RISE summarizes recent regulatory-related headlines.
CMS warns it will stop states that provide Medicaid to undocumented immigrants
The Centers for Medicare & Medicaid Services (CMS) said it will increase financial oversight to stop states from misusing federal Medicaid dollars to cover health care for individuals who are in the country illegally. The agency will conduct focused evaluations of select state Medicaid spending reports, in-depth reviews of select states’ financial management systems, and assessments of existing eligibility rules and policies to close loopholes and strengthen enforcement.
CMS Administrator Dr. Mehmet Oz said that under federal law, Medicaid funding is generally only available for emergency medical services for noncitizens with unsatisfactory immigration status who would otherwise be Medicaid-eligible, but some states have pushed the boundaries, putting taxpayers on the hook for benefits that are not allowed.
“Medicaid is not, and cannot be, a backdoor pathway to subsidize open borders,” Dr. Oz said in an announcement. “States have a duty to uphold the law and protect taxpayer funds. We are putting them on notice—CMS will not allow federal dollars to be diverted to cover those who are not lawfully eligible.”
CMS urges all states to immediately examine and update internal controls, eligibility systems, and cost allocation policies to ensure full compliance with federal law. The agency said it plans to recoup the federal share if there was any improper spending on noncitizens.
CMS seeks information from hospitals that provide pediatric transgender procedures
Hospitals that perform “pediatric sex trait modification procedures” received a letter on Wednesday from CMS outlining “urgent concerns” about both adherence to quality standards and profits related to the procedures.
“These are irreversible, high-risk procedures being conducted on vulnerable children, often at taxpayer expense,” said Oz in an announcement. “Hospitals accepting federal funds are expected to meet rigorous quality standards and uphold the highest level of stewardship when it comes to public resources—we will not turn a blind eye to procedures that lack a solid foundation of evidence and may result in lifelong harm.”
CMS has concerns over what it describes as a lack of reliable clinical evidence supporting the quality and safety of puberty blockers, cross-sex hormones, and sex trait modification surgeries for minors. These procedures, the agency said, raise serious questions about informed consent protocols, adverse outcomes, and financial incentives that may be reimbursed by federal health care programs.
The CMS letter focuses on:
- Detailed explanations of how informed consent is obtained for pediatric patients and whether parental involvement is mandatory
- Any planned updates to clinical guidelines considering comprehensive review of scientific research
- Documentation requirements for adverse outcomes, including cases involving regret or de-transition
- Provider financials, including billing codes utilized for sex trait modifications, facility and provider-level revenue, facility and provider-level profits, and projected revenue for these service lines.
Hospitals are expected to respond within 30 days.
Kidney Care Choices Model gets an update, extension
CMS this week announced a set of changes to the Kidney Care Choices (KCC) model beginning in performance year 2026. The changes aim to improve the model’s sustainability. CMS said it will:
- Extend the model by one year through 2027
- Expand core-based statistical area (CBSA) rules to include other U.S. territories
- Add a 1 percent discount for CKD benchmarks beginning in performance year 2026 for participants in the global risk track
- Add a 1 percent discount for CKD and ESRD benchmarks, separately, beginning performance year 2026
- Reduce the chronic kidney disease quarterly capitation payment by 50 percent
- Eliminate the kidney transplant bonus beginning performance year 2026
- End the Kidney Care First option at the end of performance year 2025, one year earlier than planned
OCR settles with Florida provider over potential HIPAA security rule failures
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has settled with BayCare Health System, a Florida health care provider, over concerns with potential violations of the HIPAA Security Rule. The settlement resolves an OCR investigation triggered by a 2018 complaint over impermissible access to an individual’s electronic protected health information (ePHI).
“In an era of hacking and ransomware attacks, HIPAA-regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval in the announcement. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”
A patient who received treatment at a BayCare facility said she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen. The investigation determined that the credentials used to access the patient’s medical record belonged to a non-clinical former staff member of a physician’s practice, which had access to BayCare’s electronic medical records.
The OCR investigation found BayCare potentially violated multiple HIPAA Security Rule requirements, including failure to:
- Implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the HIPAA Privacy Rule
- Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level
- Regularly review records of information system activity
Under the terms of the settlement, BayCare agreed to implement a corrective action plan that OCR will monitor for two years and pay OCR $800,000. As part of the corrective action plan, BayCare will take steps to resolve its potential violations of the HIPAA Security Rule and to protect the privacy and security of ePHI, including:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI
- Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis
- Revise, as necessary, its written policies and procedures to comply with the HIPAA Rules
- Train its workforce that has access to ePHI on its HIPAA policies and procedures