Providers want to dodge data breach reporting

Presented by PhRMA: Delivered daily by 10 a.m., Pulse examines the latest news in health care politics and policy.

May 22, 2024 View in browser   By Chelsea Cirruzzo and Ben Leonard Presented by  With David Lim  Driving The Day Health care providers affected by the Change Healthcare cyberattack are asking HHS to clarify who is responsible for contacting patients victimized by the breach. | Saul Loeb/AFP via Getty Images WHO GETS THE CHANGE BLAME? Hundreds of providers are lobbying HHS to be exempted from reporting data breaches in the Change Healthcare cyberattack — though one cybersecurity expert says letting them “off the hook” could set a precedent. Provider groups — including the American Medical Association, the College of Healthcare Information Management Executives and the American Health Information Management Association — wrote to HHS and the Office for Civil Rights earlier this week to request clarity on who is responsible for reporting breaches of personal health information to federal officials and individuals whose data was breached. Federal law mandates that entities covered under HIPAA report breaches within 60 days of the breach’s discovery. According to the provider groups, this is Change’s responsibility, not theirs. Cybercriminals attacked Change Healthcare, a large medical bill clearing house, in February, disrupting provider payments. UnitedHealth Group, which owns Change, has offered to notify affected patients on behalf of providers. A spokesperson for UnitedHealth pointed Pulse to testimony by the company’s CEO, Andrew Witty, earlier this month when he told Congress that United is “working closely with HHS’s Office [for] Civil Rights to make sure our notice is effective, useful and complies with the law.” In April, OCR wrote in an FAQ after the attack that the covered entity — Change wasn't named — is “ultimately responsible for ensuring individuals are notified” but “may delegate the responsibility of providing individual notices” to their business associates, which could include providers. Providers are concerned OCR’s language is too ambiguous.  “The worry is that this is going to fall to the providers to have to report the breach. … This would be incredibly burdensome to have to do,” Mari Savickis, vice president of public policy at CHIME, told Pulse. While Savickis said she hasn’t heard of providers being asked to provide notice, “we really need OCR to step in,” she said. “If there’s another big attack, we can point back to [OCR’s guidance],” she said. Toby Gouker, a chief security officer at First Health Advisory, which provides cybersecurity consulting to the industry, told Pulse that OCR’s guidance suggests that Change Healthcare and the providers affected by the attack are business associates — which creates a gray zone of responsibility. “If [Change] is a business associate of a hospital, then the hospital itself is responsible for everything,” Gouker said. Why it matters: Shifting the responsibility for breach notifications on one entity like Change — as providers want — “is a big deal in health care because there are going to be many more situations” like this, Gouker said, especially as federal authorities warn of foreign entities specifically targeting the health care sector. “This clears up a definition of who is responsible,” he said, setting a precedent that providers can refer back to after future attacks, which could keep them from taking on escalating fines if they fail to report a breach. “A lawyer [for a hospital] could say, ‘Hey, you let them off the hook,’” Gouker added. OCR referred Pulse to its earlier guidance on the Change attack when asked about the letter. WELCOME TO WEDNESDAY PULSE. Our health team has very different opinions on their favorite (and least favorite) places to work in the U.S. Capitol. For me, it’s wherever is closest to &pizza. Send your tips, scoops and feedback to ccirruzzo@politico.com and bleonard@politico.com and follow along @ChelseaCirruzzo and @_BenLeonard_.   A message from PhRMA: The size of the 340B drug pricing program has ballooned in recent years, but patients aren’t seeing the benefit. Instead, hospital systems, chain pharmacies and PBMs are exploiting the program to generate massive profits. Let’s fix 340B so it better helps patients.   BIRD FLU The CDC's principal deputy director, Dr. Nirav Shah, is calling for more flu surveillance to detect any presence of avian flu. | Mike Groll/AP CDC: KEEP UP FLU TESTING — Top CDC officials told public health groups Tuesday to keep operating overall flu surveillance systems “at elevated levels” this summer to help detect rare cases of human bird flu infections, David reports. Dr. Nirav Shah, the CDC’s principal deputy director, pushed state and local officials, including those from the Association of State and Territorial Health Officials and the National Association of County and City Health Officials, to increase their flu sample submissions to labs to detect any avian flu cases. Jennifer Nuzzo, director of the Pandemic Center at the Brown University School of Public Health, said she was glad to hear that the CDC is pushing for continued flu surveillance. “So many of our data points and response options are predicated on being able to find cases, and there are currently many holes in our ability to do that,” Nuzzo said.   THE GOLD STANDARD OF HEALTHCARE POLICY REPORTING & INTELLIGENCE: POLITICO has more than 500 journalists delivering unrivaled reporting and illuminating the policy and regulatory landscape for those who need to know what’s next. Throughout the election and the legislative and regulatory pushes that will follow, POLITICO Pro is indispensable to those who need to make informed decisions fast. The Pro platform dives deeper into critical and quickly evolving sectors and industries, like healthcare, equipping policymakers and those who shape legislation and regulation with essential news and intelligence from the world’s best politics and policy journalists. Our newsroom is deeper, more experienced and better sourced than any other. Our healthcare reporting team—including Alice Miranda Ollstein, Megan Messerly and Robert King—is embedded with the market-moving legislative committees and agencies in Washington and across states, delivering unparalleled coverage of health policy and the healthcare industry. We bring subscribers inside the conversations that determine policy outcomes and the future of industries, providing insight that cannot be found anywhere else. Get the premier news and policy intelligence service, SUBSCRIBE TO POLITICO PRO TODAY.     NURSING HOMES STATE NURSING HOME STAFFING VARIES — Fewer than 1 in 4 nursing home facilities in 28 states meet all three staffing requirements in the new federal staffing rule, according to a KFF analysis. The controversial rule, finalized last month, requires 24-hour nursing and mandates minimum staffing ratios for all caregivers, such as nurses and nursing aides. The mandate takes effect in three years for urban homes and five years for rural facilities. Why it matters: The nursing home industry has pushed back on the rule, citing the cost and challenge of meeting the staffing requirements. The state-level analysis of nearly 14,500 nursing homes by KFF, a health policy think tank, found the share of facilities that meet all requirements ranges from 5 percent or lower in some states — Arkansas, Louisiana, Tennessee and Texas — to 50 percent or higher in others — Alaska, Hawaii, Maine, North Dakota and Oregon. One of the biggest challenges for facilities is meeting the requirement for nurse and nursing aide staffing. According to KFF, 49 percent of facilities meet the minimum hours for registered nurses and 30 percent meet the minimum for nurse aides. “Facilities that need to hire new RNs to comply with the final rule may find it difficult to compete with hospitals, many of which are also trying to increase the number of RNs they employ. The rule estimates that to meet both [requirements], facilities would need to hire about 16,000 RNs,” the analysis said.   A message from PhRMA:   AROUND THE AGENCIES COURT 340B RULING — A D.C. Circuit Court of Appeals sided Tuesday with drug manufacturers that want to impose limits on the number of 340B program pharmacies they ship to. The 340B program requires drug manufacturers that participate in Medicare and Medicaid to sell certain drugs at a discount to so-called safety-net health care providers. In 2020, some manufacturers said they would restrict which pharmacies they’d send drugs to, citing fears of abuse by pharmacies. In response, HHS warned manufacturers that setting contractual limits on certain pharmacies would violate the 340B law —leading to several federal lawsuits. In early 2023, the Third Circuit upheld an appeal by drug manufacturers, allowing them to set contractual limits. The D.C. court also sided with drug manufacturers on Tuesday, writing that 340B “does not prohibit manufacturers from limiting the distribution of discounted drugs by contract.” What’s next: A third appeal is still before the Seventh Circuit. ER PATIENT RIGHTS — A new HHS web page aims to educate patients about their rights under a federal law requiring hospitals to offer emergency treatment — including abortion — to people experiencing a medical crisis. The new site also includes a portal to file a complaint when violations of the law, known as the Emergency Medical Treatment and Labor Act, or EMTALA, occur — although a pending Supreme Court case leaves those complaints in flux. The court is expected to rule in June on whether federal law requires emergency room doctors in Idaho to perform abortions when needed to stabilize pregnant patients despite the state’s near-total prohibition of the procedure. HHS has interpreted the law to say that emergency care under EMTALA can, in some cases, include abortion care. The page, unveiled Tuesday, speaks directly to patients. “You have rights in an emergency room. It’s the law,” the page reads.   A message from PhRMA: A recent report from the Berkeley Research Group shows the 340B program is the second largest federal drug program for another year in a row. Despite its massive size, 340B has zero reporting requirements and zero patient protections to ensure the program is working as it should. Let’s fix 340B so it better helps patients.   Names in the News Irina Ridley is now the chief legal officer at Aerin Medical. She most recently was at medtech company NeuroPace, which she helped take public in 2021. WHAT WE'RE READING POLITICO’s Nick Reisman reports on a New York court decision upholding an abortion coverage policy. POLITICO’s Megan Messerly reports that the Louisiana House approved a bill criminalizing abortion pill protections. NPR reports on the hidden segment of caregivers: Black men.   LISTEN TO POLITICO'S ENERGY PODCAST: Check out our daily five-minute brief on the latest energy and environmental politics and policy news. Don't miss out on the must-know stories, candid insights, and analysis from POLITICO's energy team. Listen today.       Follow us on Twitter Dan Goldberg @dancgoldberg Chelsea Cirruzzo @chelseacirruzzo Lauren Gardner @Gardner_LM Sophie Gardner @sophie_gardnerj Kelly Hooper @kelhoops Robert King @rking_19 Ben Leonard @_BenLeonard_ David Lim @davidalim Megan Messerly @meganmesserly Alice Miranda Ollstein @aliceollstein Carmen Paun @carmenpaun Daniel Payne @_daniel_payne Ruth Reader @RuthReader Erin Schumaker @erinlschumaker Megan R. Wilson @misswilson   Follow us

To change your alert settings, please log in at https://login.politico.com/?redirect=https%3A%2F%2Fwww.politico.com/settings This email was sent to edwardlorilla1986.paxforex@blogger.com by: POLITICO, LLC 1000 Wilson Blvd. Arlington, VA, 22209, USA Unsubscribe | Privacy Policy | Terms of Service