Did CMS just sound the death knell for Medicaid expansion?

In their first joint action, HHS Secretary Price and newly confirmed CMS Administrator Verma issued a letter to state governors discussing potential improvements to the Medicaid program. The letter underscored the need to develop cost-effective, state-specific ways to serve vulnerable populations but made clear the administration’s anti-expansion stance, noting that the Patient Protection and Affordable Care Act’s (ACA’s) (P.L. 111-148) expansion of Medicaid “to non-disabled, working-age adults without dependent children was a clear departure from the core, historical mission of the program.”

Overall, Price and Verma emphasized their desire to grant states more freedom to design their own programs, but committed to retaining mechanisms to ensure state accountability, including budget neutrality in waivers and demonstration projects. To this end, the letter suggested fast-tracking waiver and demonstration project extensions and developing consistent guidelines for evaluating requests to waivers and demonstration projects that have already been approved in other states. Price and Verma plan to use “Section 1115 demonstration authority to review and approve meritorious innovations that build on the human dignity that comes with training, employment and independence.” Prior to serving as CMS Administrator, Verma was involved in crafting Indiana’s Healthy Indiana 2.0 expansion program. The program initially sought to impose a work activity requirement. CMS declined to approve the requirement linked directly to Medicaid eligibility, but allowed the state to encourage enrollees to participate in other voluntary state programs (see Amendment of Healthy Indiana Plan implements Medicaid expansion, Health Law Daily, February 11, 2015).

Price and Verma also noted the importance of maintaining public input processes and transparency guidelines with respect to State Plan Amendments (SPAs) and other actions, and expressed a desire to make the SPA process less burdensome. They discussed allowing states more time to comply with a 2014 final rule regulating expanded access to home- and community-based services (see Final rule sets requirements for expanded home and community based services, Health Law Daily, January 16, 2014). They made suggestions for aligning Medicaid policies for non-disabled adults with commercial health insurance features to help them “prepare for private coverage,” including alternative benefit designs with aspects similar to health savings accounts (HSAs), designing emergency room copayments to encourage the use of primary and other providers for non-emergency care, and facilitating enrollment in employer-sponsored health plans. They also plan to work with states to combat the opioid epidemic through state plans, the Medicaid Innovator Accelerator Program, and other methods.

Trump nominates Gottlieb for FDA Commissioner

President Trump intends to nominate Scott Gottlieb, M.D., a resident fellow at the conservative American Enterprise Institute (AEI), clinical assistant professor at New York University School of Medicine, and a member of the HHS Federal Health IT Policy Committee, to the post of FDA Commissioner. The White House announced the nomination, which brought varied reactions from opposite sides of the aisle and a general positive response from the pharmaceutical industry, via a tweet from Press Secretary Sean Spicer.

Gottlieb served as the Deputy FDA Commissioner from 2005 to 2007 and previously served as a senior official at CMS. He has testified before Congress on numerous occasions as an AEI fellow, most recently with respect to EpiPen® price increases and “How Regulatory Barriers Inhibit Pharmaceutical Competition.” Gottlieb noted that FDA regulatory policy has made developing less expensive copies of complex drugs after patent expiration difficult, discussed how the 340B program has put “upward pressure on drug prices” while noting other changes in drug insurance coverage structure, and described obstacles to competitive single-source drug pricing.

Various sources report that Gottlieb has close ties to the pharmaceutical industry. Scientific American noted that Gottlieb believes in a quicker approval process for new drugs, but has focused on shortening waiting times for large clinical trials rather than doing away with efficacy considerations. He commented on this, to an extent, in remarks he made at the 21st Annual International Meeting of the International Society for Pharmacoeconomics and Outcomes Research (ISPOR) in May 2016.

Gottlieb has also issued commentary about the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148). In May 2016, he testified before Congress that the law’s tiered marketplace approach has aided consumers with plan selection, but has forced insurers into narrow design corridors. His testimony regarding the ACA also included a suggestion that CMS move away from mandates and towards incentives to encourage individuals to enter the insurance market (see Is there a better way than the ACA? Hearing asks experts, Health Law Daily, May 12, 2016). More recently, he coauthored a piece with another AEI fellow, opining that President Trump’s election provided “a generational opportunity to pursue a new direction for American health care” and making suggestions about how a new health care system should operate. The authors suggested that the system should provide a path to catastrophic health insurance for all, accommodate individuals with pre-existing health conditions, allow access to health savings accounts, and deregulate the medical services market.

Senator Lamar Alexander (R-Tenn), Chairman of the Committee on Health, Education, Labor & Pensions, touted Gottlieb’s “impressive qualifications” in a released statement. His colleague, Ranking Member Patty Murray (D-Wash), expressed “initial concerns” about the nomination, including Gottlieb’s “work with multiple pharmaceutical companies, medical device companies, and investment firms.”

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions, including insurers, take effect March 1, 2017 in New York state. Noting that “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, require compliance by third-party vendors, and include more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and driver’s license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third-party service provider management and recurrent assessments, and policies that provide for the secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO), who may be employed by the entity, an affiliate, or a third-party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual penetration testing and biannual vulnerability assessments, unless covered entities have in effect continuous monitoring or another system that detects changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved in writing controls that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse, an information system or the information stored in the system. Written incident response plans for cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under the HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days after discovery of a breach, or, if a breach affects fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred. The New York regulations, in contrast, require entities that are otherwise required to provide notice to a government, self-regulatory, or supervisory body, or that believe a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.


Protecting personal data beyond HIPAA

Safeguarding protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) is important, but what responsibilities do hospitals have to protect other types of personally identifiable information (PII)? What concrete steps can hospitals take to follow through on these responsibilities? Meg Grimaldi, Director of Compliance at Martin Luther King, Jr. Community Hospital in Los Angeles, and Sarah Bruno, Matthew Mills, and Jade Kelly, Partners at Arent Fox LLP, answered these questions in a Health Care Compliance Association (HCCA) webinar titled, “Navigating the Rest of the Iceberg: Privacy and Security Compliance Beyond HIPAA.”

Grimaldi began by reminding hospitals of the different types of information they encounter and the manner in which they encounter them. Aside from PHI gleaned through medical records, for example, hospitals may take in data used to access patient portals or submitted through event registrations and surveys. When gathering such information, hospitals must weigh the benefits and detriments of easy-to-use portals against the need to verify identity. User IDs, passwords, and personal questions are no longer sufficient to protect data; instead, hospitals should implement two-factor authentication—something a person knows, such as a user ID and password, combined with something a person has, such as a card or mobile device. Some hospitals may even consider using biometrics. Hospitals should carefully consider whether they need to use cookies, which store data. If cookies are used, session cookies are less risky because they do not retain personal information beyond a single session; the use of long-term cookies must be carefully safeguarded.

Hospitals themselves may handle payment information or employee information submitted through secure portals, or may farm these duties out to third parties, but they remain no less responsible for the protection of the PII. Hospitals must ensure that business associate agreements (BAAs) or other contracts hold third parties accountable for the types of data they handle.

In general, hospitals should implement safeguards such as network segmentation, security scans, penetration testing, and encryption. In addition, they should routinely review software patching solutions, implement active alerts in intrusion detection systems, and periodically perform test backups. When data is no longer needed, hospitals should destroy it.

Bruno noted a need to categorize data as falling within the purview of specific laws, including HIPAA, the Children’s Online Privacy Protection Act of 1998 (COPPA) (P.L. 105-277), and various other federal and state laws, as well as industry standards. In addition, hospitals should take note that European countries apply a much broader definition of PII than the U.S., and that care should be taken in the handling of information from European nationals. The hospital’s website should disclose its privacy practices. Mills discussed laws and industry standards that govern debtor data, including the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to provide their customers with notice of the institutions’ privacy practices and to safeguard sensitive data.

Kelly discussed hospitals’ responsibilities with respect to employee data, noting that in many cases employee medical information should be kept separate from personnel files and accessed only by certain authorized individuals. Employers must also be sure to comply with the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) and any applicable state laws.

Grimaldi discussed the need to inform employees of the location of PII policies and procedures and to make sure they are easily accessible to employees. Hospitals should diversify training materials to cover types of data beyond PHI so that employees understand what must be protected. It is crucial for hospitals to use plain language, skipping jargon, abbreviations, and acronyms, to ensure that each employee understands what is being discussed. For example, many employees may understand the importance of not clicking on strange emails, but may not know that the tactic is referred to as “phishing” and may thus not understand directions about responding to phishing campaigns. It has been suggested that information needs to be communicated seven times before it is truly understood, so it is important to deliver information in various modes, including training, newsletters, and staff huddles. Hospitals should train employees to recognize the social engineering techniques that are relevant to the particular organization.

Bruno noted that hospitals must create a culture in which employees feel comfortable letting the organization know about potential and actual breaches, which are inevitable, whether through a malicious hack or a lost laptop. Once a breach is identified, a number of individuals should be involved in the response, including the privacy officer, the head of marketing, and the chief information security officer (CISO).