With both chambers returning from recess this week, attention is focused on Senate consideration of the House-passed bill to permanently repeal Medicare’s physician payment system. While the last “doc fix” expired March 31, the Centers for Medicare and Medicaid Services (CMS) indicated it would hold claims for two weeks to allow Congress to return from the district work period and resume consideration of the legislation. The Senate has until Wednesday to take action on the bill to avoid steep cuts to physicians’ reimbursement rates, though an additional short-term patch may be utilized in order to consider Senate amendments to the House-passed legislative package.
While there is concern that changing any of the House language could slow down and undermine the viability of the legislation, there are key modifications that would bolster support in the Senate. Some Democrats are advocating for a four-year funding extension for the Children’s Health Insurance Program (CHIP), as opposed to the two-year extension included in the House-passed bill, and some Republicans are seeking out ways to fully offset the entire cost of the legislation.
This Week’s Hearings:
- Tuesday, April 14: The House Committee on Education and the Workforce Subcommittee on Health, Employment, Labor, and Pensions will hold a hearing titled “Five Years of Broken Promises: How the President’s Health Care Law is Affecting America’s Workplaces.”
- Tuesday, April 14: The House Committee on Appropriations Subcommittee on Defense will hold a hearing titled “Defense Health Program Budget.”
- Tuesday, April 14: The House Committee on Ways and Means Subcommittee on Health will hold a hearing on the individual and employer mandates in the President’s health care law.
- Tuesday, April 14: The Senate Committee on Finance will hold a hearing titled “Creating a More Efficient and Level Playing Field: Audit and Appeals Issues in Medicare.”
- Wednesday, April 15: The House Committee on Appropriations Subcommittee on Labor, Health and Human Services, Education, and Related Agencies will hold a budget hearing on Ebola.
- Wednesday, April 15: The House Committee on Veterans’ Affairs will hold a hearing titled “Denver VA Medical Center: Constructing a Way Forward.”
- Wednesday, April 15: The House Committee on Foreign Affairs Subcommittee on Africa, Global Health, Global Human Rights, and International Organizations will hold a hearing titled “The Continuing Threat of Neglected Tropical Diseases.”
- Thursday, April 16: The House Committee on Energy and Commerce Subcommittee on Health will hold a hearing titled “Medicare Post Acute Care Delivery and Options to Improve It.”
Another month, another round of data breaches – seem like a familiar refrain when healthcare providers, health plans and their counsel think about cybersecurity? But what if instead we could get organized and manage this growing business risk in a more proactive manner?
It sounds like a good idea, but for many counsel, who view themselves as less than tech-savvy, it is hard to put together the pieces and formulate a strategy. And for highly regulated industries, holding highly sensitive personal information, like healthcare, making mistakes is costly. Here, we have laid out a simple set of key steps for thinking about cybersecurity at the organizational level. Keep an eye out for future postings where we will explore cybersecurity in more detail – and we promise, no computer science degree or extensive IT experience required!
Key Steps for a Sound Cybersecurity Program – first, it is critical that organizations consider cybersecurity (or “information security,” or “data protection,” if you prefer) to be a program, an ongoing part of the business that demands leadership and commitment, and not a one-time project. Successful organizations develop sound practices and then maintain constant vigilance, using a risk management mindset. Next, a few key steps help organize the work and provide a structure for regular leadership discussions.
- Know Your Information Assets. It’s as simple as this: if you don’t know about it, you cannot protect it. For many organizations, information technology (IT) infrastructures grow organically and over time through individual business unit activities, discrete projects and acquisitions/changes in business structure. Taking an overarching view of the IT infrastructure (sometimes called an “enterprise architecture” view), helps identify how and where sensitive information is stored, and who needs access. A well-maintained asset inventory, including the data maintained, can also help the information security program recognize asset and risk categories, as well as affinities among business groups – improving their risk assessment capabilities. These categories can also help to better segment your internal network and limit access to only those who have a need-to-know. Segmentation is a valuable cybersecurity strategy, because it can limit the damage hackers (internal or external) can do when your environment is compromised.
- Recognize and Understand Legal Obligations. Healthcare organizations often equate cybersecurity with the HIPAA Security Rule, but HIPAA is just one of many legal obligations in the information security area (and such thinking can leave serious risks unaddressed, since the HIPAA regulations were primarily developed before external, Internet-based threats became a common part of our world). At the federal level, healthcare groups should also understand and track the Federal Trade Commission’s (FTC) current activities in data privacy and information security, as well as Congressional efforts aimed at improving information sharing and standardizing breach notification. The Food & Drug Administration (FDA) has also issued guidelines to improve cybersecurity for medical devices, and the White House recently proposed legislation in support of its Consumer Privacy Bill of Rights. From a state-level perspective, it is critical for healthcare organizations to understand general data protection and breach notification requirements, in addition to healthcare-specific laws. For example, organizations that hold certain personally identifiable information for Massachusetts residents (whether patients, members, employees or others) must implement and document a proactive information security program that includes specific safeguards and vendor governance – similar requirements have arguably become the industry-wide de facto standard of care.
- Implement & Maintain a Standards-Based Information Security Program. A risk management based information security program should have clear executive ownership and address people, process, policy and technical controls. Treating cybersecurity as just another IT project or “IT’s problem” invites serious gaps and significant risk. Moreover, as technical controls become increasingly sophisticated, people become more common targets through e-mail phishing and social engineering. Cybersecurity – like patient care, customer service and expense management – is an issue for every team member. A variety of resources are available to structure (and measure) your comprehensive cybersecurity program. Two great places to start are the National Institute of Standard & Technology’s (NIST) Cybersecurity Framework – a product of the Administration’s 2013 Executive Order 13636, Improving Critical Infrastructure Cybersecurity – and HITRUST’s Common Security Framework (CSF), while others, such as the ISO 27000 Series of information security program standards, NIST’s 800-53 controls for federal systems, under the Federal Information Security Management Act (FISMA), the Top 20 Critical Security Controls (also known as the Consensus Audit Guidelines, or CAG), ISACA’s Control Objectives for IT (COBIT) and the Payment Card Industry Data Security Standards (PCI-DSS), can also be invaluable, according to specific organization needs.
- Seek External Review / Certification. A variety of external reviews and certifications are available to assess an organization’s cybersecurity program. Independent, third-party reviews against industry standards can provide an unbiased view of current status and opportunities, while certifications (such as those from HITRUST and others) can provide market differentiation by offering assurances to business partners and customers. Increasingly, underwriters also require such assessments to obtain cyberinsurance coverage – another key component in the cybersecurity risk management toolbox.
- Monitor & Report. Finally, ongoing monitoring and reporting for your cybersecurity program allow for continuous improvement and leadership visibility. NIST’s Cybersecurity Framework provides a concept (and structure) for “profiles” that help organizations describe and communicate their current (“as is”) state as well as a target (or “to be”) state – helping to lay out a strategy and maintain focus.
Finally, healthcare organizations may wish to seek out opportunities to share information and collaborate with others in trusted forums, as they develop and maintain their cybersecurity programs, whether through standards organizations, or an information sharing and analysis center, like the National Health ISAC (NH-ISAC). For more details on furthering development of Information Sharing and Analysis Organizations (ISAOs), see Executive Order, Promoting Private Sector Cybersecurity Information Sharing.
Lawmakers Continue Negotiations on Doc Fix Package, Working Framework Announced
With the current patch expiring on March 31, lawmakers continued over the weekend to negotiate a legislative package to permanently repeal Medicare’s automatic payment cut to physicians. H.R. 1470 is very similar to the bipartisan legislation that key committees in both chambers approved last year. It provides an annual pay increase of 0.5 percent to physicians through 2019 and establishes an incentive payment program, titled “Merit-Based Incentive Payment System” (MIPS), to assess eligible professionals in quality, resource use, electronic health record (EHR) Meaningful Use (MU), and clinical practice improvement activities. It consolidates three current incentive programs – the Physician Quality Reporting System (PQRS), the Value-Based Modifier, and MU of EHRs. The legislation also provides financial incentives for professionals to become involved in alternative payment models.
Other provisions of H.R. 1470 address care management for individuals with chronic care needs, transparency of utilization and payment data for physicians and professionals, expansion of claims data availability, automatic renewal for professionals who opt-out of Medicare, and the reporting of such professional characteristics. The bill requires EHRs to be interoperable by 2018 and prohibits the purposeful blocking of information sharing with other EHR vendor products. The Secretary of the Department of Health and Human Services is required to issue a report providing recommendations on a permanent physician-hospital gainsharing program, as well as a report to examine the feasibility of establishing mechanisms to assist providers in comparing and selecting EHR technology products. The Government Accountability Office is to report on aspects of telehealth and remote patient monitoring services.
The working summary of the SGR package released by the House committee leaders includes fully funding the Children’s Health Insurance Program (CHIP) through September 30, 2017. It extends all of the extenders in the current patch, in addition to funding for Community Health Centers, through 2017. The framework would permanently extend the Qualifying Individual Program and the Transitional Medical Assistance program, and the Tennessee Disproportionate Share Hospital (DSH) Allotment would be extended through 2015. The legislation also includes two Medicare bills: H.R. 284, the Medicare DMEPOs Competitive Bidding Improvement Act and H.R. 1021, the Protecting Integrity to Medicare Act.
The policies that reduce the legislation’s cost that are provided in the working framework include: income-related Medicare Part B and D premium adjustments, Medigap reforms, an increase of levy authority on payments to Medicare providers with delinquent tax debt, an incremental phase-in of the 3.2 percentage point adjustment to hospital’s base payment rate in FY 2018, a delay of Medicaid DSH changes until FY 2018 and extension of the policy through 2025, and a 1 percent market basket update for post-acute care providers.
Negotiations are steadily making progress, and the House could consider the legislation as early as this week. Notably, Democrats on the Senate Committee on Finance have expressed concerns about the current package, including the two-year extension of the Children’s Health Insurance Program (CHIP) (where they would like a four-year extension), offsets that would increase costs to beneficiaries, and the impact of health centers language on women’s health services. On the other side of the aisle, some conservative lawmakers remain concerned about the cost of the total proposed package and the potential approach that would only provide for partial offsets.
This Week’s Hearings:
- Tuesday, March 24: The House Committee on Ways and Means Subcommittee on Oversight will hold a hearing titled “The Use of Data to Stop Medicare Fraud.”
- Tuesday, March 24: The House Committee on Agriculture will hold a hearing titled “Examination of the Costs and Impacts of Mandatory Biotechnology Laws.”
- Tuesday, March 24: The House Committee on Energy and Commerce Subcommittee on Health will hold a hearing titled “Examining the 340B Drug Pricing Program.”
- Tuesday, March 24: The Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a hearing titled “Continuing America’s Leadership: Advancing Research and Development for Patients.”
- Tuesday, March 24: The Senate Committee on Veterans’ Affairs will hold a hearing titled “The Veterans Choice Act – Exploring the Distance Criteria.”
- Wednesday, March 25: The House Committee on Appropriations Subcommittee on Labor, Health and Human Services, Education, and Related Agencies will hold a hearing titled “Centers for Disease Control and Prevention Budget.”
- Wednesday, March 25: The House Committee on Veterans’ Affairs will hold a hearing titled “Examining Access and Quality of Care and Services for Women Veterans.”
- Wednesday, March 25: The Senate Committee on Appropriations Subcommittee on Defense will hold a hearing to review the FY 2016 funding request and budget justification for the Defense Health Program.
- Wednesday, March 25: The Senate Committee on Aging will hold a hearing titled “The Fight Against Alzheimer’s Disease: Are We on Track to a Treatment by 2025?”
- Thursday, March 26: The House Committee on Energy and Commerce Subcommittee on Oversight and Investigations will hold a hearing titled “Examining the Growing Problems of Prescription Drug and Heroin Abuse: State and Local Perspectives.”
- Thursday, March 26: The House Committee on Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies will hold a hearing titled “Federal Investments in Neuroscience and Neurotechnology Oversight.”
- Thursday, March 26: The Senate Committee on Veterans’ Affairs will hold a hearing titled “VA Opioid Prescription Policy, Practice, and Procedures.”
Congressmen Negotiate SGR Package
Lawmakers on the House side of the Capitol continue to negotiate a package that would prevent an anticipated cut to Medicare physician payments and include a permanent repeal of payment system. Bipartisan leaders on the House Committee on Ways and Means and the House Committee on Energy and Commerce released joint statements on Friday afternoon confirming ongoing discussions to permanently repeal the Sustainable Growth Rate (SGR) formula. If the negotiations are fruitful, legislation could be released in the House this coming week. Some conservative lawmakers have expressed concern over the cost of the proposed package and a potential approach that would only provide for partial offsets. Senate Democrats have also expressed concern over various elements of the package, including offsets that would cut Medicare benefits and a short-term extension of the Children’s Health Insurance Program (CHIP). The current patch expires on March 31.
House Considers Trauma Bills
On Monday, the House will consider several health care bills under suspension of the rules: H.R. 639, Improving Regulatory Transparency for New Medical Therapies Act, as amended; H.R. 647, Access to Life-Saving Trauma Care for All Americans Act; H.R. 648, Trauma Systems and Regionalization of Emergency Care Reauthorization Act; H.R. 284, Medicare DMEPOS Competitive Bidding Improvement Act of 2015, as amended; and H.R. 876, Notice of Observation Treatment and Implication for Care eligibility Act, as amended.
This Week’s Hearings:
- Tuesday, March 17: The Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a hearing titled “America’s Health IT Transformation: Translating the Promise of Electronic Health Records Into Better Care.”
- Thursday, March 19: The Senate Committee on Finance will hold a hearing titled “The Affordable Care Act at Five Years.”
This morning, the U.S. Supreme Court heard oral argument in King v. Burwell, which raises the issue of whether the federal government can provide tax subsidies to people who buy insurance on the federal exchange because their state declined to establish its own insurance exchange. Our earlier post details the arguments at play. SCOTUS Blog has extensive analysis of the oral argument and what can be read into the various questions and answers. In addition, Reuters speculates that the four Democratic appointees to the Court will rule in favor of the subsidies, and of the five Republican appointees, Chief Justice Roberts and Justice Kennedy are potential swing votes that could tip the scales one way or the other.
The written transcript will be available today. On Friday, audio of the argument will be available here after being released by the Court, which notably declined requests to release the audio the same day as the argument like it did in the constitutionality cases. But, only the Justices and their clerks will know the outcome until June, when a decision is expected to be issued in the final days of the Court’s term.
Commentary on the case is everywhere (the SCOTUS blog has a good collection in their Wednesday round-up), ranging from forecasts of who might win, how the individual Justices may vote, what might happen to exchange coverage if the subsidies are taken away, and whether Congress or the Obama administration have contingency plans if the subsidies disappear. The periodic barrage of commentary is likely to continue in the press until a decision comes out. In the meantime, insurers will certainly be doing contingency planning of their own, though it will likely be quieter than the political debate.
All Eyes On The Supreme Court
On Wednesday, March 4, the attention of many lawmakers will turn to the Supreme Court, where oral arguments are slated for the statutory interpretation case of King v. Burwell. The issue in this case is whether the Affordable Care Act (ACA) provides tax subsidies to individuals who purchase insurance through the federal exchange, in addition to the subsidies for those who purchase insurance through state-based exchanges, which is explicitly stated in the law. Since implementation of the ACA, individuals meeting certain income levels who buy insurance through either a state- or federally-administered exchange have been receiving tax subsidies, pursuant to Internal Revenue Service (IRS) interpretation. However, the plaintiffs in King argue that the statute only provides subsidies to people who purchase insurance from “an Exchange established by the State,” as written in plain English in the health reform law. The government contends that the legislative intent of the law was to treat all exchanges in the same manner with regard to subsidies and that this one cited phrase is contradicted by the rest of the law.
It has been estimated that seven to eight million people would lose their subsidies if the Supreme Court rules against the Administration. This decision could be a detriment to Republican legislators, who are eager to see the ACA repealed but do not want to face the wrath of voters losing their health insurance. While the Administration insists it does not have a contingency plan if the federal subsidies are indeed found to be outside of statutory authority, Republicans such as House Committee on Ways and Means Chairman Paul Ryan (R-WI) and Senate Committee on Finance Chairman Orrin Hatch (R-UT) have publicly stated the need for and their intent to form a contingency plan.
This Week’s Hearings:
- Tuesday, March 3: The House Committee on Appropriations Subcommittee on Labor, Health and Human Services, Education, and Related Agencies will hold a hearing on “National Institutes of Health.”
- Wednesday, March 4: The House Committee on Appropriations Subcommittee on Agriculture, Rural Development, Food and Drug Administration, and Related Agencies will hold a hearing on “Food and Drug Administration Budget.”
- Thursday, March 5: The House Committee on Energy and Commerce Subcommittee on Health will hold a hearing titled “Examining the 340B Drug Pricing Program.”
- Thursday, March 5: The Senate Committee on Health, Education, Labor, and Pensions (HELP) will hold a hearing titled “America’s Health IT Transformation: Translating the Promise of Electronic Health Records Into Better Care.”
The Centers for Medicare and Medicaid Services (CMS) continues to mull over the knotty problem of what it means to identify an overpayment from the government. Healthcare providers do not have the same luxury.
Five years ago, the Affordable Care Act required a provider that received an overpayment from the government to report and repay it within 60 days of identifying the overpayment. 42 U.S.C. 1320a-7(k)(d). Not satisfied with simply requiring prompt repayment, Congress also decreed that failure to make repayment within the 60-day limit creates potential liability under the False Claims Act. 80 FR 8248. In 2012, CMS stirred up controversy when it issued draft guidance implementing the 60-day rule. 77 FR 9179. The proposal was never finalized. 80 FR 8248. In an unusual move, CMS recently announced that it will postpone its rulemaking for yet another year beyond the normal three year limit. 80 FR 8247.
Like CMS, each provider must grapple with the question of whether an overpayment has been identified, even though that term is not defined in the statute. Whatever its details, the CMS rulemaking is certain to require an organization to make a reasonable inquiry into information it has received about an overpayment rather than hide its head in the sand (known legally as deliberate ignorance or willful blindness).
Although CMS may have postponed its implementing regulations, the statutory mandate is in effect. 80 FR 8248. Relators and the government have begun seeking up to treble damages by litigating against providers for failure to make timely repayment. For example, the government recently intervened after a relator sued Continuum Health Partners, Inc. in New York. See Complaint.
That litigation illustrates that relators and the Department of Justice are not waiting for CMS and neither can you. Despite uncertainty about how the regulations will try to incorporate the incredible variety of situations possible in health care, each provider must remain vigilant about identifying and returning overpayments it may have received from the government or face the enhanced penalties that may result.
News of the data breach suffered by Anthem continues to dominate the news (here, here, and here for example). And, further raising the stakes, class action lawsuits from individuals whose information has potentially been compromised are beginning to roll into courthouses across the country (California, Alabama, Indiana, Georgia, California (again), and California (again)). Because health care data is such a hot commodity on the black market, hackers often target health care providers and other entities who have health care data. Data breaches aimed at health care information were way up last year, and attempted data breaches are only expected to increase.
Encryption, which Anthem didn’t have according to news reports, goes a long way toward securing this sensitive data. However, even with encryption, it is worthwhile for providers large and small to review existing data security/breach response policies or institute new ones targeted at current technologies. Considerations include:
- Organize your data network and know what information you have and where it is (including technologies like cloud computing, printer/copiers, and employees’ mobile devices);
- Update encryption, password, and remote access policies and ensure they are followed;
- Perform a risk assessment (and document it);
- Create a protocol to monitor unauthorized attempts to access data;
- Develop a plan to respond to a data breach, including technical, legal, and business continuation considerations;
- Plan for disclosures to employees, shareholders, individuals effected, media, and/or federal regulators as required
- Review state laws that may apply for additional reporting or safeguard requirements
For additional discussion, you can access recordings of our two-part webinar series on data security planning and response for healthcare providers, presented by Tom Zeno and Emily Root, along with Thomas Hibarger (Managing Director of Stroz Friedberg), and Justin Root, Special Agent – Cyber Crimes with the Office of Ohio Attorney General:
What Keeps You Up at Night: My Data’s Been Stolen: Now What? – Part I (materials and recording)
What Keeps You Up at Night: My Data’s Been Stolen: Now What? – Part II (materials and recording)
In 2004, the FDA promulgated requirements for drug print advertisements. FDA, 69 Fed. Reg. 6307 (May 10, 2004). Those regulations required “the entire risk-related sections of the FDA-approved professional labeling.” The FDA is now significantly changing its course because of “recent social science research” indicating that non-material information should be omitted from drug advertisements in print in order to be more effective for consumers. FDA, 80 Fed. Reg. 6998-99 (Feb. 9, 2015). Instead of listing all risks, the FDA is recommending that any print advertisement display:
- The most serious and the most common risks associated with the product, while omitting less important information.
- The indication for the use being promoted.
- The information regarding patient directives (such as “discuss with your health care provider any pre-existing conditions” or “tell your health care provider if you are taking any medications”).
- A statement that more comprehensive information can be obtained from various sources, including the manufacturer.
In addition to focusing on the most important risks, the FDA wants the information “presented in a way most likely to be understood by consumers.” However, the draft recommendation does not provide much guidance to manufacturers on how to do that. The burden will be on manufacturers to sort out what risks can be omitted and how to write in plain language “most likely to be understood by consumers.” 80 Fed. Reg. 6999.
These requirements would be permissive, and drug manufacturers could include more information if they desire. The FDA is currently seeking comments on the proposal.
The FDA’s revised draft guidance document, Brief Summary and Adequate Directions for Use: Disclosing Risk Information in Consumer-Directed Print Advertisements and Promotional Labeling for Human Prescription Drugs, details the proposed changes.
Just before the ball dropped to start the new year, the Centers for Medicare & Medicaid Services approved the Recovery Audit Contractor (RAC) to identify and recoup improper payments for durable medical equipment, home health and hospice care on a national basis (known as region 5). The contract, dated December 30, 2014, is the first one issued since Recovery Audit contracts were halted last summer. Providers must be vigilant when responding to an audit both because of the value of claims being questioned, but also because these audits can lead to civil and criminal fraud investigations.
Fortunately, the new contract incorporates changes addressing provider concerns with prior RAC arrangements, and these changes will apply to all future contracts with RACs. Other contracts have been delayed because of contract protest litigation.
Notable changes to the contracts will include:
- Limiting the size of Additional Document Requests based upon the denial record of the provider; lower denial rates mean lower document limits;
- Limiting the look back-period to six months from the date of service for hospital claims submitted within three months of the date of service;
- Imposing a 30 day delay to allow for a discussion request by the provider before a RAC can send a denial to be processed by the Medicare Administrative Contractor;
- Withholding payment of the contingency fee to the RAC until after a claim has gone through the second level of appeals; and
- Requiring RACs to maintain an accuracy rate of at least 95% and penalizing RACs for high overturn rates on appeal.
A detailed list of the changes can be found here.