IT experts say foreign actors, human error biggest threats to health record security

Foreign hackers and human error are two of the most significant threats to protected health information (PHI) and other health records that providers and health care entities must prepare for, according to four information technology experts speaking at a conference sponsored by Becker’s Hospital Review. They all agreed that breaches and cyberattacks will continue, so health care institutions must be diligent about security systems, audits, training, insurance, and adequately responding to breaches to mitigate punishment and quickly recovery from an attack..

Weakest link 

Aaron Miri, chief information officer for Imprivita, and Michael Leonard, director at Commvault, both noted that regardless of the tools and systems put in place to ward off breaches, malware, ransomware, and other cybersecurity threats, people will always be the weakest link. Leonard noted that when it comes to an institution’s cybersecurity program, “people training has to be continuous and repetitive.”

Katherine Downing, senior director at the American Health Information Management Association (AHIMA), highlighted one type of “insider threat”—physicians who do work arounds that bypass the security features of electronic health record (EHR) systems (like texting PHI about patients to each other). Although David Miller, CEO of HCCIO Consulting, LLC, was blunter when asked what the biggest threat was to PHI and other health records—”Russia and China.”

Jurisdictions

Miri noted that providers must deal with a “wide disparity of laws” regarding the security and privacy of health information, not just federal and state laws, but, starting in May 2018, the General Data Protection Regulation (GDPR) issued by the European Union. The GDPR replaces a framework of different information security measures that mainly affected just European companies with a national network and information security strategy that will impact American life sciences and healthcare entities that collect and/or use any data concerning health, genetic data, or other types of protected health information (PHI).

Audits

Miller expressed amazement at how many health care institutions have not had a HIPAA audit in the previous two years. The HHS Office for Civil Rights (OCR) reviews organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules and looks for documentary proof that entities have conducted risk assessments and created and implemented policies and procedures governing areas including the shielding of PHI. Miller noted that providers must continually educate and re-educate staff on policies related to HIPAA. But he added that providers can also “take advantage of a breach situation to talk to senior management to increase security measures.”

Record retention

In addition to protecting PHI, health care entities have to make decisions about destroying records after record retention periods have ended. Katherine Downing, senior director at the American Health Information Management Association (AHIMA), noted that entities “can’t keep everything forever.” Downing noted that health care entities already have the expense of saving, backing up, and securing required health records; doing the same for older records that no longer have to be retained is just an added expense.

In the end, Miri noted that these are the questions that health care entities have to ask: What are they willing to spend to avoid a breach? What are they willing to risk regarding their reputations?

Medicaid block grants would pose challenges for states

If federal support for Medicaid was transformed into a block grant to states, with a per capita cap set by Congress, the impact would vary widely on different states, according to participants in a webinar sponsored by the Alliance for Health Reform. The webinar also focused on the reauthorization of the Children’s Health Insurance Program (CHIP) and state Medicaid waiver requests. The American Health Care Act (H.R. 1628) would transform the federal part of Medicaid into a block grant to states starting in 2020, with a per capita cap on spending. Also, it would roll back the enhanced federal spending for adult Medicaid beneficiaries newly eligible under the Affordable Care Act. (The legislation, which passed the House on May 4, has not yet been considered by the Senate.).

Current Medicaid challenges

Robin Rudowitz, associate director at the Kaiser Family Foundation, noted that certain states are at higher risk if federal funding for Medicaid is transformed into block grants with per capita caps. These states have challenging demographics, including higher populations of people with poor health status, high cost health markets, and limited ability to raise tax revenues. Tony Leys, a reporter with the Des Moines Register, noted that state Medicaid programs already struggle to cover expensive blockbuster drugs, such as those for treating hepatitis C. If the federal Medicaid payment was capped, Leys said, states would struggle to pay for the next blockbuster drug that comes along.

Per capita caps 

Chris Pope, senior fellow at the Manhattan Institute, noted that per capita caps do nothing to prevent future expansions of benefits or eligibility by future Congresses, and may be preferable to the long-term health of the Medicaid program rather than “letting the program continue on autopilot without any real scrutiny.” Hemi Tewarson, program director for the National Governors Association Center for Best Practices’ Health Division, noted, however, that because of the way most states have to prepare their annual budgets “if we were to introduce every year uncertainty around whether the per capita caps would be raised or lowered…that would throw a lot of chaos into state operations, not just impacting health care, but all the their programs they have to make decisions on.”

Pope said that it’s a political decision for states to maintain coverage for Medicaid enrollees if expansion funding from the federal government is rolled back. He added, “There is a substantial overlap between the Medicaid expansion population and the population that would be eligible for substantial subsidies at the bottom of the income distribution covered by the exchange.” These are people who would be eligible for basic insurance plans with capped out-of-pocket spending.

Leys noted that in Iowa, this would be difficult because the state is about to lose its last participating insurer in the Exchange. In addition, Rudowitz said that after the per capita caps would go into place in 2020, the restriction of growth in federal spending would compound over time, putting Medicaid beneficiaries in the higher risk states noted above at greater risk of losing any insurance coverage. Tewarson agreed, noting that for some states disenrollment would be necessary over time as the restriction in federal spending grows.

CHIP reauthorization

The transformation of Medicaid into a federal block grant is not a sure thing, but the deadline for reauthorizing CHIP is. Congress has to regularly reauthorize CHIP, which provides enhanced federal funding to states who offer expanded Medicaid coverage for children; the program is currently extended only until September 30, 2017. Tewarson noted that as states prepare their 2018 budgets, some are planning on the enhanced match being renewed, while others plan on it going away, in which case states have to budget reserves to make up for the lost matching funds. Rudowitz also noted that the continuation of CHIP is a coverage issue; if the program is not reauthorized or the enhanced funding is cut back, states will have to make decisions about coverage and contact beneficiaries in a timely manner.

Medicaid waivers

States have been able to request waivers from federal Medicaid requirements for years; waivers are used by states for demonstration programs related to delivery system reforms, long-term care, behavioral health, among other things. As of February 2017, 33 states have 41 approved Medicaid waivers in place. Since President Trump was inaugurated, states have submitted waivers that would require certain Medicaid beneficiaries to be employed, although none of these waivers have been approved.

Tewarson noted that one of the big question states have regarding waivers is the administrative aspect—”how do you operationalize them?” In considering work requirement waivers, the administrative issues get bigger, she said. “How do we connect systems? What are the real outcomes we want to see from this? How do we define work requirements and who would be exempt?” She also noted that while the Obama administration approved many Medicaid waivers, they had guideposts as to what would or would not be acceptable; work requirements were not one of the acceptable waiver options previously.

HHS developing new system to speed PRRB, other appeal processes

HHS and its subagencies continue to struggle with eliminating the backlog of appeals that has led to delays in payments to providers and litigation trying to get HHS to meet statutory requirements for hearing appeals. The two main appeals backlogs relate to Provider Reimbursement Review Board (PRRB) decisions (appeals by providers of final determinations by Medicare contractors) and individual appeals for Medicare coverage, payment, and premiums brought before the Office of Medicare Hearings and Appeals (OMHA).

PRRB

CMS is developing a system to electronically track and file PRRB and Medicare Geographic Classification Review Board (MGCRB) decisions, according to CMS officials speaking at a conference sponsored by the American Health Lawyers Association at the end of March. The current appeals process relies heavily on a manual, snail mail process that has added to the time it takes for parties to file all papers in preparation for a hearing. The “Office of Hearings Case and Document Management System (OH CDMS)” should be ready for use by the end of 2017. The OH CDMS will be accessible through the CMS Enterprise portal.

Using the new system, parties may:

  • file appeal requests
  • upload position papers, jurisdictional documents, and other supporting documentation
  • view documents issued by Board or filed by opposing party
  • manage issues raised in individual appeals and providers participating in groups
  • request other actions such as change in representative, expedited judicial review, mediation, etc., and
  • monitor case status

This new system also will be used by CMS Hearing Officers who hear appeals not covered by other CMS or HHS appeal avenues, such as:

  • Risk Adjustment Data Validation (RADV)
  • Medicare Advantage/Prescription Drug Plan (MA/PD)
  • Medicaid State Plan Amendments
  • Retire Drug Subsidy Determinations (RDS)
  • Organ Procurement Organizations (OPO)

The need for a more efficient way of handling all the filings related to an appeal was underscored by a presentation by Sue Anderson, PRRB chairperson. She noted that the PRRB currently has more than 10,000 cases on its docket. In fiscal year 2016, the PRRB issued 27 decisions that closed 66 cases; 147 expedited judicial determinations; and 497 jurisdictional determinations, so it has a long way to go to work through its backlog.

OMHA appeals

Issues with PRRB appeals aren’t even the most serious ones facing HHS. The Office of Medicare Hearings and Appeals (OMHA) has a backlog of hundreds of thousands of administrative appeals, and the American Hospital Association is engaged in long-standing litigation with HHS trying to force HHS to hold Administrative Law Judge appeals within 90 days. Currently, these appeals take 10 times longer, and the backlog grows every year. A recent filing by HHS in the litigation shows the seriousness of the issue: as of March 5, 2017, there were 667,326 pending appeals; HHS projects the number of pending appeals to grow to 1,009,768 by the end of FY 2021 (September 30, 2021).

OMHA is looking at a number of ways to deal with the backlog; (see OMHA trying to speed claims appeals process, April 18, 2017). One solution is legislation. Speaking at the Health Care Compliance Association (HCCA) Compliance Institute at the end of March, Kimberly Brandt, Chief Oversight Counsel for the U.S. Senate Committee on Finance, noted that the Senate is considering re-introducing the “Audit & Appeal Fairness, Integrity, and Reforms in Medicare Act.” The bill “seeks to increase coordination and oversight of government audit contractors while implementing new strategies to address growing number of audit determination appeals that delay taxpayer dollars from reaching the correct source,” according to Brandt. The bill also would encourage the use of voluntary alternate dispute resolution process to allow for multiple pending claims with similar issues of law or fact to be settled as a unit, rather than as individual appeals.

States try to manage expectations for Medicaid managed care

When CMS updated regulations regarding Medicaid managed care in May 2016, it was the first significant update to these regulations since 2002. Over the past year, as speakers at the American Health Lawyers’ Association Institute on Medicare and Medicaid Payment on March 29, 2017, noted, states have started the multi-year process of complying with the new rules, while dealing with resources issues at the state level and political change in Washington, D.C.

About 80 percent of the 73 million Medicaid enrollees are in some kind of managed care program, according to Lindsey Browning with the National Association of Medicaid Directors. Thirty-nine states and the District of Columbia have contracted with managed care entities to deliver care to all or some of their Medicaid beneficiaries.

Four options

Prior to the issuance of the revised regulations (81 FR 27498, May 6, 2016) states had basically one option for putting a managed care plan in place—requesting a Medicaid state plan amendment from HHS. Under the revised regulations states now have four options to implement managed care waivers under various provisions of the Social Security Act: (1) a Sec. 1932 state plan waiver; (2) a Sec. 1915(a) waiver (waiving competitive procurement process); (3) a Sec. 1915(b) waiver, requiring all enrollees, including dual eligibles and children with special health care needs to enroll in managed care; and (4) a Sec. 1115 waiver (which may permit coverage of services not otherwise covered in Medicaid) (see CMS modernizes Medicaid managed care, Health Law Daily, May 6, 2016).

James Golden, director, Division of Managed Care Plans at CMS, noted that full implementation of the revised regulations will take three to five years, and that the key to success is how well states work with affected stakeholders—both managed care entities and beneficiaries. “CMS expects the states to take the lead in setting standards,” Golden said.

State challenges

Browning highlighted two key challenges that states face – setting up adequate networks of providers so managed care beneficiaries can actually access health care; and limited staff capacity to drive expansion of Medicaid managed care alongside a number of other Medicaid related regulations.

Impact of new administration

A further complication, Browning noted, is the new Trump Administration and new leadership for HHS and CMS. She noted that the new CMS Administrator, Seema Verma, indicated an interest in re-examining all recent rules related to Medicare and Medicaid during her confirmation hearing. Browning also pointed to the Executive Order issued by President Trump which requires all agencies to create a Task Force to review existing regulations with the goal of repealing many of them. Browning noted that both Verma and HHS Secretary Tom Price are interested in increased state flexibility around health programs.

In addition, Browning said that any changes to the Affordable Care Act (ACA) (P.L. 111-148) may impact the new Medicaid managed care regulations, for example, she noted that a key goal of the managed care rule was alignment with qualified health plan requirements under the ACA. Would this change if the ACA’s health insurance Exchanges are eliminated? Finally, she said that any structural changes to Medicaid would likely require revised managed care rules.