Recommended Alerts

Sign Up For Alerts

Medicare Expands Coverage of “Breakthrough” Medical Devices and Codifies “Reasonable and Necessary” Standard

On January 14, 2021, the Centers for Medicare and Medicaid Services (“CMS”) published a final rule that significantly alters the Medicare reimbursement landscape for medical devices approved under the Food and Drug Administration’s (“FDA”) “Breakthrough Devices Program.” The rule, which represents the culmination of years of advocacy by the medical device industry and patient and provider interest groups, finalizes a September 1, 2020 proposed rule that aimed to address the substantial time lag between FDA authorization of medical devices and Medicare coverage of the same. Specifically, the rule establishes a Medicare Coverage of Innovative Technology (“MCIT”) pathway for Medicare coverage of Breakthrough Devices and related medical procedures during a four-year period that begins immediately upon FDA marketing authorization. The final rule also codifies the definition of the “reasonable and necessary” standard that is used to determine when other items and services (and MCIT devices after the four-year period) may be covered by the Medicare program. The new rule becomes effective March 15, 2021.

Read More

California Imposes Additional Privacy Protection Obligations on Hospitals, Clinics, Home Health Agencies, and Hospices

Time to Read: 2 minutes Practices: Health Care, Litigation, Data, Privacy & Cybersecurity

Printer-Friendly Version

On January 1, 2009, California hospitals, clinics, home health agencies, and hospices (collectively “health facilities”) must comply with new privacy requirements requiring reporting of breaches and prohibiting certain activities (S.B. 541 and A.B. 211).

Reporting Breaches

Under S.B. 541, health facilities must report any unlawful or unauthorized access, use, or disclosure of patient medical information to both the California Department of Public Health (DPH) and the affected patient. The notification must be made no later than five days after the health facility detects the breach. This is a change from existing law, which requires only that notification be made without unreasonable delay and does not require reporting to DPH. In addition to the new notification requirements, these laws cover medical information in any medium or form, including hard copy. This is an expansion from existing law, which limits coverage to electronic personal information.

Prohibiting Unauthorized Access

Existing state law, the Confidentiality of Medical Information Act, already prohibits unlawful use or disclosure of patient medical information. The new laws additionally prohibit any unauthorized access, use, or disclosure of medical information. While “unauthorized” is not defined comprehensively in the statute, it includes inappropriate access, review, or viewing of a patient’s medical information without a direct need for medical diagnosis, treatment, or other lawful use. In other words, the new laws cover “snooping” even when patient information is not used or disclosed.

New Enforcement

S.B. 541 and A.B. 211 establish a new state enforcement agency, the Office of Health Information Integrity (OHII), mandate new security safeguards, and greatly increase penalties for violations. OHII will have authority to make regulations and the power to assess and impose penalties for patient privacy violations. Existing law allows only the Attorney General or a district, county, or city attorney to bring an action for a breach of medical information confidentiality. Health facilities’ privacy protocols may come under heightened scrutiny and the likelihood of enforcement against violators may increase. Since the new state reporting requirements and prohibitions are more stringent than standards under the Health Insurance Portability and Accountability Act, they will not be preempted by federal law.

Action Steps

In response, health facilities in California should review their reporting procedures to ensure that they can provide notification to DPH and the patient within the five-day window. Health facilities should also confirm that their written policies adequately restrict access as well as use and disclosure of patient medical information. In addition, administrative, technical, and physical safeguards to protect the privacy of medical information may need to be established, confirmed, or enhanced.

If you have questions or would like further information, please contact any of the attorneys listed on this page.

Printer-Friendly Version

Cookie Settings