Health Law Informer

It has been a busy summer so far for the Centers for Medicare & Medicaid Services (CMS) with respect to Accountable Care Organizations (ACOs), as the agency has proposed altering the quality reporting measures under the Medicare Shared Savings Program (“MSSP”) for 2015 and beyond.  Expect an even busier fall as other, potentially broader, proposed rule changes for ACOs are analyzed by the Office of Management and Budget (OMB) and both sets of proposals wind their way through the public comment process.

The proposed changes concerning quality reporting would revise and update the measures used to evaluate MSSP ACOs’ performance. Overall, the CMS says it would like to focus more on outcome-based measures (as opposed to process-based measures), reduce duplicative measures, and reflect current clinical practices without increasing ACO’s reporting burden.

More specifically, the CMS proposes to add 12 new measures and remove eight, which would increase the total number of quality measures from 33 to 37. The new measures relate to “avoidable” admissions for patients with multiple chronic conditions, heart failure, and diabetes; depression readmission; readmissions to skilled nursing facilities; patient discussion of prescription costs; and updated composite measures for diabetes and coronary artery disease.

The CMS would like to modify the scoring system to award bonus points toward shared savings to ACOs that make year-over-year improvements on individual measures. Moreover, the agency would like to modify its benchmarking methodology to use flat percentages to establish the benchmark for a measure when the national FSS data results in the 90^th percentile being greater than or equal to 95 percent. And, finally, the CMS proposes several ways to align MSSP reporting requirements with other reporting programs, including Medicare’s Electronic Health Records Incentive Program and the Physician Quality Reporting System.

Fewer details are available about the next set of proposed rules changes, which were submitted to OMB on June 26 and will be printed in the Federal Register after review. It is expected that these regulations will include changes to the MSSP’s payment provisions. The proposed changes would apply to existing ACOs and approved ACO applicants starting January 1, 2016. As soon as the text of the rule becomes publicly available, the Health Law Informer will provide more information.

Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?

Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report).  In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012. Continue reading…

It has been over three years since the Centers for Medicare and Medicaid Services (CMS) announced its proposed rule and guidance on the development and implementation of Accountable Care Organizations.  About four million Medicare beneficiaries are now in an ACO, and over 400 provider groups are participating in ACOs.  See February 19, 2013 Health Affairs Blog. An estimated 14% of the U.S. population is being treated within an ACO. See April 16, 2014 Kaiser Health News.

By all indications, these numbers will continue to grow as the US health system moves away from the fee-for-service model to pay for value models that reward quality and cost savings and require clinical coordination among different types of providers, in many cases providers who are unrelated other than through an ACO or other similar arrangement.  The seamless sharing of data, patient information and collaboration among large, medium and small physician practices, hospitals, post-acute providers, and even private companies like pharmacy chains is critical to the success of these organizations. Continue reading…

It has been 18 years in coming, and the time is finally here. All Controlling Health Plans (CHPs) must obtain a unique Health Plan Identifier (HPID). A CHP is a health plan that controls its own business activities, actions, or policies, or is controlled by entities that are not health plans. The HPID is a unique 10-digit, all-numeric identifier that will be assigned to every qualifying health plan.

The Health Insurance Portability and Accountability Act (HIPAA) first indicated the need for HPIDs back in 1996. Almost a decade later, the Department of Health and Human Services (HHS) issued a final rule mandating HPID adoption. Now the important part: the deadline for most providers to register for an HPID is November 5, 2014. (Small health plans, those with annual claims paid of $5 million or less, have until November 5, 2015 to register.)

The primary purpose of HPIDs is standardization, which should make the exchange of electronic data more efficient and more accurate. Among other improvements, HPIDs will drastically decrease the instances of misrouted transactions or rejected transactions due to insurance identification errors. HHS has said that universal adoption of HPIDs is expected to save $6 billion over the next ten years.

While CHPs are required to register, sub-health plan affiliates may register for a HPID or may choose to use the number of its CHP parent. Self-insured group health plans that fit the definition of a CHP will be required to have an HPID. If a health plan engages a business associate to conduct standard transactions on its behalf, the business associate must use the health plan’s HPID in every field where the health plan is identified.

In addition to registering for the HPID, CHPs must disclose their HPID when requested and communicate any changes to the required data elements in the HPID Enumeration System within 30 days of the change.

The HPID will be used for all “standard transactions,” as defined by HIPAA, as well as for other lawful purposes, including: identification on health plans’ internal files; health insurance cards; cross-referencing in health care fraud and abuse files; and identification of health plans on Health Information Exchanges, and federal and state insurance exchanges.

Health Plans can complete their HPID application here.

HHS provides videos to assist Health Plans in the application process and a 111-page User Manual published by CMS here.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is not the only government arm that enforces data breaches. The Federal Trade Commission (FTC) has broad authority to regulate the security of consumer information and hold companies liable for a failure to use adequate data security practices. In August 2013, the FTC targeted LabMD, a medical testing laboratory, which maintains personal financial and health information for nearly one million consumers. The FTC alleged that LabMD failed to “provide reasonable and appropriate security for personal information on its computer networks,” which resulted in the data of thousands of consumers being leaked on to the peer-to-peer file-sharing network LimeWire, the black-market and in the hands of illegal data brokers.

Until recently the FTC enforced its breach authority under the Act without pushback, so a company facing allegations would simply settle. However, LabMD became the second company to challenge the FTC’s enforcement of data breaches (a hotel chain company was the first to challenge the FTC’s authority). LabMD attempted to stop the investigation by filing appeals to federal district and appellate courts and the FTC. The appeals were based primarily on two arguments: (i) the FTC does not have the statutory authority to set data security standards for companies; and (ii) LabMD is already subject to the OCR’s enforcement authority under HIPAA’s security regulations, so it should not also be subject to the FTC’s enforcement authority.

Despite LabMD’s best efforts, two Eleventh Circuit judges refused to intervene before the FTC issued its final order, the FTC rejected LabMD’s motion to dismiss and it moved forward with the administrative proceedings. However, LabMD continues to fightback. Recently, LabMD filed a motion to dismiss with the FTC, and contended that the FTC had not proven that the data breach caused injury, specifically, that it did not present evidence that there was substantial harm or likely to be substantial harm to consumers as a result of the breach.

During trial, Michael Daugherty, CEO of LabMD, testified that the effect of the FTC’s allegations and subsequent probe has placed the company in a “very deep coma” and that he “can’t understate how damaging and confusing and sideswiping [the matter is] to the attitude, energy and morale of [LabMD’s] management staff.”

Interestingly, the trial has been on recess since May 30 when the administrative law judge delayed the proceeding until June 12 in response to an announcement that the House Committee on Oversight and Government Reform was investigating Tiversa Inc., the cyber-intelligence firm that played a central role in the FTC’s case against LabMD. In a separate lawsuit, LabMD is alleging that Tiversa provided the FTC with patient information files that it stole from LabMD.

When trial resumes on June 12, the focus will continue to be on whether LabMD’s data security standards that it used to protect consumers’ personal information were reasonable. It will be interesting whether developments from the Tiversa investigation impact the outcome of the trial. For more information about this proceeding go to the FTC website.

Practice Tip: Ensure that your security policies and procedures are being implemented and followed in accordance with HIPAA security requirements because inadequate security safeguards may lead to enforcement actions by the OCR and the FTC.

A report recently released by the Federal Trade Commission (FTC) concludes that data brokers currently operate so far below the radar screen that most consumers are unable to exercise any real control over the collection and use of their personal information. In addition to shedding light on the data broker marketplace and its practices, the report also provides recommendations to Congress about legislation that could better protect consumers and begin to regulate this poorly understood industry.

Data Brokers: A Call for Transparency and Accountability is based on an in-depth study of nine leading data brokers, companies that collect consumers’ personal information and resell or share that information with others in the form of marketing, risk management, or people search products. Combined, data brokers currently collect and store billions of bits of data about nearly every consumer in the United States. According to the FTC, “Because few consumers know about the existence of data brokers, meaningful notice from the data source provides an important opportunity for consumers to learn that their data is shared with data brokers and how to exercise control over the use of their data.”

In order to promote transparency, the Commission recommended that Congress consider legislation:

– Enabling consumers to easily identify which data brokers may have data about them and where they should go to access such information and exercise opt-out rights.

– Requiring data brokers to clearly disclose to consumers that they not only use raw data (such as a person’s name, address, age, and income range), but that they also use data they derive with that information.

– Requiring data brokers to disclose the names and/or categories of their sources of data, so that consumers are better able to determine if they need to correct their data with an original public record source; require data brokers to allow consumers to correct erroneous information in their private databases.

– Mandating that consumer-facing entities to provide a prominent notice to consumers that they share consumer data with data brokers and provide consumers with choices about the use of their data, such as the ability to opt-out of sharing their information with data brokers.

More generally, the Commission called on the data broker industry to adopt several best practices:

– Implement privacy-by-design, considering privacy issues at every stage of product development.

– Refrain from collecting information from children and teens, particularly in marketing products.

– Take reasonable precautions to ensure that downstream users of their data do not use it for eligibility determinations or for unlawful discriminatory purposes.

Cozen O’Connor’s Health Law Informer will continue to monitor Congress and the data broker industry’s response to the FTC report.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled for the collective amount of $1,975,220 with Concentra Health Services (Concentra) and QCA Health Plan, Inc. (QCA). The settlements stem from OCR investigations in 2011 and 2012 related to each of the companies reporting a single stolen laptop; Concentra also had a laptop stolen in 2009.

In its press release, HHS stated that after further investigating Concentra it found that Concentra was aware prior to the most recent laptop theft that not all of its laptops, desktop computers, medical equipment, tablets and other devices that contained ePHI were encrypted. But despite Concentra’s discoveries as a result of risk analyses that it had conducted, it failed to remedy the critical risks and did not encrypt all of the devices. OCR also found that Concentra had insufficient security management processes. OCR’s investigation of QCA revealed that in addition to the unencrypted laptop, QCA failed to comply with numerous HIPAA privacy and security requirements for several years.

Susan McAndrew, OCR’s Deputy Director of Health Information Privacy, reiterated the significance of encryption and the obligations of covered entities and business associates to adequately secure mobile devices when she stated that OCR’s message to covered entities and business associates is simple: “encryption is your best defense against these incidents.” Ms. McAndrew’s statement is significant and a shift from the view that although security is an obligation, encryption is not required under the HIPAA Security Rule. In light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices. In light of these two settlements and the Deputy Director’s commentary it is evident that OCR views encryption as an essential security safeguard for laptops, desktop computers, medical equipment, tablets and other mobile devices.

Concentra has agreed to pay HHS a monetary settlement of $1,725,220 and QCA has agreed to pay $250,000. Both entities have also agreed to each undertake a corrective action plan (CAP),  which CAPs include risk analyses, development of risk management plans, policy and procedure revisions, staff training and certification of staff training. Concentra’s CAP contains more onerous requirements, including the continued submission of additional documents, reports and encryption status updates to HHS. Concentra’s CAP may be more extensive than QCA’s because it already had a laptop that contained ePHI stolen in 2009 and because it failed to remedy the encryption issue it discovered during the risk analyses it performed prior to the second laptop being stolen. OCR also noted that QCA did encrypt its devices after the laptop was stolen and it discovered the breach.

For more information about the settlements and the CAPs, see the Concentra Resolution Agreement and the QCA Resolution Agreement.

Practice Tip: Audit your encryption policies and practices for all mobile devices to adequately secure your company’s mobile devices.

In the largest HIPAA enforcement action to date, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) extracted $4.8 million from two leading New York institutions, New York-Presbyterian Hospital (NYP) and Columbia University (CU), despite NYP and CU’s self-disclosure of the breach. OCR charged NYP and CU jointly with failing to secure 6,800 patients’ electronic protected health information (ePHI), which resulted in a 2010 breach. NYP and CU did not learn of the breach until a complaint was filed by a representative of a deceased former NYP patient whose ePHI was found on the Internet. The patient data included status, vital signs, medications and laboratory results.

Larger, more frequent fines may be the new normal as OCR launches its major new audit program. In its press release, HHS wrote that “neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.” OCR has made clear that risk assessment will be a priority in the upcoming audits. OCR will not be satisfied with “glossy” HIPAA policies and procedures if they are not followed in practice.

To make the point even more explicit, Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”

OCR’s investigation began after NYP and CU self-disclosed an inadvertent leakage of certain ePHI to Internet search engines when a computer server was errantly reconfigured. The source of the breach was a CU physician who had tried to deactivate a personally owned computer server on the network containing information on hospital patients. NYP and CU failed to implement technical safeguards for the deactivation of computer servers, so the attempted deactivation resulted in ePHI being posted online.

NYP has agreed to pay HHS a monetary settlement of $3.3 million and CU has agreed to pay $1.5 million. Both entities have also agreed to each undertake a substantive corrective action plan (CAP), which includes a risk analysis, development of a risk management plan, policy and procedure revisions, staff training and regular progress reports. For more information about the settlements and the CAPs, see the NYP Resolution Agreement and the CU Resolution Agreement.

HIPAA Practice Tip: Now is the time to ensure that your HIPAA policies and procedures are being implemented and followed.

The Department of Health and Human Services (HHS) recently released a new security risk assessment (SRA) tool for small- to medium-sized health care providers. HIPAA requires covered entities to conduct periodic assessments of the administrative, physical, and technical safeguards in their handling of protected health information. This new tool will help health care providers conduct and document risk assessments and produce a report that can be provided to potential auditors.

The tool was created jointly by the HHS Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office of Civil Rights (OCR), and its release precedes OCR’s expected launch of a permanent HIPAA audit program. The OCR has previously identified security risk assessments as an area of consistent weakness among covered entities and has said it will be a particular focus for auditors.

Entities using the new tool will be asked 156 “yes” or “no” questions. Each question addresses a specific HIPAA requirement, and additional resources are provided with each question to help providers better understand the language and requirements of the associated HIPAA security rule. In the event that a provider answers “no” or cannot answer an applicable question, the provider must note the need for corrective action and implement a plan immediately.

Providers can download the SRA Tool and additional guidance here. The ONC plans to make updates and improvements to the tool after an initial period of use. Comments regarding the SRA Tool may be submitted here until June 2, 2014.

The Department of Health and Human Services (HHS) is expected to launch its long-awaited HIPAA audit program sometime in 2014. The audit program will be run by HHS’ Office of Civil Rights (OCR), which is likely eager to get the program going after being criticized in a report from HHS’ Office of Inspector General (OIG) last year for not conducting sufficient audits as mandated by the HITECH Act. This public reprimand gives OCR an added incentive to make sure its HIPAA audit program is active and effective.

In terms of how the permanent audit program will operate, OCR has indicated that it will differ from the pilot program that ran from 2011 to 2012. During the pilot, 115 covered entities were audited, and each of them endured lengthy and detailed investigations into the entity’s compliance with nearly all aspects of the HIPAA rules. The director of OCR, Leon Rodriguez, has said that the plan moving forward is to audit many more entities, including business associates, but to make each audit narrower and more targeted. A note of caution, however, is that OCR has previously stated that audits that uncover significant noncompliance with HIPAA could prompt an investigation by OCR.

So what are the big areas of interest for OCR? This will become clearer as the audits get underway, but we do know at least two of the topics that have OCR’s attention: security risk analysis and business associate compliance. Director Rodriguez has said that risk analysis was an area of consistent weakness among entities audited during the pilot program and that “one focus in the audits will be on risk analysis.” Every covered entity and business associate must conduct a thorough review of the security of PHI in its organization and examine all facilities and operations to see where PHI flows in and where it flows out. Everything from computer encryption to office traffic patterns to off-hours use of mobile devices has to be analyzed and plans must be put in place to address any holes in security.

For more information about the audit program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html