CMS Finalizes New Rules for Medicare Advantage Marketing and Prior Authorizations

The Centers for Medicare & Medicaid Services (“CMS”) recently finalized new rules (88 FR 22120) seeking to streamline Medicare Advantage (“MA”) and Medicare Part D prior authorizations and further penalize misleading marketing practices. The final rule takes effect on June 5, 2023.

Regarding prior authorizations, coordinated care plan prior authorization policies may only be used to confirm the presence of diagnoses or other medical criteria and/or ensure that an item or service is medically necessary. Coordinated care plans must also provide a minimum 90-day transition period when a beneficiary undergoing treatment switches to a new MA plan, during which the new plan cannot require prior authorization for the active course of treatment. All MA plans are required under the new rule to establish utilization management committees to review policies annually and ensure consistency with traditional Medicare national and local coverage decisions and guidelines. However, prior authorization approvals are still required to meet CMS’s medically reasonable and necessary standard.

To address misleading marketing practices, CMS has instituted a prohibition on advertisements that do not mention a specific plan name or that use words and imagery that may confuse beneficiaries. CMS has further prohibited advertisements from using Medicare logos in ways that are misleading or confusing, or that misrepresent the plan.

A fact sheet for the new rule can be found here.

HHS’s 90-Day Grace Period and Other Cybersecurity Efforts Impacting Healthcare

Following the expiration of the COVID-19 federal public health emergency on May 11, 2023, the Department of Health and Human Services' ("HHS") Office for Civil Rights ("OCR") will no longer refrain from imposing potential penalties for violations of certain provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") privacy rule for uses and disclosures of protected health information ("PHI") by business associates. However, the OCR announced that there will be a 90-calendar day transition period for covered healthcare providers to come into compliance with HIPAA with respect to their provision of telehealth using non-public-facing remote communication technologies. This transition period went into effect on May 12, 2023, and will expire at 11:59 p.m. on August 9, 2023.

Following the announcement of the end of the public health emergency, HHS, through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Council Joint Cybersecurity Working Group, released a cybersecurity framework implementation guide to help both the public and private healthcare sectors prevent cybersecurity incidents. The Cybersecurity Framework Implementation Guide provides specific steps that healthcare organizations can take immediately to manage cyber risks to their information technology systems.

Around the same time, the Biden Administration issued its National Cybersecurity Strategy. Specifically, the Strategy aims at rebalancing responsibility to defend cyberspace by shifting the burden for cybersecurity onto organizations that are most capable. The Strategy has significant implications for critical infrastructure entities, including the healthcare sector. The Strategy will be overseen by the Office of the National Cyber Director, which has already begun the implementation process.