HHS recently issued a request for information to get insight on stakeholders’ cybersecurity practices as part of its enforcement of the HITECH Act.
Recent updates involving the U.S. Department of Health and Human Services (HHS) include an extension of the COVID-19 public health emergency (PHE), progress in making court-ordered reductions to a massive Medicare appeals backlog, and an initiative to better understand hospitals’ cybersecurity practices.
HHS Secretary Xavier Becerra on April 12 signed a 90-day extension of the PHE, pushing the expiration date to mid-July. There’s been speculation in policy circles that this extension would be the last unless another hospitalization surge happens over the next month or so. HHS has said it will give stakeholders a 60-day notice before allowing the PHE to expire.
Key provisions of the PHE include waivers that allow Medicare to broadly cover telehealth and hospital-at-home services. In legislation that passed in March to fund the federal government for the rest of FY22, Congress included a provision that extends the telehealth waivers for five months past the end of the PHE.
Progress being made in reducing a vast Medicare appeals backlog
The American Hospital Association (AHA) posted an update showing that HHS has met court-ordered targets for reducing the volume of Medicare appeals on file with the Office of Medicare Hearings and Appeals.
In a federal court procedure brought by the AHA and several hospitals, HHS was ordered to meet annual targets over a four-year period in eliminating a backlog that totaled more than 425,000 appeals at the time of the court order in 2018. A primary source of the backlog was a shortage of administrative law judges. The shortfall was eased by a congressional infusion of funding in ’18.
HHS has met annual targets and, through Dec. 31, 2021, had reduced the number of pending appeals to 52,641, according to recently released data. The court order requires the backlog to be eliminated by the end of September, which marks the end of the current fiscal year.
RFI seeks stakeholder comments on cybersecurity practices
HHS’s Office for Civil Rights is seeking public comments on two requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021.
The request for information (RFI) comes in part as a response to intensifying cybersecurity threats that are “driving the need for enhanced safeguards of electronic protected health information,” according to a news release.
The RFI seeks information on cybersecurity practices of entities covered by the HITECH Act — including health plans and most providers — and their business associates. HHS will use the feedback to determine “potential fines, audit results or other remedies for resolving potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule pursuant to an investigation, compliance review or audit.”
The other part of the RFI is to be used to establish a methodology through which individuals who are harmed by potential HIPAA violations may receive a percentage of any resulting civil monetary penalty (CMP) or monetary settlement.
“The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies,” according to the news release.
More information about the RFI, including how to submit comments, is available in this Federal Register article.