
The HHS Office of Civil Rights (“OCR”) closed out the month of April with some updates to HIPAA civil monetary penalty (“CMP”) limits and clarifications to OCR’s stance on the Privacy Rule’s application to transfers of electronic protected health information (“ePHI”) to third-party applications and application programming interfaces (“APIs”).

Differential CMP Caps Based on Enforcement Discretion

Under the current HIPAA Enforcement Rule, HHS employs a four-tier culpability scale in line with the HITECH Act. These four tiers correspond to appropriate CMP ranges for violations by covered entities and business associates of the HIPAA Privacy and Security Rules. These penalty tiers are adjusted for inflation pursuant to the cost-of-living formula set forth in the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.

For instance, if a person did not know and, by exercising reasonable diligence, would not have known that the person violated the applicable HIPAA provision, the CMP that could be levied ranged from $100 to $50,000 for each identical violation, up to a maximum of $1.5 million for all such violations annually (before adjustment for inflation). The $1.5 million annual cap on CMPs for HIPAA violations applied across all four tiers, even though the minimum penalties for each tier increased in amount.

Since HHS began using this four-tier structure, however, there has been debate about whether the HITECH Act mandates different annual CMP caps for each of the tiers. OCR’s April 30, 2019 Federal Register Notice changes HHS’s prior position on this, and now imposes the following annual caps on CMPs for HIPAA violations:

  • $25,000 (Tier 1 – no knowledge)
  • $100,000 (Tier 2 – reasonable cause)
  • $250,000 (Tier 3 – willful neglect/corrected)
  • $1.5 million (Tier 4 – willful neglect/not corrected).

What is odd is that the maximum penalty for each tier remains at $50,000 as of the date of the Federal Register Notice. This does not appear to make sense given that the annual limit for Tier 1 violations is $25,000. Nevertheless, HHS will follow this structure “until further notice,” which means there still may be some cleaning up to do.

New FAQ Responses to Clarify Patient Access Rights Under HIPAA

On April 18, 2019, OCR published responses to five Frequently Asked Questions (the “FAQs”) regarding the analysis of a patient’s right of access to his or her ePHI through third-party apps and APIs. Covered entities should take these FAQs into account when responding to the proposed rules on information blocking released by the Office of the National Coordinator for Health Information Technology (“ONC”) and the Centers for Medicare & Medicaid Services’ proposed rules on Interoperability and Patient Access, which are now due June 3, 2019. These proposed rules encourage patient access to ePHI via APIs and the FAQs attempt to address some of the questions OCR has received regarding how to balance HIPAA compliance with patient access via new transmission and storage modalities for ePHI.

Overall, the FAQs clarify the scope of covered entities’ responsibility to comply with patients’ requests to direct their ePHI to third parties pursuant to 45 CFR § 164.524 and their liability for any breaches to that ePHI after its transfer. The main points that covered entities should glean from the FAQs are:

  • Covered entities cannot refuse to disclose ePHI to an app chosen by an individual because of concerns about how the app will use or disclose the ePHI it receives.
  • Covered entities or their business associates (e.g., an EHR system developer) that did not develop or provide a third-party app that “creates, receives, maintains, or transmits ePHI on behalf of the covered entity”:
      • are not required to enter into a business associate agreement (“BAA”) with the third-party app or API developer; and
      • are not liable under the HIPAA Rules for a subsequent impermissible disclosure by the third-party app or API.
  • Covered entities would not be responsible for unauthorized access to the individual’s ePHI while in transmission to a third-party app or API, even if it is transferred via an unsecure manner or unsecure channel.

The new FAQs became necessary as patients increasingly sought ready access to their ePHI and related data through mobile apps and devices that are distinct from those provided by covered entities. Covered entities, in an abundance of caution, often refused to send ePHI to third-party apps and APIs because they were concerned about being liable for breaches of any ePHI after it was transferred.

With these new FAQs, covered entities and their business associates have more clarity regarding their obligations under the HIPAA Privacy Rules. Moreover, it is arguable that the release of the FAQs provides constructive notice to covered entities and developers of third-party apps and APIs that engaging in practices that contradict OCR’s responses could constitute information blocking, which we have profiled in numerous previous posts.

C&M Health Law by Jodi G. Daniel And Amber Mulcare - 3M ago

On March 27, 2019, the Centers for Medicare & Medicaid Services (CMS) announced a $1.65 million competition to accelerate development of AI solutions in health care. The Artificial Intelligence (AI) Health Outcomes challenge seeks innovative, AI-driven solutions that can predict unplanned hospital and skilled nursing facility (SNF) admissions and adverse events.

The challenge is a 1-year, three-stage competition; the Launch Stage is open to the public and seeks to attract a wide range of ideas and solutions.

Stage 1 will be comprised of 20 participants and will focus on the development of algorithms that predict health outcomes using Medicare fee-for-service data as well as strategies for building clinician trust in the solutions. 5 participants will be awarded $80,000 and will advance to Stage 2.

Stage 2 will ask for finalists to refine their algorithm and run a number of analyses on more than 5 years of CMS claims data to demonstrate proof-of-concept. The grand prize winner will be awarded up to $1 million.

Economists have debated the use of prize systems for technological innovation. While some argue that the use of medical prize funds will lower prices and widen the availability of research results, others are skeptical of claims regarding the role of prize funds in inducing technological innovation. CMS is in a unique position to offer prizes for innovative solutions; as the country’s single largest payer for health care, it may be one of the best entities to evaluate the efficacy of the proposals and can offer innovators the data needed to develop their algorithms.


Nearly 20,000 comments have been submitted in response to the Department of Health and Human Services’ January 31, 2019 notice of proposed rulemaking eliminating discount safe harbor protection for reductions in price to prescription pharmaceutical products (or rebates) provided by manufacturers to plan sponsors under Medicare Part D and Medicaid managed care organizations (MCOs), whether negotiated by the plan or by pharmacy benefit managers (PBM) or paid through a PBM to the plan or Medicaid MCO. Most of the comments appear to be relatively short, text box comments submitted by individuals through patient or business advocacy groups. The following is a very high-level summary of the several hundred comments posted (so far) from health plans, manufacturers, pharmacies, their respective associations, and policy-oriented groups:

  1. Manufacturers and pharmacies and their respective associations, including some large chains (i.e., Walgreens) strongly favor eliminating rebates, and curtailing the flexibility of “middlemen” who negotiate rebates and administer the system, noting the perverse incentives that rebates cause for plans and PBMs with respect to drugs that have high list prices.
  2. Many comments from health plans and a number from others (e.g., the AHA and AARP) take the view that is summed up in this paragraph in the comment submitted by the American Federation of State, County, and Municipal Employees (AFSCME):
      1. While we agree with the broad goals of the rule, we have significant concerns about the impact it will have. The proposed rule is a shot in the dark, with deep uncertainty about whether it will further these goals. This uncertainty includes unanswered questions about whether beneficiaries on average (and which individuals in particular) will ultimately pay less out of pocket in combined cost-sharing and Part D premiums, and whether list prices, net prices and overall costs will decrease.
  3. AARP also has some pithy language about the uncertainty of the projections made by the agency, a sentiment that is expressed in many other comments:
      1. Throughout the proposed rule, HHS makes it clear that it does not know whether prescription drug prices will increase, decrease, or stay at the same levels if rebates are eliminated. Similarly, the alternative scenarios present a broad range of possible impacts on drug prices. In some scenarios, manufacturers replace rebates with discounts. In others, manufacturers partially replace rebates with discounts. In at least one scenario, manufacturers respond by raising drug prices.  Given that prescription drug price trends are already widely viewed as unsustainable, we find this high degree of uncertainty to be extremely concerning. Moreover, it is a strong indication that this proposal is not directed at the root cause of the problem that it is trying to address—the pricing behavior of drug manufacturers
  4. Most health plans note that rebate negotiation is a key tool used to lower net prices for plans that serve Medicare beneficiaries, and several note that rebates were a response to high list prices for drugs, and not the cause of high list prices, as stated in the proposed rule.
  5. Most commenters voiced significant reservations about implementing the changes as contemplated by January 1, 2020.
  6. Comments from several patient advocacy groups expressed concern over potential unintended consequences to patients, such as benefit plan changes that might place products on higher formulary tiers or eliminate flat fee cost sharing.
  7. A lot of comments make the point that most drugs do not generate rebates, including generics and the highest cost brand name drugs for which no substitute exists.
  8. Several comments from think tanks or research institutes (e.g., MedPAC, Pew Charitable Trust) comment on the uncertainty of the savings for beneficiaries, and the likelihood of increased costs for the Medicare program under the proposed changes, and suggest alternative strategies that would more directly address high prescription drug prices.
  9. A lot of comments raised the resulting uncertainty for value based arrangements, which almost by definition require retrospective changes in pricing (e.g., pricing depends on whether the product has or has not met the value proposition being tested).
  10. Many comments noted the harm that will result for the Medicaid program because out of pocket costs of Medicaid beneficiaries are usually low, fixed payments, but plans and the state do depend on rebates to lower overall costs.
  11. Some comments hinted at the potential legal theories that will be used to challenge the final rule—but especially whether the rule conflicts with the “non-interference” statute that Congress adopted to prevent the agency from controlling price negotiations between manufacturers and Part D plans.

Last week the Centers for Medicare & Medicaid Services (CMS) announced significant policy changes for Medicare Advantage (MA) and Part D programs. On April 1, 2019, CMS released the calendar year 2020 Rate Announcement and Call Letter, and on April 5, 2019, CMS released the unpublished version of a final rule revising the MA and Part D program regulations for 2020 and 2021 (scheduled to be published April 16, 2019). These documents include many important policy changes for MA plans—including opportunities to offer broadened supplemental benefits packages and expanded telehealth services.

Supplemental Benefits for the Chronically Ill

Traditionally, CMS has interpreted section 1853(a) of the Social Security Act to allow MA plans to offer supplemental benefits (items or services not covered by original Medicare) when they are “primarily health related,” offered uniformly to all enrollees, and result in the MA plan incurring a non-zero direct medical cost. “Primarily health related” means an item or service that is “used to diagnose, compensate for physical impairments, acts to ameliorate the functional/psychological impact of injuries or health conditions, or reduces avoidable emergency and healthcare utilization.” For 2019, CMS introduced new flexibility into the uniformity requirement by allowing MA plans to offer supplemental benefits to some—but not all—vulnerable enrollees.

In the Bipartisan Budget Act of 2018, Congress amended section 1852(a) of the Social Security Act to allow MA plans to offer chronically ill enrollees supplemental benefits that are neither primarily health related nor uniformly offered. As amended, a chronically ill enrollee is an individual who: (i) has “one or more comorbid and medically complex chronic conditions that is life threatening or significantly limits the overall health or function of the enrollee;” (ii) has a “high risk of hospitalization or other adverse health outcomes;” and (iii) requires “intensive care coordination.” Congress also specified that supplemental benefits must provide a reasonable expectation of improving or maintaining a chronically ill person’s health or overall functioning before they can be offered.

CMS will allow MA plans to offer supplemental benefits to individuals identified by their plan as meeting the statutory definition of chronically ill beginning in 2020. Supplemental benefits may include (but are not limited to) meal delivery, transportation for non-medical needs, pest control, indoor air quality equipment and services, benefits to address social needs, and structural improvements such as ramps or the widening of hallways. Initially, CMS will consider any enrollee with a chronic condition described in section 20.1.2 of Chapter 16b of the Medicare Managed Care Manual to qualify as having a “comorbid and medically complex” condition as required by statute. A technical advisory panel will be formed to periodically update this list for future years. MA plans will have broad discretion to determine which supplemental benefits provide a reasonable expectation of improving or maintaining a chronically ill person’s health.

Expanded Telehealth Services

Historically, telehealth services were only available through original Medicare to seniors living in rural areas. That changed this year when seniors living in urban and rural areas gained the option to pay for virtual check-ins with their doctors.

Compared to original Medicare, MA plans have always had the ability to offer comparatively more telehealth services to enrollees through supplemental benefits packages. The Bipartisan Budget Act of 2018 created new section 1852(m) of the Social Security Act, which empowers MA plans to offer “additional telehealth benefits” as part of their basic Medicare benefits package, rather than solely as a supplemental benefit. The statute limits these additional telehealth benefits to those available through Medicare Part B.

In the final rule released last week, CMS leveraged this new statutory authority to grant MA plans broader flexibility around telehealth services. Beginning in 2020, MA plans can offer Part B telehealth benefits as part of their basic benefits package. Plans cannot replace in-person visits with telehealth visits—if a plan offers a Part B service as an additional telehealth benefit, it must provide access to the service through in-person visits as well. Additionally, MA plans can continue to offer supplemental telehealth benefits for services that don’t qualify for this expanded coverage because they aren’t covered under Part B or original Medicare.

This push for more access to telehealth services reflects CMS’s intent to foster more innovation and competition in MA plans’ offerings. CMS expects this flexibility to result in more plans offering expanded telehealth services, regardless of what part of the country enrollees live in.

*             *             *             *             *

Additional rulemaking finalizing proposed changes to protected classes of drugs and potential flexibility for MA plans using prior authorization and step therapy for Part B drugs is expected soon. Further guidance regarding proposed changes to the rebate safe harbor also will arrive in the coming months. Stay tuned for future updates and analysis.


In Gresham v. Azar, United States District Court for the District of Columbia Judge James E. Boasberg “[found] its guiding principle in Yogi Berra’s aphorism, ‘It’s déjà vu all over again.’” No. CV 18-1900 (JEB), 2019 WL 1375241, at *7 (D.D.C. Mar. 27, 2019). In striking down the Department of Health and Human Services (“HHS”) approval of Arkansas’s Medicaid work requirements as “arbitrary and capricious,” Judge Boasberg noted that the agency’s failures were “nearly identical” to those in Stewart v. Azar I, 313 F.Supp.3d 237, 243 (D.D.C. 2018), where he vacated the agency’s approval of Kentucky’s Medicaid work requirements back in June 2018. The same day the Court issued Gresham, Judge Boasberg declared “[t]he bell now rings for round two” and again vacated Kentucky’s Medicaid work requirements, finding the agency’s reapproval “arbitrary and capricious” in Stewart v. Azar II. No. CV 18-152 (JEB), 2019 WL 1375496, at *1 (D.D.C. Mar. 27, 2019).

Under Section 1115 of the Social Security Act, HHS may approve a state’s waiver application and allow a state to waive certain Medicaid program requirements. Such waivers include “experimental, pilot, or demonstration project[s]” that “in the judgment of the Secretary, [are] likely to assist in promoting the [Medicaid Act’s] objectives.” 42 U.S.C. § 1315(a). In March 2017, Seema Verma, the Administrator for the Centers for Medicare & Medicaid Services (“CMS”), along with HHS Secretary at the time, Thomas Price, sent a letter to state governors clarifying the agency’s “intent to use existing Section 1115 demonstration authority to review and approve” Medicaid work requirements. Heeding this call, the governor of Kentucky applied for a Section 1115 waiver to implement an experimental program which includes work requirements as a condition of Medicaid coverage. Under these work requirements, many adults must complete 80 hours of employment or other qualifying activities every month or lose their Medicaid coverage. These requirements primarily target the Medicaid expansion population (individuals who obtained coverage after states expanded eligibility under the Affordable Care Act). Arkansas’ program—which took effect last June as the first work requirements in the history of Medicaid—is substantially similar to the Kentucky program. The Kentucky work requirements had yet to take effect.

Plaintiffs in both cases sued the Secretary of HHS arguing that HHS’s approval of these new work requirements violated the Administrative Procedure Act (“APA”). More specifically, Plaintiffs argued that the Secretary’s conclusion that the Arkansas and Kentucky Medicaid work requirements were “likely to assist in promoting the [Medicaid Act’s] objectives” was arbitrary and capricious. The Court agreed. Just as it had ruled in Stewart I, in Gresham, the Court explained that “the Secretary’s approval of the Arkansas [work requirements] is arbitrary and capricious because it did not address — despite receiving substantial comments on the matter — whether and how the project would implicate the ‘core’ objective of Medicaid: the provision of medical coverage to the needy.” Gresham, 2019 WL 1375241, at *12. The Court reached the same conclusion regarding the Secretary’s reapproval of the Kentucky program. This time around, Kentucky posited a new argument: “although [Kentucky’s work requirements] may cause nearly 100,000 people to lose coverage, that number will be dwarfed by the approximately 450,000 people who would suffer that fate if Kentucky ends its coverage entirely of those who have joined the Medicaid rolls via the Affordable Care Act, as it has threatened to do if this project is not approved.” Stewart II, 2019 WL 1375496 at *1. The Court rejected this fiscal-sustainability argument because, taken to its logical extreme, “any waiver would be coverage promoting compared to a world in which the state offers no coverage at all . . . Could a state decide it did not wish to cover pregnant women? The blind? All but 100 people currently on its Medicaid rolls? The Secretary offers no reason that his position would not allow for any of those results.” Id. at *19.

HHS approved Medicaid work requirement waivers in six other states: Arizona, Wisconsin, Michigan, Indiana, Ohio, and New Hampshire. A challenge to the New Hampshire requirements was filed on March 20, 2019. Philbrick v. Azar, No. CV 18-00773 (JEB). Seven other states already submitted work requirement waiver applications. Judge Boasberg’s twin rulings last week do not directly impact any other states’ programs. But given these opinions, plaintiffs in other states may be emboldened to challenge their state’s Medicaid work requirements. Because each suit would involve an APA challenge to HHS approval of such work requirements, plaintiffs can continue filing suit in the United States District Court for the District of Columbia. In fact, as did the plaintiffs in Gresham, the plaintiffs in the recently filed New Hampshire case, Philbrick, designated their case as a “related case” to Stewart I because it “involve[es] common issues of fact.”  Sure enough, that case has been assigned to Judge Boasberg.  It thus appears it will continue to be “déjà vu all over again” for Judge Boasberg. Consequently, this issue is unlikely to be finally resolved until it reaches the United States Court of Appeals for the District of Columbia Circuit, and possibly even the Supreme Court.


On March 22, 2019, CMS issued new guidance to State Medicaid Directors on implementation of the 2014 Home and Community Based Services (HCBS) rule. The 2014 HCBS rule required states to scrutinize facilities, including assisted living facilities or group homes, receiving HCBS funding to make sure they met certain standards. The 2014 rule aimed to define the characteristic of “community based” to move these settings and facilities away from the qualities of an “institution.” In May of 2017, CMS delayed implementation of the rule and, in response to concerns regarding the transition process, a three-year extension was granted. The transition period for states to ensure provider compliance with the criteria for settings in which a transition period applies has now been extended to March 17, 2022, during which states may work with all existing HCBS providers to complete their remediation and be validated as fully complying with the settings criteria. Not meeting these standards could mean loss of Medicaid funding.

The new CMS guidance, issued as an FAQ, defines a setting that is isolating individuals as a facility that limits any opportunities for patients and residents to interact with the broader community. Certain settings are presumed under the regulations to have the qualities of an institution:

  • Settings that are located in a building that is also a publicly or privately operated facility that provides inpatient institutional treatment;
  • Settings that are in a building located on the grounds of, or immediately adjacent to, a public institution; and
  • Any other settings that have the effect of isolating individuals receiving Medicaid home and community-based services (HCBS) from the broader community of individuals not receiving Medicaid HCBS.

In this FAQ, CMS removed specific examples of settings that would automatically be identified as institutional due to isolation, and will now take the following factors into account when determining whether a setting isolates HCBS beneficiaries from the broader community:

  • Due to the design or model of service provision in the setting, individuals have limited, if any, opportunities for interaction in and with the broader community, including with individuals not receiving Medicaid-funded HCBS;
  • The setting restricts beneficiary choice to receive services or to engage in activities outside of the setting; or
  • The setting is physically located separate and apart from the broader community and does not facilitate beneficiary opportunity to access the broader community and participate in community services, consistent with a beneficiary’s person-centered service plan.

States are free to identify additional factors other than those provided by CMS. When a setting is presumed to have institutional qualities, the setting may be approved to continue providing Medicaid HCBS through a process called “heightened scrutiny.” The new guidance also clarifies this “heightened scrutiny” process, under which a state provides evidence to CMS to demonstrate that a facility or setting meets the HCBS criteria so that it may continue receiving Medicaid funding. Other changes included in the guidance are flexibility to allow states to minimize additional review by CMS (including the ability for CMS to conduct sampling), clarifying requirements for state comment with regard to presumptively institutional settings, and explaining that private residences where individuals receive Medicaid funded services are assumed to comply, and those settings which do not receive HCBS funding are exempt from these regulatory requirements entirely.

C&M Health Law by Jodi G. Daniel And Amber Mulcare - 6M ago

In order to move health care organizations towards consistency in mitigating important cybersecurity threats to the health care sector, the Department of Health & Human Services (HHS) published multiple guidance documents on best practices for health care organizations to reduce cybersecurity risks (“HHS Cyber Guidance”). The HHS Cyber Guidance is the result of HHS’ public-private partnership with more than 150 cybersecurity and health care experts. While compliance is voluntary, this guidance serves as direction to health care entities on important practices that should be considered and implemented to reduce risk.

Why HHS has published this guidance

In 2015, Congress called for “Aligning Health Care Industry Security Approaches,” in Section 405(d) of the Cybersecurity Act of 2015 (CSA). As a result, the 405(d) Task Group was created, bringing together private members of the health care and cybersecurity industry with government agency representatives. Beginning in May 2017, the Task Group focused on developing a framework of voluntary, consensus-based principles and practices to provide health care entities with a better understanding of cybersecurity risks and mitigation strategies. The HHS Cyber Guidance notes that cyber attacks are becoming increasingly sophisticated and widespread and that cyber attacks on health care organizations can affect critical functions and expose patient health information and may lead to substantial financial costs and potential patient safety risks.

HHS notes that cybersecurity is increasingly top of mind for health care organizations. The publication states that 4 in 5 U.S. physicians have experienced some form of cybersecurity attack and the cost of a health care breach is currently $408 per record—the highest cost across all industries. Health care organizations have much to lose if they fall victim to a cyber attack—for example, a recent ransomware attack cost a hospital $17,000 and operational control after the hacker froze all computer systems, effectively halting all health care delivery by requiring the hospital to transfer all patients and resort to paper medical records. Health care organizations can be subject to regulatory enforcement actions after data breaches or could lose their electronic medical record systems altogether.

This Guidance marks continued agency focus on cybersecurity threats to health care organizations and an interest in improving security and safety in health care delivery. In the last year, FDA proposed guidance regarding postmarket management of cybersecurity in medical devices, as well as guidance for those submitted for premarket review.

What is in the HHS Cyber Guidance

The HHS Cyber Guidance includes an overview document aimed at health care organizations of all sizes, titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HICP identifies five of the “most relevant and current threats to the industry” and provides cybersecurity practice recommendations consistent with the NIST Cybersecurity Framework. Two technical volumes, intended for IT and/or IT security professionals, provide guidance for small, medium, and large health care organizations on developing strong cybersecurity practices. The publication also includes resources and templates that end users may reference. A “Cybersecurity Practices Assessments Toolkit” has not yet been released, but interested stakeholders may request an advance copy.

Threats and Mitigation Practices

The HICP document identifies five of the “most relevant and current threats to the industry”:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

In response, the Task Group outlines cybersecurity practice recommendations that are consistent with the NIST Cybersecurity Framework. The NIST Framework documents practices that entities should employ during a cyber incident using the typical phases of an incident lifecycle. NIST practices fall within one of the five phases: Identify, Protect, Detect, Respond, and Recover.

The document further provides ten practice recommendations, with 88 sub-practices. The ten practice recommendations include:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

Recommendations for the number of sub-practices that an organization should implement are dependent on the attributes and size of the organization. Small health care organizations are recommended to implement 19 or more sub-practices, medium organizations 36 or more, and large organizations should attempt to implement all 88. The task group acknowledges the difficulties that organizations may face in implementing the practices, but provides a step-by-step threat assessment tool in the resource documents to allow health care organizations to identify the threats that they may be most vulnerable to.

The Task Group notes that it was not feasible to address all threats or mitigations and that the publication is the first step in an iterative and ongoing process. As new threats and technologies emerge, it is anticipated that health care organizations will need updated information to guard against future cyber threats. HHS plans to work with stakeholders in the coming months to assist with implementation of the practices; however, Deputy Secretary Eric Hargan notes that HHS will continue to partner with the industry to address cybersecurity challenges and asks anyone interested in joining the 405(d) Task Group to contact the team at CISA405d@hhs.gov.

Health care organizations should review the guidance and take an opportunity to discuss the Task Group’s recommendations and determine next steps in implementing the cybersecurity practices. For more information, please contact Jodi Daniel (jdaniel@crowell.com).


WANT TO KNOW HOW THE DOJ’S BRAND MEMO MAY GIVE HEALTH CARE CONTRACTORS A NEW AVENUE OF DEFENSE IN FCA LITIGATION? READ “DOJ: PUTTING LIMITS ON GUIDANCE” TO FIND OUT

Crowell & Moring has issued its seventh-annual “Litigation Forecast 2019: What Corporate Counsel Need to Know for the Coming Year.” 

The health care section of the Forecast, “DOJ: Putting Limits On Guidance,” outlines how the DOJ’s Brand Memo may give health care contractors a new avenue of defense in FCA litigation, but how it will be interpreted is still unclear.

There is also an interesting discussion of how companies and law firms are leveraging technology to improve their legal operations and litigation strategy in the cover story, “Welcome to Your New War Room: How Technology Is Finding Its Way into Litigation Case Strategy.” It features interviews with in-house counsel at Cisco, Humana, United Airlines, and Lex Machina and discusses how technology is streamlining the collection and analysis of information to aid “data-driven” decision making along the continuum of litigation.

Be sure to follow the conversation on social media with #LitigationForecast.

C&M Health Law by William Chang And Spencer Churchill - 7M ago

On Nov. 29, 2018, Deputy Attorney General Rod J. Rosenstein announced several amendments to policies on individual accountability set forth in the 2015 Yates Memo. As a result, companies facing FCA actions—especially defendants in health care cases—should consider following three strategy tips:  (1) Establish clear benchmarks for cooperation.  (2) Advocate for individual releases.  And (3) Emphasize that litigation costs outweigh the potential recovery in appropriate cases.

To learn more please read this Bloomberg BNA article written by Partner William S.W. Chang and Associate Spencer Churchill.

C&M Health Law by David Mcfarlane, Meredith Parnell A.. - 7M ago

On January 1, 2019, portions of the U.S. Department of Labor’s (DOL) Final Rule expanding the availability of Association Health Plans (AHPs) went into effect. AHPs allow small businesses to band together and negotiate better deals when buying insurance for their members.

The partial government shutdown hasn’t slowed the raging debate over how states are to implement the DOL’s final rule. On December 28, 2018, a federal judge ordered litigation concerning the rule to continue despite the shutdown.

States have reacted to the final rule in dramatically divergent ways. Some states believe that AHPs will make it finally possible for small employers to offer affordable healthcare options for their employees. Other states worry that AHPs will destabilize the individual insurance marketplace. They predict that healthy people will join AHPs because they are less expensive than other insurance options, and this shift will leave sicker people in a smaller pool with higher premiums.  

AHPs Possible Because of a Broader Definition of “Employer”

To increase the availability of AHPs, the Final Rule adopts a new definition of “employer” under the Employee Retirement Income Security Act of 1974 (ERISA), for purposes of determining when employers can join together to form an AHP that is treated as a group health plan under ERISA. The new definition of employer now includes sole proprietors with no employees.

As previously noted, in order to be considered an employer under ERISA traditionally, an association was required to have a bona fide economic or other common purpose other than offering health coverage. The Final Rule now provides that an association need only share a “commonality of interest” which can be satisfied on the basis of common geography or industry or line of business or profession. Further, the principal purpose of the association may be to provide members with insurance.

An association must additionally have at least one “substantial business purpose,” such as holding conferences, offering classes or educational materials, or promoting common business or economic interests to qualify. When an association is treated as an employer under ERISA, it can be regulated as a large group health plan. As a large group health plan, an AHP does not have to comply with many of the ACA’s most significant consumer protections, such as the law’s rating rules and essential health benefits.

Some States Enthusiastic About AHPs

Proponents of AHPs argue that their flexibility is necessary for organizations to provide meaningful health coverage to small employers and self-employed individuals.

On August 31, 2018, the New Hampshire Insurance Department announced plans to convene a working group of stakeholders to develop legislation that will set clear standards for AHPs sold in the state. New Hampshire also released guidance clarifying that insurance coverage issued to small employer association members cannot be treated as large employer coverage for ERISA purposes.

Iowa has also proactively embraced AHPs. In anticipation of the federal rule, the Iowa Legislature granted the Iowa Insurance Commissioner emergency rule-making authority over AHPs. This authority allows rules to become effective prior to public participation in the rulemaking process. On September 6, 2018, the Iowa Insurance Division used this power to adopt Rule 4040C, which allows AHPs to form in the state. Rule 4040C builds upon a state law passed on April 2, 2018 to allow small groups and agricultural associations to create AHPs.

AHPs are already forming in these and several other states, such as Wisconsin and Nevada. Many states have issued non-binding guidance documents to clarify their understanding of when state law is and is not preempted by the federal rule, including Connecticut, Idaho, Louisiana, Maryland, Illinois, and Michigan.

Other States Move to Tightly Regulate AHPs

Critics of AHPs argue that the DOL’s final rule will result in a vast expansion of associations that qualify as single, large employers capable of evading core ACA protections. For example, while AHPs that cover employers with at least 15 employees have to offer essential health benefits like maternity coverage, now smaller businesses that buy AHPs will be exempt from that requirement. Whether or not states have the power to mandate that AHPs comply with stricter state laws is an open question. Several states have asserted their power to regulate AHPs, and intend to do so until the federal government forces them to stop.

Pennsylvania has taken the position that AHPs must comply with state laws and the ACA. During the federal rulemaking process, the Pennsylvania Insurance Department expressed concern that AHPs will be used to skirt the ACA’s coverage requirements for essential health benefits and prescription drugs, and will destabilize the individual marketplace. Businesses with just one employee are not eligible for AHPs in Pennsylvania and must instead buy insurance on the individual market. Additionally, the Commonwealth requires that an association be active for two years before offering a plan.

Like Iowa, the Vermont Legislature gave the Department of Financial Regulation the power to enact emergency rules to regulate AHPs. On August 1, 2018, the state used this power to file an emergency rule to require associations to be licensed annually by the state. The rule, effective immediately, prohibits AHPs from restricting coverage based on pre-existing conditions or demographic information and requires AHPs to offer coverage of essential health benefits to all people and dependents in the association. Vermont (and Connecticut) also increased their minimum coverage requirements for association health plans.

On September 22, 2018, California’s Governor signed into law legislation that prohibits sole proprietors, partners, and spouses of sole proprietors and partners from participating in AHPs. Other states may soon follow.

Eleven States and the District of Columbia Challenge AHPs in Court

Last summer, state attorneys general from eleven states and the District of Columbia filed a lawsuit against the Department of Labor challenging the Final Rule on the grounds that expanding the definition of employer is inconsistent with the ACA and ERISA, a violation of the Administrative Procedure Act. (State of New York et al. v. United States Department of Labor et al.) The suit, led by New York, alleges that the final rule was an arbitrary and capricious effort to override the market structure established by the Affordable Care Act. New York is joined by Massachusetts, the District of Columbia, California, Delaware, Kentucky, Maryland, New Jersey, Oregon, Pennsylvania, Virginia, and Washington.

The suit has attracted significant outside support and opposition. The American Medical Association and a group of Democratic lawmakers submitted comments in support of the lawsuit and in opposition to the DOL’s rule. The U.S. Chamber of Commerce, attorneys general for Texas, Nebraska, Georgia and Louisiana, the Restaurant Law Center, and a coalition of 23 organizations that represent over one million small employers have submitted amici briefs in support of DOL’s rule.

The lawsuit makes four claims. First, the states claim that treating self-employed individuals with no other employees as an employer capable of being in an association of employers creating an AHP is contrary to ERISA’s statutory definition of an employer, which is an entity “with two or more employees.” 42 U.S.C. § 300gg-91(g)(6). Second, the states argue that the final rule’s loose standard of what constitutes a “commonality of interest” (which may be satisfied where the main purpose of the association is merely to sell insurance) is insufficient to meet the established commonality test under ERISA. Third, the states allege that treating AHPs comprised of small employers as “large employers,” but not necessitating that they meet the coverage requirements mandated of large employers through the shared responsibility protection – which requires any company that has at least 50 full-time employees to offer full-time employees the opportunity to enroll in minimum essential coverage under an eligible employer-sponsored plan – violates the ACA. Lastly, the states argue that the DOL failed to take into account the stark history of fraud and abuse when drafting the Final Rule and exceeded its statutory authority in changing the definition of AHPs. The DOL has since filed its answer, and has been ordered by Judge Castel to produce discovery material requested by the States. A joint appendix highlighting documents relevant to the litigation is due January 2, 2019.

Time will soon tell which state strategies result in more affordable health care for state residents. For recent Crowell & Moring client alerts on AHPs see: Running with Scissors – and Association Health Plans and The New Wave of ACA Waivers.
