Capitol Insights Newsletter

Authors: Luke Schwartz & Matt Reiter

What happened in Congress this week?

On Tuesday, June 4th, the House Energy & Commerce Investigation and Oversight Subcommittee held a hearing on the 340B Drug Discount Program. Congress was divided, with some Members arguing that the additional 340B revenue earned by safety net hospitals is not being utilized as intended to make drugs more affordable for low-income patients while other Members contended that the program is essential for maintaining affordable drug prices for patients treated at these hospitals.

The Joint Economic Committee held a hearing on how artificial intelligence can lead to economic growth. The hearing touched upon how AI can be used to make healthcare more efficient and drive down costs without eroding the labor force. Congress is very engaged in AI development and its possible uses to lower costs for public health insurance.

Providers Can Delegate Cyberattack Breach Notification Requirements to Change Healthcare

Last Friday evening, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) clarified that covered entities can delegate patient notification requirements from the Change Healthcare breach to Change Healthcare.

OCR Director Melanie Fontes Rainer says in the announcement, “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”

A strict interpretation of the HIPAA breach patient notification regulations would have required both Change Healthcare and medical practices to notify patients. This interpretation was reaffirmed in an OCR FAQ document earlier this month, prompting physician organizations nationwide to ask CMS to limit the notification burden to Change Healthcare. CMS ultimately updated its guidance accordingly.

During a recent Congressional hearing on the cyberattack, UnitedHealth Group (UHG) CEO Andrew Witty testified that UHG (which owns Change Healthcare) would be willing to facilitate patient notifications related to the breach but needed clarification from regulators to allow it to take that burden away from providers. Last Friday’s announcement provided this clarification.

However, each practice/business’s contract with Change Healthcare is different. Contracts might include language about how each party is responsible for patient privacy breach notifications.

The new and updated FAQs on the Change Healthcare Cybersecurity Incident may be viewed at: https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html.

Top Stories in Healthcare Policy

A lawsuit brought by air ambulance companies against Health Care Service Corp. for failing to pay No Surprises Act awards was thrown out by a federal district court in Texas.

Ten states are joining a Medicaid initiative that funds 24/7 crisis services for mental health and substance use treatments.

Ron Wyden, Chair of the Senate Finance Committee, wrote a letter to HHS calling on them to implement cybersecurity measures for healthcare firms in order to participate in Medicare.

The Federal Trade Commission was unable to block a $320 million deal by Novant Health Inc. to buy two hospitals in North Carolina.