpose.

The case establishes an effective deadline for the Biden administration to take action to mitigate or eliminate the work requirements, in light of the administration’s commitment to expanding, rather than rolling back, Medicaid insurance coverage.

Continue Reading How the Biden Administration Can Reverse Trump’s Medicaid Work Requirements

On January 5, 2020, HR 7898, became law amending the Health Information Technology for Economic and Clinical Health Act (HITECH Act), 42 U.S.C. 17931, to require that “recognized cybersecurity practices” be considered by the Secretary of Health and Human Services (HHS) in determining any Health Insurance Portability and Accountability Act (HIPAA) fines, audit

In a previous post, we discussed the appropriate use of the Provider Relief Funds authorized and appropriated by Congress under the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act, Public Health and Social Services Emergency Fund (“Relief Fund”) for healthcare providers and facilities. Within that post, we specifically discussed the limitation imposed on use of the Relief Funds for payment of salaries, a topic of great interest to many recipients. Under the Terms and Conditions, recipients are prohibited from using the funds for salaries in excess of the Senior Executive Service Executive Level II amount – an annual salary of $197,300 – or $16,441 a month. We noted that, although the Department of Health and Human Services (“HHS”) had not spoken to this requirement with respect to the Provider Relief Funds, HHS permits other HHS grant Recipients to pay individuals’ salaries in excess of the $197,300 limit with non-federal funds.[1] Also, HHS’ federal contract regulations similarly limit use of federal contract funds for salary costs to the Executive Level II amount, but allow for amounts in excess of that limit to be paid with non-federal funds.[2]

Continue Reading Acceptable Use of CARES Act Provider Relief Funds – Salary Limitation Update

To address the COVID-19 public health emergency fiscal burdens, Congress authorized and appropriated the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act[1], Public Health and Social Services Emergency Fund (“Relief Fund”) for healthcare providers and facilities. The Department of Health and Human Services (“HHS”) has begun to distribute several tranches of the Relief Funds. All totaled, Congress provided $175 billion to the Public Health and Social Services Emergency Fund (“Relief Fund”) through the CARES Act and the Payroll Protection Program and Health Care Act.[2]

As of May 7, 2020, HHS identified $50 billion for general distribution to Medicare providers. HHS distributed to Medicare providers the Relief Fund’s initial $45 billion tranche in April 2020, and is distributing the Relief Fund’s second $20 billion tranche. Also, HHS allocated Relief Funds to: hospitals in COVID-19 high impact areas ($10 billion); rural providers ($10 billion); Indian Health Services ($400 million), and skilled nursing facilities, dentists, and providers that take solely Medicaid (unidentified amounts).[3]

Continue Reading Appropriate Use of CARES Act Provider Relief Funds

The Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020 (the Act), signed by the President on Friday, March 6, provides $8.3 billion in much needed multi-year funds to battle the coronavirus public health crisis. While there are many important aspects of the Act, below we focus on the Act’s grants for construction, alteration, or renovation