CMS Issues Proposed Rule That Would Extend Provisions of Mental Health Parity

Posted by Gregory M. Fliszar on April 15, 2015
Addiction, CHIP, CMS, MCOs, Medicaid, Medicare, Mental Health, PAHPs, PIHPs

On April 6, 2015, the Centers for Medicare & Medicaid Services (“CMS”) released a proposed rule that would extend provisions of the Mental Health Parity and Addiction Equity Act of 2008 (the “Mental Health Parity Act”) to Medicaid managed care organizations (“MCOs”) and the Children’s Health Insurance Program (“CHIP”). The Mental Health Parity Act requires health plans that provide mental health and substance use disorder benefits to ensure that any financial requirements (e.g., co-pays, deductibles) and treatment limitations (e.g., limits on the number of visits) applicable to those benefits are no more restrictive than the requirements or limitations applied to medical/surgical benefits. The proposed rule was published in the Federal Register on April 10, 2015 at 80 Federal Register 19418. Comments on the proposed rule are due on June 9, 2015.

The proposed rule is intended to ensure that all Medicaid beneficiaries who receive benefits through MCOs or under alternative benefit plans have access to mental health and substance use disorder benefits that satisfy parity, regardless of whether they receive those benefits through an MCO or through another delivery system. The proposed rule would also apply to CHIP, whether care is provided through an MCO or a fee-for-service program.

Presently, a number of states that provide medical benefits through Medicaid MCOs carve out mental health and substance use disorder services into other arrangements, which can include prepaid inpatient health plans (“PIHPs”), prepaid ambulatory health plans (“PAHPs”), or even fee-for-service. Under the proposed rule, states would continue to have flexibility in selecting different delivery systems to provide services to Medicaid beneficiaries, but would have to ensure that enrollees of a Medicaid MCO receive the benefit of mental health and substance use disorder parity even when those services are provided through these alternative models. For example, states would be required under the proposed rule to include contract provisions requiring compliance with the Mental Health Parity Act in all applicable contracts with Medicaid MCOs and with entities providing services through alternative arrangements such as PIHPs and PAHPs. Further, states would have to provide CMS with evidence of compliance with the Mental Health Parity Act in their provision of mental health and substance use disorder services to Medicaid beneficiaries.

In addition, the proposed rule would require Medicaid MCOs, PIHPs, PAHPs and alternative benefit plans to make their medical necessity criteria for mental health and substance use disorder benefits available to any enrollee or contracted provider upon request. Such plans must also make available to enrollees the reason for any denial of reimbursement for services related to mental health and substance use disorder benefits.
For further information contact the author Gregory M. Fliszar (Philadelphia, PA) or other members of Cozen O’Connor’s healthcare team.



Another Health Plan Hit By Massive CyberAttack and Class Actions Follow

Coming fresh on the heels of the Anthem data breach, Premera Blue Cross announced on March 17, 2015 that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members. Premera has approximately 6 million members residing in the State of Washington, 250,000 in Oregon and 80,000 in Alaska. Premera stated that the attack began sometime in May 2014 but was not discovered until the end of January 2015. According to Premera, the exposed information may include Social Security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and market conduct examination of Premera related to the breach. The joint investigation will include on-site reviews of Premera’s financial books, records and transactions, and of Premera’s cybersecurity. The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took Premera to notify his office of the attack. Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in place by their business associates. Premera has also engaged a cybersecurity firm to conduct an internal forensic investigation and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and the three breaches may have collectively affected approximately 95.5 million people. As these attacks illustrate, health information is now a high-priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market, as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims. Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which leaves the information vulnerable to attackers who view it as “low-hanging fruit.”

As with the Anthem and Community Health Systems breaches, Premera was immediately hit with a proposed class action accusing it of negligence and inadequate security. The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and by negligently maintaining a system that it knew was vulnerable to a security breach. The Complaint further alleges that Premera has a duty under HIPAA to secure and safeguard the personal health information of its members and that its failure to implement security and privacy safeguards violated HIPAA. The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As the Anthem and Premera breaches show, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates, including government investigations, class action lawsuits, and damage to the organization’s reputation. To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.



Cybersecurity Attack on Anthem, Inc. Highlights the Cybersecurity Risks for All Companies Handling Electronic Medical Records

Posted by Gregory M. Fliszar on February 09, 2015
cyberattacks, cybercriminals, cybersecurity, FBI, Healthcare, HIPAA, HITECH

Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system had been the target of a “very sophisticated” cyberattack that exposed the birthdates, Social Security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem stated that the attackers apparently did not obtain any health information or credit card numbers, but that the attack did yield medical ID numbers. Anthem discovered the breach on its own on January 29, 2015 and contacted the FBI, which has opened an investigation into the matter.

Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high-priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market, as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which leaves the information vulnerable to attack by criminals who view it as “low-hanging fruit.”

Failure to have a robust cybersecurity program in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that it did not have adequate security procedures in place to protect its customers, and more suits are likely to follow. In addition to the FBI’s investigation into the attack, the Attorneys General of New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.

The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania.

If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at gfliszar@cozen.com.


OIG’s New Work Plan Focuses on the Security of Health Information

Posted by Gregory M. Fliszar on December 04, 2014
CMS, HHS, HIPAA, OIG

On October 31, 2014, the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015. The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.” In the Work Plan OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency planning requirements of HIPAA. HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence (for example, a natural disaster, a system failure or an act of terrorism) that damages systems containing electronic protected health information (ePHI). These policies and procedures must, at a minimum, include a data backup plan, a disaster recovery plan and an emergency mode operation plan for continuing to protect the security of ePHI while operating in emergency mode. In the Work Plan OIG advises that it will compare the contingency plans used by hospitals with government- and industry-recommended practices.

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI. OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems, which use hardware, software and networks to monitor a patient’s condition and to transmit and/or receive data over wired or wireless connections, present a growing risk to the security and privacy of personal health information.

OIG also plans to continue to audit covered entities receiving incentive payments for the use of electronic health records (EHRs), and their business associates (including cloud providers), to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology. In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid systems and information controls. Prior OIG audits found that states often fail to have adequate security features in place, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future work, the Work Plan stated that other areas under consideration include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts. In addition, OIG advises that in FY 2015 and beyond it will continue to focus on IT system security vulnerabilities in health care reform programs such as the health insurance marketplaces.



CMS Withdraws Proposed Medicare Secondary Payer Rule

Posted by Gregory M. Fliszar on October 17, 2014
CMS, Medicare

On October 8, 2014, the Centers for Medicare & Medicaid Services (“CMS”) withdrew from the Office of Management and Budget its Notice of Proposed Rule Making (“NPRM”) that was to address how Medicare’s future interests should be protected under the Medicare Secondary Payer (“MSP”) Act (42 U.S.C. § 1395y(b)(2)) in workers’ compensation, liability (including self-insurance), automobile and no-fault insurance cases. While CMS is expected to submit another proposed rule, it does not seem likely that a final rule will be forthcoming anytime soon.

Although CMS has published guidelines for addressing claims in workers’ compensation cases where future medical expenses are claimed or released in a settlement, judgment or other award, it has released little guidance on addressing future medical expenses in liability, self-insurance, automobile and no-fault insurance cases. The lack of clear guidance has caused many settlements to be prolonged or even to grind to a halt as the parties differed over how, or whether, to address Medicare’s interest in future medical expenses. It was hoped this would change after CMS released an Advance Notice of Proposed Rulemaking in June 2012 addressing the protection of Medicare’s interest in future medical expenses. The recent notice that CMS has withdrawn its proposed rule is therefore disappointing to stakeholders, including claimants, insurers and attorneys looking to CMS for clarity and guidance on this issue. Even without guidance addressing future medicals, parties to a settlement must still fulfill their MSP obligations, which include addressing Medicare’s interest in future medical expenses.



HHS Releases a New Security Risk Assessment Tool

Posted by Gregory M. Fliszar on April 29, 2014
HHS, HIPAA

The Department of Health and Human Services (HHS) recently released a new security risk assessment (SRA) tool for small- to medium-sized health care providers. HIPAA’s Security Rule requires covered entities to conduct periodic risk assessments of the administrative, physical and technical safeguards they use to protect electronic protected health information. The new tool is meant to help providers conduct and document those assessments and to produce a report that can be provided to auditors.

The tool was created jointly by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR), and its release precedes OCR’s expected launch of a permanent HIPAA audit program. OCR has previously identified security risk assessments as an area of consistent weakness among covered entities and has said they will be a particular focus for auditors.

Entities using the new tool will be asked 156 “yes” or “no” questions. Each question addresses a specific HIPAA requirement, and each is accompanied by additional resources to help providers understand the language and requirements of the associated Security Rule provision. If a provider answers “no” to, or cannot answer, an applicable question, the provider must note the need for corrective action and implement a remediation plan immediately.

Providers can download the SRA Tool and additional guidance from HHS. ONC plans to make updates and improvements to the tool after an initial period of use. Comments regarding the SRA Tool may be submitted to ONC until June 2, 2014.


HIPAA Audits Set to Begin in 2014: Another Enforcement Mechanism for HIPAA Compliance

Posted by Gregory M. Fliszar on March 07, 2014
HIPAA

The Department of Health and Human Services (HHS) is expected to launch its long-awaited HIPAA audit program sometime in 2014. The audit program will be run by HHS’ Office for Civil Rights (OCR), which is likely eager to get the program going after being criticized last year in a report from HHS’ Office of Inspector General (OIG) for not conducting sufficient audits as mandated by the HITECH Act. This public reprimand gives OCR an added incentive to make sure its HIPAA audit program is active and effective.

In terms of how the permanent audit program will operate, OCR has indicated that it will differ from the pilot program that ran from 2011 to 2012. During the pilot, 115 covered entities were audited, and each of them endured lengthy and detailed investigations into the entity’s compliance with nearly all aspects of the HIPAA rules. The director of OCR, Leon Rodriguez, has said that the plan moving forward is to audit many more entities, including business associates, but to make each audit narrower and more targeted. A note of caution, however, is that OCR has previously stated that audits that uncover significant noncompliance with HIPAA could prompt an investigation by OCR.

So what are the big areas of interest for OCR? This will become clearer as the audits get underway, but we do know at least two of the topics that have OCR’s attention: security risk analysis and business associate compliance. Director Rodriguez has said that risk analysis was an area of consistent weakness among entities audited during the pilot program and that “one focus in the audits will be on risk analysis.” Every covered entity and business associate must conduct a thorough review of the security of PHI in its organization and examine all facilities and operations to see where PHI flows in and where it flows out. Everything from computer encryption to office traffic patterns to off-hours use of mobile devices has to be analyzed and plans must be put in place to address any holes in security.

For more information about the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html


CMS Solicits Comments on How to Impose Penalties for Failure to Comply with the MSP Act’s Reporting Requirements

Posted by Gregory M. Fliszar on December 19, 2013
Medicaid, Medicare

On December 11, 2013, the Centers for Medicare & Medicaid Services (CMS) published an advance notice of proposed rulemaking concerning the circumstances under which civil money penalties may be imposed for failure to comply with the Section 111 reporting requirements of the Medicare Secondary Payer Act (the “MSP Act”). Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007 amended the MSP Act by establishing mandatory reporting requirements for certain group health plans (GHPs) and for liability insurance (including self-insurance), no-fault insurance and workers’ compensation arrangements (collectively, NGHPs). The Section 111 amendments require GHPs and NGHPs to notify CMS when they pay a claim on behalf of a Medicare beneficiary. As originally enacted, failure to comply with the reporting requirements carried a mandatory civil monetary penalty of $1,000 for each day of noncompliance.

The Strengthening Medicare and Repaying Taxpayers Act of 2012 (the “SMART Act”) amended the penalty provision of the Section 111 reporting requirements to provide that applicable plans that fail to comply with the reporting requirements may be subject to a civil monetary penalty of up to $1,000 per day of noncompliance. The SMART Act thus made the penalty discretionary rather than mandatory and allowed for penalties below $1,000. As a result, CMS is soliciting public comments and proposals on the practices for which civil monetary penalties may or may not be imposed. Specifically, CMS is seeking comments on how to define “noncompliance” with the reporting requirements; what mechanisms and criteria should be used to evaluate whether a civil money penalty can be imposed; what methods should be used to determine the dollar amount of such a penalty; and what actions on the part of a primary payer would constitute a “good faith effort” to identify a Medicare beneficiary for purposes of reporting under the MSP Act. Comments can be submitted to CMS until February 10, 2014.



Highlights of the Omnibus HIPAA/HITECH Final Rule

Posted by Gregory M. Fliszar on March 12, 2013
Affordable Care Act, HIPAA, HITECH

On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health & Human Services (HHS) published the long-awaited omnibus final regulation governing health data privacy, security and enforcement (Omnibus Rule).[i] The Omnibus Rule is a group of regulations that finalizes four sets of proposed or interim final rules: changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act[ii] and proposed in 2010;[iii] changes to the interim final breach notification rule;[iv] modifications to the interim final enforcement rule; and implementation of changes required by the Genetic Information Nondiscrimination Act of 2008 (GINA). The Omnibus Rule goes into effect on March 26, 2013, and compliance is required by September 23, 2013. As expected, the Omnibus Rule did not finalize the May 31, 2011 proposed regulation regarding accounting for disclosures.



The SMART Act: A Bipartisan Attempt to Make the MSP Act Workable

Posted by Gregory M. Fliszar on January 23, 2013

On January 10, 2013, President Obama signed into law H.R. 1845, which includes the Strengthening Medicare and Repaying Taxpayers Act of 2012 (SMART Act).[1] The SMART Act amends several portions of the Medicare Secondary Payer (MSP) Act that apply to non-group health plans, including liability (including self-insurance) and no-fault insurance and workers’ compensation plans (together, NGHPs). Although the SMART Act makes significant substantive and procedural amendments to the MSP Act, many practical issues will continue to bedevil parties who are trying to settle a personal injury claim.

