CY 2019 Medicare Part C and D policy changes and updates finalized

CMS has issued a Final rule making revisions to the Medicare Advantage (MA) (Part C) and prescription drug benefit (Part D) programs based on its continued experience in the administration of these programs and to implement certain provisions of the Comprehensive Addiction and Recovery Act of 2016 (CARA) (P.L. 114-198) and the 21st Century Cures Act (P.L. 114-255). The major provisions of the Final rule include: (1) the implementation of the CARA provisions governing the establishment of drug management programs, (2) revisions to timing and method of disclosure requirements for MA and Part D plans, and (3) preclusion list requirements for prescribers in Part D and individuals and entities in MA, cost plans, and Programs of All-Inclusive Care for the Elderly (PACE) (Final rule, 83 FR 16440, April 16, 2018).

On November 28, 2017, CMS published the Proposed rule (see Proposed CY 2019 Part C and D changes address opioid misuse and numerous other policy concerns, Health Law Daily, November 17, 2017). While this Final rule finalizes several of the provisions from the Proposed rule, there are a number of provisions from the Proposed rule that CMS intends to address later and a few that it does not intend to finalize. These provisions are discussed in the Final rule.

CARA provisions

CARA includes new authority for Part D plans to establish drug management programs effective on or after January 1, 2019. This Final rule establishes a framework under which Part D plan sponsors may establish a drug management program for beneficiaries at risk for prescription drug abuse or misuse, or “at-risk beneficiaries.” Specifically, under drug management programs, Part D plans will engage in case management of potential at-risk beneficiaries, through contact with their prescribers, when such a beneficiary is found to be taking a specific dosage of opioids or obtaining them from multiple prescribers and multiple pharmacies who may not know about each other. After case management with the prescribers, sponsors may then, for the safety of the enrollee, limit at-risk beneficiaries’ access to coverage of controlled substances that CMS determines are “frequently abused drugs” to selected prescribers or network pharmacies.

CMS also limits the use of the special enrollment period (SEP) for dually- or other low income subsidy (LIS)-eligible beneficiaries by those LIS-eligible beneficiaries who are identified as at-risk or potentially at-risk for prescription drug abuse under such a drug management program. Finally, these provisions will codify the current Part D Opioid Drug Utilization Review (DUR) Policy and Overutilization Monitoring System (OMS) by integrating this current policy with drug management program provisions.

The purpose of these CARA drug management program provisions is to create a lock-in status for certain at-risk beneficiaries. In addition to the benefits of preventing opioid and benzodiazepine dependency in beneficiaries, CMS estimates, in 2019, a reduction of $19 million in Trust Fund expenditures because of reduced opioid scripts. This $19 million reduction modestly increases to a $20 million reduction in 2023.

Timing and method of disclosure requirements

CMS is finalizing changes to align the MA and Part D regulations in authorizing CMS to set the manner of delivery for mandatory disclosures in both the MA and Part D programs. CMS will use this authority to allow MA plans to meet the disclosure and delivery requirements for certain documents by relying on notice of electronic posting and provision of the documents in hard copy when requested, when previously the documents, such as the Evidence of Coverage (EOC), had to be provided in hard copy. CMS is also changing the timeframe for delivery of the MA and Part D EOC to the first day of the Annual Election Period (AEP), rather than 15 days prior to that date.

Allowing MA and Part D plans to provide the EOC electronically will alleviate plan burden related to printing and mailing and reduce the number of paper documents that enrollees receive from plans. In addition, changing the date by which plans must provide the EOC to enrollees will (1) allow plans more time to finalize the formatting and ensure the accuracy of the information in the EOC, and (2) separate the mailing and receipt of the EOC from the Annual Notice of Change (ANOC), which describes the important changes in a patient’s plan from one year to the next.

CMS estimates that 67 percent of the current 47.8 million beneficiaries will prefer use of the internet versus hard copies. This will result in a savings to the industry of $54.7 million each year, 2019 through 2023, due to a reduction in printing and mailing costs.

Preclusion list requirements for prescribers and providers

The Final rule rescinds the current regulatory requirement that prescribers of Part D drugs and providers of MA services and items must enroll in Medicare in order for the drug, service, or item to be covered. Instead, a Part D plan sponsor will be required to reject, or require its pharmacy benefit manager to reject, a pharmacy claim for a Part D drug if the individual who prescribed the drug is included on the “preclusion list.” Similarly, an MA service or item will not be covered if the provider that furnished the service or item is on the preclusion list.

The preclusion list will consist of certain individuals and entities that are currently revoked from the Medicare program under 42 CFR sec. 424.535 and are under an active reenrollment bar, or have engaged in behavior for which CMS could have revoked the individual or entity to the extent applicable if they had been enrolled in Medicare, and CMS determines that the underlying conduct that led, or would have led, to the revocation is detrimental to the best interests of the Medicare program.

CMS estimates that for 2019, the preclusion list provision will save providers $34.4 million. For 2020 and future years, there will be no savings. The $34.4 million in savings to providers arises because of removal of the requirement of MA providers and suppliers and Part D prescribers to enroll in Medicare as a prerequisite for furnishing health care items and services. Part C providers and suppliers will save $24.1 million in reduced costs while Part D providers will save $10.3 million in reduced costs.

Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency for most of the staff to be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the third party's lack of familiarity with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and agile enough to address emerging issues. However, it is easy for staff to ignore, and therefore it is hard to assess effectiveness.

Training tips. Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and reoccurring elements. The goals of testing, according to Snyder, should ensure that cybersecurity procedures are known and understood, are effective, guarantee compliance, and identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

New law stops potential criminalization of EMS ‘standing orders’ for timely controlled-substance use

A new bipartisan law, the Protecting Patient Access to Emergency Medications Act of 2017, P.L. 115-83, signed by President Trump on November 17, 2017, amends the Controlled Substances Act (CSA) (P.L. 91-513) to clarify that emergency medical services (EMS) professionals (including nurses, paramedics, and emergency medical technicians) are able to continue administering controlled substances (contained in schedules II, III, IV, or V), such as pain narcotics and anti-seizure medications, to critical patients pursuant to standing (written medical protocol) or verbal (oral directive) orders when authorized by state law (Protecting Patient Access to Emergency Medications Act of 2017, P.L. 115-83, enacted November 17, 2017).

It has been a long-standing practice for medical directors of EMS agencies to write standing orders for the administration of controlled substances by EMS professionals. As reported by Emergency Physicians Monthly, in a January 2015 meeting with the National Association of EMS Physicians (NAEMSP) Executive Committee to discuss possible EMS regulations, the Drug Enforcement Administration (DEA) stated its position that the CSA only allows for patient-specific orders for controlled substances and that it is illegal for EMS agencies to deliver any controlled substances under written medical protocols or standing orders. Therefore, absent this new legislation, it was the position of the DEA that any regulations concerning EMS agencies would be required to prohibit the continued use of standing orders for EMS professionals.

The law also allows EMS agencies the option of having a single DEA registration in each state where the EMS agency administers controlled substances, in lieu of requiring a separate registration for each location of the EMS agency within the state, as long as certain transportation, storage, re-stocking, and recordkeeping rules for controlled substances are followed by the EMS agency. The act further provides that a hospital-based EMS agency may use the DEA registration of the hospital to administer controlled substances without an additional registration of its EMS agency.

The law was introduced as H.R. 304 in the House of Representatives by Reps. Richard Hudson (R-NC) and G.K. Butterfield (D-NC). The Senate version, S. 916, was introduced by Sens. Bill Cassidy (R-La) and Michael Bennet (D-Colo). H.R. 304 initially passed the House by a vote of 404-0 on January 9, 2017. It passed the Senate, as amended, by unanimous consent, on October 24, 2017.

New York dietary supplement maker accused of failing to comply with cGMP regulations

At the request of the FDA, the U.S. Department of Justice filed a civil complaint against Riddhi USA Inc. of Ronkonkoma, New York, and its owner and President Mohd M. Alam, to enjoin the distribution of adulterated and misbranded dietary supplements. The complaint alleges that Riddhi and Alam prepared, packed, and held dietary supplements under conditions that failed to comply with the FDA’s current good manufacturing practice (cGMP) regulations for these products.

According to the complaint, the FDA inspected the Riddhi facility in January 2017 and found numerous significant deviations from cGMP regulations, including a failure to: (1) establish product specifications for identity, purity, strength, and composition of their finished dietary supplements; (2) conduct at least one appropriate test to verify the identity of a dietary ingredient; and (3) establish and follow written procedures for quality control operations.

The complaint further alleges that many of the cGMP deviations were the same as those observed by the FDA during a previous inspection that occurred in January 2016. The complaint notes that on April 27, 2016, the FDA issued a warning letter detailing violations of cGMP regulations observed during the 2016 inspection and that these violations are the same as those observed during the FDA’s subsequent 2017 inspection.

The complaint also alleges that the dietary supplements were misbranded under the labeling provisions of the federal Food, Drug & Cosmetic Act (FDC Act) (21 U.S.C. §301 et seq.) because the products are fabricated from two or more ingredients but fail to declare any ingredients on their product labels or labeling. Specifically, the complaint alleges that the dietary supplement Neuroxygen is misbranded because it is manufactured using soy lecithin, which contains “soy,” but soy is not listed on the product label. The complaint also alleges that the products Prenatal Formula, Osteo Gest, Neuroxygen, Inflam-Ease, and All-Ease are misbranded because their label or labeling fails to declare the place of business of the manufacturer, packer, or distributor.