Highlight on Wisconsin: As opioid overdose and deaths rise, state seeks $15.7 million in SAMHSA support

The rate of opioid overdose deaths in Wisconsin has risen approximately 81 percent from 2006 through 2015, according to a new Wisconsin Department of Health Services (DHS) report, titled “Select Opioid-Related Morbidity and Mortality Data for Wisconsin.” In response, the Wisconsin DHS has submitted an application for up to $15.7 million in federal funding to boost the state’s response to the growing misuse and abuse of opioids from the Substance Abuse and Mental Health Services Administration (SAMHSA). The amount of the grant is based on the unmet need for opioid-related treatment and the number of opioid-related deaths in the state. Wisconsin is eligible to receive up to $7,636,938 each year for the next two years under the 21st Century Cures Act.

The DHS report provides statewide and county-level data on opioid-related deaths and hospital visits, neonatal abstinence syndrome (NAS) (in which an infant is born with withdrawal symptoms from substances taken by the mother), and data on ambulance runs in which naloxone (a medication used to reverse opioid overdose) was administered. The report includes these data highlights:

  • The rate of opioid overdose deaths increased from 5.9 deaths/100,000 residents in 2006 to 10.7 deaths/100,000 in 2015.
  • Rates of drug overdose deaths involving opioids were higher among counties in the southeastern region of the state (Milwaukee area), and higher among men compared with women.
  • Drug overdose deaths involving opioids were highest among young men aged 25-34, and among women aged 35-54.
  • Hospital visits involving opioid acute poisoning (including overdose) increased from 25.3 to 52.0 per 100,000 between 2006 and 2014.
  • The rate of ambulance runs in which naloxone was administered rose from 51.2 to 67 per 100,000 from 2011 to 2015.
  • The rate of NAS increased from 2.0 to 8.7 per 1,000 live births from 2006 to 2014, a rate increase of 335 percent.

In 2016, DHS issued a Public Health Advisory due to the opioid epidemic. In 2017, Governor Scott Walker called for a special session of the legislature to consider recommendations presented by the Governor’s Task Force on Opioid Abuse. New legislative proposals will build on efforts already underway under the HOPE (Heroin, Opioid Prevention and Education) agenda, which includes 17 bills aimed at prevention and treatment of opioid addiction and overdose.

Pending approval from SAMHSA, the funds will be used to:

  • Support community coalitions focused on reducing the nonmedical use of opioids among people age 12 to 25.
  • Establish a hotline to provide information on treatment services and recovery supports.
  • Expand access to treatment for uninsured and underinsured individuals.
  • Establish new opioid-specific treatment programs to reduce the distance people have to travel for these services.
  • Establish a network of individuals in long-term recovery from the misuse and abuse of opioids trained to coach people through the treatment and recovery process.
  • Develop training for professionals on proven intervention and treatment strategies for opioid misuse and abuse.

 

Highlight on Florida: Prison for administrator involved in home health Medicare fraud conspiracy

Medicare was scammed of $2.5 million in false and fraudulent claims and another of the conspirators is heading to prison. A home health administrator was sentenced to 126 months in prison for his role in the scheme after a two-week jury trial convicted him in December 2016 of one count of conspiracy to commit health care fraud and wire fraud and one count to defraud the U.S. and pay and receive health care bribes and kickbacks.

While the administrator was the manager of Mercy Home Care Inc. and a billing employee for D&D&D Home Health Care Inc. in Miami-Dade County, Florida, he and others submitted false claims through the companies to Medicare between October 2014 and June 2015, based on services that were (1) not medically necessary, (2) not provided, and (3) for patients brought to the companies through payment of illegal kickbacks to providers and recruiters. The claims the administrator submitted to Medicare were based on forged prescriptions and falsified medical documentation, backdated so services were supposedly provided in prior years, and for beneficiaries who were coached to say they needed services when they were not homebound. According to evidence from trial, he also destroyed evidence prior to his arrest. Medicare paid approximately $2.5 million for false and fraudulent claims submitted by Mercy and D&D&D.

Ten other co-conspirators previously pleaded guilty or were convicted by the Southern District of Florida, including the owner and president of Nerey Professional Services, Inc. That co-conspirator was convicted of one count of receiving kickbacks in connection with a federal health care program and one count of conspiracy to defraud the U.S. and pay health care kickbacks and sentenced to 60 months in prison on May 27, 2016. According to evidence from trial, the co-conspirator was involved in the conspiracy to accept kickbacks in return for referring Medicare beneficiaries to Mercy and D&D&D to serve as patients, even those who did not qualify for home health care services, between October 2014 and September 2015.

Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions–including insurers–take effect March 1, 2017 in New York state. Noting that  “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, requires compliance by third party vendors, and includes more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and drivers’ license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third party service provider management and recurrent assessments and policies that allow for secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO) who is employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse an information system or the information stored in the system. Written incident response plans to cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days since discovery of a breach, or, if affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred.  The New York regulations, in contrast, require entities that are otherwise required to provide notice to the government or other self-regulatory agency or supervisory body, or who believe that a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.

 

Highlight on the District of Columbia: Congress fails to stop D.C. Death with Dignity law

Although the House Committee on Oversight and Government Reform voted to advance a resolution (H.J. Res. 27) that would nullify the District of Columbia’s Death with Dignity Act (D.C. ACT 21-577), the House failed to act on the resolution in time to block the law from becoming effective. Under the Constitution, D.C. is a federal district under the exclusive jurisdiction of Congress; since the 1973 District of Columbia Home Rule Act (P.L. 93-198), however, certain powers were granted to the city council and mayor, while Congress retained the authority to review all legislation passed by the council and imposed other restrictions. Bills passed by the council and signed by the mayor must be sent to Congress; they become law if Congress fails to block the law within 30 legislative working days.

Death with Dignity Act

 D.C.’s Death with Dignity Act–like similar laws passed in the states of California, Colorado, Montana, Oregon, Vermont, and Washington–legalizes physician-assisted suicide for terminally ill residents of the District who retain the ability to make and communicate health care decisions to health care providers and who complete certain required steps. Under the Act, individuals who are terminally ill may request life-ending medication from a physician, though no health care provider is required to prescribe or dispense life-ending medication even if the individual qualifies. To qualify, individuals must:

  • in the opinion of a court or the patient’s attending physician, consulting physician, psychiatrist, or
    psychologist, have the ability to make and communicate health care decisions to health care
    providers;
  • be a resident of the District of Columbia;
  • have an incurable and irreversible disease that has been medically confirmed and will, within reasonable medical judgment, result in death within six months; and
  • voluntarily make two oral requests and one written request in the presence of witnesses.

The Act also imposes requirements upon physicians, including providing the individual with certain information to ensure informed consent, and making referrals, recommendations, and counseling.

The bill was first introduced in January 2015, and a public hearing was held in July of that year. In November 2016, the City Council passed the bill by a vote of 11 to 2, and Mayor Muriel Bowser (D) signed it in December. It provided for an effective date immediately following the 30-day Congressional review period.

Congressional action

The term “Legislative Days” is a term of art. According to the Congressional Research Service:

In context of the daily activities of Congress, any calendar day on which a chamber is in session may be called a (calendar) “day of session.” A legislative day, by contrast, continues until the chamber adjourns. A session that continues into a second calendar day without adjourning still constitutes only one legislative day, but if a chamber adjourns, then reconvenes later on the same day, the single day of session includes two legislative days. Conversely, if a chamber recesses and then reconvenes on the same day, the same day of session and the same legislative day both continue. Finally, when a chamber recesses overnight, instead of adjourning, although a new calendar day of session begins when it reconvenes, the same legislative day continues.

The bill was transmitted to Congress on January 6, 2017, three days after the 115th Congress was sworn in. H.J. Res. 27 was introduced on January 12 by sponsor Rep. Brad Wenstrup (R-Ohio), and referred to the Oversight Committee. On February 13, 2017, the Committee voted to advance the resolution to consideration before the full House.

By the D.C. City Council’s determination, the Congressional review period for the Death with Dignity Act ended on February 18, 2017; despite the Committee’s advancement, the House failed to bring the resolution to a floor vote before the review period ended. To succeed in disapproval of a D.C. law, such resolutions must pass both Houses of Congress–though only by a simple majority and therefore not subject to Senate filibuster–and be signed by the President.