Healthcare Compliance Updates to be Aware of in 2023

The healthcare industry may have garnered a reputation as a slow adopter in some operational aspects, but that’s not the case when it comes to regulations. Compliance requires fast and full adherence to changes in this highly regulated space. Aside from poor outcomes, regulatory noncompliance can result in financial penalties, lower reimbursements, unwanted oversight, and negative media attention.  

As a result, symplr compiled this update to help you stay apprised of the newest legislation, legal settlements, and compliance best practices as the new year gets underway. 

HIPAA Right of Access 

The HIPAA Right of Access Initiative was launched in 2019 and focuses on a patient’s right to prompt access to their medical records without being inappropriately charged by the covered entity. As HIPAA regulations exist today: 

  • A covered entity has 30 days to provide the patient or the patient's representative with access to medical records information when it’s requested, in most cases. 
  • There is the potential for the covered entity to request a 30-day extension. 
  • The covered entity can charge a reasonable fee for the copying of records requested.

However, the proposed modifications to the HIPAA Privacy Rule include shortening the response time to be “as soon as practical,” but in no case exceeding 15 calendar days from receipt of the request, with an optional extension.

Another potential change proposes that covered entities establish written policies for prioritizing urgent or other high-priority access requests, to limit the need to use the 15-day extension. Additionally, the proposed modifications include changes related to fees associated with access. As of January 3, 2023, 43 cases have been resolved under this new initiative. 

The No Surprises Act 

The No Surprises Act establishes protection for patients insured by certain health plans from receiving surprise medical bills when receiving care from out-of-network providers at in-network facilities. It also establishes a federal independent dispute resolution (IDR) process for payment disputes between plans and providers. 


When the No Surprises Act went into effect on January 1, 2022, legal challenges arose almost immediately. The challenges largely revolve around the defined IDR process. As originally drafted, the No Surprises Act established that the IDR entities’ determination would start with the qualifying payment amount (QPA) and the presumption that the qualifying payment amount is appropriate. As such, the IDR entity would generally select the offer that was going to be closest to the QPA. 

However, in August 2022, a new final rule was issued, removing the QPA presumption. While the QPA is still to be considered, this new rule established that the QPA would now carry equal weight along with other permissible factors as outlined within the final rule. IDR entities are now required to select the offer that they determine best represents the value of the qualified IDR item or service as the out-of-network rate. 

In all cases, an IDR entity is required to provide a written decision that includes its rationale and information considered in its decision making, including the weight that it gave to the QPA. Prior to the final rule, the IDR entity was only required to provide a written explanation when the QPA was not chosen. The goal of this new requirement is to provide transparency and improve the consistency of the IDR entities’ decision making. 

As it stands today, the August 2022 final rule did not end the uncertainty of the No Surprises Act. The legislation is still in effect; however, litigation continues to challenge the IDR process and could result in additional changes to the No Surprises Act. Most recently, the Texas Medical Association filed a lawsuit against the Biden Administration, arguing that the interim final rule on surprise billing goes against the intent of Congress and will ultimately harm patients.  

HIPAA Privacy Rule & The Dobbs decision 

The Dobbs vs. Jackson Women’s Health Organization decision (Dobbs) by the Supreme Court held that the Constitution does not confer a right to abortion, and in doing so created confusion around the HIPAA Privacy Rule and what a healthcare professional can and cannot do moving forward. The confusion centered on disclosing protected health information (PHI) without patient authorization for non-healthcare-related purposes, such as disclosure to law enforcement. In response, the Department of Health and Human Services (HHS) issued guidance in June 2022 to clarify how the HIPAA Privacy Rule limits access to private medical information related to abortion and other sexual and reproductive healthcare held by HIPAA-covered entities: 

  • The guidance reminded covered entities and business associates that PHI can be used and disclosed without an individual’s signed authorization only as expressly permitted or required by the Privacy Rule.  
  • An explanation was provided on the Privacy Rule restrictions on disclosure of PHI when required by law for law enforcement purposes and to avert a serious threat to health or safety. In the absence of a mandate enforceable in a court of law, the Privacy Rule’s permissions to disclose PHI for law enforcement purposes do not permit a disclosure to law enforcement by the covered entity or its workforce member to report an individual’s abortion or other reproductive healthcare.  
  • The Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity in good faith believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person who is reasonably able to prevent or lessen the threat.

Future guidance may be provided regarding the HIPAA Privacy Rule post-Dobbs, especially considering an executive order that directed HHS to consider additional guidance on protecting the privacy of information regarding reproductive healthcare. 

EMTALA compliance following Dobbs 

The Emergency Medical Treatment and Labor Act (EMTALA) provides access to emergency medical services regardless of a patient’s ability to pay. In response to the Dobbs decision, the Centers for Medicare & Medicaid Services (CMS) issued a memorandum to address EMTALA obligations specific to patients who are pregnant or are experiencing pregnancy loss. The memorandum reminded hospitals of their federal obligations under EMTALA as they relate to reproductive healthcare and emphasized that EMTALA obligations under federal law preempt state law: 

  • All patients must receive an appropriate medical screening exam, stabilizing treatment, and transfer, if necessary, regardless of any state laws or mandates that apply to specific procedures.  
  • If a physician believes that a pregnant patient presenting at the emergency department is experiencing an emergency medical condition as defined by EMTALA, and that abortion is the stabilizing treatment necessary to resolve that condition, the physician must provide that treatment.  
  • When a state law prohibits abortion and does not include an exception for the life and health of the pregnant person or draws the exception more narrowly than EMTALA’s emergency medical condition definition, that state law is preempted.

Lawsuits have been brought challenging the CMS guidance on enforcing EMTALA and preempting state law. Courts in Texas and Idaho have issued opposing preliminary injunctions regarding enforcement of the EMTALA guidance, creating further complications. Litigation is ongoing and will likely shape the enforcement of EMTALA post-Dobbs. 

Planning for the end of the Public Health Emergency 

A Public Health Emergency (PHE) stemming from COVID-19 was declared on January 27, 2020. The PHE has been renewed every 90 days since, with the most recent renewal by HHS Secretary Xavier Becerra on January 11, 2023. The PHE declaration and renewals result in emergency waivers, regulations, and changes in enforcement. 

The PHE may finally end in 2023 with effects across healthcare. HHS has indicated that it will provide healthcare officials with at least 60 days’ notice before concluding the PHE. Many of the COVID-19 waivers and flexibilities will terminate at the end of the PHE, as these waivers were never intended to permanently replace existing requirements. Health systems and providers should begin preparing for the end of the PHE and its resulting effects on their organizations. 

You can learn more about these compliance updates, details on their impact, and how to prepare by watching our recent compliance webinar with Lynne Rinehimer. Rinehimer is an attorney with expertise and more than 24 years of experience in healthcare governance, risk management, and compliance.

