Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 Final rule (78 FR 5566), which strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) insuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that makes use of (1) HHS Office of Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) that sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives though the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

More choices and lower premiums available for MA and PDPs in CY 2018

As calendar year (CY) 2018 approaches, CMS reports that both the Medicare Advantage (MA) and the Part D prescription drug plan (PDP) programs continue to grow, currently providing care and services to more than one-third of Medicare beneficiaries. CMS also reports that the average monthly premium for an MA plan will decrease, enrollment in MA is projected to reach an all-time high, and premiums for a basic PDP will fall for the first time since 2012.

Earlier this year, CMS announced new policies in the 2018 Rate Announcement and Final Call Letter that support flexibility, efficiency, and innovative approaches that are designed to improve quality accessibility and affordability in MA and PDP programs.

MA program data

CMS data provides the following information regarding the MA program for CY 2018:

  • MA enrollment is projected to be an all-time high of 20.4 million beneficiaries, representing a 9-percent (1.7 million) increase from 18.7 million in CY 2017.
  • MA average monthly premiums will decrease by $1.91 to $30.
  • 99 percent of Medicare beneficiaries will have access to at least one MA health plan in their area.
  • More than 85 percent of Medicare beneficiaries will have access to 10 or more MA plans.
  • The average number of MA plan choices per county will increase by two plans—up to approximately 29 plan choices per county.
  • Access to popular supplemental benefits, such as dental, vision, and hearing, continues to grow in MA plans.
  • Approximately 77 percent of MA enrollees in 2017 will have the same or lower premium in 2018 if they continue in the same plan.

PDP program data

CMS projects that the average monthly premium for a basic Medicare PDP in CY 2018 will decrease by $1.20 to an estimated $33.50 per month. CMS also reports that all Medicare beneficiaries will have access to at least one stand-alone Medicare PDP.

Medicare Open Enrollment improvements

CMS is announcing several consumer-friendly improvements so that people with Medicare can make an informed choice between original fee-for-service Medicare and MA plans during open enrollment. These improvements include: (1) updating the “Medicare & You” handbook to better explain coverage options; (2) establishing a help wizard on Medicare.gov that will point to resources to help make informed health care decisions; and (3) establishing a new email communication opportunity to improve the customer service experience through important messages and reminders.

2018 MA and PDP premium, bid amount, related information released

Important 2018 Medicare Part D prescription drug plan (PDP) and Part C Medicare Advantage (MA) information for MA organizations and PDP sponsors has been announced by CMS. The information includes the average basic premium for a PDP, the Part D national average monthly bid amount, the Part D base beneficiary premium, the income-related monthly adjustment amount (IRMAA) for enrollees in PDPs who have incomes above certain threshold amounts, the Part D regional low-income premium subsidy amounts, the MA regional preferred provider organization (PPO) benchmarks, and the MA employer group waiver plan (EGWP) regional payment rates.

Average basic PDP premium

The average premium for 2018 is based on bids submitted by drug plans for basic drug coverage for the 2018 benefit year and calculated by the independent CMS Office of the Actuary. The average basic premium for a PDP in 2018 is projected to decline to an estimated $33.50 per month. This represents a decrease of approximately $1.20 below the actual average premium of $34.70 in 2017. The decline comes despite the fact that spending for the Part D program continues to increase faster than spending for other parts of Medicare, largely driven by spending on high-cost specialty drugs.

Part D national average monthly bid amount

CMS computes the national average monthly bid amount from the applicable Part D plan bid submissions in order to calculate the base beneficiary premium. The national average monthly bid amount is a weighted average of the standardized bid amounts for each stand-alone PDP and MA prescription drug plan (MA-PD). The calculation does not include bids submitted by Medicare medical saving account plans, MA private fee-for-service plans, specialized MA plans for special needs individuals, Program of All-Inclusive Care of the Elderly (PACE) programs, any “fallback” PDPs, and plans established through reasonable cost reimbursement contracts. The reference month for the 2018 calculation was June 2017. The national average monthly bid amount for 2018 is $57.93.

Part D base beneficiary premium

The base beneficiary premium is equal to the product of the beneficiary premium percentage and the national average monthly bid amount. Part D beneficiary premiums are calculated as the base beneficiary premium adjusted by the following factors: (1) the difference between the plan’s standardized bid amount and the national average monthly bid amount; (2) an increase for any supplemental premium; (3) an increase for any late enrollment penalty; (4) a decrease for MA-PDs that apply MA A/B rebates to buy down the Part D premium; and (5) elimination or decrease with the application of the low-income premium subsidy. The Part D base beneficiary premium for 2018 is $35.02. In practice, actual premiums vary significantly from one Part D plan to another and seldom equal the base beneficiary premium.

Income-related monthly adjustment amount (IRMAA)

If a beneficiary’s “modified adjusted gross income” is greater than the specified threshold amounts ($85,000 in 2018 for a beneficiary filing an individual income tax return or married and filing a separate return, and $170,000 for a beneficiary filing a joint tax return), then the beneficiary is responsible for a larger portion of the total cost of Part D benefit coverage. Therefore, in addition to the normal Part D premium paid to a plan, such beneficiaries must pay an IRMAA to the standard base beneficiary premium of $35.02 for 2018. Beneficiaries do not pay the IRMAA to the Part D plan; instead, IRMAAs are collected by the federal government.

Part D regional low-income premium subsidy amounts

Full low-income subsidy (LIS) individuals are entitled to a premium subsidy equal to 100 percent of the premium subsidy amount. A Part D plan’s premium subsidy amount is the lesser of the plan’s premium for basic coverage or the regional low-income premium subsidy amount (LIPSA). The 2018 regional LIPSAs are available through the CMS website.

MA regional PPO benchmarks

The standardized PPO benchmark for each MA region is a blend of: (1) a statutory component consisting of the weighted average of the county capitation rates across the region for each appropriate level of star rating; and (2) a competitive, or plan-bid, component consisting of the weighted average of all of the standardized A/B bids for regional MA PPO plans in the region. For 2018, the national weights applied to the statutory and plan-bid components are 66.5 percent and 33.5 percent, respectively.

Beginning in 2017, these benchmarks reflect the average bid component of the regional benchmark excluding EGWPs. The statutory and plan-bid components of the MA regional standardized benchmarks for 19 of the 26 MA regions are available from CMS. In the remaining seven MA regions, there are no regional MA plans.

MA regional EGWP payment rates

For detailed descriptions of the payment policy finalized for 2018 MA regional EGWP payment rates see the 2018 Advance Notice and Rate Announcement. The payment rates for Regional EGWPs are in the file Regional Rates and Benchmarks 2018 which can be accessed on the CMS website.

HHS Sec. Price: Trump’s FY 2018 budget does not ‘confuse spending with success’

On May 23, 2017, President Trump submitted his fiscal year (FY) 2018 budget proposal to Congress. The proposed budget contained the administration’s tax, spending, and policy proposals for FY 2018. The proposed budget was greeted with much criticism due to various program cuts (see $3.6T in cuts spells R-E-S-P-E-C-T in Trump budget, Health Law Daily, May 23, 2017). On June 8, 2017, HHS Secretary Price appeared before the House Ways & Means Committee and discussed the President’s proposals involving HHS programs.

Confusing spending with success

Because the President’s FY 2018 budget was met with so much criticism due to various program cuts, Price began by taking on that issue directly: “President Trump’s budget request does not confuse government spending with government success. The President understands that setting a budget is about more than establishing topline spending levels. Done properly, the budgeting process is an exercise in reforming our federal programs to make sure they actually work—so they do their job and use tax dollars wisely.”

Price continued: “The problem with many of our federal programs is not that they are too expensive or too underfunded. The real problem is that they do not work—they fail the very people they are meant to help. Fixing a broken government program requires a commitment to reform — redesigning its basic structure and refocusing taxpayer resources on innovative means to serve the people that the program is supposed to serve. And sometimes it requires recognition that the program is unnecessary because the need no longer exists or there are other programs that can better meet the needs of the people that the program was originally designed to serve.”

To emphasize this point, Price spoke directly about two federal programs, Aid to Families with Dependent Children and Medicaid.

Aid to Families with Dependent Children

According to Price, the Aid to Families with Dependent Children program undermined self-sufficiency and work. He applauded Congressional action that created the Temporary Assistance for Needy Families (TANF) program that promoted the empowerment of parents through work. He pointed out that TANF caseloads have declined by 75 percent through FY 2016. And that under the TANF program, the employment of single mothers increased by 12 percent from 1996 through 2000, and even after the 2008 recession, employment of single mothers is still higher than before welfare reform.

Medicaid

With regards to the Medicaid program, Price stressed that 20 years ago, annual government spending on Medicaid was less than $200 billion; and that within the next decade, that figure is estimated to top $1 trillion. Despite these investments, Price noted that: (1) one-third of doctors in America do not accept new Medicaid patients; and (2) research shows that enrolling in Medicaid does not necessarily lead to healthier outcomes for the newly eligible enrollee.

To illustrate the failure to achieve healthier outcomes, Price pointed to the results of an Oregon Health Insurance Study that replicated a randomized clinical trial by enrolling some uninsured people in Medicaid through a lottery. Comparing this population to those who remained without coverage, the data showed an increase in emergency room use for primary care, the probability of a diagnosis of diabetes, and the use of diabetes medication. The data also showed no significant effects on measures of physical health such as blood pressure, cholesterol, or average glycated hemoglobin levels (a diagnostic criterion for diabetes).

According to Price, “This mixed impact of Medicaid coverage on health outcomes suggests we need structural reforms that equip states with the resources and flexibility they need to serve their unique Medicaid populations in a way that is as compassionate and as cost-effective as possible.” This is what the President’s FY 2018 budget does, according to Price. It uses state innovation to save and strengthen Medicaid by unleashing state-level policymakers to advance reforms that are tailor-made to meet the unique needs of their citizens. Price estimates that over the next decade, these reforms will save American taxpayers $610 billion.

CHIP

Price further testified that the FY 2018 budget includes provisions to extend funding for the Children’s Health Insurance Program (CHIP). The budget would rebalance the federal-state partnership through a series of reforms, including ending the requirement under section 2001 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) that states move certain children from CHIP into Medicaid and capping eligibility at 250 percent of the federal poverty level to return the focus of CHIP to the most vulnerable and low-income children.

Health security and preparedness

Price affirmed HHS’ role as “the world’s leader in responding to and protecting against public health emergencies — from outbreaks of infectious disease to chemical, biological, radiological, and nuclear threats — and assisting the health care sector to be prepared for cyber threats.”

To support HHS’ public health emergency preparedness and response, Price noted that the President’s budget provides $4.3 billion for disaster services coordination and response planning, biodefense and emerging infectious diseases research, and development and stockpiling of critical medical countermeasures.

Key Public Health Priorities

In his testimony, Price described three new public health crises: (1) serious mental illness; (2) substance abuse, particularly the opioid abuse epidemic; and (3) childhood obesity. He stressed his commitment to these new challenges and noted that the President’s budget would:

  • invest $5 million in new funding authorized by the 21st Century Cures Act for Assertive Community Treatment for Individuals with Serious Mental Illness;
  • include a demonstration within the Children’s Mental Health Services program to test the applicability of new research from the National Institute of Mental Health on preventing or delaying the first episode of psychosis;
  • provide $811 million — an increase of $50 million above the FY 2017 continuing resolution — in support of HHS’ five-part strategy to combat the opioid epidemic; and
  • establish a new $500 million America’s HealthBlock Grant, which will provide flexibility for states and Tribes to implement specific interventions, including those designed to spur improvements in physical activity and the nutrition of children and adolescents, and to treat leading causes of death such as heart disease.

Women’s health services

Price also testified that the President’s budget would increase funding for the Maternal and Child Health Block Grant and Healthy Start to improve the health of mothers, children, and adolescents, particularly those in low-income families. The budget would also maintain funding for a variety of programs serving women, including, community health centers, domestic violence programs, women’s cancer screenings and support, mother and infant programs, and the Office on Women’s Health.