On April 6, 2015, the Centers for Medicare & Medicaid Services (“CMS”) released a proposed rule that would extend provisions of the Mental Health Parity and Addiction Equity Act of 2008 (the “Mental Health Parity Act”) to Medicaid managed care organizations (“MCOs”) and the Children’s Health Insurance Program (“CHIP”). The Mental Health Parity Act requires health plans that provide mental health and substance abuse disorder benefits to ensure that any financial requirements (e.g., co-pays, deductibles) and treatment limitations (e.g., limitations on visits) applicable to those benefits are no more restrictive than the requirements or limitations applied to medical/surgical benefits. The proposed rule was published in the Federal Register on April 10, 2015 at 80 Federal Register 19418. (Proposed rule). Comments to the proposed rule are due on June 9, 2015.

The proposed rule was drafted to ensure that all Medicaid beneficiaries who receive benefits through MCOs or under alternative benefit plans would have access to mental health and substance use disorders benefits regardless of whether they received those benefits through an MCO or another system. In addition, the proposed rule would also apply to CHIP, whether the care is provided through an MCO or a fee-for-service program.

Presently, a number of states that provide medical benefits through Medicaid MCOs carve out mental health and substance abuse services through other arrangements, which can include prepaid inpatient health plans (“PIHPs”), prepaid ambulatory health plans (“PAHPs”), or even fee-for-service. Under the proposed rule, states would continue to have flexibility in selecting different delivery systems to provide services to Medicaid beneficiaries, but would have to ensure that enrollees of a Medicaid MCOs receive the benefit of mental health and substance abuse parity when provided through these alternative models. States, for example, would be required under the proposed rule to include contract provisions requiring compliance with the Mental Health Parity Act in all applicable contracts with Medicaid MCOs and entities providing services through alternative arrangements such as PIHPs and PAHPs. Further, states would have to provide CMS with evidence of compliance with the Mental Health Parity Act in their provision of mental health and substance services to Medicaid beneficiaries.

In addition, the proposed rule would require Medicaid, MCOs, PIHPs, PAHPs and other alternative benefit plans to make their medical necessity criteria for mental health and substance abuse disorder benefits available to any enrollee or contracted provider upon request. Such Medicaid plans must also make available to enrollees the reason for any denial of reimbursement for services related to mental health and substance use disorder benefits.
For further information contact the author Gregory M. Fliszar (Philadelphia, PA) or other members of Cozen O’Connor’s healthcare team.

Coming fresh off the heels of the Anthem data breach Premera Blue Cross announced on March 17^th that it was the victim of a “sophisticated” cyberattack that may have exposed the personal information of approximately 11 million of its members.  Premera has approximately 6 million members residing in the State of Washington, 250,000 members residing in Oregon and 80,000 members residing in Alaska.  Premera stated that the cyberattack began sometime in May of 2014 but was not discovered until the end of January 2015.   According to Premera, the information exposed may include social security numbers, bank account information, and medical and financial information, including clinical information.

Three state insurance commissioners (Washington, Oregon and Alaska) have already launched a joint investigation and a market conduct examination of Premera related to the breach.  The joint investigation will include on-site reviews of Premera’s financial books, records, transactions, and Premera’ cybersecurity.  The Washington Insurance Commissioner has expressed concern over the length of time (approximately six weeks) it took for Premera to notify his office of the attack.  Alaska’s governor ordered all state agencies to review their online security safeguards as well as those put in play by their business associates.  Premera is also conducting an internal forensic investigation by a cybersecurity firm and is cooperating with the FBI in a criminal investigation.

Combined with the cyberattacks on Community Health Systems and Anthem, this is the third large attack on a member of the health care industry announced in the last seven months, and these three breaches may have collectively impacted approximately 95.5 million people.   As these attacks illustrate, health information is now a high priority target for cybercriminals.  Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a wealth of personal information that can be used for identity theft and to file false health insurance claims.  Further, the data security protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to attack by those who view the valuable information as “low hanging fruit.”

Similar to the Anthem and the Community Health Systems breaches, Premera was immediately hit by a proposed class action accusing Premera of negligence and inadequate security.  The March 26, 2015 Complaint alleges that Premera breached its duty of care by failing to secure and safeguard the personal and health information of its members and negligently maintaining a system that it knew was vulnerable to a security breach.  The Complaint further alleges that Premera has a duty to secure and safeguard the personal health information of its members under HIPAA and its failure to implement security and privacy safeguards was a violation of HIPAA.  The Complaint also alleges violations of state consumer protection laws and data disclosure laws.

As evident by the Anthem and Premera breaches, a single security incident resulting in a data breach can have significant consequences for health care companies and business associates that include government investigations, class action lawsuits, and a hit to the organization’s reputation.  To manage this risk, we encourage all companies handling health information to conduct comprehensive risk assessments and to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

The FDA released draft guidelines (“Guidelines”) on Monday, March 9, 2015 establishing recommendations on the use of e-media and processes to obtain informed consent for clinical investigations (trials) of medical products including human drug and biological products, medical devices and combinations. The Guidelines provide useful insight for how the FDA recommends clinical investigators, sponsors and institutional review boards (“IRB”) should use e-informed consent for a clinical trial.

The FDA defines e-informed consent as “using electronic systems and processes that may employ multiple electronic media (e.g., text, graphics, audio, video, podcasts and interactive Web sites, biological recognition devices, and card readers) to convey information related to the study and to obtain and document informed consent.” The FDA reminds clinical investigators and sponsors that informed consent is more than just a subject’s signature.  Informed consent – whether completed electronically or in paper form – includes providing prospective clinical trial participants with enough information regarding the research to enable them to make an informed decision regarding whether to participate in the study. The subjects must have “adequate information” about the research.  Clinical investigators and sponsors may use video conferencing (i.e. Skype) to answer a subject’s questions about the clinical trial.

The Guidelines also include a question and answer section containing 14 inquires such as:

• How information in an e-informed consent should be presented to subjects;
• How/where e-informed consent processes should be conducted; and
• How/when questions from subjects should be answered.

Similar to CMS and states recognizing the authenticity of e-signatures, this guidance demonstrates the FDA’s desire to digitize health care and respond to the increased patient access to clinical trials in states passing “right-to-try” bills.  Right-to-try bills generally permit doctors and terminally ill patients to negotiate directly with drug companies to obtain experimental drugs that have passed Phase-I trials. Stay tuned for a forthcoming Health Law Informer blog announcing the FDA’s release of the e-informed consent final guidelines, which clinical investigators, sponsors and IRBs will want to consider implementing.

For further information contact the Cozen O’Connor’s health care team or the authors Ryan P. Blaney (Washington, DC) and J. Nicole Martin (Philadelphia, PA).

On January 26, 2015, the Secretary of the United States Department of Health and Human Services (“HHS”), Sylvia Mathews Burwell, announced two important goals for the Department:

1. Increase the percentage of Medicare provider payments that are made through alternative payment models based on how well the providers care for patients, rather than the amount of care provided. The percentage goals for these alternative payment models are 30% by 2016 and 50% by 2018.
2. Tie virtually all Medicare fee-for-service payments (85% in 2016 and 90% in 2018) to quality and value.

This announcement puts hard numbers on the goal to move away from traditional fee-for-service Medicare payments that has been stated generally since at least 2010 when the Affordable Care Act was enacted. By clearly delineating specific figures for alternative payment models, such as accountable care organizations and bundled payment arrangements, from those figures for payment methods, HHS has made it clear that providers should be thinking not just about different forms of payment but different forms of organizations and relationships with other providers. Alternative payment models generally require coordination among different types of providers who may not otherwise be related to each other.

While the announced goals focus on the Medicare fee-for-service system, it is clear that HHS intends the impact of these goals to be far broader. Ms. Burwell also announced the creation of a Health Care Payment Learning and Action Network to facilitate a public-private sector partnership to “continue to build on our work with state Medicaid agencies, private payers, employers, consumers and other partners,” while welcoming the fact that “our partners in the private sector have the opportunity to be even more aggressive” in establishing alternative payment models and pay-for-value compensation systems. On the same day as Ms. Burwell’s announcement, the Centers for Medicare and Medicaid Services released a fact sheet stating that it is taking action with a goal to spend “our health dollars” more wisely, citing the importance of the goal for patients, families, providers, tax payers, employers, states and insurance companies, and making it clear that HHS and CMS fully intend to have their efforts to transform health care delivery and payment systems to reverberate well beyond the Medicare program.

December has been a busy month for CMS with respect to the Medicare Shared Savings Program (“MSSP”). Last week CMS announced that eighty-nine (89) more ACOs would begin participating in the MSSP starting in 2015, bringing the total number of ACOs in the program to four-hundred and five (405). Continue reading…

In early December, CMS released a final rule that implements certain provider (i.e., Hospitals, SNFs, physicians, etc.) and supplier (i.e., DME companies, etc.) enrollment requirements  (“Rule”). The goal of CMS’ implementation of the Rule is two-fold: to (i) “[s]trengthen program integrity;” and (ii) “help ensure that fraudulent entities and individuals do not enroll in or maintain their enrollment in the Medicare program.” The new requirements make obtaining and maintaining Medicare billing privileges for providers and suppliers more cumbersome.

For providers or suppliers treating Medicare patients, enrollment in the Medicare program is required in order to obtain Medicare billing privileges. A provider or supplier may enroll electronically using the Provider Enrollment, Chain, and Ownership System, known as PECOS, or by submitting a paper CMS enrollment form. CMS provides specific enrollment forms for institutional providers (CMS Form-855A: i.e., hospitals, SNFs); other providers (CMS Form 855-B: i.e., clinics/group practices); and physicians and other practitioners (CMS Form 855-I). Further, under Section 6401(a) of the Affordable Care Act, Medicare providers and suppliers that enrolled prior to March 25, 2011 are required to undergo a revalidation process in order to maintain their Medicare billing privileges, wherein the providers or suppliers essentially complete the applicable Medicare enrollment application as if they are a “new” provider or supplier enrollee. However, new enrollee providers and suppliers that submitted their enrollment applications on or after March 25, 2011 are exempt from this revalidation process. MACs are continuing to send out revalidation “requests” on a regular basis to enrollees until March 23, 2015.

The following selected updates to the provider and supplier enrollment requirements in the Rule parallel the recent trend of the federal government expanding its existing authority (i.e., the proposed rule to expand the OIG of the HHS’ exclusion authority) and cracking down on impermissible practices:

•  “[a]llowing revocation of Medicare billing privileges if the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements”;
•  “expanding the instances in which a felony conviction can serve as a basis for denial or revocation of a provider[’s] or supplier’s enrollment”;
• “if certain criteria are met, enabling [Medicare] to deny enrollment if the enrolling provider, supplier, or owner thereof had an ownership relationship with a previously enrolled provider or supplier that had a Medicare debt”;  and
• “enabling [Medicare] to revoke Medicare billing privileges if [Medicare] determine[s] that the provider or supplier has a pattern or practice of submitting claims that fail to meet Medicare requirements.”

In addition, CMS clarified in the Rule that any final decision regarding the revocation of a provider’s or supplier’s Medicare billing privileges would come from the “CMS central office” rather than the provider’s or supplier’s MAC. CMS further explained that the re-enrollment bar does not apply to a provider’s or supplier’s failure to timely respond to a revalidation request or request for other information.

The regulations implementing this Rule will be effective February 3, 2015. For additional information regarding the new provider and supplier enrollment requirements under the Rule, contact Cozen O’Connor’s health law team.

In early October, the Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) released a proposed rule that included, among other provisions, a proposed gainsharing regulation (“Proposed Rule”), and a specific request for comments on a definition of what it means to “reduce or limit services” under the statutory prohibition against certain “gainsharing” arrangements among hospitals and physicians. The OIG’s goal with this Proposed Rule and subsequent final rule is to “interpret the statutory [gainsharing] prohibition broadly enough to protect beneficiaries and the Federal health care programs, but narrowly enough to allow low risk programs that further the goal of delivering high quality health care at a lower cost.” More specifically, the OIG seeks to implement a “narrower interpretation of the phrase “reduce or limit services.” Industry analysts are touting the final regulation as a potential game changer in the battle to deliver “high quality health care at a lower cost.”

The existing gainsharing civil monetary penalty statute (“Gainsharing CMP”) is a law that broadly “prohibits hospitals and critical access hospitals from knowingly paying a physician to induce the physician to reduce or limit services provided to Medicare or Medicaid beneficiaries who are under the physician’s direct care.” Violation of the Gainsharing CMP by a hospital that makes such payment, and a physician that in turn knowingly accepts the payment, results in CMPs that are no greater than $2,000 per each beneficiary for whom such payment is made.

Determining what does and what does not constitute a payment designed to reduce or limit services can be difficult, particularly because, as HHS has taken pains to point out, the statute technically prohibits payments from hospitals to physicians to limit any services, not just medically necessary services. However, as far back as 2005 the Medicare Payment Advisory Commission and the Chief Counsel to the OIG have supported gainsharing when safeguards are in place to evaluate risks posed by such programs, including “measures that promote accountability, adequate quality controls, and controls on payments that may change referral patterns,” and to date, the OIG has approved 16 gainsharing arrangements through the advisory opinion process.

More recently, under Section 3022 of the Affordable Care Act, the secretary of HHS established  waivers under the Medicare Shared Savings Program (MSSP) with respect to the Gainsharing CMP under certain conditions. These waivers have limited applicability as they apply only to accountable care organizations that participate in the MSSP. The final gainsharing regulations presumably will cover all hospitals and could potentially have a much broader impact upon hospital physician compensation arrangements. Overall, the Proposed Rule and the OIG’s request for comments on what should and should not constitute prohibited payments from hospitals to physicians to reduce or limit services is yet another example of how the regulatory  landscape is changing to adapt to a reimbursement model that is evolving from a fee-for-service dominated model to one in which pay-for-performance will play a much larger role.

The comment period closed under the Proposed Rule in early December, and the final rule is expected in 2015.

On October 31, 2014, The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its Work Plan for fiscal year (FY) 2015.  The Work Plan summarizes “new and ongoing reviews of activities that OIG plans to pursue with respect to HHS programs and operations during the current fiscal year and beyond.”  In the Work Plan OIG identified several areas related to HIPAA and/or information technology that it will examine and address during FY 2015.

As a new addition to the Work Plan, OIG will determine the extent to which hospitals comply with the contingency requirements of HIPAA.  HIPAA’s Security Rule requires covered entities and their business associates to have in place a contingency plan that establishes policies and procedures for responding to an emergency or other event (such as, for example, natural disasters, system failures, terrorism) that damages systems containing electronic protected health information (ePHI).  These policies and procedures must, at a minimum, include data backup plans, data recovery plans and plans to continue to protect the security of ePHI while operating in emergency operations mode.  In the Work Plan OIG advises that it will compare contingency plans used by hospitals with government and industry recommended practices. 

As part of the Work Plan, OIG will continue to examine whether the Centers for Medicare & Medicaid Services’ (CMS) oversight of hospitals’ security controls over networked medical devices is sufficient to protect ePHI.   The OIG noted that computerized medical devices such as dialysis machines, radiology systems and medication dispensing systems that use hardware, software and networks to monitor a patient’s condition and transmit and/or receive data using wired or wireless communications pose a growing threat to the security and privacy of personal health information. 

OIG also plans to continue to perform audits of covered entities receiving incentive payments for the use of electronic health records (EHRs) and their business associates (including cloud providers) to determine whether they are adequately protecting ePHI created or maintained by certified EHR technology.  In addition, OIG will review the adequacy of CMS’ oversight of states’ Medicaid system and information controls.  Prior OIG audits found that states often fail to have in place adequate security features, potentially exposing Medicaid beneficiary information to unauthorized access.

As to future endeavors, the Work Plan stated that other areas under consideration for new work include the security of electronic data, the use and exchange of health information technology, and emergency preparedness and response efforts.  In addition, OIG advises that in FY 2015 and beyond, it will continue to focus on IT systems security vulnerabilities in health care reform programs such as health insurance marketplaces. 

The Centers for Medicare and Medicaid Services (“CMS”) released proposed  regulations for the Medicare Shared Savings Program (“MSSP”) on Monday December 1, 2014.  The proposed regulations are scheduled to be published in the Federal Register on December 8, 2014, and those wishing to submit comments to the agency will have sixty days after their publication in the Federal Register to do so. CMS stated that the regulations will generally be effective sixty days after they are published in final form.

CMS’ discussion and the proposed regulations span over 400 pages and cover many   operational details of the MSSP.  Some selected highlights are noted below:

• CMS proposes to permit ACOs currently enrolled in the MSSP’s “upside risk only” model to continue to participate in the “upside risk only” model for a second “agreement period” with a reduced shared savings rate.

• CMS proposes to create a new “track 3” “upside/downside” risk model with higher rates of savings and the prospective attribution of beneficiaries.

• CMS proposes to place a “greater emphasis on primary care services delivered by nurse practitioners, physician assistants and clinical nurse specialists in the beneficiary assignment process, and to eliminate the exclusivity requirement for certain specialists that were previously required to be exclusive to one ACO on the basis that they render some services that are considered primary care services.

• CMS proposes to eliminate the requirement that ACOs send out data sharing “opt out” letters to beneficiaries and would require beneficiaries to opt out of data sharing exclusively by contacting CMS as opposed having the option to opt out by contacting the ACOs directly.

The health care industry will be digesting CMS’ voluminous and in some cases highly technical proposed changes to the MSSP over the next 60 days and the Health Law Informer will continue to provide more details regarding these regulations and the industry’s reaction to them.

To read the complete text of the proposed regulations click here.

On October 8, 2014, the Centers for Medicare & Medicaid Services (“CMS”) withdrew its Notice of Proposed Rule Making (“NPRM”) from the Office of Management and Budget that was to address how Medicare’s future interests should be protected pursuant to the Medicare Secondary Payer (“MSP”) Act (42 U.S.C. § 1395y(b)(2)) in workers’ compensation, liability (including self-insurance), automobile and no-fault insurance cases (see Notice).  While it is expected that CMS will submit another proposed rule, it does not seem likely that an ultimate final rule will be forthcoming anytime soon.

Although CMS has published guidelines for how to address claims in workers’ compensation cases where future medical expenses are claimed or released in a settlement judgment or other award, it has not released much guidance on addressing future medical expenses in liability, self-insurance, automobile and no-fault insurance cases.  The resulting lack of any clear guidance has resulted in many settlements being prolonged or even coming to a grinding halt as the parties differed over how—or whether— to address Medicare’s interest in future medical expenses.  It was hoped this would change after CMS released an Advance Notice of Proposed Rulemaking in June of 2012 addressing the issue of protecting Medicare’s interest in future medical expenses.  Yet, the recent notice that CMS has withdrawn its proposed rule is disappointing to the stakeholders, including claimants, insurers and attorneys looking for clarity and guidance from CMS on this issue.  Even without guidance addressing future medicals, parties to a settlement must still fulfill their MSP obligations, which include addressing Medicare’s interests in future medical expenses.