COVID-19 PHE Renewed

Originally published in the January 12, 2023, issue of MGMA’s Washington Connection
Reprinted with permission from MGMA

U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra renewed the COVID-19 public health emergency (PHE) yesterday. This renewal extends the PHE through mid-April 2023 and has implications for Medicare telehealth, COVID-19 testing, and other waivers. HHS has reiterated its promise to give a 60 days’ notice before letting the PHE expire.

While many telehealth flexibilities are tied to the PHE, it is important to note that the recently passed Consolidated Appropriations Act, 2023, does ensure certain ones will remain in effect through Dec. 31, 2024, regardless of PHE status.

More information may be found in MGMA Government Affairs’ newly updated telehealth resource.

Changes Are Coming to the HIPAA Privacy Rule: Are You Prepared?

By Laura M. Cascella, MA, CPHRM

2022 Alliance sponsor article provided courtesy of MedPro Group

With a turn of the calendar year, 2022 will likely usher in the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information-gathering, proposals, and public comments, which kicked off December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information on HIPAA rules. HHS subsequently released and published the Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, which concluded May 6, 2021.¹

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information-sharing, and interoperability (in alignment with the 21st Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.²

Some of the significant provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ rights to access their information, supporting information sharing and care coordination, allowing broader disclosures, and modifying policies and information associated with the Notice of Privacy Practices (NPP).

Key Definitions

As part of the Proposed Rule, HHS seeks to add definitions for two key terms — electronic health record (EHR) and personal health application (PHA). Neither of these terms currently is defined in the HIPAA Privacy Rule, although the HITECH Act does include a definition of EHR.

The Proposed Rule seeks to expand on and clarify the HITECH definition, defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”³

Likewise, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”⁴

The addition of both of these definitions — EHR and PHA — to the Privacy Rule are intended to address the gap in current regulatory definitions as well as clarify and support individuals’ right of access related to electronic protected health information (ePHI).⁵

The Proposed Rule also addresses confusion regarding the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically mentions population-based activities but not individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.⁶

Right of Access

A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

• Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as it does not pose unacceptable security risks. However, providers are not required to let patients connect personal devices to their information systems.
• Condensing the current timeline to respond to requests for PHI. Providers currently have 30 days to response to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
• Clarifying patients’ right to receive their PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
• Easing identity verification requirements. Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or onerous identity verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring a notarized signature or showing proof of identification in person (when another credible, more convenient method is available).
• Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third-parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) offer individualized fee estimates, and (c) provide itemized bills for completed requests.⁷

Information Sharing and Care Coordination

Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule seeks to address this issue and break down some of the barriers to information sharing.

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.⁸ The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

The proposed changes also modify the rules related to “minimum necessary standard.” Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum PHI that is required to accomplish the task at hand. The Proposed Rule makes an exception to the minimum necessary standard for use by, disclosure to, or requests from a covered entity for care coordination and case management.

The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social service agencies, community-based organizations, home-based and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.

Expanded Disclosures

In addition to supporting measures that facilitate sharing information and coordinating care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illnesses, incapacitation, and health-related emergencies.

To do this, HHS proposes replacing the “exercise of professional judgment” standard with a “good faith belief” standard, which would permit certain uses and disclosures of PHI if they are in the best interests of individuals. HHS also notes that the exercise of professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority.”⁹

Five areas of the Privacy Rule would be amended based on this proposal. Those areas relate to disclosing information (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.¹⁰

HHS also proposes to increase flexibility in relation to disclosing PHI to family, friends, and caregivers for the purposes of avoiding harm. The current Privacy Rule allows a covered entity to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when the threat to health and safety is “serious and reasonably foreseeable.” The proposed change would include a definition of “reasonably foreseeable” to help guide decision-making about disclosure.

Notice of Privacy Practices

To help eliminate an administrative burden of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients are able to understand and act on information in the NPP, they would have the right to discuss the NPP with a person whom the healthcare provider designates.

Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.¹¹

Next Steps

Although the changes detailed in this article are still proposed and not final, healthcare providers (and other covered entities) should be aware of them and their potential implications. These changes will require providers to update their policies, procedures, NPP, authorization and disclosure materials, and contracts.¹² Further, the significance and breadth of these modifications will necessitate retraining staff on the HIPAA Privacy Rule.

The proposed changes will become effective 60 days after the Final Rule is published, and providers will have 180 days following the effective date to comply. With less than a year to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.

The following strategies may prove helpful:

• Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.
• Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
• Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the Privacy Rule does not preempt other law that is more protective of individuals’ privacy.
• Make sure your identity verification process to access PHI does not impose unreasonable measures on patients, such as requiring a notarized authorization or other burdensome requirements.
• Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and ability to comply with 30-day timeframe to identify potential obstacles for future compliance.
• Review your current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Consider also what updates you will need to make to your website information.
• Begin to educate staff members about the changes in the Proposed Rule, and include them in planning efforts and discussions about new processes and workflows.¹³

More Information

For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see the Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement published in the Federal Register on January 21, 2021.

Endnotes

1 Linna, A., & Ishee, J. (2021, October 14). Preparing for major HIPAA changes in 2022 [Webinar]. McGuireWoods. Retrieved from http://www.mcguirewoods.com/events/firm-events/2021/10/preparing-for-major-hipaa-changes-in-2022; Sheppard Mullin Richter & Hampton LLP. (2021, May 24). HIPAA Privacy Rule modification – removing barriers and promoting coordinated care at what cost? SheppardMullin Healthcare Law Blog. Retrieved from
http://www.jdsupra.com/legalnews/hipaa-privacy-rule-modification-7104453/
2 Ibid; Hales, M. (2021, June 1). HIPAA changes ahead. The HIPAA E-Tool. Retrieved from
https://thehipaaetool.com/hipaa-changes-ahead/; Allen, A. L. (2021, August 16). HIPAA at 25 remains a work in progress. The Regulatory Review. Retrieved from http://www.theregreview.org/2021/08/16/allen-hipaa-at-25-remains-a-work-in-progress/
3 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021) (to be codified at 45 CFR pts. 160 & 164).
4 Ibid.
5 Ibid; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
6 Linna, et al., Preparing for major HIPAA changes in 2022. Hales, HIPAA changes ahead; Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
7 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Hales, HIPAA changes ahead; Compliancy Group. (n.d.). Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS. Retrieved from
https://compliancy-group.com/proposed-changes-to-hipaa-privacy-rule/
8 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Compliancy Group, Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS.
9 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
10 Ibid; Linna, et al., Preparing for major HIPAA changes in 2022.
11 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
12 Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
13 Hales, HIPAA changes ahead; Linna, et al., Preparing for major HIPAA changes in 2022.

Medicare Telehealth Waivers

Updated March 1, 2022 Courtesy of MGMA

In 2020, the Department of Health & Human Services (HHS) instituted flexibilities that waived many of the generally applicable rules governing Medicare telehealth services in response to the COVID-19 pandemic. Many of these waivers are in effect through the duration of the COVID-19 public health emergency (PHE). Once the PHE concludes, many of these flexibilities will end without further congressional or regulatory action. The COVID-19 PHE is currently in effect through April 16, 2022. Please keep in mind that this resource addresses Medicare payment policy, and that Medicaid and commercial payers may institute their own payment rules.

View the complete waivers document

The HIPAA Privacy Rule’s Right of Access

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

One of the key goals of The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is to ensure patients have the ability to access their protected health information (PHI) in a timely manner and in the format most convenient for them. Some providers have implemented electronic health record systems that offer patients the ability to view and download their health records at any time. However, patients do not always take advantage of that option. Some rather have a hardcopy of their records, or certain records might not be stored electronically. In these cases, a patient will submit a request for a copy of their health records.

HIPAA requires a provider to respond to a request from a patient for their health records (with some exceptions, like psychotherapy notes) as quickly as possible. The provider has up to 30 days to respond to the request, but The U.S. Department of Health & Human Services (HHS) strongly encourages providers to respond sooner, especially if the information is already in electronic format. An extension of 30 additional days is permitted, but the patient must be provided notice of the extension in writing along with the reason for the extension within the first 30 days. Some state laws require requests to be addressed in a shorter period of time.

A provider cannot refuse a patient’s request to send health records to them via unencrypted email if the patient has been informed of and has accepted the risk associated with the unencrypted transmission of their health record. The provider’s access request form should include an area where the patient can acknowledge that they accept the risk of having their records sent via unencrypted email.

Last year, HHS launched an initiative to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice.” Since then, the HHS Office for Civil Rights (OCR) has settled 2 cases regarding a patient’s right to access health records. The most recent one was in December 2019. A penalty of $85,000 and a 1-year corrective action plan were imposed by the OCR. The first enforcement action was in September 2019 under the same terms. The decision emphasized, “This right to patient records extends to parents who seek medical information about their minor children.” It is hard to say whether that will be the OCR’s standard enforcement arrangement, but history shows that generally, penalties have been decided on a case by case basis.

A reasonable, cost-based fee can be assessed, but HHS encourages providers to give records (especially if in electronic format) to patients at no cost when possible. It is important to note, though, that a patient does not lose their right to access their health record even if they have an outstanding balance with a provider. The fundamental point is clear: a patient’s access to their health record may not be obstructed or delayed by a provider, so it is important to be diligent and address a patient’s request as soon as possible.

HHS to reopen Provider Relief Fund applications for certain Medicare providers

Originally published in the August 6, 2020 issue of MGMA’s Washington Connection. Reprinted with permission from MGMA.

HHS announced it will allow a second opportunity for Medicare providers to access payments from the CARES Act Provider Relief Fund (PRF). Starting the week of Aug. 10, HHS will permit Medicare providers that missed the opportunity to apply for additional funding from the $20 billion second tranche of the $50 billion Medicare General Distribution. This opportunity will also be opened to Medicare providers that experienced a change in ownership in 2020 and therefore failed to receive a PRF payment based on 2019 CMS claims data. Both groups of providers will have until Aug. 28 to submit their revenue information to be considered for additional funding. Additional information on this second funding opportunity is expected via the PRF webpage next week.

The 411 on HITECH and HIPAA IT Compliance

By Judi Grassi

2020 Alliance sponsor feature article courtesy of Carolinas IT: A Logically Company

Most group practices and clinics have adopted the Electronic Health Record (EHR). If you’re one of these organizations, you know how imperative it is to keep your Electronic Protected Health Information (EPHI) safe. Both HIPAA and the HITECH Act lay out very specific requirements about data protection and regardless of your size, you are required to keep your Protected Health Information (PHI) data secure. This is especially imperative if your organization electronically transmits health information for financial or administrative reasons, such as claims processing, benefit eligibility, referral authorization requests, and other transactions defined under the HIPAA Transactions Rule.

Three Areas of HIPAA IT Compliance

HIPAA IT compliance is the responsibility of every administrative and clinical staff member in your organization. To make compliance requirements easier to digest, HHS established three areas of HIPAA IT compliance.

1. 1. Administrative — These measures ensure the integrity of patient data and accessibility only to authorized parties. It requires HCOs to:
      • Implement a security management process that identifies potential risks to EPHI and appropriate security measures to reduce risks and vulnerabilities.
      • Designate a security official who is responsible for ensuring HIPAA and HITECH compliance.
      • Identify who has authorized access to EPHI.
      • Provide appropriate security training to employees and follow through with appropriate sanctions against any employee who violates security policies.
      • Perform a periodic assessment to assess the effectiveness of your security policies.
   2. Physical — These measures ensure the security of facilities and devices that contain EPHI. It provides HCOs to:
      • Limit physical access to their facilities to authorized personnel only and protect against physical intrusion.
      • Ensure secure access to workstations and electronic media. This includes procedures for the transfer, removal, disposal, and re-use of electronic media to ensure appropriate protection of EPHI.
   3. Technical — These measures ensure that your IT systems and networks are secure from data breaches and unauthorized access. It requires HCOs to:
      • Protect their IT systems against digital intrusion and ensure that EPHI is transmitted over a secure network.
      • Only allow authorized individuals to access EPHI and ensure IT systems provide an audit trail to track EPHI access.
      • Ensure EPHI is not improperly or erroneously altered or destroyed.

HITECH Compliance

The HITECH Act of 2009 shored up these privacy and security provisions:

• HCOs, business associates, and service providers are all responsible for the security of EPHI.
• HCOs must promptly notify affected individuals whose PHI was compromised.
• HCOs must report any security breach that affects more than 500 individuals to the HHS Secretary.
• HCO business associates must notify the HCO of any breach at or by the business associate.
• Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary on an annual basis.

How to Comply with HIPAA and HITECH Technical Measures
Whether you are a hospital, clinic, medical practice, HCO business associate, or HCO service provider, you will need to address the following in order to comply with HIPAA and HITECH technical measures.

• Develop policies and procedures for data backup and recovery.
• Back up your data on a regular, frequent basis and ensure you can retrieve exact copies of EPHI and restore any lost data. Follow the 3-2-1 backup rule: 3 copies of your data across 2 media with 1 copy stored offsite.
• Establish acceptable but aggressive Recover Time Objectives (RTOs) and Recovery Point Objectives (RPOs) and develop a disaster recovery plan that meets these objectives.
• Periodically test your disaster recovery plan to be sure it works before a real disaster happens.
• Perform an annual risk assessment to determine whether your systems and data are a security risk and how vulnerable you are to attack.
• Develop a data breach response plan to identify who is responsible for what when a breach occurs, how to communicate with individuals whose PHI was compromised, how to handle the media, minimize further data loss, and remediate the breach.
• Encrypt EPHI data in transit and at rest.
• Ensure HCO business associates and service providers meet HIPAA and HITECH security requirements.

Noncompliance Fines
If you are found in noncompliance with HIPAA and HITECH regulations, it can cost you. Fines are based on the violation category or level of perceived negligence and can range from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for each violation (see Figure 1).

Figure 1

If you are breached and fined, your organization is listed on the HHS Office for Civil Rights (OCR) Breach Portal and “Wall of Shame” if the breach involves 500 or more individuals. If your organization has a breach of this magnitude, the name of your HCO will be permanently listed.

Final Thoughts

HCOs have two choices when it comes to HIPAA IT compliance requirements: DIY (Do It Yourself) or hire an IT Managed Service Provider (MSP). Whether you are a large or small HCO, you may find that you have limited IT resources and/or skills in-house to ensure your EPHI is private and secure. Therefore, many HCOs look to HIPAA-compliant MSPs to back up their systems, ensure the privacy of EPHI, and provide the best protection from security breaches.

Figure 1: Categories of Violations and Respective Penalty Amounts Available. Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95

CARES Act Provider Relief Fund

Providers can use the portals below to sign an attestation, accept or return the funds, agree to terms and conditions, submit revenue information, and request reimbursement. Read the descriptions below to find the appropriate portal.

Click Here To Access Portal

Take action now: Tell Congress to extend Medicare Telehealth Waivers

Once the Secretary of Health & Human Services (HHS) lifts the COVID-19 public health emergency (PHE) declaration, many of the telehealth flexibilities allowed during the PHE will end. Since declaring the end of a PHE is at the sole discretion of the Secretary, it is difficult to predict when he will exercise that authority. It is possible that he could end it before patients feel comfortable or safe seeking treatment in an office. To avoid a situation where providers can no longer treat patients via telehealth regardless of their location, Congress must act soon. MGMA drafted a template letter that members can send to their congressional representatives urging them to extend the Medicare telehealth flexibilities beyond the conclusion of the PHE. Since the letter is editable, we encourage members to include anecdotes on how telehealth flexibilities during the COVID-19 PHE have benefited their practices and their ability to treat patients. You can access the letter here or through our Contact Congress portal.

$15B More in Relief Available for Those Participating in Medicaid/CHIP

Today, the U.S. Department of Health and Human Services (HHS), through the Health Resources and Services Administration (HRSA), announced additional distributions from the Provider Relief Fund to eligible Medicaid and Children’s Health Insurance Program (CHIP) providers who participate in state Medicaid and CHIP programs. HHS expects to distribute approximately $15 billion to these eligible clinicians who have not already received a payment from the Provider Relief Fund General Allocation.

Tomorrow, Wednesday, June 10, HHS is launching an enhanced Provider Relief Fund Payment Portal that will allow eligible Medicaid and CHIP providers to report their annual patient revenue, which will be used as a factor in determining their Provider Relief Fund payment. The payment to each provider will be at least 2 percent of reported gross revenue from patient care; the final amount will be determined after the data is submitted, including information about the number of Medicaid patients served.

The initial General Distribution provided payments to approximately 62 percent of all those participating in state Medicaid and CHIP programs. This Medicaid and CHIP Targeted distribution will make the Provider Relief Fund available to the remaining 38 percent. HHS has already provided relief funding to over one million providers, and today’s announcement is expected to reach several hundred thousand more, many of whom are safety net providers operating on thin margins.

This funding offers relief to those experiencing lost revenues or increased expenses due to COVID-19. Examples of providers, serving Medicaid/CHIP beneficiaries, possibly eligible for this funding include pediatricians, obstetrician-gynecologists, dentists, opioid treatment and behavioral health providers, assisted living facilities and other home and community-based services providers.

To be eligible for this funding, health care providers must not have received payments from the $50 billion Provider Relief Fund General Distribution and either have directly billed their state Medicaid/CHIP programs for health care-related services between January 1, 2018, to May 31, 2020. Close to one million health care providers may be eligible for this funding.

Read the announcement.

Learn more about eligibility and the application process here. 

HHS also announced the distribution of $10 billion in Provider Relief Funds to safety net hospitals. The safety net distribution will occur this week. For updated information and data on the Provider Relief Fund, visit hhs.gov/providerrelief

MGMA to Congress: Lift the ban on unique patient identifier

MGMA joined 68 leading healthcare organizations calling on Congress to reject the inclusion of outdated language in Fiscal Year 2021 Appropriations legislation that prohibits HHS from spending any federal dollars to adopt a national unique patient identifier (UPI). Last year, the US House of Representatives voted to remove the ban but the Senate opposed the measure. Removing the prohibition will permit HHS to evaluate a range of solutions that protects patient privacy and is cost-effective, scalable, and secure. Deployment of a UPI would allow practices to more effectively match patient records, decrease medical errors, and facilitate EHR interoperability.