OCR thinks small to stop data breaches

Reports of breaches impacting the protected health information (PHI) of 500 or fewer individuals will be more widely investigated by the HHS Office for Civil Rights (OCR), beginning August 2016. Previously, the OCR’s regional offices investigated all breach reports involving the PHI of 500 or more individuals and only investigated smaller breaches when resources permitted the additional oversight. Under the new initiative, regional offices will retain discretion to investigate smaller breaches, but each office will increase investigative efforts to identify smaller breaches and obtain necessary corrective action.

Considerations

Covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191) are required to report breaches of PHI to affected individuals and the HHS Office for Civil Rights (OCR), consistent with the Breach Notification Rule; in instances of breaches involving at least 500 individuals, they must also notify the media. To decide which breach reports affecting fewer than 500 individuals will be investigated, the OCR plans to consider the following factors:

  • the size of the breach;
  • the presence of theft or improper disposal of unencrypted PHI;
  • unwanted intrusions into information technology (IT) systems (hacking); and
  • instances where numerous breach reports from a single entity raise similar issues.

Prior breaches

The OCR has already investigated some smaller breach reports, which have led to settlements. Those investigations include breaches resulting from a business associate’s failure to safeguard the PHI of skilled nursing facility residents, an insurance company’s failure to implement adequate PHI security measures, a medical center’s improper use of a data-sharing internet application, and the theft of two unencrypted laptops—one from a hospice provider and another from an employee’s car at a physical therapy center.

Other threats

Data breaches and cybersecurity threats of all kinds continue to plague the health care industry. For example, in July 2016, Banner Health experienced a breach of PHI and payment card data of 3.7 million patients, members, beneficiaries, and food and beverage outlet customers (see Banner Health breach potentially affects millions, Health Law Daily, August 4, 2016). Additionally, health systems are facing new threats, like ransomware, where hackers “kidnap” data and demand ransom payments for the data’s release (see Lawmakers, agencies raise specter of ransomware threats to cybersecurity, Health Law Daily, June 30, 2016).

HHS says sharing is preparing for cybersecurity threats

Cyber threat information sharing can help efforts to prevent, detect, and respond to cyber-attacks, according to the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR). Premised on the belief that health system preparedness requires knowledge of up-to-date threat information, the ONC and ASPR issued two funding opportunities to develop an Information Sharing and Analysis Organization (ISAO) for the health care sector.

Cyber Threats

As the health system becomes digital and health information takes on an increasingly electronic format, cyber threats have become a regular burden for health systems. Despite the growing threat, many components of the health care system lack the technological abilities to identify and protect themselves from cyber threats. Under the Cybersecurity Information Sharing Act (CISA), agencies like HHS were directed to develop tools that can help with the sharing of cybersecurity threat risks. Prior to the CISA, Executive Order 13691, signed on February 13, 2015, encouraged information sharing related to cyber threats between the government and private sector.

Recent Threats

Although some governmental efforts have focused on preparedness, data breaches continue to be a burden for the health care industry. This summer, Banner Health reported a cyberattack potentially affecting the protected health information (PHI) and payment card data of 3.7 million patients. The breach resulted from a hack of Banner’s point-of-sale systems, which may have been connected to its clinical systems. Such a lack of segmentation may have contributed to the breach. Segmentation is the segregation of a network into areas, each of which limits access to only those people, servers, and applications that need it, as a method of preventing hackers who enter part of a system from gaining complete control. However, the threat of cyber-attack reaches far beyond Banner Health. The scope of cyber threats is readily apparent from HHS’ “wall of shame,” which lists all of the breaches affecting 500 or more people that have been reported to the Office for Civil Rights (OCR).

ISAO

The idea behind the ISAO is to allow organizations with greater cyber threat knowledge to share their understanding with less-equipped organizations. For example, with greater information sharing regarding the risks of segmentation, perhaps the scope of the Banner breach could have been mitigated. HHS hopes that sharing information between HHS and the health care and public health sector will improve the capacity to prevent, detect, and respond to cyber-attacks. The funding directs an ISAO to:

  • provide cybersecurity information and education on cyber threats affecting the healthcare and public health sector,
  • expand outreach and education activities to assure that information about cybersecurity awareness is available to the entire healthcare and public health sector,
  • equip stakeholders to take action in response to cyber threat information, and
  • facilitate information sharing widely within the healthcare and public health sector regardless of the size of the organization.

HHS hopes its combined funding opportunities—$250,000 that can be renewed for up to five years—will help spread cyber threat information among industry stakeholders and federal partners.

 

Second annual release provides clearer look into Part D costs

CMS’s second annual release of privacy-protected data details information on prescription drugs paid under the Medicare Part D prescription drug program. The data provides key information to consumers, providers, researchers, and other stakeholders to help transform the health care delivery system. With data from 2013 and 2014, CMS will now be able to analyze trends, prescribing habits for specific providers, brand versus generic drug prescribing rates, and state- and local-level differences in drug utilization and costs.

The new release is based on 2014 data describing the specific medications prescribed for 38 million enrollees in Medicare Advantage (MA) prescription drug plans (PDPs) and stand-alone PDPs. The 2014 data set includes new aggregated information on opioids, antibiotics, antipsychotics, and high-risk medications among the elderly. A prescriber enrollment status field has also been added to the 2014 data set to indicate whether the prescriber is enrolled, is not enrolled, or opted out of the Medicare program.

Public data set

The public data set, the Medicare Provider Utilization and Payment Data: Part D Prescriber Public Use File (PUF), was created by CMS using information on prescription drugs prescribed by individual physicians and other health care providers and paid for under Medicare Part D. The Part D Prescriber PUF is based on information from CMS’ Chronic Conditions Data Warehouse, which contains prescription drug event records submitted by MA-PD plans and by stand-alone PDPs. The dataset identifies providers using their National Provider Identifier and presents the specific prescriptions dispensed at their direction, listed by brand and generic name.

For each prescriber and drug, the dataset includes the total number of prescriptions dispensed and the total drug cost. The total drug cost includes the ingredient cost of the medication, dispensing fees, sales tax, and any applicable administration fees. The total cost is based on the amounts paid by the Part D plan, Medicare beneficiary, other government subsidies, and any other third-party payers (such as employers and liability insurers). Total drug costs do not reflect any manufacturer rebates paid to Part D plan sponsors through direct and indirect remuneration or point-of-sale rebates.

Drugs by claim count

For 2014, the top 10 drugs based on claim count were generic drugs, and the top nine drugs were among the drugs with the highest claim counts in 2013. The 2014 claim counts for these drugs ranged from 22.1 to 38.3 million claims, and the total drug costs for each drug ranged from $136 million to $748 million. From 2013 to 2014, the total number of claims increased from 1.37 billion to 1.42 billion, a 3 percent increase.

Drugs by cost

The drugs with the highest cost in 2014 were all brand name drugs. In 2014, Sovaldi® (Hepatitis C antiviral) had the highest total drug costs at $3.1 billion, with the costs for each of the top 10 drugs all more than $1 billion. Total drug costs increased from $104 billion in 2013 to $121 billion in 2014, reflecting a 17 percent increase.

Lantus Solostar® and Lantus® insulin products had the highest growth in total drug costs between 2013 and 2014 with growth rates of 47 percent and 32 percent, respectively. Abilify® (antipsychotic), Januvia® (diabetes), and Revlimid® (cancer) also had high growth rates of 20 percent or higher. Advair Diskus® (asthma and COPD) had a very low growth in total drug costs of only 1 percent.

Antibiotic prescribing

The new 2014 dataset also can be used to examine patterns of antibiotic prescribing in the Medicare program. These data can show where high rates of antibiotic prescribing are occurring across the U.S. The 2014 data shows that states in the South and Midwest have rates of antibiotic prescribing that are higher than the national average of 1.39 fills per beneficiary.

Florida health care provider settles monopolization, conspiracy claims

Health First, Inc. and its subsidiaries have settled allegations that they attempted to establish a vertically integrated, self-reinforcing, illegally-maintained health care monopoly in Southern Brevard County, Florida. Just days after denying Health First’s motion for summary judgment, the federal district court in Orlando dismissed the antitrust claims with prejudice.

Omni Healthcare, Inc. and other physicians and physician practice groups filed suit against “fully integrated” health care corporation Health First, Inc. and three of its wholly owned subsidiaries: Holmes Regional Medical Center, Inc.; Health First Health Plans, Inc., and Health First Physicians, Inc. Omni alleged that Health First engaged in an anticompetitive scheme to monopolize Southern Brevard County’s interrelated health care markets for years and that the scheme has largely been successful.

The court denied Health First summary judgment on August 13, 2016, finding that Omni and other physicians and physician groups created genuine issues of material fact as to whether Health First monopolized, attempted to monopolize, and conspired to monopolize the markets for physician services, Medicare Advantage, and ancillary services.