With the goal of enhancing health care quality and outcomes for individuals with moderate to severe behavioral health conditions and substance use disorders (SUD), the Centers for Medicare & Medicaid Services (CMS) recently announced it will launch the state-based, voluntary Innovation in Behavioral Health (IBH) Model in fall of 2024.

CMS will circulate a Notice of Funding Opportunity (NOFO) in spring of 2024 and select up to eight states to participate in the IBH Model, which is expected to last for eight years. Selected states will align with their respective state Medicaid agencies (SMAs) on clinical policies for integrated care and work with Medicaid Managed Care Organizations (MCOs) or other partners for model development and implementation. 

The Department of Health and Human Services (HHS) was tasked with formalizing and coordinating efforts to regulate artificial intelligence (AI) in health care under the November 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI EO) and has already begun its regulation of AI within certain certified health IT.  HHS and Office of the National Coordinator for Health Information Technology (ONC) recently published the Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule.

The U.S. Department of Health and Human Services (HHS) released a concept paper on December 6, 2023 outlining its action plan to enhance cyber resiliency in the health care sector by proposing certain voluntary cybersecurity actions and standards that may ultimately become requirements. For health care organizations such as hospitals, “cyber resiliency” generally means how organizations anticipate, operate during, respond to, and recover from cyber attacks such as ransomware attacks, cloud exploitations, phishing or spear-phishing attacks, software and zero-day vulnerabilities, or distributed denial of service attacks.

Governor Newsom signed 890 bills and vetoed 156 bills in 2023. Every year, California passes multiple laws that impact health care practitioners and health facilities and, as further described below, 2023 is no exception. From physician assistant supervision to nursing facility informed consent requirements, these laws will present various new compliance considerations for health care practitioners and health facilities as soon as January 1, 2024.

In coordination with the Centers for Medicare & Medicaid Services (CMS), the Department of Health and Human Services (HHS) and Office of the National Coordinator for Health Information Technology (ONC) proposed a much-anticipated framework to establish and manage “appropriate disincentives” for health care providers under the Information Blocking Rules. As described in more detail in the blog post, the proposed rule (Appropriate Disincentives Proposed Rule) includes proposed disincentives for (i) hospitals and critical access hospitals (CAHs) participating in the Medicare Promoting Interoperability Program; health care providers eligible for Merit-Based Incentive Payment System (MIPS) adjustments; and health care providers participating in the Medicare Shared Savings Program (MSSP).

On October 30, 2023, the Biden Administration released and signed an Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (Executive Order) that articulates White House priorities and policies related to the use and development of artificial intelligence (AI) across different sectors, including health care.

The Office for Civil Rights (OCR) recently offered covered entities and business associates (Regulated Entities) not-so-subtle reminders in its October 2023 Cybersecurity Newsletter that effective sanction policies can encourage HIPAA compliance. Regulated Entities are required by HIPAA to implement sanction policies in which they impose “appropriate sanctions” against their respective workforce members who fail to comply with the Privacy Rule or Security Rule, the Regulated Entity’s privacy policies and procedures, and/or the Regulated Entity’s security policies and procedures, as applicable. These sanction policies are important administrative safeguards meant to ensure there are objective, documented consequences for HIPAA non-compliance among workforce members. The recent proliferation of social engineering attacks and increasingly sophisticated nature of external cybersecurity threats in health care underscore the importance of Regulated Entities consistently reviewing and applying sanction policies.

Mintz’s PBM & Pharmacy practice is proud to present the Mintz IRA Update, a regular publication that delves into the spectrum of developments under the Inflation Reduction Act of 2022 (“IRA”) impacting the health care industry.

Though there has been much speculation and commentary among industry stakeholders, the Office of Inspector General (OIG) and the Office of the National Coordinator for Health Information Technology (ONC) have not yet begun enforcing statutory penalties associated with violations of the Information Blocking Rules. On July 3, 2023, OIG and Department of Health and Human Services (HHS) took a significant step toward enforcement of these penalties when they published long-awaited civil monetary penalty (CMP) final rule (CMP Final Rule) for certain Information Blocking Actors in the Federal Register.