Category: Health Care

Auto Added by WPeMatico

 

Lessons Learned from 2017 OCR HIPAA Enforcement Actions

So far 2017 is proving to be an active year for Health Insurance Portability and Accountability Act (HIPAA) enforcement. This comes on the heels of 2016, which saw an unprecedented level of enforcement actions, with 13 total settlements and nearly a 300 percent increase in total collected fines over 2015. To date in 2017, nine actions have been settled and the average settlement amount continues to outpace 2016.

Three Tips to Help Reduce the Risk of a HIPAA Violation

Several themes have emerged from these enforcement actions that HIPAA-regulated entities should be mindful of to help reduce the risk of a HIPAA violation occurring and to reduce the potential resulting fine in the event of enforcement.

1. Conduct Risk Analyses Regularly. One of the most consistent themes that has emerged from the 2017 settlement and corrective action plans announced by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) is that organizations subject to HIPAA must regularly conduct risk analyses in accordance with the Security Rule to assess risk and vulnerabilities in an organization’s ePHI environment. The Security Rule does not proscribe a specific risk analysis methodology given that the analysis will vary depending on an organization’s size and capabilities. However, the risk analysis should comply with available OCR guidance, including the Guidance on Risk Analysis Requirements under the HIPAA Security Rule.

[A] lack of risk management not only costs individuals the security of their data, but it can also cost covered entities a sizable fine.
– OCR Acting Director Robinsue Frohboese

2. Implement a Risk Management Plan and Reasonable Safeguards. While conducting a risk analysis is critical, equally important is the risk management plan and the reasonable safeguards an organization adopts in light of any risks or vulnerabilities that are identified in the risk analysis. For example, OCR assessed a $3.2 million civil monetary penalty against a hospital in February, after noting that the hospital continued to use unencrypted devices even after reporting a breach in 2009 involving the loss of an unencrypted, non-password protected device. Note that the issuance of a penalty is rare, as most OCR enforcement actions result in a settlement, not a penalty. Here, however, the hospital chose to pay the penalty as opposed to negotiate with OCR.

hipaa3. Report Breaches in Timely Manner. A settlement announced in January made headlines as the first HIPAA settlement based on the untimely reporting or notification of a breach under the HIPAA Breach Notification Rule. OCR found that the healthcare network failed, with unreasonable delay, to notify OCR, the affected individuals, and the media within the required 60-day timeframe. Instead, the notifications were made over 100 days after discovery of the breach. This settlement highlights the importance of having clear policies and procedures that workforce members have been trained on in order to respond within HIPAA’s breach notification timeframes.

OCR Updated Web Tool

OCR recently announced the release of an updated web tool to provide enhanced transparency to the HIPAA breach reporting tool. New features include: 1) breaches currently under investigation and reported within the last 24 months; 2) an archive of all older data breaches; 3) tips for consumers; and 4) navigation to additional breach information.

Foley regularly assists clients with implementing HIPAA compliance programs, handling data breach notification requirements, and responding to OCR audits and investigations. For more information contact: Jennifer Rathburn, Jennifer Hennessy, or Julie Kadish.

Powered by WPeMatico

New Jersey’s Telemedicine Law: What Providers Need to Know

new jersey telemedicine

New Jersey has a new telemedicine law, recently signed by Governor Chris Christie. The law cements the validity of telehealth services in the Garden State, establishes telemedicine practice standards, and imposes telehealth coverage requirements for New Jersey Medicaid, Medicaid managed care, commercial health plans, and other State-funded health insurance. After a year of debate in the New Jersey Legislature, the bill (SB 291 now P.L.2017, c.117) unanimously passed both the House and Senate before going to the Governor’s Office. The law is effective July 21, 2017.

The new law is quite lengthy, but we have summarized and explained the essential provisions below:

Key Definitions

  • Telemedicine is broadly defined as the delivery of a health care service using electronic communications, information technology, or other electronic or technological means to bridge the gap between a health care provider who is located at a distant site and a patient who is located at an originating site. The term does not include “the use, in isolation, of audio-only telephone conversation, electronic mail, instant messaging, phone text, or facsimile transmission.

  • Telehealth is defined as the use of information and communications technologies, including telephones, remote patient monitoring devices, or other electronic means, to support clinical health care, provider consultation, patient and professional health-related education, public health, health administration, and other services.
  • Asynchronous Store-and-Forward is defined as the acquisition and transmission of images, diagnostics, data, and medical information either to, or from, an originating site or to, or from, the health care provider at a distant site, which allows for the patient to be evaluated without being physically present.
  • Health Care Provider is broadly defined as an individual who provides a health care service to a patient, which includes, but is not limited to, a licensed physician, nurse, nurse practitioner, psychologist, psychiatrist, psychoanalyst, clinical social worker, physician assistant, professional counselor, respiratory therapist, speech pathologist, audiologist, optometrist, or any other health care professional acting within the scope of a valid license or certification issued pursuant to Title 45 of the New Jersey Statutes.

Telemedicine Communication Modalities

  • The law also states that telemedicine services must be provided “using interactive, real-time, two-way communication technologies” (a requirement that interestingly does not appear to extend to “telehealth services” under the statute itself). Synchronous audio-video is not mandated except for Schedule II prescribing.
  • Interactive Audio with Store-and-Forward. A provider engaging in telemedicine or telehealth may use asynchronous store-and-forward technology to allow for the electronic transmission of images, diagnostics, data, and medical information; except that the provider may use interactive, real-time, two-way audio in combination with asynchronous store-and-forward technology, without video capabilities, if, after accessing and reviewing the patient’s medical records, the provider determines that the provider is able to meet the same standard of care as if the health care services were being provided in person.
  • Audio-Only or Text-Based Communications. The law excludes from the definition of telemedicine consultations provided by “the use, in isolation, of audio-only telephone conversation, electronic mail, instant messaging, phone text, or facsimile transmission.”

Telemedicine Practice Standards

  • Provider-Patient Relationship. A valid provider-patient relationship may be established via telemedicine or telehealth without an in-person exam. Moreover, New Jersey licensing boards are prohibited from passing regulations that would require an in-person exam as a prerequisite to delivering telemedicine or telehealth services. A valid provider-patient relationship must include, at a minimum, the following:
    • Properly identifying the patient using, at a minimum, the patient’s name, date of birth, phone number, and address. The provider may additionally use the patient’s assigned identification number, social security number, photo, health insurance policy number, or other appropriate patient identifier associated directly with the patient.
    • Disclosing and validating the provider’s identity and credentials, such as the provider’s license, title, and, if applicable, specialty and board certifications.
    • For an initial consult with a new patient, the provider must review the patient’s medical history and any available medical records before initiating the telemedicine consult. (For telehealth consults conducted in connection with a pre-existing provider-patient relationship, the provider may review the information with the patient contemporaneously during the consult.)
    • The provider must determine whether or not he/she will be able to meet the standard of care. This determination must be done prior to each unique patient consult.
  • A health care provider delivering services via telemedicine or telehealth must adhere to the following practice standards.
    • The provider’s identity, professional credentials, and contact must be made available to the patient during and after the provision of services. The contact information must enable the patient to contact the provider (or a substitute provider authorized to act on behalf of the provider who provided services) for at least 72 hours following the provision of services.
    • The provider must review the patient’s medical history and any available medical records.
    • After the consult, the patient’s medical information must be made available to the patient upon his/her request. If the patient consents/requests, the information must be forwarded directly to the patient’s primary care provider or health care provider(s) of record.
    • If a patient has no health care provider of record, the telemedicine or telehealth provider is allowed to advise the patient to contact a primary care provider, and, upon request by the patient, may assist the patient with locating a primary care provider or other in-person medical assistance that, to the extent possible, is located within reasonable proximity to the patient.
    • The telemedicine or telehealth provider must refer the patient to appropriate follow up care where necessary, including making appropriate referrals for emergency or complimentary care, if needed.
  • Standard of Care. Diagnosis, treatment, and consultation recommendations, including discussions regarding the risk and benefits of the patient’s treatment options, made via telemedicine or telehealth, including the issuance of a prescription based on a telemedicine or telehealth consult, are held to the same standard of care or practice standards as are applicable to in-person settings. If telemedicine or telehealth services are not consistent with this standard of care, the provider must direct the patient to seek in-person care.
  • Telemedicine Prescribing. A provider may prescribe medications via telemedicine only after establishing a valid provider-patient relationship.
    • Unless the provider has established a valid provider-patient relationship, a provider shall not issue a prescription to a patient based solely on the responses provided in an online questionnaire.
    • With regard to prescribing controlled substances via telemedicine, the law does not prohibit the activity except for Schedule II drugs. A provider may prescribe Schedule II controlled substances via telemedicine only after conducting an initial in-person examination of the patient. Moreover, subsequent in-person exams are required every three months for the duration of time that the patient is being prescribed the Schedule II controlled dangerous substance. Note: despite the New Jersey law, providers must still comply with the prescribing requirements under the federal Ryan Haight Act.
    • The New Jersey in-person exam requirement does not apply to prescriptions for Schedule II controlled stimulant drugs for use by a patient under the age of 18 if: 1) the provider uses interactive, real-time, two-way audio and video technologies; and 2) has obtained written consent from the minor patient’s parent or guardian to waive the in-person exam.
  • Patient Consent. The law does not require patient informed consent to telehealth services (although New Jersey Medicaid requires it for certain specialties). However, to the extent the provider must obtain patient consent for certain activities (e.g., recommending a primary care referral, clinical procedures), the patient’s consent may be oral, written, or digital in nature, provided that the chosen method of consent is deemed appropriate under the standard of care.
  • Originating site. There are no geographic or facility restrictions on originating sites, which are simply defined as “a site at which a patient is located at the time that health care services are provided to the patient by means of telemedicine or telehealth.”
  • Patient-Site Telepresenter. There is no requirement to use a patient-site telepresenter, unless otherwise needed by medical standard of care expectations.
  • Medical Records; HIPAA. Providers must maintain a complete record of the patient’s care and comply with all applicable State and federal statutes and regulations for recordkeeping, confidentiality, and disclosure of the patient’s medical record.

Other unique and notable highlights of the New Jersey law include:

  • Business Registration for Telemedicine or Telehealth Organizations. The law requires each telemedicine or telehealth organization operating in New Jersey to annually register with the Department of Health and submit annual reports on activity and encounter data. The content of the reports will be specified further in forthcoming regulations, but we know the reports will include, at least, for each consult: the patient’s race and ethnicity; the diagnostic codes; the evaluation management codes; and the source of payment for the consult. The Department of Health will compile the information into a statewide database. A “Telemedicine or telehealth organization” is a corporation, sole proprietorship, partnership, or limited liability company that is organized for the primary purpose of administering services in the furtherance of telemedicine or telehealth.
  • Telemedicine and Telehealth Review Commission. The law creates a seven-member New Jersey Telemedicine and Telehealth Review Commission. The Commission will review the information reported by telemedicine and telehealth organizations and make recommendations for policy and law changes to promote and improve the quality, efficiency, and effectiveness of telemedicine and telehealth services in New Jersey.
  • Exceptions to Provider-Patient Relationship. Telemedicine or telehealth may be practiced without a proper provider-patient relationship in the following circumstances:
    • During informal consultations performed by a provider outside the context of a contractual relationship, or on an irregular or infrequent basis, without the expectation or exchange of direct or indirect compensation.
    • During episodic consultations by a medical specialist located in another jurisdiction who provides consultation services, upon request, to a properly licensed or certified health care provider in New Jersey.
    • When a provider furnishes medical assistance in response to an emergency or disaster, provided that there is no charge for the medical assistance.
    • When a substitute provider, who is acting on behalf of an absent provider in the same specialty, provides health care services on an on-call or cross-coverage basis, provided that the absent provider has designated the substitute provider as an on-call provider or cross-coverage service provider.
  • Mental health screeners, screening services, and screening psychiatrists subject to the provisions of P.L.1987, c.116 (C.30:4-27.1 et seq.) are not required to obtain a separate authorization in order to engage in telemedicine or telehealth for mental health screening purposes, and are not required to request and obtain a waiver from existing regulations prior to engaging in telemedicine or telehealth.

New Jersey Telemedicine and Telehealth Insurance Coverage

The law establishes fairly broad coverage of telemedicine and telehealth services, both under New Jersey Medicaid and commercial health insurance plans. However, the law does not explicitly impose a payment parity requirement (i.e., mandating that reimbursement for telemedicine and telehealth services be equal to reimbursement rates for identical in-person services). Instead the law sets the in-person reimbursement rate as the maximum ceiling for telemedicine and telehealth reimbursement rates.

  • With regard to Medicaid and Medicaid managed care, the law states that the State Medicaid Program and NJ FamilyCare Program “shall provide coverage and payment for health care services delivered to a benefits recipient through telemedicine or telehealth, on the same basis as, and at a provider reimbursement rate that does not exceed the provider reimbursement rate that is applicable, when the services are delivered through in-person contact and consultation in New Jersey.”
    • Reimbursement payments may be provided either to the individual practitioner who delivered the reimbursable services, or to the agency, facility, or organization that employs the individual practitioner who delivered the reimbursable services, as appropriate.
    • The programs may limit coverage to services that are delivered by participating health care providers, but may not charge any deductible, copayment, or coinsurance for a health care service, delivered through telemedicine or telehealth, in an amount that exceeds the deductible, copayment, or coinsurance amount that is applicable to an in-person consultation.
  • With regard to commercial health insurance plans, the law states that “a carrier that offers a health benefits plan in [New Jersey] shall provide coverage and payment for health care services delivered to a covered person through telemedicine or telehealth, on the same basis as, and at a provider reimbursement rate that does not exceed the provider reimbursement rate that is applicable, when the services are delivered through in-person contact and consultation in New Jersey.”
    • Reimbursement payments may be provided either to the individual practitioner who delivered the reimbursable services, or to the agency, facility, or organization that employs the individual practitioner who delivered the reimbursable services, as appropriate.
    • A carrier may limit coverage to services that are delivered by health care providers in the health benefits plan’s network, but may not charge any deductible, copayment, or coinsurance for a health care service, delivered through telemedicine or telehealth, in an amount that exceeds the deductible, copayment, or coinsurance amount that is applicable to an in-person consultation.
  • The law establishes similar telemedicine and telehealth coverage requirements for contracts purchased through the New Jersey State Health Benefits Commission and the New Jersey School Employees’ Health Benefits Commission.

Passage of this new legislation is welcome news for telemedicine companies and health care providers looking to offer telemedicine services in New Jersey. We will continue to monitor New Jersey for any rule changes that affect or improve telemedicine opportunities in the state.

For more information on telemedicine, telehealth, virtual care, and other health innovations, including the team, publications, and other materials, visit Foley’s Telemedicine and Virtual Care practice.

Powered by WPeMatico

The Ball is in the SEC’s Court: What Health Care Borrowers Can Do While Waiting on Changes to Rule 15c2-12

On March 1, 2017, the Securities and Exchange Commission (SEC) issued Release No. 34-80130 (the Release) proposing several amendments to its Rule 15c2-12 (the Rule) that would add two new events to the list of events that must be included in the continuing disclosure undertakings of municipal issuers or obligors (Borrowers) of municipal bonds. These 2 new events are:

  1. The incurrence of “financial obligations, if material, or agreeing to covenants or other provisions that affect security holders, if material,” and
  2. The occurrence of one or more of the following events under the terms of such a financial obligation: “default, event of acceleration, termination event, modification of terms or other similar events under the terms of a financial obligation of the obligated person,” if the event reflects financial difficulties.

The SEC has yet to respond to the comments received on the proposed changes to the Rule and has a variety of alternatives from taking no action on the rule change, implementing the rule as proposed, or adopting the rule with various modifications. Given the increasing call for greater transparency in the municipal securities industry, but without firm guidance on the “materiality question” discussed below, the best action during this waiting period is simply to prepare for change. Following are some strategies for participants in the municipal market to address the challenges posed by the proposed amendments.

A Review of the Proposed Amendments

Scope of “financial obligations” that must be disclosed. The clear focus of the Release and the proposed amendments to the Rule is provision of continuing disclosure relating to direct placements of debt obligations, but the scope of the proposed financial obligations that would have to be disclosed is significantly broader than that. The term “financial obligation” is defined in the Release to include a “(i) debt obligation, (ii) lease, (iii) guarantee, (iv) derivative instrument, or (v) monetary obligation resulting from a judicial, administrative, or arbitration proceeding.”  These terms are interpreted broadly in the Release.

For example, the Release provides that the term “lease” is intended to include an operating lease or a capital lease, while a “guarantee” is intended to capture a contingent financial obligation of the issuer or obligor to secure the obligations of a third party or of the issuer or obligor itself. Thus, an extremely wide range of obligations, if material, would need to be disclosed on the Municipal Securities Rulemaking Board’s (MSRB) Electronic Municipal Market Access (EMMA) website by Borrowers if the amendments are adopted, as proposed.

Impact of “materiality” qualifier. A second area of concern is the use of materiality to qualify those events that must be disclosed. This qualification ideally would limit the amount of disclosure that must be provided only to events where there is a substantial likelihood that a reasonable investor would consider such information important in making an investment decision, based on the Basic v. Levinson standard of materiality. However, as was evidenced by the SEC’s recent Municipal Securities Disclosure Cooperation (MCDC) initiative, there is a lack of clear guidance regarding what is material to an investor in the municipal market, leading to a conservative view of materiality and what one market participant has termed “hyper disclosure.”

Determining which events are “material” to a reasonable investor could be difficult and, if the SEC does not later concur with the Borrower’s analysis, the consequences can be severe. Use of the materiality standard (without further guidance) to qualify the events that must be disclosed gives rise to the concern that Borrowers will be required to provide detailed summaries of their direct placements, leases, swaps, for example, or to post in full redacted copies of the underlying documentation, in order to comply with the amended Rule.

Preparing for Change

As described above, the amendments to the Rule as they are currently proposed could have a significant impact on the municipal market, especially upon Borrowers, but also on broker-dealers. Below are several actions that Borrowers and broker-dealers may wish to consider undertaking in response to the Release and Rule.

  • Review Current Arrangements and Disclosure Policies. If the proposed amendments to the Rule are adopted, Borrowers will need to be prepared to gather and disseminate a considerably wider scope of information regarding their financial obligations than is currently the case. We recommend that Borrowers review their existing disclosure undertakings and policies and consider what modifications may be necessary to comply with the Rule as amended.
  • Review Processes and Procedures for Event Notifications. Because of the potentially broad scope, the person responsible for filing event notices with EMMA will need to develop processes and procedures for becoming aware of these additional events in a timely manner, evaluating whether they are material or reflect financial difficulties, and preparing and filing the required notices, generally within 10 business days of the occurrence of the event. It seems likely that the most important and difficult element of this new, wider inquiry will be setting up processes to ensure that the designated person receives timely notice of the new events that must be disclosed.
  • Revise Due Diligence Processes. Similarly, broker-dealers will need to revise their due diligence processes to devise methods of determining whether any of the new listed events have occurred and, if so, whether they were material or reflect financial difficulties and, if so, were adequately and timely reported to EMMA.
  • Consider Disclosure Standards Under Federal Securities Laws and What Must Be Included in an Events Notice. Another critical element that must be borne in mind by Borrowers is that the requirements of Rule 10b-5, which requires that disclosure be accurate and complete, will apply to each of the event filings. Simply filing a notice with EMMA that a certain event has occurred may not be sufficient, even if such a notice meets the requirements of the applicable continuing disclosure undertaking. Because many of the new proposed events require a certain degree of analysis and context to determine whether they are material or reflect financial difficulties, additional disclosure necessary to provide the context of such a determination is likely to be necessary. Disclosure filed with EMMA is subject to the 10b-5 standard and therefore cannot contain any untrue statement of a material fact or omit to state any material fact necessary to make the statements therein, in light of the circumstances under which it was made, misleading.

What Resources Are Available to Learn More?

The SEC’s proposed amendments to the Rule are substantial and could have wide-ranging implications for Borrowers’ disclosure practices. We recommend that Borrowers examine their current disclosure practices and procedures to ensure that they are ready and able to comply with the Rule if and when it is amended. Additional information on the Release and the Rule, is available in the March 2017 client alert and the May 2017 webinar recording. Or contact Heidi Jeffery or David Bannard directly.

For more information on Foley’s healthcare finance practice, including the team, publications, and other materials, visit Foley’s Healthcare Finance Practice.

Powered by WPeMatico

OIG to Audit Medicare Telehealth Services: What You Need to Know

medicare telehealth

For what may be the first time, the Office of Inspector General (OIG) at the Department of Health & Human Services (HHS) recently announced a new project to review Medicare payments for telehealth services. Accordingly, providers who bill the Medicare program for telehealth services may expect to have those claims reviewed to confirm the patient was at an eligible originating site and that the statutory conditions for coverage were met. The audit is a new project added as a supplement to the OIG’s 2017 Work Plan.

OIG Work Plan

Historically, at the beginning of each new fiscal year, the OIG issued its Work Plan, setting forth the compliance and enforcement projects and priorities OIG intends to pursue in the coming year. Beginning in June 2017, OIG will update the annual Work Plan on a monthly basis.  The Work Plan contains dozens of projects affecting Medicare and Medicaid providers, suppliers and payors, as well as public health reviews and Department-specific reviews.

The Work Plan reflects (in large part) two aspects of the work of OIG:

1) Projects originating within the Office of Audit Services (OAS), which conducts financial, billing, and performance audits of HHS programs; and

2) Projects originating within the Office of Evaluations and Inspections (OEI), which provides management reviews and evaluations of HHS program operations.

Except by providing general statistics, the Work Plan itself does not detail the work of the Office of Investigations or the Office of Counsel to the Inspector General in investigating and enforcing matters involving specific individual providers and suppliers.  The new telehealth project will be run by the OAS.

Review of Medicare Payments for Telehealth Services

OIG describes its new telehealth review project as follows:

“Medicare Part B covers expenses for telehealth services on the telehealth list when those services are delivered via an interactive telecommunications system, provided certain conditions are met (42 CFR § 410.78(b)). To support rural access to care, Medicare pays for telehealth services provided through live, interactive videoconferencing between a beneficiary located at a rural originating site and a practitioner located at a distant site. An eligible originating site must be the practitioner’s office or a specified medical facility, not a beneficiary’s home or office. We will review Medicare claims paid for telehealth services provided at distant sites that do not have corresponding claims from originating sites to determine whether those services met Medicare requirements.”

The expected issue date of the OIG report is 2017, so presumably the review will commence shortly (although OIG Work Plan projects are sometimes continued or extended from year-to-year).

Medicare 2014 Telehealth Claims Data

The new OIG project is not the first time Medicare claims data has identified a potential mismatch regarding the conditions for coverage for telehealth services. A July 2016, Medicare Payment Advisory Commission (MEDPAC) Report to Congress: Medicare and the Health Care Delivery System contained a detailed chapter on telehealth services and the Medicare program.  In it, MEDPAC analyzed Medicare claims data from 2014 for preliminary qualitative assessments on the state of telehealth services under Medicare. The report included a paragraph on telehealth distant site claims without a corresponding originating site claim, stating:

“Among the 175,000 telehealth claims from distant sites, 95,000 (55 percent) were without an originating site claim.  This discrepancy could be due to providers not bothering to bill for the $25 facility fee, or it could be that some services inappropriately originated from a patient’s home, as other research has suggested (Gilman and Stensland 2013).  Among the distant site telehealth claims without an originating site claim, 56 percent (53,000 visits) were associated with rural beneficiaries and 44 percent (41,000 visits) were associated with urban beneficiaries.  Both claims groups suggest that beneficiaries could be inappropriately receiving telehealth services from home or another unapproved location that did not file an originating site claim.  The urban claims are also potentially problematic because they could be occurring in urban originating sites, which is inconsistent with Medicare statute.”

Medicare Coverage of Telehealth Services

Current coverage of telehealth services under Medicare is limited, with the coverage restrictions established via statute under the Social Security Act.  Any notable expansion of telehealth coverage under Medicare would require legislation by Congress.  There are several bills pending in Congress to remove these limitations, but until such time, there are five main conditions for coverage for telehealth services under Medicare.

  1. The beneficiary is located in a qualifying rural area (providers can check if the originating site is in a qualifying rural area by using the Medicare Telehealth Payment Eligibility Analyzer);
  2. The beneficiary is located at one of eight qualifying originating sites (i.e., the offices of physicians or practitioners; Hospitals; Critical Access Hospitals; Rural Health Clinics; Federally Qualified Health Centers; Hospital-based or CAH-based Renal Dialysis Centers (including satellites); Skilled Nursing Facilities; and Community Mental Health Centers);
  3. The services are provided by one of ten distant site practitioners eligible to furnish and receive Medicare payment for telehealth services (i.e., physicians; nurse practitioners;™physician assistants;™nurse-midwives;™ clinical nurse specialists;™ certified registered nurse anesthetists; clinical psychologists; clinical social workers; registered dietitians; and nutrition professionals);
  4. The beneficiary and distant site practitioner communicate via an interactive audio and video telecommunications system that permits real-time communication between them (store and forward is covered in Alaska and Hawaii under demonstration programs); and
  5. The CPT/HCPCS (Current Procedural Terminology/Healthcare Common Procedure Coding System) code for the service itself is named on the CY 2017 (or current year) list of covered Medicare telehealth services.

In order to bill Medicare for telehealth services, the distant site practitioner must fully comply with each of these requirements. If the service does not meet each of these above requirements, the Medicare program will not pay for the service.  If, however, the conditions of coverage are met, the use of an interactive telecommunications system substitutes for an in-person encounter (i.e., it satisfies the “face-to-face” element of a service).

Providers ought not fear the new OIG project, or see it as a reason not to offer telehealth services to their patients. Indeed, the project and its eventual report can help shed light on those areas of compliance which the OIG believes important. In the interim, providers should continue to ensure their telehealth programs and claims comply with Medicare requirements, including coverage, coding, and documentation rules.

For more information on telemedicine, telehealth, and virtual care innovations, including the team, publications, and other materials, visit Foley’s Telemedicine Practice.

Powered by WPeMatico

The Office of the National Coordinator Releases Guidance on Recent International Ransomware Campaign

With the news of the newest international ransomware campaign that is currently affecting some organizations within the Health Care sector, it is important to not only educate staff on necessary precautions, but also be aware of steps to take in the instance you are infected by a ransomware attack.

The following information was distributed  today by the Office of the National Coordinator (ONC).  Please take a moment to review the information and prepare your organization in the event that an attack occurs.

Be sure to review our preparedness recommendations and contact us with any questions.

Health and Human Services/Assistant Secretary of Preparedness and Response Critical Infrastructure Protection Program

If you are the victim of a ransomware attack

If your organization is the victim of a ransomware attack, HHS recommends the following steps:

  1. Please contact your FBI Field Office Cyber Task Force or US Secret Service Electronic Crimes Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Please report cyber incidents to the US-CERT and FBI’s Internet Crime Complaint Center.
  3. **NEW**If your facility experiences a suspected cyberattack affecting medical devices, you may contact FDA’s 24/7 emergency line at 1-866-300-4374. Reports of impact on multiple devices should be aggregated on a system/facility level.
  4. For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC@hhs.gov

Mitigating against this threat

  • Educate users on common phishing tactics to entice users to open malicious attachments or to click links to malicious sites.
  • Patch vulnerable systems with the latest Microsoft security patches available here.
  • Verify perimeter tools are blocking Tor .Onion sites
  • Use a reputable anti-virus (AV) product whose definitions are up-to-date to scan all devices in your environment in order to determine if any of them have malware on them that has not yet been identified. Many AV products will automatically clean up infections or potential infections when they are identified.
  • Monitor US-CERT for the latest updates from the U.S. government. See below for current reporting.
  • Utilize HPH Sector ISAC and ISAO resources. See below for further information.

US-CERT Resources

Multiple Petya Ransomware Infections Reported

06/27/2017 12:56 PM EDT

Original release date: June 27, 2017 US-CERT has received multiple reports of Petya ransomware infections occurring in networks in many countries around the world. Ransomware is a type of malicious software that infects a computer and restricts users’ access to the infected machine until a ransom is paid to unlock it. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee that access will be restored. Using unpatched and unsupported software may increase the risk of proliferation of cybersecurity threats, such as ransomware.

Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB). US-CERT encourages users and administrators to review the US-CERT article on the Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010. For general advice on how to best protect against ransomware infections, review US-CERT Alert TA16-091A. Please report any ransomware incidents to the Internet Crime Complaint Center (IC3).

Sector ISAO and ISAC resources

National Health Information-Sharing and Analysis Center has shared the following TLP-White Message and will continue to share information at nhisac.org.

HITRUST has shared the following Threat Bulletin for distribution.

ONC and OCR resources

  • ONC provides many helpful resources about Health IT Security to include cybersecurity guidance materials and training at here and here.
  • OCR provides cybersecurity guidance materials including a cybersecurity checklist, ransomware guidance and cyber awareness newsletters at here.

Powered by WPeMatico

Opioid Crisis Initiating New State Gift Ban Laws

opioid

The Maine legislature passed with broad bipartisan approval L.D. 911, An Act to Prohibit Certain Gifts to Health Care Practitioners. The legislation prohibits gifts to practitioners who are licensed to prescribe and administer drugs by manufacturers, wholesalers, or agents of manufacturers or wholesalers of prescription drugs.

What’s Excluded?

  • Free samples of prescription drugs for patients
  • Items less than $50 over a calendar year
  • Payments to sponsors of educational programs
  • Honoraria for educational conferences
  • Compensation for research
  • Publications or educational materials
  • Salaries to employees

At the Heart of the Bill is the State’s Opioid Crisis

While similar in substance to what already exists in Massachusetts, Vermont, and other states as a law designed to curtail conflicts of interest in physician prescribing practices, the purported impetus here is the state’s opioid crisis. Representative Scott Hamann, the sponsor for the bill, said that the goal is to ensure doctors do not have conflicts of interest when prescribing drugs, especially opioids. According to Hamann’s testimony before the legislature, “People are dying, and the addiction often starts in the doctor’s offices.” The bill intends to curb any influence on the prescribing of opioids given the perspective that there is a correlation between payments and prescribing behavior. Maine has seen a forty percent increase in drug overdose deaths in the last year, and spending on physicians nearly doubled from 2014 to 2015.

The “gift ban” law is now awaiting the Maine Governor’s signature. It will be interesting to see if other states impacted heavily by heroin and opioid abuse will follow suit with increased surveillance or banning of industry gifts to physicians.

Powered by WPeMatico

Senate Releases Repeal and Replace Legislation on ACA: The Better Care Reconciliation Act of 2017

After weeks of secrecy, the Senate has released a discussion draft of legislation that is the counterpart of the American Health Care Act (AHCA) previously passed by the House.  The Senate legislation, entitled the Better Care Reconciliation Act of 2017 or BCRA, closely tracks the language in AHCA.

Foley Attorneys are continually monitoring and analyzing the impact of the bill and will provide additional coverage as changes are announced.  Below is a summary of the differences between the BCRA and AHCA.

Changes to the ACA Insurance Markets and Subsidies

Like the AHCA, the BCRA would make several immediate or near term changes to the health insurance markets originally established by the ACA including:

  • Reduction in Tax Penalties. The tax penalties associated with the employer and individual mandates will be reduced to $0 effective January 1, 2016, essentially repealing the employer and individual mandates with retroactive effect.
  • Reforms for Age and Pre-existing Conditions Remain. Several major market reforms implemented by the ACA are retained, including the ability for children to remain on their parents’ coverage until age 26, the requirement that individual health insurance be guaranteed issue and guaranteed renewable, and the prohibition on pre-existing condition exclusions.
  • Application for Waivers. States may apply for certain waivers of ACA market reforms, including the requirement that health insurance provide coverage of ten “Essential Health Benefits” (EHBs), requirements for credentialing plans on the health insurance marketplaces (exchanges), and limits on deductibles or cost sharing for exchange plans. BCRA would direct the federal government to approve state applications for such modifications, unless the alternative proposal would increase the federal deficit.
  • Increase of Premiums for Older Enrollees. Allowing states to increase premiums for older enrollees up to five times more than younger enrollees, increased from ACA’s maximum ratio of 3 to 1. Unlike the AHCA, the BCRA does not permit waivers of the ACA’s prohibition on determining premium amounts based on an individual’s health status.
  • Addition of a Six-month Waiting Period. Under the updated draft of the BCRA released on June 26, 2017, insurers in the individual market may impose a six-month waiting period on any individual who cannot demonstrate 12 months of continuous coverage. Under the AHCA, health insurance companies in the individual market would assess a 30% premium surcharge if an applicant has gone longer than 63 days without continuous health insurance coverage during a 12-month lookback period.
  • Cost-sharing reduction (CSR) Changes. CSR payment provisions in the ACA are repealed effective starting in 2020. However, the BCRA appropriates funds to make CSR payments through December 31, 2019. The AHCA did not appropriate any funds for CSR payments.

Additional Insurance Market Reforms

Like the AHCA, the BCRA would promote greater use of alternative approaches by states or by individuals to manage insurance costs, including use of high-risk pools and health savings accounts (HSAs).

  • Expanded Tax Benefits Associated with HSAs. Effective January 1, 2018, the BCRA would expand the tax benefits associated with HSAs, and allow consumers to contribute substantially more pre-tax money to an HSA regardless of whether they have individual or employer-sponsored health coverage.  HSA contributions would be allowed up to the limits on out-of-pocket expenses permitted for high deductible health plans (for 2018, $6,650 for self-only coverage and $13,300 for family coverage) (same as the AHCA).
  • Changes in Flexible Spending Account Contributions. Effective January 1, 2018, ACA’s limit on the amount an employee may contribute to a health flexible spending account (health FSA) per year (for 2017, $2,600) would be repealed (same as the AHCA but the BCRA’s effective date is a year later).
  • Ability to Purchase Over-the-counter Medications using FSA or HSA. Effective January 1, 2017, employees would again be able use health FSA and HSA funds to purchase over-the-counter medications without a prescription, as was the case before ACA was adopted (same as AHCA).
  • Changes to the Effective Date of the Cadillac Tax. While many of the taxes included in the ACA would be repealed, the BCRA retains but delays the “Cadillac Tax” until 2026 (same as the AHCA).  The Cadillac Tax is a 40% excise tax on high-cost health coverage provided by employers.

Significant Modifications to the Medicaid Program

The BCRA’s most significant impact may be felt on the Medicaid program, which would be slated for substantial reductions in funding along with new authority for states to modify the scope of their programs.

Incentives to Roll-Back the ACA’s Medicaid Expansion. BCRA would provide significant financial incentives for states to reverse or roll back the expansion of Medicaid under the ACA to cover low-income adults who do not have dependents or serious disabilities.

  • Reduction in Federal Financial Support for the Expansion. The Senate bill would gradually reduce the level of enhanced federal funding available for the expansion population each year until 2023, when funding would be available at a state’s normal Medicaid matching rate.  The reductions are certain to create enormous budgetary problems for states that expanded Medicaid, potentially forcing modifications or reductions in benefits or the roll-back of the expanded coverage.  The Senate bill also prevents states that elect to expand Medicaid on or after March 1, 2017 from receiving the enhanced funding.
  • Disparate Treatment of Expansion and Non-expansion States.  Medicaid expansion states would also face scheduled reductions in their disproportionate share hospital (DSH) payments, while BCRA would remove the reductions for non-expansion states.  In addition, non-expansion states would have their DSH allotments increased between 2020 and 2024 if the state has a per capita DSH allotment below the national average. These increases would not apply to expansion states.
  • New Authority for $2 Billion in Funds for Non-expansion States.  Similar to the House legislation, BCRA would create new authority for $2 billion in funds for non-expansion states that can be used to increase Medicaid payments to providers up to the provider’s uncompensated costs of treating Medicaid and uninsured patients.  A state would be disqualified from these payments if it elects to expand Medicaid coverage.

Changes to Limit Federal Support for Medicaid beginning in 2020.  BRCA also makes significant changes to the financial structure of the Medicaid program that are unrelated to the ACA’s Medicaid expansion.

  • Hard Caps on Federal Medicaid Funding through a Per Capita Calculation.  The formula for this calculation closely follows the approach in the House legislation.  However, the Senate version utilizes a different inflation adjuster beginning in 2025 that, if implemented, would limit the growth in federal Medicaid expenditures (on a per capita basis) to the general consumer price index for urban consumers. In recent years, Medicaid expenditures have risen much faster than this inflation measure. The per capita caps would apply beginning in 2020.
  • Budget Neutral Adjustments to the Per Capita Caps for Low- and High-Cost States.  New authority to adjust the per capita caps for specific enrollment categories for states that are 25% above or below the  mean per capita cap for all states.  Under this provision, states that spend more on a per capita basis for a specific enrollment category (e.g., for Medicaid-enrolled children, or seniors, or the disabled) would have their per capita caps reduced, and states that pay less than the mean would have their per capita cap increased. This authority does not apply to low-density states.
  • Reduction to the Per Capita Cap for New York State.  BCRA includes the language previously included in the House legislation that would reduce the per capita cap for New York state, unless New York state stops requiring local governments (other than New York City) to contribute to the Medicaid program.
  • New Authority for States to Apply for and Receive Federal Block Grants.  New authority for states, beginning with fiscal year 2020, to receive federal block grants for the operation of approved “Medicaid flexibility programs” for qualifying Medicaid beneficiaries.  The legislation provides that the Medicaid flexibility programs would not be available for children, seniors, the disabled, or individuals in the expansion population, meaning interested states would apply them to low-income adults with dependent children. The Medicaid flexibility programs would be in lieu of the operation of the state’s normal Medicaid benefit, and would allow the state to modify conditions of eligibility, benefit package, and cost sharing.  The amount of the block grant would be based on the per capita cap amount otherwise available to the state.  States would be required to meet a maintenance of effort requirement that is lower than what they would otherwise need to expend to draw down the same amount of Medicaid funds.
  • Phases Down the Cap on Health Care Provider Taxes.  BCRA would phase down provider taxes that will be considered permissible without meeting alternate, more burdensome criteria from 6% to 5%, beginning in 2021.  As a result of these changes, the provider taxes or fees in many states that help support Medicaid payments to hospitals and other providers may need to be reduced or modified.

Restrictions on Medicaid Eligibility.  BCRA also implements new oversight and restrictions on beneficiaries accessing Medicaid coverage.

  • Ability to Condition Medicaid Coverage on Satisfaction of a Work Requirement. States would be allowed to condition Medicaid coverage on the beneficiary’s satisfaction of a work requirement, which would be defined by federal law.  This requirement could not be applied against pregnant, disabled, elderly, or minor (under age 19) beneficiaries, or against individuals who is the only parent or caretaker in the family of a child with disabilities or under age 6.
  • Option to Require Re-enrollment for Expansion Enrollees.  States would have the option to require individuals in the Medicaid expansion population to re-enroll at least every 6 months to maintain their coverage.
  • Limits on Retroactive Medicaid Coverage.  Current law requires Medicaid programs to cover services provided to an individual within the 3 months prior to the completed application.  BCRA would reduce this to one month, effective October 1, 2017.
  • Sunset Hospital Presumptive Eligibility. Hospital authority to make presumptive eligibility determinations will end January 1, 2020.

Medicaid Benefit Changes. New limitations or options for state Medicaid coverage.

  • Access to Essential Health Benefits.  BCRA removes the requirement for Medicaid expansion beneficiaries to receive a package including EHBs.  The inclusion of this requirement in the ACA led to a significant expansion of Medicaid mental health and substance abuse disorder treatment services.
  • Limited Exception to Medicaid IMD Exclusion.  Medicaid currently does not cover services for adults who are residents in an institution for mental diseases (“IMD”).  The BCRA would expand state’s options to cover adult psychiatric hospital services, regardless of whether the IMD designation applies, when an individual has a stay of up to 30 consecutive days (and up to 90 days in a calendar year).  State would not be eligible to cover these services if the state reduces the number of licensed beds at psychiatric hospitals owned, operated, or contracted by the state, or reduces the non-Medicaid funding expended by the state and political subdivisions for inpatient and outpatient psychiatric treatment.

Other Notable Changes

  • Medicare Program Remains Intact – Like the AHCA, the Senate bill does not seek changes to the benefits or coverage under the Medicare program, although it does remove taxes imposed by the ACA that help finance the Medicare trust fund.
  • Substance Use Grants – An additional $2 billion would be available as grants for states to support substance use disorder treatment and recovery support services for individuals with mental or substance use disorders.
  • Additional Funding to Federally Qualified Health Centers– An additional $422 million in funding will be provided to Federally Qualified Health Centers through the Community Health Center Fund in 2017.
  • Planned Parenthood Funding – The BCRA would prevent any Medicaid, CHIP, and certain federal block grant payments from being made to Planned Parenthood for one year.

The Question Remains as to Whether the BCRA Will Pass the Senate

Yesterday, the Congressional Budget Office (CBO) released its estimate that 22 million people will lose coverage by 2026 if the Senate bill were to become law. The CBO also projected the measure would reduce the deficit by $321 billion between 2017 and 2026, roughly $200 billion more savings than in the House’s AHCA.

Senate Republican Leader Mitch McConnell (R-KY) intends to bring the bill to the Senate floor for a vote later this week under a process known as reconciliation, which means the measure can move forward with only 51 votes.  Should he be successful, the House could pass the Senate bill at the end of the week and send the measure to President Trump for his signature.  However, thus far five Republican Senators have stated they oppose the bill as currently written:  conservative Senators Rand Paul (R-KY), Mike Lee (R-UT), Ted Cruz (R-TX) and Ron Johnson (R-WI) and moderate Senator Dean Heller (D-NV).  Several other Senators have expressed concerns over a multitude of issues with the bill, including the 22 million individuals that are projected to lose coverage, lack of funding for Planned Parenthood for one year, and the lack of sufficient time to review and understand the likely impacts of the legislation.  McConnell can only lose votes from two Senators or the measure will fail.  Democrats have repeated their willingness to work with the Republicans to improve upon the Affordable Care Act, but oppose the BCRA or the “repeal and replace” bill in its current state.

Negotiations are underway as Senator McConnell tries to secure of the votes in order to move the bill this week.  He has significant flexibility to negotiate on Medicaid, funding to combat opioids, and other aspects of the measure because the $321 billion in projected savings far exceeds the amount required.  Senators are scheduled to be in their home states next week for the July 4th recess.  If the measure does not pass before they leave Washington, D.C., history tells us the path could become even more difficult once they return.  President Trump has reportedly contacted many Senators to hear their concerns and Vice President Pence, who is expected to expected to deliver the 51st vote to get the bill over the finish line, is scheduled to attend today’s regularly scheduled meeting of the Senate Republicans.

We will continue to monitor the Senate Legislation and will provide updates on any changes that happen in an effort to gain support of the existing bill.

Senate Vote Delayed

Editors note: This section was added at 2:30pm CDT on Tuesday, June 27th.

Senator McConnell announced this afternoon (Tuesday, June 27th) the Senate will not vote on BCRA this week, due to concerns raised by multiple Republican Senators who want more time to understand the bill’s impact on their respective states.  The earliest the Senate could take up the bill is the week of July 10th, following a scheduled recess the previous week.  The Senate is in session for three weeks during the month of July and then adjourns for five weeks beginning July 31st.  If the bill has not passed before the August recess its prospects are greatly diminished.

We expect negotiations to continue as McConnell works to address Senators’ concerns and secure the votes necessary for passage.

Powered by WPeMatico

Senate Sets Timeline to Take up Repeal and Replace Legislation on ACA

With Congress returning to Washington, D.C. from its Memorial Day work period, Senators are focusing heavily on the timeline and details of legislation that would significantly alter the Affordable Care Act (ACA). Over the last week, many senior Senators have expressed skepticism regarding whether they can pass a bill, but Senate Republican Leader Mitch McConnell (R-KY) has laid out an aggressive timeline. Specifically, he would like the chamber to vote on a bill before the July 4th recess and use the rest of July to reconcile the House and Senate versions, leading to a final vote before the August recess. Congressional Republicans are eager to move beyond health care in order to take up tax reform and FY2018 federal government funding.

The Great Medicaid Expansion Divide

Senate Republicans are in agreement that their bill will be significantly different from what the House passed earlier this year, but that is where consensus ends. The main sticking point is how to appease Senators on both sides of the expansion – states that expanded and those that did not – in order to cobble together 50 votes (with Vice President Pence delivering the 51st). Those that did expand their Medicaid population don’t want to see their expansion population lose coverage, and those that did not expand, believe they are entitled to an additional financial benefit so they are not at a disadvantage as compared to the expansion states.

Achieving the required savings under reconciliation, while appeasing both factions, is proving extremely difficult. At this point, Democrats are not expected to vote for any Senate bill that significantly modifies the ACA so Republicans must rely entirely on their own Conference. Senators are also concerned about the alarming number of Americans projected to lose coverage under the House passed bill, and are developing a plan that would provide more generous tax subsidies for purchasing coverage. At this point, there is very little interest in including changes to the Essential Health Benefits package as was done in the House bill.

Still Awaiting the House-Passed Bill

In an interesting twist, the Senate parliamentarian is still in the process of reviewing the House-passed bill to make sure it does not violate Senate rules. Therefore, the legislative vehicle has still not officially been delivered to the Senate from the House. A ruling is expected this week.

Stay tuned for further updates as we eagerly await the first draft of the Senate bill, which could come as early as this week.

Powered by WPeMatico

New FDA Commissioner Hits the Ground Running

FDA

Fresh off his noticeably smooth confirmation, the new Commissioner of Food and Drugs, Dr. Scott Gottlieb, appeared before Congress last Thursday and unveiled his strategic initiatives and priorities for the Trump Food and Drug Administration (“FDA”).  These run the gamut from improving regulatory science and policies to streamlining clinical trials to spurring innovation on behalf of patients.  Two initiatives, in particular, merit closer attention and discussion: combating opioid abuse and addressing drug price increases through more, accelerated generic competition.

Opioid Regulation

In his first post to the FDA Voice blog, Dr. Gottlieb wrote:

As Commissioner, my highest initial priority is to take immediate steps to reduce the scope of the epidemic of opioid addiction. . . .  I believe it is within the scope of FDA’s regulatory tools – and our societal obligations – to take whatever steps we can, under our existing legal authorities, to ensure that exposure to opioids is occurring under only appropriate clinical circumstances, and for appropriate patients.

First among these steps, the Commissioner is establishing an Opioid Policy Steering Committee, comprised of “some of the agency’s most senior career leaders, to explore and develop additional tools or strategies FDA can use to confront this epidemic.”  The strategies under consideration include (1) mandatory education for health care professionals about (i) appropriate prescribing recommendations; (ii) how to identify the risk of abuse in individual patients; and (iii) how to get addicted patients into treatment; and (2) working more closely with provider groups to develop standards for prescribing opioids in different clinical settings, so that “the number of opioid doses that an individual patient can be prescribed is more closely tailored to the medical indication.”

Limiting the availability of prescription pain medication is a dicey proposition, however.  As Dr. Gottlieb acknowledged, certain situations “require a 30-day supply” and, “[i]n those cases, we want to make sure patients have what they need.  But there are plenty of situations where the best prescription is a two- or three-day course of treatment.”  The individualized medical judgments and circumstances that drive opioid prescribing likely mean that no single approach is likely to strike the proper balance between over-prescribing and ensuring sufficient access to adequate pain management.  Interestingly, the variability between opioid prescribers and patients did not stop the Centers for Medicare and Medicaid Services from proposing hard limits on opioid dosing for non-cancer pain or palliative/end-of-life care (i.e., chronic pain) for Medicare Advantage Organizations and Prescription Drug Plan Sponsors.

In fact, pain patients already have struggled under bright-line limitations on opioids.  As we previously reported, the State of Massachusetts enacted a new law in March 2016 that prohibits “a practitioner [from] issu[ing] a prescription for more than a 7-day supply . . . [w]hen issuing a prescription for an opiate to an adult patient for outpatient use for the first time [or] to a minor,” the first such limitation legislatively imposed by any state.”  Mass. Gen. Laws ch. 94C, § 19D (2016).  Massachusetts physicians surveyed following the law’s enactment complained that “the pendulum has swung too far, depriving pain patients of needed relief,” and that “regulations won’t solve the addiction problem . . . .  Instead, they make doctors reluctant to prescribe opioids.”

Broadly targeting opioids as a class of drugs also may cast too wide a net.  A recent article in the journal Substance Abuse reported “[t]he US opioid epidemic has changed profoundly in the last 3 years” in that “[h]eroin and fentanyl have come to dominate an escalating epidemic of lethal opioid overdose, whereas opioids commonly obtained by prescription play a minor role, accounting for no more than 15% of reported deaths in 2015.”  The article urged that the changing etiology of opioid overdose “require[s] substantial recalibration of the US policy response.”

What is clear—and what Dr. Gottlieb seems to recognize—is that opioid abuse and addiction are dynamic issues that differ from prescriber to prescriber and from one patient to another.  Those variables may make a one-size-fits-all strategy unviable.

Drug Prices

During a budget hearing before the House Committee on Appropriations, Dr. Gottlieb testified that, “while the FDA does not have a direct role in drug pricing, we can take steps to facilitate entry of lower-cost alternatives to the market.”  He identified policy challenges that the last Congress had attempted to address through legislation designed to expedite access to affordable drugs.  Such legislation included the CREATES Act, which we previously analyzed.  The proposed law sought to prevent brand-name drug companies from using FDA safety rules (i.e., Risk Evaluation and Mitigation Strategies (REMS) and requirements thereunder, e.g., Elements to Assure Safe Use (ETASU)) for medicines with higher risk potential to block or delay generic entry.  “FDA has an important role to play in making sure that its statutory and regulatory processes are working as intended,” Gottlieb told Congress, “not being manipulated in ways that FDA and Congress did not intend.”

In response to growing political pressure in Washington to expedite drug reviews, Dr. Gottlieb assured lawmakers that biomarkers, new technologies, and more efficient clinical trial designs would make it possible to shorten the regulatory process.  But accelerated approval of expensive, investigational (albeit life-saving) therapies has raised concerns among health policy experts.

A recent op-ed published by the New England Journal of Medicine (NEJM) cautioned that

accelerated approval can lead to situations in which private payers may choose not to cover a drug because of high cost and lack of evidence of clinical efficacy, thereby thwarting the pathway’s goal of getting potentially important therapies to patients earlier, while major government payers are forced to cover the product, directing substantial tax dollars to drugs not yet shown to have clinical benefit.

The NEJM article’s authors argue that any biopharma company granted an accelerated approval should be subject to certain price restrictions until the confirmatory trials are completed, reasoning that “the price paid by taxpayers should reflect the strength of the available evidence about the drug’s clinical impact.”  Additionally, they proposed that all drugs moving through an accelerated-approval pathway should be subject to formal economic impact analyses after one to two years on the market, possibly funded by an increase in the user fees for manufacturers that use this pathway.

Dr. Gottlieb is also evaluating the generic drug and biosimilar review and approval process.  More specifically, Dr. Gottlieb is looking at measures to facilitate communication between the industry and FDA, address complex molecules, and to speed up the approval of biosimilar products.

These recommendations are not without some appeal.  Despite seeking to deliver more “bang” for the taxpayer’s “buck,” however, prospectively capping the federal reimbursement for a high-cost drug product still subject to additional clinical trials and/or other R&D may create a financial disincentive to pharmaceutical manufacturers to foot the expense of developing breakthrough drugs to fill an unmet medical need.

Stay Tuned

To deliver on the promises of reducing the incidence of opioid abuse and lowering drug prices, Dr. Gottlieb’s FDA must navigate the competing interests and thorny health policy issues highlighted above.  Foley & Lardner will report further as the agency’s redefined mission unfolds.

Powered by WPeMatico

17 Measures Every Health Care Organization Should Consider to Reduce the Risk of Cyber-Intrusions

cybersecurity

The importance of privacy in the health care industry starts at the most basic level between a patient, a doctor, and the doctor’s laptop computer. The levels of importance and complexity increase exponentially when you look at entire networks of payers and providers. The amount of data produced and stored in these organizations is staggering and keeping it secure is of the utmost importance. We have identified misconceptions about cybersecurity. We’ve covered some of the legal obligations the c-suite is under to secure its organization’s data. With the rise cyber-intrusions like ransomware, we know it’s important to effectively train employees and follow the guidelines provided by the Federal Department of Health and Human Services.

With the developments expected in this space under the Trump Administration, it is vital that every health care organization is prepared on the cybersecurity front.

Below is our list of 17 measures every health care organization should consider to reduce the risk of cyber-intrusions.

  1. Conduct internal compliance and risk assessments, to determine your organization’s vulnerability to cyber-attacks. This includes, but is not limited to, the security risk analysis required under the HIPAA Security Rule for covered entities and their business associates.
  2. Develop and implement corporate policies and procedures required for compliance with federal and state privacy and security laws.
  3. Develop quick-response teams to handle potential cyber-attacks, using pre-formulated decision trees and procedures so that you don’t have to develop them while under the fire of an ongoing attack.
  4. Establish secure data backup protocols to ensure that, even if your company is under attack, important company records are secure and available.
  5. Establish protocols to deal with common forms of cyber-attacks (denial of service, etc.).
  6. Line up outside experts, if necessary based upon the risk profile of your company, to swing into action if company processes are overwhelmed by a cyber-attack.
  7. Perform periodic audits of cybersecurity practices against industry norms, accepted best practices, and the risk profile of your organization.
  8. Implement information security best practices, reflect them in information security policies, records retention and management policies, and in internal controls/standard operating procedures.
  9. Make certain the CEO and executive leadership are properly informed about the cyber risks to your company and that they’re involved in oversight and the decision-making process related both to cyber-attacks and proactive cybersecurity measures.
  10. Review funding of all electronic security measures to ensure they are adequate to cover not only routine compliance measures but also to allow for proactive testing and probing of systems in light of increasingly sophisticated measures being used by hackers.
  11. Collect only that protected health information and personally identifiable information from clients, customers, or company personnel that is needed for identified business needs, with the retention of such information being only for as long as it serves those business needs, with storage being accomplished in a way that minimizes the chance of it being of any use outside the organization (encryption, etc.).
  12. Obtain cyber insurance and understand the coverage, including the legal counsel and other experts the company is permitted to engage under the policy.
  13. Coordinate cyber incident response planning across the entire company.
  14. Store sensitive information securely (encrypting where appropriate) and away from other data that does not require the same level of protection. Use a layered defense approach to protect “crown jewel” information.
  15. Conduct appropriate data security due diligence on third-party service providers with access to protected health information, personal identifiable information, and/or sensitive business information, and require them to enter into agreements that they are implementing robust data security procedures, following up to ensure these requirements are in fact implemented.
  16. Assess ways in which your company’s access vulnerabilities (website, VPNs, remote access, and so forth) are configured to minimize potential intrusion risk, with regular testing and probing to update and address identified risks.
  17. Perform companywide training, tailored to the personnel at issue, to ensure personnel understand the importance of following all security policies and procedures and reporting any suspected violations.

This list was generated as part of a Legal News: Cybersecurity newsletter by Greg Husisian, Chanley Howell and Jacob Heller titled, “Cybersecurity and the New Trump Administration: Your Top Ten Questions Answered.” Click here for the original publication.

Powered by WPeMatico