Kusserow on Compliance: The OIG on Health IT security

Many are not aware of the fact that the HHS OIG boasts having an A-class team that focuses on IT controls and engages in what they refer to as penetration testing or “hacking” into IT systems and networks. With 100 million health care records already compromised and medical records serving as a top target for hackers, healthcare related cybersecurity has become a high priority for the OIG. Health IT offers some unique challenges, in that health records are for a lifetime, whereas credit cards may have a shelf life, if they’re compromised, of just a day or two. This makes them very valuable for criminals that can often realize 60 times more than what a stolen credit card can yield on the dark web. Compromised health information could have wide-ranging consequences, including affecting credit and even someone filing a false tax return with the information. In addition to people’s personal information, there is concern about health care provider and managed care proprietary information.

The OIG IT audits begin with setting an audit objective, which varies according to what they are trying to accomplish. The OIG desires to provide transparent and objective assessments of the security posture of the systems within HHS and those that receive funding from HHS. The OIG engages in penetration testing, as a means to help strengthen IT vulnerabilities. By engaging in penetration testing or “hacking into” IT networks, the OIG is able to provide chief information officers, and sometimes CFOs, with information regarding particular vulnerabilities. Among the common testing of IT systems is determining whether passwords are being changed periodically.  The OIG stated guiding philosophy is that “what gets checked gets done.” By identifying vulnerabilities, they draw management attention to addressing them and raising their awareness to cybersecurity.

The OIG wants to ensure that funds for cybersecurity, and ultimate for technology, are being used judiciously, and overall the OIG is working every day to protect sensitive personal and proprietary data. The OIG is using its resources to enhance awareness around cybersecurity.  The OIG focuses much of its resources on IT controls for the Medicare enrollment database; however the OIG does not confine its work to the Medicare and Medicaid space. The OIG is also looking at IT security at NIH, Indian health hospitals throughout the country, and FDA information on drugs and medical devices. The OIG typically addresses reports to senior level personnel, such as the CEO and Chief Information Officer, and often addresses reports to state administrators for Medicare and Medicaid.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Narrow MA networks reduce cost at what price?

More than one-third (35 percent) of Medicare Advantage enrollees were in “narrow” network plans, which insurers create to greater control the costs and quality of care provided to enrollees in the plan. According to a Kaiser Family Foundation (KFF) report, the size and composition of Medicare Advantage provider networks is particularly important to enrollees when they have an unforeseen medical event or serious illness. As of 2017, 19 million of the 58 million people on Medicare are enrolled in a Medicare Advantage plan, yet KFF noted that little is known about their provider networks.

Accessing this information may not be easy for enrollees and comparing networks could be especially challenging. The report noted that beneficiaries could face significant costs if they unknowingly went out-of-network. In addition to the differences across plans, the report discussed questions for policymakers about the potential for wide variations in the healthcare experience of Medicare Advantage enrollees across the country.

Findings

KFF examined data from 391 plans, offered by 55 insurers in 20 counties, which accounted for 14 percent of all Medicare Advantage enrollees nationwide in 2015. In addition to the narrow network plans, Medicare Advantage networks included less than half (46 percent) of all physicians in a county, on average. The network size also varied greatly among Medicare Advantage plans offered in a given county.

For example, while enrollees in Erie County, NY had access to 60 percent of physicians in their county, on average, 16 percent of the plans in Erie had less than 10 percent of the physicians in the county while 36 percent of the plans had more than 80 percent of the physicians in the county. Access to psychiatrists was more restricted than for any other specialty. Medicare Advantage plans had 23 percent of the psychiatrists in a county, on average; 36 percent of plans included less than 10 of psychiatrists in the county. Some plans provided relatively little choice for other specialties as well—20 percent of plans included less than 5 cardiothoracic surgeons, 18 percent of plans included less than 5 neurosurgeons, 16 percent of plans included less than 5 plastic surgeons, and 16 percent of plans included less than 5 radiation oncologists.

Conversely, broad network plans tended to have higher average premiums than narrow network plans, and this was true for both HMOs ($54 versus $4 per month) and PPOs ($100 versus $28 per month).

KFF noted that CMS should consider strategies to improve the quality of information available to current and prospective Medicare Advantage enrollees. For instance, accurate, up-to-date provider directories to inform beneficiaries as they choose plans, along with the agency’s proposal to review all Medicare Advantage networks at least every three years.

FDA effectively spends prescription drug user fee collections

After conducting its 2017 review of FDA policies and procedures and financial records related to the FDA’s use of prescription drug user fee collections, the Office of Inspector General (OIG) concluded that, overall, the FDA spent prescription drug user fee collections appropriately. Since the passage of the Prescription Drug User Fee Act (PDUFA) of 1992 (P.L. 102-571), prescription drug user fees have significantly helped in expediting the drug approval process and eliminating backlogs of pending human drug applications. The average approval time for an application prior to the PDUFA was two years (OIG Report, A-05-16-00040, September 2017).

The PDUFA

The PDUFA, which must be reauthorized by Congress every five years, authorizes the FDA to collect user fees from pharmaceutical and biotechnology companies that are seeking FDA approval of certain human drug and biological products to expedite the review of human drug applications. The user fees provide the FDA with resources, including the ability to hire more reviewers and support staff and upgrade information technology systems. According to the OIG, these resources help the FDA meet its goal of timely review of human drug and supplement applications.

Inadequate documentation

The OIG reviewed $796,065,980 in prescription drug user fees reported for October 1, 2014, through September 30, 2015, and determined that the FDA did not have adequate supporting documentation for $6,402 in travel expenses, made a duplicate payment for airfare of $1,213, and overpaid a traveler $587. The OIG attributed the inadequate documentation to oversight by FDA staff rather than a systemic issue. Therefore, the OIG made no recommendations.

More choices and lower premiums available for MA and PDPs in CY 2018

As calendar year (CY) 2018 approaches, CMS reports that both the Medicare Advantage (MA) and the Part D prescription drug plan (PDP) programs continue to grow, currently providing care and services to more than one-third of Medicare beneficiaries. CMS also reports that the average monthly premium for an MA plan will decrease, enrollment in MA is projected to reach an all-time high, and premiums for a basic PDP will fall for the first time since 2012.

Earlier this year, CMS announced new policies in the 2018 Rate Announcement and Final Call Letter that support flexibility, efficiency, and innovative approaches that are designed to improve quality accessibility and affordability in MA and PDP programs.

MA program data

CMS data provides the following information regarding the MA program for CY 2018:

  • MA enrollment is projected to be an all-time high of 20.4 million beneficiaries, representing a 9-percent (1.7 million) increase from 18.7 million in CY 2017.
  • MA average monthly premiums will decrease by $1.91 to $30.
  • 99 percent of Medicare beneficiaries will have access to at least one MA health plan in their area.
  • More than 85 percent of Medicare beneficiaries will have access to 10 or more MA plans.
  • The average number of MA plan choices per county will increase by two plans—up to approximately 29 plan choices per county.
  • Access to popular supplemental benefits, such as dental, vision, and hearing, continues to grow in MA plans.
  • Approximately 77 percent of MA enrollees in 2017 will have the same or lower premium in 2018 if they continue in the same plan.

PDP program data

CMS projects that the average monthly premium for a basic Medicare PDP in CY 2018 will decrease by $1.20 to an estimated $33.50 per month. CMS also reports that all Medicare beneficiaries will have access to at least one stand-alone Medicare PDP.

Medicare Open Enrollment improvements

CMS is announcing several consumer-friendly improvements so that people with Medicare can make an informed choice between original fee-for-service Medicare and MA plans during open enrollment. These improvements include: (1) updating the “Medicare & You” handbook to better explain coverage options; (2) establishing a help wizard on Medicare.gov that will point to resources to help make informed health care decisions; and (3) establishing a new email communication opportunity to improve the customer service experience through important messages and reminders.