Highlight on New York: Insurers subject to first-in-nation cybersecurity regulations affecting financial institutions

The nation’s first cybersecurity regulations governing financial institutions, including insurers, take effect March 1, 2017 in New York state. Noting that “New York is the financial capital of the world,” Governor Andrew Cuomo (D) stressed the necessity of protecting consumers and financial systems from cyberattacks. The regulations require institutions to implement a cybersecurity program that includes regular assessments of information systems and the use of effective controls, require compliance by third-party vendors, and impose more stringent governmental reporting requirements than the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

The regulations apply to anyone operating under the Banking Law, Insurance Law, or Financial Services Law and specifically pertain to “nonpublic information.” Only electronic information qualifies as nonpublic information, which can be protected health information (PHI) as it is understood under HIPAA; business-related information that could materially and adversely impact the entity’s business, operations, or security; or any information concerning an individual that, when combined with specific data elements, including but not limited to Social Security and driver’s license numbers, could identify the individual.

The regulations require covered entities to maintain a cybersecurity program based upon a required risk assessment. Risk assessments must be conducted on a “periodic” basis and “updated as reasonably necessary.” Entities must implement and maintain written cybersecurity policies, including policies governing vendor and third party service provider management and recurrent assessments and policies that allow for secure and periodic disposal of nonpublic information that is no longer necessary for business operations or other legitimate business purposes. They must also designate a chief information security officer (CISO) who is employed by the entity, an affiliate, or a third party service provider, and who will provide a written report to the covered entity’s board of directors at least annually.

While HIPAA does not require penetration testing, the New York regulations require annual testing and biannual vulnerability assessments, unless covered entities have in effect some other type of continuous monitoring or other system to detect changes in information systems that could create or suggest vulnerabilities. The regulations specifically require entities to limit user access privileges to nonpublic information and to periodically review those privileges. They also require multi-factor authentication whenever an individual accesses the entity’s internal network from an external network, unless the CISO has approved controls in writing that are at least reasonably equivalent. Encryption is required for all nonpublic information held or transmitted by the entity; if encryption is not feasible, the CISO must review and approve “alternative compensating controls” and review them at least annually.

Certain requirements do not apply to entities with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets.

The regulations define a “cybersecurity event” as an act or attempt, successful or not, to gain unauthorized access to, or to disrupt or misuse, an information system or the information stored in the system. Written incident response plans for cybersecurity events must detail the response process and its goals, including “the definition of clear roles, responsibilities and levels of decision-making authority.” Requirements for reporting to government entities are much stricter than those under the HIPAA Breach Notification Rule, which requires entities to report breaches affecting 500 or more individuals to the HHS Secretary “without unreasonable delay,” but no more than 60 days after discovery of a breach, or, if affecting fewer than 500 individuals, within 60 days of the end of the calendar year in which the breach occurred. The New York regulations, in contrast, require entities that are otherwise required to provide notice to the government or another self-regulatory agency or supervisory body, or that believe a cybersecurity event is reasonably likely to materially harm the entity’s normal operations, to notify the Superintendent of the New York Department of Financial Services as soon as possible, but no more than 72 hours after determining that the event occurred.


The Empire State woos pharma, biotech industries

The 21st Century Cures Act (Cures Act) was passed by the House on November 30, 2016 and the Senate on December 7, 2016. The President signed it into law on December 13, 2016. The Cures Act contains three primary titles that make good on the promise of its name through FDA reforms accelerating drug and device development and delivery. The Cures Act also creates new administrative positions related to mental health and substance abuse and provides state funding to combat opioid addiction. The President applauded Congress’ approval of the bill, commenting, “I think it indicates the power of this issue and how deeply it touches every family across America.”

In a similar vein, New York Governor Andrew Cuomo and New York City Mayor Bill de Blasio recently unveiled two initiatives that would commit $1.15 billion in funding and tax incentives for education, business development, and job creation in the life sciences sector. Of the total amount, New York City will invest $500 million in biotech and life sciences over the next decade via a program called LifeSci NYC; the largest piece of that, $300 million in tax credits, will be made available to companies building lab space in the city, to defray the high costs of construction there. The state’s contributions include $250 million in tax incentives for new and existing life science companies, $200 million in state capital grants to support investment in wet-lab and innovation space, and $100 million in investment capital for early stage life science initiatives, with an additional match of at least $100 million for operating support from private sector partnerships.

Citing the lack of affordable and appropriate lab space as a barrier to the industry, especially in the New York City real estate market, the state and city initiatives will provide more than 3.2 million square feet of innovation space and 1,100 acres of developable land available tax-free at 45 colleges and universities statewide. The availability of grants, land, and space is intended to give the life science industry access to labs, infrastructure, and other equipment for product development.


Medicaid Whistleblower Leads to $137.5 Million Settlement

Tampa-based managed care company WellCare Health Plans, Inc. recently agreed to pay $137.5 million to settle allegations of fraud and other abuses, the Justice Department announced. The federal government will share the proceeds of the settlement with nine states: Connecticut, Florida, Georgia, Hawaii, Illinois, Indiana, Missouri, New York and Ohio. The for-profit company served about 2.6 million Medicaid beneficiaries as of August 2011. The four relators who brought whistleblower suits against the company will receive about $25 million.

The alleged fraud, which the company has not admitted, included:

  • inflated reports of the amounts spent on medical care to avoid returning funds to state agencies;
  • retention of overpayments;
  • operation of a sham special investigation unit;
  • cooperating with providers who overbilled for services;
  • falsification of records of patients’ medical condition and treatments provided; and
  • manipulation of grades of service in reports on the performance of its call center.

The company also allegedly violated federal marketing requirements for Medicaid managed care organizations by “cherrypicking” potential members to keep costs down. It was reported that WellCare performed a study of its costs for certain patients and then encouraged patients to disenroll to shift the cost of their care to state Medicaid agencies. A relator who worked undercover to assist in the federal investigation alleged that the company dropped premature infants and terminally ill patients. Arguing that the company’s actions cost the government between $400 and $600 million, the relator initially objected to the settlement; he disbelieved the company’s claim that it could not possibly afford more than $137.5 million.

In 2009, the company paid $80 million—$40 million in restitution and forfeiture of another $40 million—and entered into a Deferred Prosecution Agreement for fraud against the Florida Medicaid program. Thus, according to DOJ, its total recovery against WellCare will exceed $200 million. And if the company is acquired or there is a change of control in the next three years, the company will have to pay an additional $35 million. In April 2011, the company entered into a corporate integrity agreement with the HHS Office of Inspector General to come into compliance with the law.

In 2009, in a related enforcement action by the Securities and Exchange Commission (SEC), WellCare agreed to pay $10 million to the SEC and return another $1 million in profits. Top-level executives, including the former general counsel, were prosecuted for fraud. One pleaded guilty in 2007; three others are scheduled for trial in 2013. SEC brought a civil suit against the three in January 2012.

In 2011, the company also settled a class action brought by investors alleging misrepresentations in violation of federal securities laws. The $200 million settlement is to be paid with $87.5 million in cash and $112.5 million in bonds. As with the DOJ settlement, if the company is acquired or experiences a change in control within three years of the agreement, it must pay another $25 million.

Florida Health News reports that resolution of its legal difficulties makes WellCare an attractive target for a buyout. Because many states are moving toward mandatory managed care, there are many opportunities to grow its business. One analyst says that the company’s revenue could double. If the Supreme Court upholds the Affordable Care Act, the expansion of Medicaid eligibility will make contracts with Medicaid agencies even more valuable.

Even while the settlement was on hold, the company picked up a contract with the Kentucky Medicaid agency, which began in the fall of 2011. Problems with the roll-out of Kentucky’s managed care program were discussed in an earlier post.

Competition for those Medicaid managed care contracts is fierce. States usually must use competitive bidding. Bidders and their affiliates make large campaign contributions to state officials. In Missouri, Centene donated $50,000 to the governor’s campaign in the two years preceding the contract award and $175,000 to the Democratic Governors Association. Centene is based in Missouri but did not previously have a Medicaid contract; Molina, which lost despite 16 years of managed care contracts with the state, sued and asked the court to enjoin the state’s open enrollment, set for April 19, 2012. The case is being litigated at this writing.

According to the Chicago Tribune, in November 2005, WellCare and its affiliates contributed a total of $100,000 to the reelection campaign of then-Governor Rod Blagojevich. The local affiliate had given him $25,000 earlier in the year.

According to the Orlando Sentinel, three Medicaid HMOs—Humana, United and WellCare—were among the top 100 spenders for lobbying the Florida legislature in 2011. Humana spent more than $300,000. United and WellCare each spent an amount in the mid-$210,000s. In addition, the Florida Association of Health Plans, which seeks to influence Medicaid policy, among other issues, spent more than $300,000 on lobbying. Blue Cross Blue Shield, which isn’t a Florida Medicaid contractor but plans to bid, spent just under $300,000.

All the money that any plan spends on fines, unlawful remuneration, campaign contributions or lobbying isn’t going to pay for health care. It’s not paying for quality review, patient education, or even upgrading electronic health record systems. Could these facts be related to the findings of the study described in an earlier post, showing poorer health outcomes for beneficiaries in publicly traded Medicaid managed care organizations?

Geographic Markets Selected for Comprehensive Primary Care Initiative

CMS has selected the first markets whose payers will participate in the Comprehensive Primary Care (CPC) initiative. On April 11, the CMS Innovation Center announced seven areas, chosen from a pool of applicants, as the selected markets for this CPC demonstration, a public-private partnership to enhance access to primary care services by establishing medical homes supported by multiple payers.

CMS directed the solicitation for the Comprehensive Primary Care Initiative to public and private health care payers, each of which responded individually to the Innovation Center. Markets were selected in places where there was sufficient interest from a number of payers to support a comprehensive model of primary care. CMS collected the individual payer applications and evaluated the degree to which they aligned with CMS’ approach in the initiative. High-scoring payer applications proposing overlapping market areas were aggregated to assess the expected market share of enhanced support for comprehensive primary care. No more than two markets in an HHS region were eligible to participate, and CMS aimed to include at least two markets with significant rural areas.

These markets are multi-payer; participants may include private health plans, state Medicaid agencies, and employers. The seven markets are: Arkansas, statewide; Colorado, statewide; New Jersey, statewide; New York, Capital District-Hudson Valley Region; Ohio, Cincinnati-Dayton Region; Oklahoma, Greater Tulsa Region; and Oregon, statewide.

The selected participating payers in each market will enter into a “Memorandum of Understanding” (MOU) with CMS. Once the participating payers in each market have agreed to the terms and conditions of this MOU, the Innovation Center will release a solicitation to primary care practices in these geographic areas wishing to provide comprehensive primary care as part of this initiative. The Innovation Center will also invite local practitioner representatives and local patient and consumer representatives to participate in these discussions with Medicare.

The White House has indicated that funding of up to $322 million is available to support 75 practices in seven states beginning this year, with plans to serve up to 330,750 Medicare and Medicaid beneficiaries over the course of this four-year initiative. The practices involved will receive a new care management fee on behalf of Medicare fee-for-service beneficiaries to support enhanced primary care services for their patients. The enhanced services will include: improving care coordination; increasing patients’ access to care; delivering preventive care; engaging patients and caregivers in managing their own care; and providing individualized, enhanced care for patients living with multiple chronic diseases and higher needs.

Two models will be tested simultaneously: a service delivery model and a payment model. The service delivery model will test comprehensive primary care, which is characterized as having the following five functions:

  • risk-stratified care management;
  • access and continuity;
  • planned care for chronic conditions and preventative care;
  • patient and caregiver engagement; and
  • coordination of care across the medical neighborhood.

The second type, known as the “payment model,” includes a monthly care management fee paid to the selected primary care practices on behalf of their fee-for-service Medicare beneficiaries and, in years 2-4 of the initiative, the potential to share in any savings to the Medicare program. Practices will also receive compensation from other payers participating in the initiative, including private insurance companies and other health plans, which will allow them to integrate multi-payer funding streams and strengthen their capacity to implement practice-wide quality improvement.

The Comprehensive Primary Care Initiative was developed under the Patient Protection and Affordable Care Act (PPACA) (P.L. 111-148) and the American Recovery and Reinvestment Act of 2009 (Recovery Act) as a multi-payer initiative fostering collaboration between public and private health care payers to strengthen primary care. It is one of the ways the Obama Administration has made the recruitment, training, and retention of primary care professionals a top priority.