Ashton Harris

Ashton provides regulatory counsel to healthcare providers and industry partners, helping them navigate complex and frequently changing rules.

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

This post is the first in a series dedicated to Colorado’s Medicaid finance and payment systems, challenges faced by those programs, and opportunities for expansion.

The Colorado Healthcare Affordability and Sustainability Enterprise (CHASE) oversees Colorado’s hospital provider tax and the use of those taxes to support Medicaid supplemental payments. CHASE uses the largest portion of those taxes to generate payments targeting the cost shortfalls from treating Medicaid and uninsured patients. Broadly speaking, federal regulations (see 42 C.F.R. §§ 447.272, 447.321) allow each class of institutional providers to be paid for Medicaid services (on a fee-for-service basis) to a level that approximates what could have been paid under Medicare payment principles. This is known as the Upper Payment Limit (UPL). For the past several years, CHASE has limited these payments to less than the full amount permitted by federal law out of concerns about potential overpayments and statewide recoupment risks. The Colorado Hospital Association (CHA) is currently advocating for CHASE to increase payments to 100% of the UPL—i.e. “the full UPL.”

What Are the Changes?

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]