The Office for Civil Rights (OCR) of the Department of Health & Human Services has published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted. The OCR notes that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities and their business associates. (Covered entities are health plans, health care clearinghouses and health care providers that conduct electronic transactions, and business associates are entities that provide various management and related services for covered entities.)
The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is the case even for businesses that are covered entities or business associates, because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.
The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including covered entities and business associates) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee's health care provider to provide such documentation, to wear a mask while on the employer's premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files. The OCR also addressed questions relating to employee health services. Health care providers are permitted to disclose PHI relating to an individual's vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply.
It is necessary to distinguish between employment records and health records maintained by a health care provider in the course of treatment. The HIPAA Privacy Rule generally requires covered entities, including health care providers, to obtain the patient's authorization in order to disclose information (with certain exceptions, such as disclosures to public health authorities).
- Published: 04 October 2021
The Centers for Medicare and Medicaid Services (CMS) proposes to repeal the Medicare Coverage of Innovative Technology (MCIT) rule that was published on January 14, 2021, along with the definition of "reasonable and necessary" published at the same time. The effective date of these rules had previously been delayed to December 15, 2021. The proposal to repeal them will be published in the Federal Register on September 15, 2021.
Under the original MCIT rule, devices designated by the Food and Drug Administration (FDA) as breakthrough devices would be covered under Medicare for four years starting on the date that the FDA authorizes marketing of the device (or a later date if designated by the manufacturer). In proposing to repeal the MCIT rule, CMS notes that it and the FDA operate under different statutes: CMS in approving Medicare coverage, and the FDA in granting breakthrough designation. The standard for Medicare coverage is a determination that a device is reasonable and necessary for the diagnosis or treatment of illness or injury or to improve the functioning of a malformed body part. In making national coverage determinations under this "reasonable and necessary" standard, CMS considers whether the item or service improves health outcomes for Medicare beneficiaries, who are typically older and have more comorbidities than the general population.
Under the FDA's processes for breakthrough designation, a device can be approved for this designation prior to marketing authorization. Under the Breakthrough Devices Program, medical devices and combination products must meet two criteria. First, the device must provide for more effective treatment or diagnosis of life-threatening or irreversibly debilitating diseases or conditions relative to the current standard of care. Second, the device must satisfy one of four elements:
- it represents a breakthrough technology;
- no approved or cleared alternatives exist;
- it offers significant advantages over existing approved or cleared alternatives; or
- device availability is in the best interest of patients.
CMS expressed concern that since the FDA does not require that Medicare beneficiaries be included in clinical studies required for marketing authorization, evidence that the device is reasonable and necessary for the Medicare population may not exist. Also, the MCIT rule would limit CMS's ability to deny coverage if a particular device is found to be harmful to Medicare beneficiaries; CMS could remove coverage only if the FDA removed marketing authorization or issued a warning letter.
The controversial aspect of the definition of reasonable and necessary published on January 14 was the extension of the appropriateness criteria to commercial insurers. CMS proposes to repeal this rule as well, but invites comment on this aspect. CMS invites comments on how to provide improved access to innovative technologies for Medicare patients. Comments are due within 30 days after the publication of the proposed rule on September 15.
- Published: 14 September 2021
The Health Resources & Services Administration (HRSA) awarded $19 million in grants to 36 recipients to improve telehealth in rural and underserved communities. The largest awards of $3,250,000 each went to two academic medical centers (the University of Mississippi Medical Center and the Medical University of South Carolina) for the establishment of telehealth centers of excellence (COEs). The intent is that the COEs will assess strategies to use telehealth to improve health care in rural medically underserved areas, establish an evidence base for telehealth programs, serve as incubators to pilot new telehealth services and publish research on outcomes for telehealth.
Applicants for the Telehealth Technology-Enabled Learning Program were awarded $4,242,350 to build sustainable tele-mentoring programs and networks in rural and medically underserved communities. The purpose of the program is to connect specialists at academic medical centers with primary care providers in rural and other underserved areas to help treat patients with complex conditions, including long-haul COVID and substance use disorders. These awards will go to the American Academy of Pediatrics and eight academic and research institutions. Two national telehealth resource centers in Alaska and California each received $325,000 in grants, with twelve awards totaling $3,900,000 going to regional telehealth resource centers. The two national centers will provide expert resources on telehealth policy (including reimbursement, licensing and privacy) and telehealth technology. The regional resource centers will provide assistance to organizations providing telehealth services to patients, focusing on local community needs. Finally, eleven awards totaling $3,812,826 will be directed to the Evidence-Based Direct to Consumer Telehealth Network Program.
- Published: 18 August 2021
The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued a report dated June 2021 on oversight by the Centers for Medicare and Medicaid Services (CMS) of hospitals' cybersecurity controls for networked medical devices. The OIG concluded that consistent oversight was lacking. CMS's survey protocols do not explicitly address cybersecurity, nor do audit practices of the accreditation organizations (AOs). The OIG points out that hospitals have increasingly become targets of ransomware attacks. While most such attacks have affected electronic health record (EHR) systems, there was a ransomware attack in 2017 that infected radiology equipment. Because many radiology, laboratory and other systems connect to the EHR, malicious code introduced into networked devices can affect the entire EHR system.
Direct responsibility for hospital surveys rests with the AOs as well as the state survey agencies (typically, the state department of health). State survey agencies follow guidelines in CMS's State Operations Manual, including Appendix A applicable to hospital surveys, which includes the Medicare Conditions of Participation (CoPs) for hospitals and the Interpretive Guidelines, which provide more detailed instructions on application of the CoPs. The AOs establish their own audit guidelines, which are required to be at least as stringent as those contained in the State Operations Manual.
- Published: 26 June 2021