Regulatory roundup: Federal gender nondiscrimination rule put on hold; Fed judge pauses CMS caps to MA brokers, agents pay; and more

RISE summarizes recent regulatory-related headlines.

Federal gender nondiscrimination rule put on hold

It didn’t take long for the health care industry to face repercussions of the Supreme Court’s recent decision to overturn the “Chevron deference,” a landmark ruling that has weakened the authority of federal agencies.

Earlier this week, a federal judge in Mississippi issued a nationwide preliminary injunction to prevent the implementation of a final rule to advance protections against discrimination in health care while a lawsuit over the rule moves through the courts. The final rule by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights and the Centers for Medicare & Medicaid Services was supposed to take effect on July 5. The injunction prevents the federal agencies from enforcing or implementing provisions that were meant to extend the prohibition on discrimination based on sex to include sexual orientation and gender identity.

U.S. District Judge Louis Guirola Jr. of the Southern District of Mississippi sided with the 15 states that claim the agencies exceeded their statutory authority with the rule. The states argue the rule, which implements Section 1557 of the Affordable Care Act but references Title IX of the Education Amendments of 1972, would require them to use taxpayer funds to pay for gender-transition surgeries and that failure to do so could threaten federal funding. Guirola determined that since the word “sex” is not defined in Title IX, courts must interpret the term according to its meaning in or around 1972, when the statute was enacted. HHS acted unreasonably when it conflated the phrase “on the basis of sex” with the phrase “on the basis of gender identity.”

Fed judge pauses CMS caps to MA brokers, agents pay

In another case, U.S. District Judge Reed O’Connor of the Northern District of Texas Fort Worth Division has placed a stay on the Centers for Medicare & Medicaid Services’ (CMS) plans to cap administrative payments and restrict contract terms.

CMS’ 2025 Medicare Advantage final rule aimed to set fixed amounts that insurers pay agents and brokers regardless of the Medicare Advantage or Part D plan an individual enrolls in. The agency wanted to crack down on bonuses that some insurers offered to brokers or agents to steer consumers to their plans even if they didn’t meet the individuals’ needs.

Americans for Beneficiary Choice, Council for Medicare Choice, Senior Security Benefits, LLC, Fort Worth Association of Health Underwriters, Inc., and Vogue Insurance Agency argued that the caps and contract restrictions are arbitrary and capricious, and that the agency failed to substantiate key parts of the final rule, did not sufficiently address reliance interests, did not provide fair notice of what was prohibited in contract-terms restrictions, did not sufficiently respond to public comments, and did not adequately explain how and why it reached the fixed fee amount.

In the opinion and order, O’Connor said the plaintiffs do face more severe harm than CMS. Furthermore, he is not convinced that the compensation framework that had been in place for over 15 years is so flawed that the changes must be instituted now. Therefore, he granted a stay of the effective date of the fixed fee and contract term restrictions. He ordered all parties to submit a summary judgment schedule by July 17.

OIG: Independent Health Associates, Inc. received $7M in overpayments in 2016 and 2017

A recent Office of Inspector General (OIG) audit estimated that Independent Health Associates, Inc. (IHA) received at least $7 million in overpayments for 2016 and 2017 for submitting high-risk diagnosis codes not supported in medical records. OIG based the audit on a sample of 247 enrollees that had high-risk codes and for which IHA received the higher payments. Auditors limited the review to payments associated with the high-risk diagnosis codes, which totaled $744,772. OIG found that 230 medical records of 247 didn’t support the diagnosis codes and resulted in $646,217 in overpayments. Based on the sample, OIG estimated that IHA received $7 million in overpayments. However, due to CMS regulations that only allow the recoupment of extrapolated overpayments beginning with payment year 2018, OIG only recommends a refund of $646,217. In addition, OIG recommends that IHA investigate similar instances of noncompliance that occurred before or after the audit period and refund any resulting overpayments to the federal government. It also wants IHA to continue to examine existing compliance procedures to identify areas where it can make improvements to ensure high-risk diagnosis codes aren’t miscoded.

GOP lawmakers urge watchdog agencies to review potential fraud in ACA plans

House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.), House Ways and Means Committee Chair Jason Smith (R-Mo.), and House Judiciary Committee Chair Jim Jordan (R-Ohio) are urging the HHS Inspector General and Government Accountability Office (GAO) Comptroller General to conduct systemic reviews of enrollment to determine improper enrollments in Affordable Care Act (ACA) plans.

The requests come in the wake of a release of a paper from Paragon Health Institute, which estimates that four to five million people are improperly enrolled in fully-subsidized ACA plans at a cost of $15 to $26 billion per year to taxpayers. The letters say the problem appears to be particularly acute in certain states, with some reporting hundreds of thousands, and, in one case, millions more individuals enrolled in these plans than are reasonably likely to be eligible. More than half of all enrollees in the federal exchange now report incomes between 100 and 150 percent of FPL—notably higher than the historical average of roughly 40 percent—further demonstrating the breadth of the enrollment incongruity. Estimates show the cost of improperly enrolled individuals in “zero-premium” plans is $15 billion to $20 billion per year and potentially as high as $26 billion per year. If these estimates are accurate, it implies that these improper payments represent more than half the cost of making the expanded subsidies permanent.

OIG to investigate MA’s use of prior authorization for post-acute care

OIG has announced plans to examine Medicare Advantage (MA) organizations’ use of prior authorization in post-acute settings. Prior investigations revealed that MA organizations sometimes denied prior authorization requests for post-acute care after a qualifying hospital stay even though the requests met Medicare coverage rules. OIG said it will examine selected MA organizations’ processes for reviewing prior authorization requests for post-acute care in long-term acute care hospitals, inpatient rehabilitation facilities, and skilled nursing facilities. It expects to issue a report in FY 2026.

HHS, FBI warn health care providers about phishing, ransomware attacks

The Federal Bureau of Investigation (FBI) and HHS released a joint cybersecurity advisory about phishing and ransomware attacks targeting health care, public health entities, and providers. The phishing schemes steal login credentials for initial access and then divert automated clearinghouse payments to US bank accounts.

The advisory notes that health care organizations are attractive targets due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions. To combat the likelihood of an incident, the FBI and HHS urge organizations to put into effect the following recommendations:

  • Implement multi-factor authentication for every account 
  • Train IT Help Desk employees on multi-factor authentication bypasses 
  • Audit remote access tools on your network to identify currently used and/or authorized software 
  • Review logs for execution of remote access software to detect abnormal use of programs running as a portable executable
  • Use security software to detect instances of remote access software being loaded only in memory 
  • Require authorized remote access solutions to be used only from within your network over approved remote access solutions, such as virtual private networks or virtual desktop interfaces 
  • Block both inbound and outbound connections on common remote access software ports and protocols at the network perimeter

HHS OCR settles HIPAA Security Rule failures for $950K

HHS Office for Civil Rights (OCR) announced a settlement with Heritage Valley Health System concerning violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, following a ransomware attack. The organization, which provides care in Pennsylvania, Ohio, and West Virginia, agreed to pay $950,000 and implement a corrective action plan that will be monitored by OCR for three years. Heritage Valley will also take steps to resolve potential violations of the HIPAA Security Rule and protect the security of electronic protected health information. Since 2018, there has been a 264 percent increase in large breaches reported to OCR involving ransomware attacks. “Hacking and ransomware are the most common type of cyberattacks within the health care sector. Failure to implement the HIPAA Security Rule requirements leaves health care entities vulnerable and makes them attractive targets to cyber criminals,” said OCR Director Melanie Fontes Rainer in the announcement. “Safeguarding patient protected health information protects privacy and ensures continuity of care, which is our top priority. We remind and urge health care entities to protect their records systems and patients from cyberattacks.”

OCR encourages health care organizations to take the following steps to prevent cyberthreats:

  • Train their workforce on their HIPAA policies and procedures
  • Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations
  • Integrate risk analysis and risk management into business processes; conduct them regularly and when new technologies and business operations are planned
  • Ensure audit controls are in place to record and examine information system activity
  • Implement regular review of information system activity
  • Use multi-factor authentication to ensure only authorized users are accessing electronic protected health information (ePHI)
  • Encrypt ePHI to guard against unauthorized access to ePHI
  • Incorporate lessons learned from incidents into the overall security management process
  • Provide training specific to organization and job responsibilities and on a regular basis; reinforce workforce members’ critical role in protecting privacy and security

HHS issues proposed rule to improve patient engagement, information sharing, and public health interoperability

HHS, through the Office of the National Coordinator for Health Information Technology (ONC), has released a proposed rule to advance interoperability and improve information sharing among patients, providers, payers, and public health authorities.

The Health Data, Technology, and Interoperability: Patient Engagement, Information Sharing, and Public Health Interoperability (HTI-2) proposed rule includes two sets of new certification criteria designed to enable health IT for public health as well as health IT for payers to be certified under the ONC Health IT Certification Program. The new criteria aim to improve public health response and advance the delivery of value-based care. It focuses heavily on standards-based application programming interfaces to improve end-to-end interoperability between data exchange partners (health care providers and public health organizations or payers).

The proposed rule would also create a new “Protecting Care Access” information blocking exception, which would address concerns about potential information blocking consequences if an entity chooses to limit sharing of a patient’s reproductive health care information in certain circumstances. This proposal builds on other key steps HHS has taken to strengthen patient and provider privacy, including for those seeking or providing lawful reproductive care. The proposed rule is expected to be published in the Federal Register in the upcoming week and will be open for public comment for 60 days. ONC said it will host a series of information sessions about the proposed rule in the coming weeks.