Hospital organizations again advocate for delay of Medicaid DSH reductions

Nine hospital organizations have urged Congress to further delay the start of Medicaid disproportionate share hospital (DSH) cuts, which are set to begin in fiscal year (FY) 2018. The organizations, including the American Hospital Association (AHA), wrote letters to both the House and the Senate.

State Medicaid programs make DSH payments to qualifying hospitals that serve a large number of Medicaid and uninsured patients. Section 2551 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) would have reduced federal DSH allotments beginning in 2014 to account for the decrease in uncompensated care anticipated under health insurance coverage expansion. Legislation has since delayed the Medicaid DSH reduction; most recently, the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) delayed the reductions until FY 2018 through FY 2025 (see Soc. Sec. Act Sec. 1923(f)).

The organizations contended, however, that “the coverage rates envisioned under the ACA have not been fully realized,” and many Americans remain uninsured. In addition, Medicaid underpayment poses an ongoing financial challenge for hospitals.

In July 2017 CMS issued a Proposed rule (82 FR 35155, July 28, 2017) that would implement the annual DSH allotment reductions using a DSH health reform methodology (see CMS proposes updated method to calculate ACA-mandated Medicaid allotment reductions, Health Law Daily, August 2, 2017). Commenting on the Proposed rule, the AHA advocated for the repeal of the ACA Medicaid DSH allotment reductions and requested that CMS delay the implementation of the FY 2018 DSH allotment reductions (see AHA raises concerns about proposed reductions in DSH allotments, Health Law Daily, August 30, 2017).

Security management process is the foundation for compliance with HIPAA Security Rule

Security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled, “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1) a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement standards and required implementation specifications and to implement, when appropriate and reasonable, addressable implementation specifications through risk analysis, risk management, sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and develop a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities to include the electronic personal health information (e-PHI) created, received, maintained, or transmitted by the organizations’ facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Assets can be grouped into a common grouping for purposes of the inventory—for example, if work stations have the same number and type of e-PHI, they can be grouped into one asset category. In addition, to save time and money, organizations should start with lists that have already been created from financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for an organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust the controls that are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Documentation

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align as necessary with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST 800-30.

Preparation is key to HIPAA compliance for health IT vendors

Health IT vendors are not breach proof but should be “breach ready,” according to a Health Care Compliance Association webinar entitled, “HIPAA: Marketing and Contracting Solutions for Health IT Vendors.” William J. Roberts, partner at Shipman & Goodman LLP, discussed strategies for vendors to incorporate compliance with the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) into negotiations, agreements, and policies.

HIPAA landscape

HIPAA privacy continues to grow in importance for the health care sector, for both covered entities and their vendors. Roberts said that health IT vendors face two challenges: managing covered entity customers that have concerns about HIPAA compliance, a “major undertaking” when a vendor has thousands of covered entity customers, and a regulatory and enforcement landscape that is shifting its focus from covered entities to vendors (see 2017 OCR resolution agreements off to a strong start, June 30, 2017; Business associates no longer second to covered entities as OCR increases focus, November 22, 2016). He pointed out that 60 percent of business associates have suffered a data breach, and in 2016 HHS imposed a $650,000 penalty in the first HIPAA enforcement action against a business associate (see $650K payment, 6 year CAP resolve nursing home ePHI loss, July 1, 2016).

Pitches

A vendor should already have developed a formal HIPAA compliance program before reaching out to potential customers, and HIPAA compliance should be at the forefront of a vendor’s pitch or response to a request for proposals. The vendor should provide a summary of its HIPAA compliance policies, including its establishment, review, security, and training. A policy summary, said Roberts, is preferable to disclosing the policies themselves, which would be a “roadmap to being hacked.” Roberts also advised vendors to highlight certifications and set forth clear expectations for the privacy aspects of the proposed relationship.

Business associate agreements

The business associate agreement is a vendor’s first opportunity to make a good impression regarding its commitment to privacy. Vendors should have at least one template agreement, or more than one for different types of customers. Roberts advised knowing what a vendor can and cannot agree to before a negotiation and educating the sales team to avoid later back-pedaling on a promise. He also suggested empowering the customer by providing a “menu” of choices that are acceptable to the vendor—for example, barebones breach notice within five days or a more thorough notice at 15 days.

If customers are or might someday be substance abuse treatment providers, the vendor should consider this same approach for qualified service organization agreements. The vendor should review its customers and potential targets for the application of the “Part 2” confidentiality rules and include a provision in the agreement requiring the customer to notify the vendor of the customer’s status as a Part 2 program.

Data breach response

No human or service is perfect, and a vendor will probably have a data breach at some point, said Roberts, which makes a detailed data breach response plan “vital.” He identified the following elements of a breach response plan:

  • Develop an incident intake procedure.
  • Identify the leaders and members of the response team.
  • Rely on standard templates and standard works.
  • Consider a “playbook” and/or a breach reporting decision tool.
  • Develop a customer relations strategy before the breach occurs.
  • Have support vendors ready to act.

The vendor should not simply notify the customer that a breach has occurred; it should have a plan and proposal that it can offer the customer. The process should:

  • provide the covered entity the information it needs to fulfill its own legal obligations;
  • reassure the customer that the situation is under control and being handled properly;
  • inform the customer of steps the vendor has taken and is willing to take on behalf of the covered entity;
  • provide a “menu” of services available to the customer; and
  • create a plan for the future—a holistic look at what the company is doing, not just boilerplate language.

House Committee urged to extend funding for federal safety net programs

Extend funding for the Children’s Health Insurance Program (CHIP) to ensure continuity of coverage for children, particularly in light of the current uncertainty surrounding other sources of health coverage in the U.S., witnesses urged at a House Committee on Energy and Commerce hearing titled “Examining the Extension of Safety Net Health Programs.” The purpose of the hearing was to examine the extension of funding for two federal safety net health programs that provide health care and coverage for low-income adults and children, CHIP and the Community Health Center Fund (CHCF).

CHIP

CHIP is a program that provides health coverage to targeted low-income children and pregnant women in families that have annual income above Medicaid eligibility levels but have no health insurance. It is jointly financed by the federal government and states, and the states are responsible for administering the program. A memo from the committee majority staff states that in fiscal year (FY) 2015, 8.4 million children received CHIP-funded coverage.

Section 2101 of the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) increased the CHIP enhanced federal medical assistance percentage (E-FMAP), which varies by state, by 23 percent from October 1, 2013 through September 30, 2019. Since the ACA did not include additional or extended funding for CHIP, MACRA extended funding through September 30, 2017. The Medicaid and CHIP Express Lane Option, Child Enrollment Contingency Fund, CHIP Qualifying State Option, and CHIP Outreach and Enrollment Grants also expire September 30, 2017.

At the hearing, Cindy Mann, partner at Manatt, Phelps & Phillips, touted the success of CHIP, which covers 8.9 million children nationwide. She stated that Congress must consider the overall level of funding for CHIP, in addition to the E-FMAP funds, which “are now fully integrated into states’ budgets and a key source of funding for sustaining CHIP.” She said that Congressional action is needed as soon as possible to ensure program continuity, budget certainty for states, and stable coverage for children, particularly those with special health care needs. She urged a five-year extension instead of two to provide needed stability (see Extend CHIP, protect DSH payments, MACPAC tells Congress, March 16, 2017).

Jami Snyder, Director of the Medicaid and CHIP programs for the state of Texas, noted that a decision to not reauthorize the CHIP program would result in a loss of over $1 billion in annual funding to the state of Texas and a loss of coverage for more than 380,000 Texas children.

Health Center Program

The Health Resources and Services Administration’s (HRSA) Health Center Program, authorized under Section 330 of the Public Health Service Act, awards grants to federally qualified health centers (FQHCs). The program is supported by discretionary appropriations and the CHCF, a mandatory multibillion-dollar fund established by Section 10503 of the ACA. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10) extended funding through fiscal year 2017. According to the staff memo, the CHCF represents over 70 percent of the Health Center Program’s FY 2016 funding.

Michael Holmes, the chief executive officer of Cook Area Health Services, an FQHC in Minnesota, testified that as a result of CHCF investments new FQHCs were added in more than 1,100 communities. With the extension nearing its expiration date, he “strongly urged” Congress to renew funding for at least five years to allow FQHCs to provide a stable and reliable source of access to patients and recruit and retain a comprehensive health care workforce.