In light of the president’s nation-wide emergency declaration on Friday, the Department of Health and Human Services (DHHS) announced waivers of various compliance requirements related to the Medicare, Medicaid and CHIP programs as well as certain HIPAA requirements for hospitals. These waivers took effect on March 15, 2020 but have a retroactive effective date of March 1, 2020.
With respect to compliance with Medicare, Medicaid and CHIP program requirements, DHHS empowered the Centers for Medicare and Medicaid Services (CMS) to waive requirements to the extent necessary “to ensure that sufficient health care items and services are available to meet the needs of individuals enrolled” in those programs. To be excused from compliance, providers must still provide items and services in good faith and not engage in fraud or abuse.
DHHS identified the following areas eligible for waivers as deemed necessary by CMS:
- Certain Medicare, Medicaid and CHIP program and enrollment requirements, including conditions of participation and certification requirements;
- Requirements that providers must hold a license in the state in which they provide services if the provider holds an equivalent, active and unrestricted license in another state;
- Certain Emergency Medical Treatment and Labor Act (EMTALA) provisions relating to relocating or transferring an individual related to the COVID-19 pandemic;
- Sanctions relating to limitations on physician referrals; and
- Limitations on payments for items and services provided to an individual enrolled in Medicare Advantage by a provider not included in the plan’s network.
As the Social Security Act does not allow for waiver of deadlines and timetables for the performance of required activities under the Medicare, Medicaid and CHIP programs, DHHS further empowered CMS to modify program deadlines and timetables as necessary to ensure that items and services are available to enrolled individuals and to ensure that providers who furnish those items or services in good faith are reimbursed and not sanctioned for noncompliance.
In a press release, CMS publicized the following waivers and flexibilities related to providers:
- a temporary suspension of some of the Medicare enrollment screening requirements including site visits and fingerprinting;
- providers may render services outside their state of enrollment;
- providers may obtain temporary Medicare billing privileges through a toll-free hotline that CMS will establish; and
- a temporary suspension of non-emergency survey inspections and enforcement activities.
CMS has a site dedicated to waivers and flexibilities where more information can be found. Waiver information is also available on DHHS’ ASPR site.
As for HIPAA waivers, DHHS announced that hospitals that have instituted a disaster protocol will get relief from certain HIPAA requirements for up to 72 hours after implementing its disaster protocol. For those hospitals, DHHS is waiving the following HIPAA requirements:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
- the requirement to honor a request to opt out of the facility directory;
- the requirement to distribute a notice of privacy practices;
- the patient’s right to request privacy restrictions; and
- the patient’s right to request confidential communications.
Obviously, these waivers are designed to reduce the administrative and operational burdens related to the compliance areas above. Covered hospitals should note the limited timeframe of the applicable waiver.
We are likely to see more waivers over the coming days and weeks. For providers, it is most important to act in good faith and do the best that they can during these challenging times. I believe that sanctions or enforcement activities related to conduct during this pandemic will be reserved for the most egregious conduct and that those providers acting reasonably and in good faith will be spared.