InfoBytes Blog

HHS releases health care cybersecurity guide

On March 8, the Department of Health and Human Services (HHS) released a cybersecurity implementation guide to assist public and private health care sectors prevent cybersecurity incidents. The Cybersecurity Framework Implementation Guide was developed jointly with the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Council Cybersecurity Working Group. Substantial contributions to the guide were also provided by the National Institute for Standards and Technology (NIST) and other federal agencies. HHS explained that the guide is intended to help health care organizations implement the 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity using their existing security measures, stating that the guide should be used to assess current cybersecurity practices and risks and identify gaps for remediation. Among other things, the guide (i) outlines risk management principles and best practices; (ii) provides common language for addressing and managing cyber risk; (iii) lays out a structure for applying cyber risk management; and (iv) identifies “effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs.”

Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance Federal Issues Department of Health and Human Services NIST

Biden orders agency action on medical debt

On April 11, the Biden administration released a Fact Sheet regarding an initiative to decrease “malicious” and “predatory” billing and collection practices related to medical debts, including holding medical providers and debt collectors “accountable for harmful practices.” According to the Fact Sheet, the administration has ordered several agencies to take actions intended to “lessen the burden of medical debt and increase consumer protection.” The Fact Sheet provides “guidance to all agencies to eliminate medical debt as a factor for underwriting in credit programs,” and states, among other things, that the: (i) FHFA is reviewing the credit models that Fannie Mae and Freddie Mac use; (ii) USDA is discontinuing “the inclusion of any recurring medical debts into borrower repayment calculations”; and (iii) VA is reviewing its underwriting guidelines to ensure it minimizes or eliminates medical debt reporting as a proxy for creditworthiness. Additionally, the Fact Sheet noted that the Department of Health and Human Services is requesting data from over 2,000 providers on medical bill collection practices, lawsuits against patients, financial assistance, financial product offerings, and third party contracting or debt buying practices. The Fact Sheet also noted that the CFPB “will investigate credit reporting companies and debt collectors” in regard to “patients’ and families’ rights,” which includes targeting “coercive credit reporting” and determining whether medical debts should be included in consumer credit reports.

Federal Issues Biden Consumer Finance Medical Debt FHFA Freddie Mac Fannie Mae USDA Department of Veterans Affairs Department of Health and Human Services

CFPB looks at removing medical debt from credit reports

On March 1, the CFPB announced plans to review whether data on unpaid medical bills should be included in consumer credit reports. The Bureau stated in its report, Medical Debt Burden in the United States, that research found $88 billion in medical debt on consumer credit reports, accounting for 58 percent of all uncollected debt tradelines reported to credit reporting agencies (CRAs). “Our credit reporting system is too often used as a tool to coerce and extort patients into paying medical bills they may not even owe,” CFPB Director Rohit Chopra said in a statement.

The Bureau noted that medical debt is often less transparent than other types of debt, due to opaque pricing, complicated insurance, charity care coverage, and pricing rules, reporting that in many instances, consumers may not even sign a billing agreement until after receiving treatment. Medical debts often end up in collections, the Bureau added, which can cause far-ranging repercussions even if the bill itself is inaccurate or erroneous. The report noted additional challenges for uninsured consumers, as well as for Black and Latino families, consumers with low incomes, veterans, older adults, and young adults of all races and ethnicities. The report further stated that the Covid-19 pandemic has exacerbated the situation, with costs and medical debt expected to increase post-pandemic, and found that medical debt weakens underwriting accuracy, as it is less predictive of future repayment than reporting on traditional credit obligations. The Bureau pointed out that it has seen dramatic effects when newer credit scoring models weigh medical collections tradelines less heavily, but noted that there has been very little adoption of this approach so far.

The Bureau stated it intends to examine CRAs to ensure they are collecting accurate information from medical debt collectors and expects CRAs to take action against furnishers who routinely report inaccurate information, including cutting off their access to the system. The Bureau also plans to work with the Department of Health and Human Services to make sure consumers are not forced to pay more than the amount due for medical debt. A January compliance bulletin reminded debt collectors and CRAs of their legal obligations under the FDCPA and the FCRA when collecting, furnishing information about, and reporting medical debts covered by the No Surprises Act. The Bureau also recently supported changes by the Department of Veterans Affairs to amend its regulations related to the conditions by which VA benefit debts or medical debts are reported to CRAs. (Covered by InfoBytes here and here.)

Federal Issues CFPB Consumer Finance Medical Debt Credit Reporting Agency Covid-19 FDCPA FCRA Department of Veterans Affairs Department of Health and Human Services Debt Collection

Supreme Court blocks OSHA mandate

On January 13, a divided U.S. Supreme Court issued an order blocking a Department of Labor’s Occupational Safety and Health Administration (OSHA) rule mandating that employers with 100 or more employees require employees to be fully vaccinated or be subject to a weekly Covid-19 test at their own expense. However, in a separate order the Court allowed a separate rule issued by the Department of Health and Human Services requiring Covid-19 vaccinations for health care workers (unless exempt for medical or religious reasons) at Medicare- and Medicaid-certified providers and suppliers to take effect.

In November, the U.S. Court of Appeals for the Fifth Circuit issued a nationwide stay on the emergency temporary standard (ETS) that included the mandate to employers, describing enforcement of the ETS illegitimate and calling the OSHA rule “unlawful” and “likely unconstitutional.” (Covered by InfoBytes here.) However, last month, the 6th Circuit lifted the stay in a 2-1 ruling, stating that “[b]ased on [OSHA’s] language, structure and Congressional approval, OSHA has long asserted its authority to protect workers against infectious diseases.” (Covered by InfoBytes here.) The applicants, seeking emergency relief from the Court to reinstate the stay, argued that the rule exceeded OSHA’s statutory authority and is otherwise unlawful.

In agreeing that the applicants are likely to prevail, the Court majority granted the application for relief and stayed the OSHA rule pending disposition of the applicants’ petitions for review in the 6th Circuit, as well as disposition of any timely petitions for writs of certiorari. “Although Congress has indisputably given OSHA the power to regulate occupational dangers, it has not given that agency the power to regulate public health more broadly,” the majority wrote. Adding that the ETS is a “blunt instrument” that “draws no distinctions based on industry or risk of exposure to COVID-19,” the majority stated that the Occupational Safety and Health Act does not plainly authorize the rule.

The dissenting judges argued that the majority’s decision “stymies the Federal Government’s ability to counter the unparalleled threat that COVID–19 poses to our Nation’s workers. Acting outside of its competence and without legal basis, the Court displaces the judgments of the Government officials given the responsibility to respond to workplace health emergencies.”

With respect to the Department of Health and Human Services rule, the Government applied to stay injunctions issued by two district courts preventing the rule from taking effect. In granting the application and staying the injunctions, the majority of the Court found that one of the Department’s basic functions authorized by Congress “is to ensure that the healthcare providers who care for Medicare and Medicaid patients protect their patients’ health and safety,” concluding that “[h]ealthcare workers around the country are ordinarily required to be vaccinated for diseases” and that “addressing infection problems in Medicare and Medicaid facilities is what [the Secretary] does.” 

In dissent, four justices argued that the efficacy or importance of Covid-19 vaccines was not at issue in assessing the injunctions, stating that the district court cases were about “whether [the Centers for Medicare and Medicaid Services] has the statutory authority to force healthcare workers, by coercing their employers, to undergo a medical procedure they do not want and cannot undo,” and arguing that “the Government has not made a strong showing that Congress gave CMS that broad authority.”

Courts U.S. Supreme Court Appellate Sixth Circuit OSHA Covid-19 Department of Labor Department of Health and Human Services Fifth Circuit