Legislative Weekly

June 10, 2024

1. No Surprises Act (NSA) and Transparency Rules (TinC)
2. Cybersecurity, AI, & Tech 1
3. DC and Federal Update
4. The States
5. The Industry

HIGHLIGHTS: Court says providers can’t sue for NSA IDR awards; Audits, SIEs and other gov’t actions on cybersecurity; Providers and others push FTC to hold off on non-compete ban; 70% of hospitals participate in healthcare interoperability.

No Surprises Act & TinC

A U.S. district court judge ruled that the NSA does not provide the right for providers to sue over IDR payment determinations.

• The case, brought by air ambulance companies, was filed after a health system failed to pay after an IDR payment determination. The air ambulance companies intend to appeal the decision.
• The ruling indicates that the only remedy for late or unpaid NSA “final payments” would be an appeal with CMS.
• HOWEVER, the ruling conflicts with an earlier New Jersey federal court decision that, in contrast, did enforce an IDR award just last year. So… the “jury is still out” on a concrete policy on whether providers can leverage the courts on NSA IDR decisions and payments.

Cybersecurity, AI, & Tech

Cybersecurity Word of the Day: SIE. The administration published a memorandum requiring the Cybersecurity and Infrastructure Security Agency (CISA) to identify Systemically Important Entities (SIEs). SIEs are entities whose infrastructure, if disrupted, would cause significant impacts to the U.S. security and economy. Summary of the memo found here. ?Good overview of the gov’t’s SIE strategy in this blog.

?

HHS appears to be working on pinpointing healthcare SIEs: This week, the Wall Street Journal reports that HHS is creating a map of “single points of failure” in healthcare; i.e., the agency is charting the risks in having a single, dominant technology supplier in certain areas. “The project could eventually name which specific companies are chokepoints,” the WSJ reports.

?

Also on the bandwagon, Senate Finance Committee chair Sen. Wyden (D-Ore.) sent a letter to HHS this week calling the agency’s approach to cybersecurity “woefully inadequate” and demanding it implement changes, including establishing minimum cybersecurity standards for SIEs and setting resiliency requirements for SIEs.

?

Finally, a ?recent report by the Foundation for Defense of Democracies says that the healthcare industry doesn’t need reactive regulations to protect it from cyberattacks; instead, the gov’t “needs a proactive, collaborative approach” which includes HHS reassessing its SIE list.

?

Relatedly, Bloomberg reports that HHS is considering issuing new enforceable cybersecurity standards for healthcare. HHS has not released any enforcement specifics, but “actions would likely be based on voluntary cybersecurity performance goals” released earlier this year—things like reducing email security risks, adding multifactor authentication, and setting security requirements for outside vendors.

?

And HHS’ Office of Civil Rights (OCR) announced it will restart periodic audits of HIPAA-covered entities this year, focusing on HIPAA Security Rule compliance. OCR has not conducted the audits since 2017.

DC and Federal Update

Nearly 230 associations asked the FTC to hold off on implementation of its new noncompete ban — including the American Hospital Association.? The ban creates “substantial uncertainty for businesses and employees” due to a lack of guidance from the agency, according to the coalition of associations.

• The U.S. Chamber of Commerce sued the FTC over the ban, stating that it is acting outside its authority.
• House Republicans have tacked on a provision in spending bills that would allow the chamber’s medical providers to work outside of Congress like other members, with a typical cap of $30,000 in annual income.

The States

According to a Fitch Ratings report, state healthcare cost caps — which limit increases in charges to patients and payers based on economic indicators — could stifle nonprofit hospitals’ revenue as they attempt to recover from C19.

• Fitch says this has been observed already in Connecticut, Maryland, Massachusetts, Nevada, New Jersey, Oregon, Rhode Island, and Washington.
• This comes as KFF reports that California has become the latest state to set annual health spending targets — albeit with certain exceptions in cases where higher spending might be justified.

?

A U.S. district judge tossed out a lawsuit filed by the state of Florida that sought to challenge federal guidelines that prevent states from cutting off Medicaid coverage for children due to nonpayment of premiums.

• The judge ruled that Florida should pursue a CMS administrative challenge rather than a lawsuit.

?

Amazon has officially entered the California pharmacy business with its opening of the first Amazon Pharmacy in the state-one of only 12 locations nationwide.

• The pharmacy plans to be able to deliver medication to those around the Los Angeles area, and over 1,000 medications are available. The pharmacy plans to give price estimates to customers before they hit the order button.

?

Meanwhile in California, Gov. Newsom has signed legislation postponing the start of healthcare worker minimum wage increases by one month.

• Supposed to begin June 1 of this year, the estimated price of the increases will be $4 billion in the 2024-25 fiscal year alone. Negotiations are still ongoing.

The Industry

According to a report from HHS’ Office of the National Coordinator for Health Information Technology (ONC), 70% of hospitals participate in healthcare interoperability. However, health information exchange gaps persist. Additional highlights from the brief include:

• While there’s been a ~50% increase in hospitals that routinely engaged in interoperable exchange since 2018, only about 40% “routinely engaged” in interoperable exchange, while ~30% “sometimes engaged.”
• ~70% of hospitals reported routine access to necessary clinical information from outside providers, but only ~40% indicated that clinicians routinely use it when treating patients.
• Only 16% of hospitals reported sending summary of care records to most or all long-term/post-acute care providers. ?

?

Ro, a direct-to-consumer health care company, launched an online GLP-1 supply tracker to allow consumers to track shortages and know when the drug is available in their area.? It also assists with the submission of drug shortage reports to the FDA.

?

The average duration of drug shortages has increased by close to an entire year by the end of 2023 according to a new report.?

• Shortages now last, on average, 3 years compared to about two years in 2020. Factors identified to lead to drug shortages include low prices, geographic concentration, manufacturing complexity, and quality concerns.

?

Becker’s Hospital Review has published a list of recent incidents of healthcare billing fraud here.

This update is solely for informational purposes and should not be relied upon as legal advice.????????