U.S. Department of Health & Human Services

On December 27, 2024, the U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule (the Proposed Rule) to strengthen the cybersecurity protections that HIPAA-regulated entities are required to maintain for electronic protected health information (ePHI).

Keypoint: With the increased frequency and severity of cyberattacks against healthcare systems, state and federal agencies strive to improve cybersecurity controls with varied success.

In November 2023, New York Governor Kathy Hochul announced proposed regulations that would be the first state regulations for hospitals in New York. The governor described the proposed regulation as a “nation-leading blueprint” that would complement the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule enforced by the U.S. Department of Health and Human Services (HHS).

On September 9, 2024, the U.S. Department of Labor (DOL), Health and Human Services (HHS), and Treasury (collectively, the Departments) issued a Final Rule clarifying and adding additional requirements on health plans to provide equitable access to health insurance coverage for treatment of mental health and substance use disorders (SUDs), as required by the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA) and implementing regulations at 45 C.F.R. Part 146 and 147 (the 2024 Final Rule).

MHPAEA is a federal law that prevents group health plans and health insurance issuers (collectively, Health Plans) that provide mental health or substance use disorder benefits from imposing less favorable benefit limitations on those benefits than it does for a medical condition or surgical procedure. This means that Health Plans cannot impose additional financial requirements or apply non-quantitative treatment limitations (NQTLs) to these benefits more stringently than those applied to medical/surgical benefits.

What Are the Changes?

On April 26, 2024, the U.S. Department of Health and Human Services (“HHS”) issued a final rule (the “Final Rule”) along with guidance updating the Health Insurance Portability and Accountability Act (“HIPAA”) regulations at 45 C.F.R. Parts 160 and 164 (the “Privacy Rule”). The Final Rule prohibits the use or disclosure of protected health information (“PHI”) for the purpose of (1) conducting criminal, civil, or administrative investigations into, or (2) imposing criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care that is legal when provided. The Final Rule also prohibits the use or disclosure of PHI in order to (3) identify any person for any of those purposes (the “Prohibition”).[1]

On February 8, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) finalized long-awaited modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2, which requires individuals or entities that receive federal funding and provide SUD treatment to implement additional privacy protections and obtain specific consent before using and disclosing SUD treatment records (see 42 C.F.R. § 2.11).

On October 14, 2022, President Joe Biden signed Executive Order 14036, directing the Department of Health and Human Services (“HHS”) to consider innovative actions to drive down certain single-source prescription drug costs as the Biden-Harris Administration works to implement the Inflation Reduction Act of 2022 (the “Act”).

On August 4, 2020, the Office of Inspector General for the United States Department of Health and Human Services (OIG) released an FAQ regarding whether a clinical laboratory may provide free antibody testing to federal health care program beneficiaries (e.g. Medicare/Medicaid beneficiaries). In its FAQ, the OIG acknowledged that providing such testing would implicate two federal anti-fraud statutes–the federal Anti-Kickback Statute (AKS) and the federal Civil Monetary Penalties Law (CMPL). However, so long as the laboratory implemented certain safeguards, the arrangement would pose a sufficiently low risk that OIG would not pursue an enforcement action.

On Wednesday, April 8, 2020, the U.S. Department of Health & Human Services (HHS) Office of the Assistant Secretary for Health released guidance authorizing pharmacists to “order and administer COVID-19 tests, including serology tests, that the Food and Drug Administration (FDA) has authorized.”  HHS noted that it recognized that most Americans are relatively close to a retail pharmacy and they interact with pharmacists more frequently than other healthcare professionals. Allowing pharmacists to administer the tests should reduce travel to testing locations – an important mitigation step.  HHS Secretary Alex Azar issued the following statement: