The Centers for Medicare & Medicaid Services (“CMS”) has published a final rule that will expand access to telehealth services for Medicare Advantage (“MA”) plan enrollees.[1] CMS Administrator Seema Verma characterized the agency’s latest policymaking efforts as “a historic step in bringing innovative technology to Medicare beneficiaries” and a way for the agency to provide “greater flexibility to Medicare Advantage plans, [so] beneficiaries can receive more benefits, at lower costs and better quality.”[2]

Traditionally, MA plans have been limited to providing, as part of their Medicare benefit packages, solely those telehealth services covered under original Medicare, as defined at Section 1834(m) of the Social Security Act (“Act”). MA plans seeking to offer a broader scope of telehealth services only could do so as MA supplemental benefits, which were funded through use of rebate dollars or supplemental premiums paid by enrollees. Section 1834(m) of the Act limits payments for Medicare telehealth services to specified services provided using a real-time, interactive audio and video telecommunications system between the Medicare beneficiary and practitioner. Also, this section of the Act limits the locations where beneficiaries may receive Medicare-covered telehealth services (e.g., rural and authorized health care facilities).

Under the Bipartisan Budget Act of 2018 (P.L. 115-123) (“BBA”), which was signed into law by President Trump in February 2018, Congress amended the Act to enable MA plans to offer telehealth services beyond the Part B-covered telehealth services traditionally covered as part of the MA basic benefit package. Section 50323 of the BBA created a new Section 1852(m) of the Act which allows MA plans to provide “additional telehealth benefits” starting in 2020 and to treat them as basic benefits (also known as “original Medicare benefits” or “benefits under the original Medicare FFS program option”). The term “additional telehealth benefits” is defined in the final rule as “services—(1) for which benefits are available under Part B, including services for which payments not made under section 1934(m) of the Act due to the conditions for payment under such section; and (2) that are identified for the applicable year as clinically appropriate to furnish using electronic information and telecommunications technology when a physician or practitioner providing the service is not at the same location as plan enrollee.”[3] This change will benefit both plans and enrollees by enabling plans to fund much of the cost of such benefits through the government-paid capitation without relying on rebate dollars or additional premium charges.

MA plans choosing to offer additional telehealth benefits may maintain different cost sharing for specified Part B services furnished through in-person visit and those Part B services furnished via electronic exchange.[4] CMS has required that for every MA additional telehealth benefit, the MA plan also must provide access to the same service via an in-person visit, thereby giving the MA plan enrollee the ultimate choice in how to access such services. CMS has chosen not to define which services will be considered “clinically appropriate” to offer in this manner, instead extending to the provision of such additional telehealth benefits the existing requirement at Section 422.504(a)(3)(iii) that the MA organization to agree to provide all benefits covered by Medicare “in a manner consistent with professionally recognized standards of health care.” CMS will defer to MA plans to independently determine, for each plan year, which services are clinically appropriate to furnish using electronic information and telecommunications technology.  MA plans that choose to cover additional telehealth benefits must do so through contracted providers; such benefits as provided by non-contracted providers would need to be covered as MA supplemental benefits.

The final rule also will allow MA plans to continue to separately offer as “MA supplemental benefits” those telehealth services that do not meet the requirements for coverage under original Medicare or to be considered MA additional telehealth benefits. For example, an MA plan may offer, as an MA supplemental benefit, a videoconference dental visit to assess dental needs because services primarily provided for the care, treatment, removal, or replacement of teeth or structures directly supporting teeth are not currently covered Part B benefits and thus would not be allowable as MA additional telehealth benefits.

Importantly, the final rule will allow MA enrollees to receive certain health care services via telehealth (e.g., ESRD-related, stroke-related) from places other than an authorized health care facility, such as beneficiaries’ homes.

While the final rule ensures that MA plans will have greater flexibility in providing a broader range of telehealth-delivered services and services in more locations, a plan’s choice to offer such benefits remains optional. The final rule may create widely varying offerings between otherwise comparable MA plans, as well as hesitation among MA plans to offer these additional telehealth benefits, for example, due to the requirement that only certain provider-types may provide these services. For plan year 2017, CMS reported that 219 MA plans (or 8 percent of plans) covered remote patient monitoring services and that 2,115 plans MA plans (or 77 percent of plans) covered “remote access technologies” (a term broadly describing services such as e-mail, two-way video, and nurse call-in telephone lines).[5] How many MA plans will take advantage of this new flexibility, how far they will go, and how these utilization numbers may change, remains to be seen. CMS’s hope is that the change in how MA additional telehealth benefits are financed will encourage MA plans to offer them which, in turn, will improve access for more MA enrollees in need of such benefits.

 

[1] See 84 Fed. Reg. 15680 (Apr. 16, 2019).

[2] Centers for Medicare & Medicaid Services, Press Release, CMS Finalizes Policies to Bring Innovative Telehealth Benefit to Medicare Advantage (Apr. 5, 2019).

[3] 84 Fed. Reg. 15680, 15684 (Apr. 16, 2019).

[4] However, MA plans may not use differential cost sharing to limit enrollee choice by steering or inhibiting enrollee access to services.

[5] The Medicare Payment Advisory Commission, Report to the Congress: Medicare Payment Policy, ch. 16 (Mar. 2018), at 483, available at http://www.medpac.gov/. In this March 2018 report, MedPAC stated that the Commission “supports expanding telehealth coverage in MA beyond the current level” and made recommendations related to a proposed two-phase plan for expansion. Id. at 499.

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be understated. Communications between computers on the Internet depend on DNS to get to their intended destination. Network communications begin with a query to DNS to resolve the human readable domain name to a numeric Internet Protocol (IP) address required by computers to route the transmission. A malicious party who is able to exploit a weakness in DNS can re-route sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII) and other valuable information from the intended recipient to the malicious actor. Indeed, as recent attacks on DNS indicate, even encrypting the communication may not be an effective countermeasure because the transmission can be decrypted after interception. Malicious employees and other insiders may also abuse DNS as a side channel to covertly exfiltrate the organization’s most sensitive proprietary information avoiding Data Loss Prevention (DLP) countermeasures that may operate at different layers of the communication process. The recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy.

Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring reasonable network security safeguards without considering threats to DNS. The statutory requirements do not generally mandate the particular mix of cybersecurity controls required to protect DNS. Rather, the frameworks require organizations to implement formalized processes to anticipate and assess risks from cyber threats and then adopt reasonable safeguards.[i] Organizations may reference NIST publications and other technical guidance for a catalog of controls to choose from based on the risk assessment.[ii] Consistent with the regulatory imperatives requiring vigilance and appropriate counter-measures to safeguard data when threats evolve, organizations should revisit their defenses given the recent threats to DNS.

Attackers seek to disrupt the normal operations of DNS servers and applications responsible for resolving domain names to properly route network communications between computers. DNS looks up the IP address of the computer to receive the communication based on its domain name and advises the computer requesting a connection of the associated IP address to send the request to. For example, when a user types “www.anycompany.com” in his or her web browser or sends an email (e.g., “tsmith@anycompany.com”) DNS resolves the domain name (“www.anycompany.com”) to a numerical IP address, such as 172.30.xxx.xxx. DNS advises the requesting computer of the IP address corresponding to the domain name and the requesting computer accordingly directs the traffic.

DNS is under constant attack because of its open and distributed nature. Organizations under persistent threat, particularly healthcare, financial services and technology companies, should be concerned. DHS recently issued its first emergency alert to all its agencies about attacks to hijack DNS resolutions and misdirect the government’s traffic.[iii] Typically, the attacks involved compromise of credentials initially through a phishing attack. DHS reported: “Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.” Further, “because the attacker can set DNS record values, they can also obtain valid encryption certificates for an organization’s domain names. This allows the redirected traffic to be decrypted, exposing any user-submitted data. Since the certificate is valid for the domain, end users receive no error warnings.” DHS emphasizes the criticality of the threat: “This is roughly equivalent to someone lying to the post office about your address, checking your mail, and then hand delivering it to your mailbox.” As DHS also noted, security researchers have identified a wave of other DNS hijacking that affected dozens of government, telecommunications and internet infrastructure entities.[iv]

The risks from DNS exploitation are not exclusively from external hackers. Using DNS to exfiltrate information is also a well-recognized technique for malicious insiders because DNS must permit queries to resolve to perform its functions. Malicious employees and other insiders will try to exploit this functionality for unlawful purposes, including theft of trade secrets and protected data, and to conceal their activities. Hijacking and tunneling attacks to compromise DNS are not new, but the recent attacks highlight how damaging the attacks can be.[v] Moreover, recent caselaw holds that employers may lose statutory protection of their trade secrets if they do not make reasonable efforts to maintain its secrecy and protect it from insider threat.[vi]

Because cybersecurity should be a team effort, here are some steps that IT, HR and Legal should be considering to protect DNS in their particular organization from hijacking and tunneling attacks. Ensure that DNS servers are up to date on all patches and running the latest version of the name server software. Implement complex passwords and multifactor authentication for DNS administrator credentials to prevent unauthorized changes. Implement a formalized system to monitor/proxy DNS traffic to ensure DNS is being used as intended. Implement a formalized system to audit DNS logs to verify that queries are resolving to the intended location. Monitor encryption certificates for your organization’s domain. Consider implementing DNSSEC (which builds trust in the DNS query and resolution process) if technically feasible.[vii] Train your employees in phishing, social engineering and protecting their credentials. Ask basic questions: e.g., What processes are in place to prevent or discover an employee exploiting DNS to exfiltrate sensitive information? What processes are in place to protect administrator credentials? Implement written policies and procedures around protecting DNS, including configuration management, patching, passwords, monitoring and audit. Ultimately, the right mix of DNS safeguards depends on the risks to your particular organization after conducting a risk assessment.

___

[i] See, e.g., 45 C.F.R. §164.306(b); 15 U.S.C. §6801;  23 NYCRR §500.00, 500.02, 500.09; Cal. Civ. Code 1798.81.5; GDPR Article 32; Massachusetts (M.G.L. c. 93H; 201 CMR 17; Frequently Asked Questions).

[ii] See, e.g., NIST 800-53v4 – Security and Privacy Controls for Federal Information Systems and Organizations, NIST Cybersecurity Framework, HHS Technical Volumes 1 & 2: Cybersecurity Practices for Small, Medium and Large Health Care Organizations.

[iii] DHS Alert (AA19-024A) – DNS Infrastructure Hijacking Campaign; DHS Emergency Directive 19-01 – Mitigate DNS Infrastructure Tampering; CISA Blog – Why CISA issued our first emergency directive.

[iv] Fireeye Threat Research – Global DNS Hijacking Campaign: DNS Manipulation at Scale (https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html ); Crowd Strike: Widespread DNS Hijacking Activity Targets Multiple Sectors (https://www.crowdstcrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/).

[v] NIST Special Publication 800-81-2 – Secure Domain Name Systems (DNS) Deployment Guide

[vi] EBG Blog: Even if “Secret” Information Will Not Qualify As A “Trade Secret” Unless Adequate Measures Were Taken To Protect That Secrecy;  Abrasic 90 Inc., d/b/a CGW Camel Grinding Wheels, USA v. Weldcote Metals, Inc., Joseph O’Mera and Colleen Cervencik, No. 18 Civ. 05376 (N.D. Ill. March 4, 2019).

[vii] ICANN – DNSSEC – What Is It and Why Is It Important; ICANN Calls For Full DNSSEC Deployment Promotes Community Collaboration To Protect The Internet; ICANN Alert Regarding Published Reports of Attacks On Domain Name System.

On March 27, 2019, the FDA announced that it would be proposing new amendments to key regulations regarding mammography facilities that would require these entities “to tell women more about how dense breast tissue can affect their health and increase their cancer risk.”  The proposed changes to mammography facility regulations would be the first issued in more than 20 years.  The FDA believes the change will “expand the information mammography facilities must provide to patients and health care professionals, allowing for more informed medical decision-making.”  In addition, FDA is proposing to modernize quality standards by, for example, expressly authorizing FDA communications with patients and practitioners in the event of quality issues, requiring use of FDA-approved or -cleared digital accessories, and strengthening recordkeeping requirements.  These changes not only enhance regulatory requirements, but likely foreshadow increasing enforcement and communications from FDA with regard to mammography services.

As a general rule, it is a well settled rule of law that FDA does not regulate the practice of medicine, but mammography services are a notable exception.  Congress provided the FDA with regulatory oversight of mammography facilities in 1992 following passage of the Mammography Quality Standards Act (MQSA). The MQSA entrusts FDA with facility accreditation, annual inspections, certification, and enforcement of standards to assist in ensuring such facilities provide quality care.  FDA Commissioner Scott Gottlieb remarked that the new rule proposal would “modernize our oversight of mammography services, by capitalizing on a number of important advances in mammography, like the increased use of 3-D digital screening tools and the need for more uniform breast density reporting.”

Under the proposed rule, mammography providers would be required to tell women whether they have dense breast tissue, which may increase cancer risk and mask tumors, making cancer detection more challenging.  Women with dense tissue are often advised to seek other screening tests along with mammograms, such as M.R.I. scans or ultrasound, but in many states this is left to the discretion of providers.  (Currently, there are roughly 36 states already requiring that female patients be given information about breast density).  The new rule proposes specific language that would be implemented nationwide to explain breast density, note that some women may need additional imaging tests and recommend patients consult their physicians regarding their results.  The FDA language would set a minimal standard, and will not preempt states from imposing additional requirements regarding disclosures.

The content of communications beyond basic diagnosis have been raised as a concern under current state law disclosure standards. Some within the medical profession have argued that disclosure laws could provide women with information that does not necessarily reflect their condition, and could lead to a demand for expensive, unnecessary tests.  Further, some physicians have also suggested that state-mandated letters may be too complex for patients to understand.  For instance, the Journal of the American Medical Association (JAMA) published a study analyzing notification letters sent out in over 20 states and found that “many use such complex language that patients need a college degree to understand them.”  Acknowledging the pushback, Commissioner Gottlieb stated that women had a right to receive such information regarding their health in order to make an informed decision about next steps.

Moving forward, entities and medical professionals should be mindful of these regulations when providing mammography services to female patients.  It will be important to exercise best medical judgment when examining mammogram results as dense breast tissue may represent a significant confounder when assessing breast cancer risk.  Communications on these topics could face additional scrutiny as medical practitioners try to balance obligations in regulations with general principles about informing patients about their condition in an understandable manner.  In addition, there is potential that changes could drive an increase the use of additional diagnostic testing.  Thus, there is some uncertainty as to whether there should be a push for enhanced screening.

EBG will continue to monitor this proposed rule.  The FDA is accepting comments on these proposed changes until June 26, 2019.  The notice and comment portal for submitting comments is available at https://www.regulations.gov/document?D=FDA-2013-N-0134-0006.


Brian Hedgeman

On April 2, 2019, FDA issued a press release featuring a statement from FDA Commissioner Scott Gottlieb announcing the Agency’s latest enforcement actions taken against companies engaging in unlawful marketing of cannabidiol (CBD) products.  Coming just days before Gottlieb’s anticipated departure from the Agency, this news otherwise is unsurprising given recent events on the federal and state level.  In a December 2018 press release issued on the heels of the Farm Bill’s passage, FDA forecast its intention to step up enforcement against CBD products, and earlier this year state and local governments initiated seizures of CBD products from store shelves.  For manufacturers, retailers, and consumers, the takeaway from these recent statements and actions is that it remains unlawful under the Federal Food Drug and Cosmetic (FD&C) Act to market conventional foods or dietary supplements containing CBD.

The April 2, 2019 press release announces the issuance of three Warning Letters to companies marketing CBD products using “egregious and unfounded claims that are aimed at vulnerable populations.”  Notably, the Warning Letters were issued jointly by FDA and the Federal Trade Commission, which has authority to protect consumers from unfair trade practices, including false or misleading advertising claims. As examples of unlawful claims, the Warning Letters cite assertions that CBD products stop growth of cancer cells, slow the progression of Alzheimer’s, and reduce withdrawal symptoms in individuals with substance use disorders.  While FDA’s position is that the inclusion of CBD as an ingredient in conventional foods and dietary supplements is per se unlawful, the Agency’s focus on companies making cure or treatment claims for serious diseases and conditions is consistent with the December 2018 statement that the Agency would prioritize enforcement against products the Agency believes put consumers at risk.

The press release also sets a date for the previously promised public hearing on the future of CBD product regulation. The hearing, which is scheduled for May 31, 2019, will provide a platform for interested parties to “share their experiences and challenges” under the current regulatory environment.  A newly-created internal Agency working group will be tasked with reviewing and analyzing stakeholder feedback and exploring potential regulatory pathways for CBD products.  FDA seeks stakeholder feedback on issues including the levels of cannabis and cannabis-derived compounds that cause safety concerns; how the mode of delivery (e.g., ingestion, absorption, inhalation) affects the safety of, and exposure to, these compounds; and how cannabis and cannabis-derived compounds interact with other substances such as drug ingredients.

Stakeholders with an interest in developing, marketing, distributing, or purchasing consumer-focused CBD products—as well as in developing other hemp-derived cannabinoid compounds for the consumer market—can submit comments or a request to make an oral presentation at the hearing by May 10, 2019.  Stakeholders can also submit comments for FDA’s consideration after the hearing via regulations.gov by July 2, 2019.

Many physicians rely on publicly available reports to assess the safety of the devices they use on patients, but in some cases, these reports aren’t painting the full picture.  A recent Kaiser Health News (“KHN”) article raises serious questions about FDA’s practice of allowing a significant number of medical device injury and malfunction reports to stay out of the public eye.

Under FDA’s Medical Device Reporting (“MDR”) regulation (21 CFR part 803), device manufacturers, importers, and device user facilities (which include hospitals, ambulatory surgery centers, nursing homes, and outpatient diagnostic and treatment facilities (but not physician offices)) are required to submit reports of adverse events and product problems to the Agency.  Outside of this mandatory reporting structure, FDA also encourages health professionals and patients to submit voluntary reports of significant device adverse events and product problems through MedWatch.

Both mandatory and voluntary adverse event reports dating back to the 1990s are housed in FDA’s publicly-accessible Manufacturer and User Facility Device Experience Database (“MAUDE”), which is updated by the Agency monthly.  However, according to FDA’s website, MAUDE may not include reports made according to “exemptions, variances, or alternative reporting requirements granted under 21 CFR 803.19.”

The KHN article examined the scope of such “hidden” reporting channels, which keep certain device injury and malfunction reports from ever seeing the light of day.  In fact, according to KHN’s investigation, since 2016, more than one million device incidents have been able to bypass inclusion in the MAUDE database as a result of FDA’s “alternative summary reporting program.”

Under this program, which launched in 2000, device manufacturers have been able to seek an “alternative summary” reporting exemption, permitting them to send FDA an accounting of device injuries and malfunctions on a periodic basis (e.g., quarterly or annually) in lieu of fulfilling their standard public reporting obligations. Initially, only a few devices had been granted reporting exemptions, but today, about 100 devices, from surgical staplers to balloon pumps to mechanical breathing machines, are subject to exemptions.  The internal Agency database tied to this program is not open to the public.

FDA has also granted other types of reporting exemptions.  For example, pelvic mesh manufacturers have been granted a special “litigation complaint summary reporting” exemption.  This allows them to submit a single “injury” report to FDA, but attached to that summary report may be a listing of hundreds of patient injury reports (based on lawsuit allegations).  For someone reviewing pelvic mesh injuries in MAUDE, this would look like a single injury, with the underlying detail (and sometimes voluminous) patient injury reports tied to the summary report only being accessible through a Freedom of Information Act request.

According to FDA, for certain devices, alternative summary reporting helps eliminate redundant paperwork for the Agency.  But for physicians and patients, many of whom have no awareness of FDA’s “alternative” reporting mechanisms (and thus perceive the publicly available reports as the full universe of available safety information), the lack of transparency is troubling.  Where patient care decisions are in the balance, administrative efficiency should not trump the need for full public access to device injury and malfunction information.  At the very least, FDA should be completely transparent about the types of reporting exemptions that have been granted, and the specific devices that are subject to exemptions.

Despite recent welcome news to the home health agency (“HHA”) industry in Florida, Illinois, Michigan, and Texas following an end to Centers for Medicare & Medicaid Services’ (“CMS’s”) long-standing HHA provider enrollment moratoria, CMS subsequently announced that it would place some newly enrolled HHAs in a provisional period of enhanced oversight. The purpose of the enhanced oversight period and the corresponding additional restrictions placed on certain HHAs is to help CMS address and closely monitor fraud, waste, and abuse concerns in the HHA industry, thus signaling CMS’s ongoing industry-wide scrutiny.

Under the Affordable Care Act, CMS may subject providers and suppliers to enhanced oversight, such as prepayment review and payment caps.[1] CMS recently exercised its enhanced oversight authority, announcing that effective February 15, 2019, there would be a provisional period of enhanced oversight “on HHAs certified to participate in Medicare on or after January 1, 2019.” The provisional period of enhanced oversight includes a suppression of all Request for Anticipated Payment (“RAP”) payments. RAPs are upfront payments that HHAs receive before the beginning of a 60-day episode of home health services. During the period of time when an HHA is under enhanced oversight, which can vary from 30 days up to one year, the HHA will not receive RAPs as part of its reimbursement.[2] CMS indicated that it will make individual determinations as to the duration of the enhanced oversight and provide notice of the scope to the impacted HHAs.  Nonetheless, newly enrolled HHAs will need to consider the risks associated with launching de novo or expansion operations without the buffer of the advance funding from the RAP payment.  Furthermore, even though CMS ultimately pays the appropriate, total payment for their services for each particular home health episode after the submission of the final claim, HHAs that decide to enroll during the period of enhanced oversight may need to closely monitor their cash flow while they are affected by the RAP suppression.

The recent announcement comes on the heels of CMS’s November 2018 final rule that eliminates RAP payments for all newly enrolled HHAs beginning on January 1, 2020, with the implementation of an alternative case-mix adjustment methodology known as the Patient-Driven Groupings Model (“PDGM”).[3] Existing HHAs certified to participate in Medicare prior to January 1, 2019, will continue to receive RAP payments upon implementation of the PDGM on January 1, 2020. When it finalized the PDGM model, CMS indicated that it eliminated RAP payments for newly enrolled HHAs to combat program integrity vulnerabilities related to the potential overlap between RAP and final claim submission. As the implementation of PDGM changes the unit of payment from a 60-day episode of care to a 30-day unit of payment, this eliminates—or at least mitigates—the need for advance payments.

It is not clear from the final rule whether the enhanced oversight and RAP elimination applies only to newly enrolled HHA parent locations or whether it also extends to newly enrolled HHA branch locations. In response to a question from a commenter regarding whether HHAs acquired or opened under an HHA chain organization after January 1, 2019, would be “grandfathered” in and allowed to receive RAP payments, CMS explained that it “did not distinguish between solely-owned HHAs and HHAs that are owned by a parent company.” CMS stated the new policy is applicable to the CMS certification number (“CCN”) included on the Medicare claim and the RAP. Therefore, the new RAP rule applies to newly enrolled HHAs “regardless of whether they are solely-owned or owned by a parent or chain company.” Given that CMS assigns branch locations the same CCN number as the parent for billing purposes, this guidance may signal that a branch that enrolls after January 1, 2019, but is linked to a parent CCN certified prior to January 1, 2019, will still receive RAP payments. However, a branch that links to a parent that enrolled in Medicare after January 1, 2019, will not receive RAP payments.

The CMS announcement begins eliminating RAP payments as of early 2019 for newly enrolled HHAs, resulting in an acceleration of the PDGM RAP policy nearly one year sooner than the industry anticipated. We anticipate that CMS will continue to assess the necessity and advisability of RAPs for those “grandfathered” pre-2019 HHAs and that this may be the first step toward eliminating HHA RAPs altogether.

[1] See Patient Protection and Affordable Care Act, 42 U.S.C. § 1395cc(j)(3).

[2] However, CMS still requires HHAs subject to the enhanced oversight to submit a “no pay” RAP for each home health episode of care in order for CMS to process the final claim for payment.

[3] See 83 Fed. Reg. 56406, “CY 2019 Medicare Home Health Prospective Payment System (HH PPS) rates and wage index for calendar year (CY) 2019” (Nov. 13, 2019).

On March 15, 2019, the Centers for Medicare & Medicaid Services (CMS) released proposed changes to its methodology for calculating Civil Money Penalties (CMPs) for Medicare Advantage (MA) and Part D Prescription Drug Plan (MA and Part D) sponsors.  The proposed changes would impact both the calculation methodology for 2019 as well as the CMP amounts for 2019 and beyond in an effort to increase plan accountability.  CMS is accepting comments on these proposed changes until April 15, 2019 at 11:59 PM ET.

Though CMS has exercised its statutory and regulatory authority to impose CMPs on MA and Part D sponsors from the outset of these programs, it did not publicly release its methodology for calculating CMPs until December 2016.  The current proposed changes are the first to be issued since that initial release.

CMPs are calculated by applying a standard penalty amount to each deficiency committed by an organization.  The standard penalty amount imposed on an organization is calculated on either a “per enrollee” or “per determination” basis.  CMS may increase the standard penalty when specific aggravating factors (e.g., delay of prescription drugs for acute conditions) are identified. However, CMS places limits on CMP amounts imposed on organizations to ensure they are not paying excessive amounts compared to their number of enrollees.

Most significantly, CMS proposes to modify the aggravating factors considered in its determinations, to add, in cases of inappropriate denial of services/prescription drugs, consideration of whether the services/drugs were delayed or were, in fact, never received.  CMS further proposes to remove as an aggravating factor whether the violations were among the top conditions in the Annual MA/PD Audit and Enforcement Report.

In addition, CMS proposes to begin using the cost of living adjustment to calculate penalty increases in accordance with the Federal Civil Penalties Inflation Adjustment Act Improvement Act of 2015 (Sec. 701 of Pub. L. 114-74).  CMS would calculate these amounts annually but would only implement the resulting increases to the standard penalty amounts no more often than every 3 years to correspond to its 3-year MA/PD audit cycles. In reliance on the proposed adjustment, for 2019, CMS would increase the standard per enrollee penalty, such as for inappropriate delay/denial of Part C medical services or part D drugs or for charging incorrect premium amounts,  by $12 (to $212 from the current $200).  It is unclear whether CMS would also apply this cost of living adjustment to its per determination penalty amounts.

EBG will continue to monitor all developments in CMS’ regulation of CMPs.

The healthcare industry is still struggling to address its cybersecurity issues as 31 data breaches were reported in February 2019, exposing data from more than 2 million people.  However, the emergence of artificial intelligence (AI) may provide tools to reduce cyber risk.

AI cybersecurity tools can enable organizations to improve data security by detecting and thwarting potential threats through automated systems that continuously monitor network behavior and identify network abnormalities.  For example, AI may offer assistance in breach prevention by proactively searching and identifying previously unknown malware signatures.  By using historical data, these applications learn to detect malware issues even when such threats are not previously known. Utilizing these tools may prove more effective compared to conventional cybersecurity practices.

Recently, government agencies have endorsed the use of AI as having tremendous potential moving forward.  In December 2018, HHS launched a pilot that combined AI, automation, and blockchain technology.  This pilot was used to create cost savings as well as design better contracts while also ensuring sensitive data was encrypted and secured within a cloud-based system. Additionally, in January 2019, the Department of Health and Human Services’ shared services organization began building a contract vehicle, known as the Intelligent Automation/Artificial Intelligence (IAAI) contract, which offers “a host of automation and AI technologies and support services, including robotic process automation, machine and supervised learning and machine,” to help other agencies integrate AI technologies into their workflows.  Yet, certain lawmakers continue to express concern regarding appropriate and ethical use of AI.

Though AI is having a transformative effect on the healthcare industry relative to cybersecurity, there are still serious concerns regarding the technology.  First, some AI tools could be used maliciously by criminals to threaten digital and physical security.  External threats may train machines to hack systems at human or superhuman levels.  Secondly, organizations relying too heavily on AI may fail to hire sufficient specialized security personnel to properly manage and oversee cybersecurity operations.  For instance, a 2018 Ponemon report provided that 67 percent of IT and security professionals believed that automation was “not capable of performing certain tasks that the IT security staff can do” and roughly 55 percent believe automation cannot “replace human intuition and hands-on experience.”  Thus, poorly implemented and managed AI could result in greater risk.

Given the nascent state of AI in cybersecurity, entities should approach adoption of AI with caution.  Further, successful implementation and use of AI should be predicated on first establishing policies and procedures for managing cyberrisk.  Organizations should continue to maintain a team of highly skilled security personnel to oversee the implementation and use of AI tools and be on hand to make critical, real-time decisions where automation cannot resolve a cybersecurity issue.  O, brave new world….


Brian Hedgeman


Alaap B. Shah

Consumer privacy protection continues to be top of mind for regulators given a climate where technology companies face scrutiny for lax data governance and poor data stewardship.  Less than a year ago, California passed the California Consumer Privacy Act (CCPA) of 2018, to strengthen its privacy laws.  In many regards, the CCPA served as a watershed moment in privacy due to its breadth and similarities to the E.U. sweeping General Data Protection Regulation (GDPR) law.

Yet, California continues to push the envelope further.  Recently, California State Senator Jackson and Attorney General (AG) Becerra introduced a new bill (SB561) that will expand the consumer’s right to bring private lawsuits for violations of the CCPA. If passed, SB561 will: (1) provide for a private right of action for all CCPA violations—not just those stemming from a data breach; (2) eliminate the 30-day period for businesses to cure after receiving notice of an alleged violation; and (3) allow the AG to publish guidance materials for businesses instead of allowing businesses’ the option to seek specific opinions of the AG. Currently, the CCPA allows the AG office to bring action against business, in most instances, only allowing consumers to bring private action in instances of data breach resulting from a business’s failure to implement reasonable security measures. If SB561 is passed, the CCPA will materially expose businesses to private actions for damages applicable to other violations under the CCPA, including failure to provide consumers with proper notifications required under the CCPA.

These developments are just the tip of the iceberg.  Emboldened by California’s example, many other states are following suit. As such, businesses that implement an effective CCPA compliance program will likely position them to satisfy potential compliance obligations in other states moving forward.  For example, Colorado recently passed as sweeping law to protect patient privacy (HB18-1128), which went into effect September 1, 2018.  Colorado now requires covered entities (e.g., business entities that maintain, own, or licenses personal identifying information (PII) in the course of their business) to implement, and ensure that third-party service providers implement, reasonable security procedures and practices.  Additionally, the law requires covered entities to develop written policies and procedures concerning the destruction of paper and electronic documents that contain PII. Further, the law authorizes the AG to bring criminal prosecution against covered entities that violate the new rules.

Other states including Hawaii, Maryland, MassachusettsNew Mexico, New York, North Dakota, Rhode Island, and Washington are also using the CCPA and the GDPR as templates to perform similar overhaul of their privacy laws. As a result of this state law trend, businesses should closely monitor the legislative progress of these state bills.  Further, if businesses have not yet started shoring up their privacy and data security practices and programs, they had better do so in short order. It is likely that many of these state laws, if passed, will carry stiff penalties for noncompliance and may subject businesses to class actions.

In addition to these piecemeal state law efforts to strengthen privacy, the U.S. Chamber of Commerce is currently exploring whether a Federal consumer privacy protection law should be enacted.  It appears that the privacy tidal wave starting on California’s west coast is making its way eastward . . . .

 


Daniel Kim


Alaap B. Shah

One well-recognized way to protect patient privacy is to de-identify health data.  However, trends around increases in publicly-available personal data, data linking and aggregation, big data analytics, and computing power are challenging traditional de-identification models.  While traditional de-identification techniques may mitigate privacy risk, the possibility remains that such data may be coupled with other information to reveal the identity of the individual.

Last month, a JAMA article demonstrated that an artificial intelligence algorithm could re-identify de-identified data stripped of identifiable demographic and health information. In the demonstration, an algorithm was utilized to identify individuals by pairing daily patterns in physical mobility data with corresponding demographic data. This study revealed that re-identification risks can arise when a de-identified dataset is paired with a complementary resource.

In light of this seeming erosion of anonymity, entities creating, using and sharing de-identified data should ensure that they (1) employ compliant and defensible de-identification techniques and data governance principles and (2) implement data sharing and use agreements to govern how recipients use and safeguard such de-identified data.

De-identification Techniques and Data Governance

The HIPAA Privacy Rule (45 C.F.R. §164.502(d)) permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications (45 C.F.R. §164.514(a)-(b)).

In 2012, the Office for Civil Rights (OCR) provided guidance  on the de-identification standards. Specifically, OCR provided granular and contextual technical assistance regarding (i) utilizing a formal determination by a qualified expert (the “Expert Determination” method); or (ii) removing specified individual identifiers in the absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (the “Safe Harbor” method).

As publicly-available datasets expand and technology advances, ensuring the Safe Harbor method sufficiently mitigates re-identification risk becomes more difficult.  This is due to the fact that more data and computing power arguably increase the risk that de-identified information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Given the apparent practical defects in the “Safe Harbor” method, many organizations are applying a more risk-based approach to de-identification through the use of the “Expert Determination” method.  This method explicitly recognizes that risk of re-identification may never be completely removed. Under this method, data is deemed de-identified if after applying various deletion or obfuscation techniques the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information . . . .”

In light of the residual risks associated with de-identified data generally, it is important that organizations continue to apply good data governance principles when using and disclosing such data.  These best practices should include: data minimization, storage limitation, and data security.  Organizations should also proceed with caution when linking data sets together in a manner that could compromise the integrity of the techniques used to originally de-identify the data.

Data Sharing and Use Agreements

Regardless of the de-identification approach, the lingering risk of re-identification can be further managed through contracts with third parties who receive such data.  Though not required by the Privacy Rule, an entity providing de-identified data to another party should enter into a data sharing and use agreement with the recipient.  Such agreements may include obligations to secure the data, prohibit re-identification of the data, place limitations on linking data sets, and contractually bind the recipient to pass on similar requirements to any downstream other party with whom the data is subsequently shared. Further, such agreements may include provisions prohibiting recipients from attempting to contact individuals who provided data in the set and may also include audit rights to ensure compliance.

The risk of re-identification may be a tradeoff to realize the vast benefits that sharing anonymized health data provides; however, entities creating, using and sharing de-identified data should doing so responsibly and defensibly.


Alaap B. Shah


Elizabeth Scarola