CMS cut to 340B spending overshadows OPPS update; associations threaten suit

Reimbursement to outpatient departments in 2018 will increase $5.8 billion compared to 2017, according to the hospital outpatient prospective payment (OPPS) and ambulatory surgical center (ASC) PPS Final rule for calendar year 2018. However, CMS will drastically reduce reimbursement for drugs under the 340B Program, much to the ire of providers and associations, which have already threatened to sue. (Final rule, 82 FR 52356, November 13, 2017).

340B program 

In calendar year (CY) 2018, CMS will change its reimbursement for separately payable drugs and biologics (other than pass-through drugs and vaccines) acquired through the 340B Program from average sales price (ASP) plus 6 percent to ASP minus 22.5 percent. Rural sole community hospitals, PPS-exempt cancer hospitals, and children’s hospitals will be exempt from this policy for CY 2018. This change, said CMS, addresses recent trends of increasing drug prices and will save beneficiaries about $320 million on copayments in 2018. CMS will offset the projected $1.6 billion decrease in drug payments by redistributing this amount for non-drug items and services across the OPPS.

The 340B Program (see 42 U.S.C. §256b, as expanded by Secs. 2501, 7101, and 7102 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148)), has been controversial, as critics have accused hospitals of abusing the program (see Participants in drug delivery system testify to impacts on patient prescription drug costs, Health Law Daily, October 18, 2017). However, the American Hospital Association, the Association of American Medical Colleges, and America’s Essential Hospitals criticized the cut to 340B spending as contrary to Congressional intent and a threat to safety net hospitals (see, e.g., Testimonies focus on benefits of 340B Drug Program, Health Law Daily, October 12, 2017).

Further, said the AHA, the policy “does nothing to address the stated goal of reducing the cost of pharmaceuticals” and could cause increases in beneficiaries’ out-of-pocket costs for non-drug Part B benefits. American’s Essential Hospitals predicted that, “given their fragile financial position, essential hospitals will not weather this policy’s 27 percent cut to Part B drug payments without scaling back services or jobs.” The three associations plan legal action to stop CMS from cutting 340B spending.

OPPS update

For CY 2018, CMS increased the payment rates under the OPPS by an increase factor of 1.35 percent, which is based on the hospital inpatient market basket percentage increase of 2.7 percent, minus the multifactor productivity adjustment of 0.6 percentage point, and minus a 0.75 percentage point adjustment required by Sec. 3401(i) of the ACA.

Direct supervision requirement

42 C.F.R. Sec. 410.27(a)(1) requires therapeutic outpatient services to be furnished under the direct supervision of a physician or nonphysician practitioner. Sec. 16004 of the 21st Century Cures Act (P.L. 114-255) delayed enforcement through 2016 of this requirement for therapeutic hospital services provided by critical access hospitals and small rural hospitals with fewer than 100 beds. The CY 2018 OPPS Final rule continues the nonenforcement of the direct supervision requirement for hospital outpatient therapeutic services for CAHs and small rural hospitals having 100 or fewer beds for CYs 2018 and 2019.

Inpatient only list

Services that typically would be paid in an inpatient setting will not be paid by Medicare under the OPPS (see 42 C.F.R. Sec. 419.22(n)). These are services that require inpatient care because of (1) the invasive nature of the procedure; (2) the need for at least 24 hours of postoperative recovery time or monitoring before the patient can be safely discharged; or (3) the underlying physical condition of the patient. Effective for CY 2018, CMS will remove total knee arthroplasty (TKA) and five other procedures from the inpatient only list and will add one procedure to the list. CMS is also prohibiting recovery audit contractors from reviewing TKA procedures for “patient status” for two years to give providers time to gain experience with the procedure in the outpatient setting.

Packaging

CMS will conditionally package low-cost drug administration services assigned to Ambulatory Payment Classifications (APCs) 5691 and 5692 effective January 1, 2018. In addition, CMS assigned skin substitutes with a geometric mean unit cost (MUC) or a per day cost (PDC) that exceeds either the MUC threshold or the PDC threshold to the high cost group. For CY 2018, a skin substitute product that was assigned to the high cost group for CY 2017, but does not exceed either the CY 2018 MUC or PDC threshold for CY 2018, will be assigned to the high cost group for CY 2018.

OQR program

CMS removed six measures from the Outpatient Quality Reporting (OQR) program beginning with the CY 2020 payment determination (CY 2018 reporting). CMS stated that the removal of these measures results in a burden reduction of 457,490 hours and a saving of $16.7 million in CY 2020 for hospitals. CMS also delayed the mandatory implementation of the Consumer Assessment of Healthcare Providers and Systems Outpatient and Ambulatory Surgery Survey under the Hospital OQR Program beginning with the CY 2018 data collection.

Laboratory tests

A new exception to the laboratory date of service policy will generally permit laboratories to bill Medicare directly for advanced diagnostic laboratory tests and molecular pathology tests excluded from OPPS packaging policy if the specimen was collected from a hospital outpatient during a hospital outpatient encounter and the test was performed following the patient’s discharge from the hospital outpatient department.

ASCs

For CY 2018, payments to ASCs will increase 1.2 percent, or $4.62 billion, based on a projected consumer price index of 1.7 percent minus a multifactor productivity adjustment required by the ACA of 0.5 percentage point. For CY 2018, CMS added three procedures to the ASC covered procedures list. In addition, CMS removed three measures from ASC Quality Reporting program for the CY 2019 payment determination and later and added two measures of hospital events following specified surgical procedures for the CY 2022 payment determinations and later (see Approximate 2 percent increase in OPPS, ASC payments proposed for 2018; cuts to 340B drug discount pay, Health Law Daily, July 20, 2017).

CMS seeks feedback on ‘new direction’ for Innovation Center

The Center for Medicare and Medicaid Innovation (CMMI) is seeking feedback on a potential “new direction” to promote patient-centered care and test market-driven reforms that empower beneficiaries as consumers, provide price transparency, and increase choices and competition. To be considered, comments on the informal Request for Information must be submitted online or through email by November 20, 2017.

CMMI develops new payment and service delivery models in accordance with the requirements of Sec. 1115A of the Social Security Act, as added by Sec. 3021 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148), in an effort to reduce program expenditures while preserving or enhancing the quality of care furnished to individuals. However, CMMI has recently come under fire; HHS Secretary Tom Price criticized CMMI for dictating the type of care physicians are to provide for patients. In August 2017, CMS proposed to eliminate the Episode Payment Models and Cardiac Rehabilitation incentive payment model and revise aspects of the Comprehensive Care for Joint Replacement model (see Out with the old models, CJR model gets revamped, August 16, 2017).

In the Request for Information, CMMI sought feedback on testing models in eight areas: (1) increased participation in Advanced Alternative Payment Models (APMs); (2) consumer-directed care and market-based innovation models, which could empower beneficiaries to make choices from among competitors in a market-driven health system; (3) physician specialty models; (4) new models for prescription drug payment, in both Medicare Part B and Part D and Medicaid, that incentivize better health outcomes for beneficiaries at lower costs and align payments with value; (5) Medicare Advantage (MA) innovation models; (6) state-based and local innovation, including Medicaid-focused models; (7) potential models focused on behavioral health, including opioids, substance use disorder, dementia, and improving mental health provider participation in Medicare, Medicaid, and CHIP; and (8) program integrity.

In an op-ed piece, CMS Administrator Seema Verma called CMMI a “powerful tool” for improving quality and reducing costs. House Ways and Means Committee Chairman Kevin Brady (R-Tex) lauded CMMI’s issuance and said that the Obama Administration at times used the Innovation Center’s authority “in a top-down manner through mandatory, national ideas that received little to no input from those actually providing care to patients,” resulting in bipartisan Congressional concern for patients and stakeholders.

Hospital organizations again advocate for delay of Medicaid DSH reductions

Nine hospital organizations have urged Congress to further delay the start of Medicaid disproportionate share hospital (DSH) cuts, which are set to begin in fiscal year (FY) 2018. The organizations, including the American Hospital Association (AHA), wrote letters to both the House and the Senate.

State Medicaid programs make DSH payments to qualifying that serve a large number of Medicaid and uninsured patients. Section 2551 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) would have reduced federal DSH allotments beginning in 2014 to account for the decrease in uncompensated care anticipated under health insurance coverage expansion. Legislation has since delayed the Medicaid DSH reduction; most recently, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) delayed the reductions until FY 2018 through FY 2025 (see Soc. Sec. Act Sec. 1923(f)).

The organizations contended, however, that “the coverage rates envisioned under the ACA have not been fully realized,” and many Americans remain uninsured. In addition, Medicaid underpayment poses an ongoing financial challenge for hospitals.

In July 2017 CMS issued a Proposed rule (82 FR 35155, July 28, 2017) that would implement the annual DSH allotment reductions using a DSH health reform methodology (see CMS proposes updated method to calculate ACA-mandated Medicaid allotment reductions, Health Law Daily, August 2, 2017). Commenting on the Proposed rule, the AHA advocated for the repeal of the ACA Medicaid DSH allotment reductions and requested that CMS delay the implementation of the FY 2018 DSH allotment reductions (see AHA raises concerns about proposed reductions in DSH allotments, Health Law Daily, August 30, 2017).

Security management process is the foundation for compliance with HIPAA Security Rule

Security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled, “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1) a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement standards and required implementation specifications and to implement, when appropriate and reasonable, addressable implementation specifications through risk analysis, risk management, sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and develop a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities to include the electronic personal health information (e-PHI) created, received, maintained, or transmitted by the organizations’ facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Assets can be grouped into a common grouping for purposes of the inventory—for example, if work stations have the same number and type of e-PHI, they can be grouped into one asset category. In addition, to save time and money, organizations should start with lists that have already created from financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for an organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust controls are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Documentation

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align as necessary with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST 800-30.