On November 1, 2018, the Office of the Inspector General (“OIG”) for the U.S. Department of Health and Human Services (“HHS”) published an audit report finding that the U.S. Food and Drug Administration’s (“FDA”) policies and procedures were “deficient for addressing medical device cybersecurity compromises.” (A copy of OIG’s complete report is available here and Report in Brief is available here.) Specifically, the OIG found that FDA’s policies and procedures were “insufficient for handling postmarket medical device cybersecurity events” and that FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices. Although the OIG report “did not identify evidence that FDA mismanaged or responded untimely to a reported medical device cybersecurity event,” it noted that “existing policies and procedures did not include effective practices for responding to these events.”

Citing cybersecurity of medical devices as a top management challenge for HHS, OIG conducted an audit to evaluate FDA’s plans and processes for timely communicating and addressing cybersecurity compromises in the medical device postmarket phase. Based on OIG’s audit of certain FDA internal policies, procedures, and website, as well as interviews with FDA staff, OIG recommended that FDA take the following actions: (i) continually assess the cybersecurity risks to medical devices and update its plans and strategies; (ii) establish written procedures and practices for securely sharing sensitive information about cybersecurity events with key stakeholders; (iii) enter into a formal agreement with federal agency partners; and (iv) establish and maintain procedures for handling recalls of medical devices vulnerable to cybersecurity threats. Although the OIG acknowledged that FDA has recently implemented some of its initial recommendations, it emphasized that its findings and recommendations with regard to FDA’s cybersecurity policies and procedures remain valid.

On the same date OIG published its report, FDA’s Suzanne B. Schwartz, M.D., M.B.A., published a post on FDA Voices asserting that the OIG report is an incomplete and inaccurate picture of FDA’s oversight of medical device cybersecurity. The post addresses FDA’s ongoing efforts to improve medical device cybersecurity over the past five years, including entering into a memorandum of agreement between FDA and the Department of Homeland Security (“DHS”) and publishing a new premarket cybersecurity guidance update in October 2018, which we wrote about in a previous blog here. FDA’s post also highlights FDA’s other partnerships with industry that aim to increase awareness of cybersecurity vulnerabilities and related concerns.

FDA reiterated that its regulatory approach to cybersecurity threats “is not static,” and reconfirmed its commitment to “work with the medical device industry and other stakeholders to proactively address emerging cybersecurity threats to medical devices in a way that puts patient safety first.” FDA has announced that it will hold a public Workshop on January 29-30, 2019 to discuss the newly released draft guidance on cybersecurity in premarket submissions. Instructions for registration are available on FDA’s website here.

In response to the OIG’s report, FDA will likely continue to develop new cybersecurity policies, initiatives, and guidance. Stakeholders in the medical device industry should monitor these developments and be prepared to address any such changes in policy or regulation. Meanwhile, regulated industry should consider reviewing FDA’s current cybersecurity guidance documents and assess whether its internal controls, quality systems, policies, or procedures adequately address potential cybersecurity risks or threats or could be improved.

EBG will continue to monitor all developments in FDA’s regulation of and policies related to medical device cybersecurity.

While the opioid crisis has inspired a wave of new legislation by Congress, the U.S. Department of Justice (“DOJ”) has continued to increase its own response to the prevalent rate of opioid-related drug crimes with a number of new initiatives.  On October 17th, Deputy Attorney General Rod Rosenstein recently delivered remarks at the America’s Health Insurance Plans 2018 National Conference on Medicaid and highlighted the Department’s continued determination to tackle the opioid crisis. Rosenstein’s remarks reiterated Attorney General Jeff Sessions’ recent statements on September 25th at the Office of Justice Programs’ National Institute of Justice Opioid Research where Sessions outlined the varying ways in which DOJ’s resources are being devoted to combating the “national public health emergency.” Both remarks demonstrate DOJ’s continued approach in using “every tool” available to increase prosecution of opioid-related crime – including not only traditional criminal prosecutions but also affirmative civil enforcement actions through the “first-ever civil injunctions under the Controlled Substances Act against doctors who allegedly prescribed opioids illegally” in August, while apparently diverting resources away from more traditional white-collar investigations and prosecutions. Rosenstein and Sessions both applauded the success of Operation Synthetic Opioid Surge, which focuses not on prosecuting drug users, but on “vigorously prosecuting” suppliers of synthetic opioids, such as fentanyl. Sessions in particular noted that shifting focus from users to suppliers, regardless of the quantity of drugs found at the time of arrest, has succeeded in reducing the amount of overdose deaths in Manatee County, Florida by half since last year. Hoping to replicate these results elsewhere, Sessions touted his placement of ten prosecutors who were sent to ten districts with high rates of drug-related deaths to implement the “no amount too small” strategy for prosecuting synthetic opioid trafficking. Sessions noted that this is in addition to the more than 300 new prosecutors he dispatched around the country, as well as the designation in each of the 93 U.S. Attorney’s Offices of an “Opioid Coordinator,” whose job it to “facilitate intake of cases involving prescription opioids, heroin, and fentanyl; and to convene a task force of federal, state, local, and tribal law enforcement.”

Data analytics continues to be one of the most important tools in the Department’s toolbox. In his remarks, Sessions discussed the implementation of an innovative data analytics program that identifies opioid-related health care fraud in various “hot spot districts” around the country. The “Opioid Fraud and Abuse Detection Unit” mines “federal health care databases” and will help federal prosecutors efficiently identify “suspicious outliers,” such as doctors who prescribe opioids at a higher rate than their peers, doctors whose patients have died within sixty days of receiving an opioid prescription, and pharmacies dispensing a disproportionate amount of opioids. Indeed, in August, DOJ established the nation’s first opioid–focused Medicare Strike Force in Newark/Philadelphia region.

Rosenstein and Sessions also praised the Department’s overall health care fraud enforcement efforts and accomplishments to date, focusing on their view that “we lost proper emphasis on drug cases under the previous administration.” Rosenstein noted that since January 2017, DOJ “has charged more than 200 doctors and 220 other medical personnel for opioid-related crimes. The cases involved tens of millions of pills prescribed illegally.”

In a recent case of note, in a Southern Florida takedown this summer, which was part of the DOJ annual Health Care Fraud Takedown, four individuals were prosecuted in connection with kickbacks received from Smart Lab, LLC (“Smart Lab”), a clinical laboratory in Palm Beach Gardens, Florida, which involved alcohol and drug addiction treatment centers. Last month, Smart Lab, the corporation’s Chief Executive and Chief Operating Officers, as well as the top sales representative plead guilty to a series of heath care fraud and money laundering schemes.

The charges alleged that hoping to monetize from the increased volume of opioid-related health care services, such as confirmatory urinary analysis testing, Smart Lab and its executives entered into employment agreements with “sales representatives” to solicit bodily fluid samples from various substance abuse treatment centers. Smart Lab then conducted expensive confirmatory and medically unnecessary drug testing on the samples and submitted the claim to insurance for reimbursement, including from federal health care programs. In exchange for the referrals, Smart Lab kicked back a portion of the reimbursement to the owners, operators, or clinicians of the substance abuse treatment centers. On November 1st, the two owners of Smart Lab, one of whom was a former pitcher for the Miami Marlins, were sentenced to 46 and 63 months in prison, respectively, for their involvement in the operation, repaid almost $3.8 million to defrauded insurers and received a total of $70,000 in fines. Smart Lab, as a corporation, was sentenced to three years’ probation. Smart Lab is just one example of many cases in which the Department is prosecuting both entities and individuals seeking to profit from the opioid crisis.

Beyond just prosecuting suppliers domestically, DOJ is also focusing on sending a strong warning message   to foreign synthetic opioid manufacturers. Indeed, the Department indicted two leaders of the Zheng drug trafficking organization this August, after it determined that the company was using shell companies to ship synthetic opioids and fentanyl analogues to over 25 countries and to 37 U.S. states.

In an effort to stop the supply and distribution of all kinds of opioids, DOJ is also focusing on targeting “web-based drug trafficking” of synthetic opioids. Rosenstein applauded the establishment of the Joint Criminal Opioid Darknet Enforcement Team, under which the FBI has “doubled its investment in the fight against online drug trafficking by devoting more than 50 Special Agents, Intelligence Analysts, and professional staff to help disrupt the sale of synthetic opioids.”

Overall, the message from Sessions and Rosenstein is clear: the DOJ is leveraging its resources to focus on opioid-related health care fraud and crimes. Accordingly, we can expect an increased rate of civil and criminal enforcement actions targeting opioids as DOJ continues to devote its focus towards combating the opioid crisis.

On November 2, 2018 CMS announced the finalization of the 2019 OPPS and ASC payment rules which were initially proposed in July of 2018.[1] [2] While the final document will not be officially published until November 21st, an Inspection Copy is available for the public to review on the Federal Register website. These new payment rules in many ways expand the range of services that CMS will reimburse when performed at Ambulatory Surgical Centers (ASCs), most notably, by including certain cardiac catheterization procedures on the approved list, and by lowering the threshold that determines allowable device intensive procedures.

Increase in Covered Cardiac Catheterization Procedures:

The Final Rule will add 17 procedures relating to cardiac catheterization to the list of ASC Covered Surgical Procedures.  The final list includes five procedures that were not included in the July 2018 proposed rule, due in part to commenters requesting that additional procedures be added to the list, and CMS adopting their request, at least in part.[3] [4] [5] The expanded list reflects the growing trend of cardiac procedures being transitioned from an inpatient to an outpatient setting. This shift will have a continuing business impact on inpatient providers and may also lead to state-level regulatory changes. States that currently prohibit cardiac catheterization procedures at outpatient facilities may decide to adopt changes to allow certain procedures that have been deemed acceptable by CMS to be performed at facilities without on-site inpatient services, including ASCs.[6] Furthermore, these additions could be a springboard for CMS to later add more complicated procedures to the list of ASC covered services.

Decrease in Device Offset Percentage:

CMS has also taken steps to make device-intensive procedures more accessible in the ASC setting. Procedures categorized as “device-intensive” are paid at the higher OPPS rate, even if performed in an ASC.  However, a procedure only qualifies as “device-intensive” if the portion of the procedure’s cost related to the device falls within a predetermine percentage. The Final Rule decreases the device offset percentage threshold from 40 percent to 30 percent, meaning that procedures utilizing lower-cost devices will now be eligible for reimbursement as “device-intensive.”  As a result, ASCs will have the financial capacity to perform more procedures that involve lower cost medical devices.[7] CMS directly states its purpose behind this move saying “We believe allowing these additional procedures to qualify for device-intensive status will help ensure these procedures receive more appropriate payment in the ASC setting, which will help encourage the provision of these services in the ASC setting.”[8] The implementation of the new payment rules will undoubtedly lead to an increase in the amount of device-intensive procedures performed in the ASC setting as ASCs expand their scope of services to include more device-intensive procedures and patients choose to have these procedures performed in an outpatient setting. This change may also indicate future moves by CMS to encourage complex, device intensive procedures, such as joint replacements, in the ASC setting.

Government Shift to Outpatient Providers

These rule changes reflect Medicare’s continued shift towards encouraging services to be provided in the less costly outpatient setting. Anticipating a continued incline in the amount of individuals eligible for federal programs based on the expectation that 10,000 baby boomers will retire per day for over the next decade, CMS is likely to continue making changes to its payment rules to encourage the provision of care in lower cost settings.[9] These changes provide opportunities for ASCs and physicians to expand their business, but also threaten more “bread and butter” revenue streams on which hospitals have historically relied. Thus, hospitals, ASCs and physicians should consider addressing these changes in their long-term strategic plans, including possible joint ventures for outpatient services, in general, or specific service lines, such as cardiac catheterizations.

____

[1] CMS Inspection Copy

[2] 83 Fed. Reg. 37046.

[3] CMS Inspection Copy (at page 746)

[4] 83 Fed. Reg. 37046, 37160.

[5] CMS Inspection Copy (at page 743-44)

[6] N.J.A.C. 8:33E-1.3.

[7] 83 Fed. Reg. 37046, 37108.

[8] Id.

[9] http://www.pewresearch.org/fact-tank/2010/12/29/baby-boomers-retire/

Massachusetts employers with six or more employees are required to annually submit the new Health Insurance Responsibility Disclosure (“HIRD”) form, regardless of whether they offer health insurance to their employees or not. The Massachusetts Department of Revenue (DOR) recently issued guidance on the new HIRD reporting requirements. An individual is considered to be an employee if the employer has included such individual in the quarterly wage report to the Department of Unemployment Assistance during the past 12 months. The new HIRD form only consists of a single employer form, which only needs to be completed once annually. The old HIRD form consisted of an employer form and an employee form, which required separate forms completed and signed by each employee who declined to enroll in employer-sponsored insurance (“ESI”) or the Employer’s Section 125 Cafeteria Plan to pay for health insurance.

To file your HIRD form, login to your MassTaxConnect (“MTC”) withholding account and select the “File health insurance responsibility disclosure” hyperlink under the account alerts. The HIRD reporting period will be available to be filed starting November 1 of the filing year, and must be completed by November 30. Thereafter, HIRD reporting will be due on November 30 of each subsequent year.  Although HIRD may be completed by your payroll company, it is the employer’s responsibility to ensure compliance and timely filing.  The HIRD form collects employer-level information about your company’s health plan offerings and does not collect any personal information about employees.  The form will assist MassHealth in identifying its members with access to qualifying ESI who may be eligible for the MassHealth Premium Assistance Program.

On October 24, 2018, President Trump signed sweeping bipartisan legislation to combat the opioid epidemic. The Substance Use–Disorder Prevention that Promotes Opioid Recovery and Treatment for Patients and Communities Act, or the SUPPORT for Patients and Communities Act (“H.R. 6” or “the Law”), aims to “reduce access to the supply of opioids by expanding access to prevention, treatment, and recovery services.”[1] Congress has already appropriated $8.5 billion to implement this “landmark legislation” in 2018 and 2019.

In a series of Client Alerts, Epstein Becker Green will provide an overview of key components of H.R. 6, focusing on substantive requirements impacting an array of providers, manufacturers, health care professionals, community services organizations, and other health care entities. Forthcoming topics include the impact on treatment measures for opioid use disorders, addiction prevention measures, clarifications to U.S. Food and Drug Administration and U.S. Drug Enforcement Administration regulation and enforcement authority over opioid products, Medicare and Medicaid funding provisions, enhanced health care fraud protection, new data & reporting provisions, and telehealth requirements.

H.R. 6’s breadth requires impacted entities to take careful note of the Law’s requirements and varying effective dates.

____

[1] Press Release, The White House, President Donald J. Trump Signed H.R. 6 into Law (Oct. 24, 2018), available at https://www.whitehouse.gov/briefings-statements/president-donald-j-trump-signed-h-r-6-law/.

[2] Press Release, U.S. Senate Committee on Health, Education, Labor & Pensions, President Trump Signs Alexander Bill to Fight Opioid Crisis (Oct. 24), available at https://www.help.senate.gov/chair/newsroom/press/president-trump-signs-alexander-bill-to-fight-opioid-crisis.

On October 26, 2018, the Federal Trade Commission (FTC) announced that it will hold four days of hearings between December of 2018 and February of 2019 to examine the FTC’s authority to deter unfair and deceptive conduct in data security and privacy matters.[1] The two days of December hearings will focus on data security, while the two days of February hearings will focus on consumer privacy. This announcement comes as part of the agencies Hearings on Competition and Consumer Protection in the 21st Century, an initiative that has already scheduled hearings on closely related topics such as Big Data, Privacy, and Competition, and Algorithms, Artificial Intelligence (AI), and Predictive Analytics. The FTC will seek comments on the privacy and data security hearings through March 13, 2019.

These hearings serve as a signpost of a long-standing movement within the FTC to establish itself as the governing body over consumer data privacy and data security in the United States.[2] [3] This move however runs counter to the power that Congress has afforded it throughout the years. In particular, some of the most powerful enforcement tools for data breaches, such as the Computer Fraud and Abuse Act (CFAA) have been created outside of the FTC’s toolbox of enforcement. There are many reasons for this, including that acts like the CFAA include both criminal provisions and private causes of action, but it also speaks to a wider question of industry specific agency enforcement of data protection and privacy. As every industry and sector of American life becomes more digitally data-centric, the question of which government agency or agencies are best suited to ensure that sector-specific data is private and secure becomes more pressing.

As Congress considers following the European Union in increasing data privacy and security laws, it will have essential decisions to make regarding which agency is in charge of citizen data. Should this data be regulated by sector? Or should this data be regulated by a central agency? From the actions of the FTC, it is clear that the agency sees itself as a large part of the solution.

____

[1] https://www.ftc.gov/news-events/press-releases/2018/10/ftc-announces-sessions-consumer-privacy-data-security-part-its?mkt_tok=eyJpIjoiTlRWalpqZzFOV0ptWVRobCIsInQiOiJFSTc1UkdqZ0YyUWpKZG1WK3Z3K0RjbHNhd3ZQXC9SemtGelkzeVp6bGZyaXpwSGVaUUEzUU96bUtIRlpWdThuWmhsbGdhNmszb1U0TDhaelVCRExuXC9ieDd6Zk9VUTdvT3lKemJYZzJwdnBmTnozSUNHd3F0OGxTQzJJY1VaaTU3In0%3D

[2] 83 FR 38307

[3] https://www.law360.com/articles/495364/ftc-head-wants-more-power-to-penalize-for-data-breaches

On October 25, 2018, the Centers for Medicare and Medicaid Services (CMS) released an advance notice of proposed rulemaking (ANPRM) to solicit feedback on its newly proposed International Pricing Index (IPI) model for Medicare Part B drug reimbursement.  The IPI model will be tested by the CMS Innovation Center as a potential means to dismantle and replace the current buy-and-bill model and advance the Trump Administration’s agenda for drug pricing reform, as described in its May 2018 Blueprint to Lower Drug Prices and Reduce Out-of-Pocket Costs.  The framework of the IPI model is characterized by three components designed to achieve the following objectives:

  • Utilize private sector vendors to purchase and take title (but not necessarily possession) over single source drugs and biologicals (including biosimilars) and bill Medicare.  The vendors would then have flexibility to offer a variety of delivery options to ordering physicians.  This concept, which was inspired by Medicare Part D’s use of competing private-sector companies to facilitate the provision of Medicare-covered items and supplies, would leverage and improve upon the Competitive Acquisition Program (CAP) previously implemented in the mid-2000s.
  • Phase in, over a five-year period, a reduced Medicare payment for selected drugs based on a composite of international prices.  CMS would reimburse vendors for drugs purchased from manufacturers based on international pricing (except where the ASP is lower), as benchmarked against more than a dozen other nations with economies comparable to the United States that have significantly lower acquisition costs for physician-administered drugs.
  • Replace the percentage-based Part B add-on payment (i.e., ASP+6% (ASP+4.3% post-sequestration)) with a set payment amount, which would be based on 6% of a Part B drug’s historical drug costs.  Under the new model, physicians would continue to receive payment for drug administration.  Because physicians would be obtaining drugs from vendors, and no longer assuming financial risk, the add-on payment would be decreased to remove physicians’ incentive to prescribe higher cost drugs but be calibrated to hold providers harmless to the extent possible.

CMS plans to issue a proposed rule fully describing the IPI model in Spring 2019, with the goal of testing the model over a five-year period, from Spring 2020 to Spring 2025.  The IPI model would involve selected Part B-covered single source drugs and biologicals (including biosimilars) and would apply to all physician practices and hospital outpatient departments (HOPDs) in certain designated geographic areas.  Providers, beneficiaries, and drugs not included in the model will remain under the current Medicare Part B reimbursement system.

The ANPRM signals the Administration’s determination to dramatically overhaul the Medicare Part B drug reimbursement system through a new competitive acquisition program based on international pricing that would seek to reduce government and beneficiary costs while keeping providers revenue neutral.  While CMS appears committed to the general outlines of the IPI model, it has invited industry feedback on a wide range of matters pertaining to the configuration and details of each of the model’s components as well as certain quality measures that CMS will consider in assessing the impact of the model on beneficiary access and quality of care.  Stakeholders have until December 31, 2018 to submit comments on the ANPRM.

Epstein Becker Green (EBG) will be closely analyzing the proposed IPI model and related developments while working with its clients to assess its impact and formulate and advance new ideas to shape the model and its future implementation.

The Medicare Payment Advisory Commission (“MedPAC”) met in Washington, D.C., on October 4-5, 2018. The purpose of this and other public meetings of MedPAC is for the commissioners to analyze existing challenges and issues within the Medicare program and to provide future policy recommendations to Congress. MedPAC issues these recommendations in two annual reports, one in March and another in June. These meetings offer a comprehensive perspective on the current state of Medicare as well as future outlooks for the program.

As thought leaders in health care law, Epstein Becker Green monitors MedPAC developments to determine how regulations and policies will impact the health care marketplace. Here are our five biggest takeaways from the October meeting:

Managing Prescription Opioid Use in Medicare Part D

MedPAC provided an informational overview of opioid use and polypharmacy as an update to its work in prior years. MedPAC first discussed the use of opioids by Medicare beneficiaries. Since the 1990s, aggressive marketing of extended-release opioid formulations and liberal prescribing of these drugs for acute and chronic pain due to ambiguous clinical guidelines for safe prescribing contributed to the “opioid crisis.”  The Centers for Disease Control and Prevention (“CDC”) reported over 17,000 prescription opioid overdose deaths in 2016. Due to their age and accompanying pain and “illness burdens,” Medicare beneficiaries are especially prone to the toxicity and harm associated with even low-dosage opioid prescriptions. In its 2016 guideline, CDC generally addressed safe opioid prescribing for acute and chronic pain, including its preference for non-pharmacologic therapy and non-opioid pharmacologic therapy and recommendation that “additional caution” be used “when initiating opioids for patients age 65 and older.”

MedPAC then presented updated data on patterns of opioid use in Medicare Part D. From 2012 to 2016, opioid analgesic (i.e., pain-relief drugs) prescriptions per 1,000 Medicare Part D enrollees have declined about 18 percent. While it recognized this positive trend, MedPAC expressed continued concern that (1) “opioid use in Part D continues to be widespread, with nearly one-third of enrollees filling at least one opioid prescription in a given year”; (2) most opioid use did not relate to hospice care or cancer treatment; and (3) gross spending on opioids is among the highest in Part D, totaling $4.1 billion in 2016. MedPAC also discussed varying “opioid-related adverse drug events” (“ADEs”), defined narrowly by MedPAC  as “diagnosis codes specifying poisoning by opioid in inpatient and outpatient claims, including emergency department visits that resulted in inpatient stays.” MedPAC found that “high-intensity users”—17% of Part D beneficiaries defined as those with higher average dosage and treatment lasting longer than three months—had nearly seven times the ADE rate of “low-intensity opioid users,” defined by MedPAC as beneficiaries with “50 [morphine milligram equivalents (“MME”)] per day or less and treatment lasting three months or less.” MedPAC also stressed that polypharmacy, or beneficiaries using multiple drugs, is another key contributor to ADEs.

Lastly, MedPAC described steps that the Centers for Medicare & Medicaid Services (“CMS”) and Part D plan sponsors have been taking to monitor opioid use and manage opioid misuse. In 2013, CMS required plan sponsors to identify enrollees who were at “high risk of opioid abuse or misuse,” monitor high cumulative enrollee dosages, and notify pharmacists to coordinate with the enrollee’s prescriber. CMS uses its Overutilization Monitoring System (“OMS”) to supervise these plan sponsors’ compliance. In 2019, Part D plan sponsors will now have the authority to limit at-risk beneficiaries’ access to frequently abused drugs using a tailored approach. For example, plans must limit opioid quantity to a seven-day prescription for post-surgery patients. Plans may also limit access through a drug management program. Examples of restrictions include placing restrictions on beneficiaries’ fills, locking beneficiaries into seeking prescriptions from certain prescribers, and prescriber “safety checks” once cumulative daily dosage reaches 90 MME. Through Medicare Drug Integrity Contractors (“MEDIC”), CMS also monitors providers or opioids to ensure they are not prescribing inappropriately. In 2019, offending prescribers may ultimately be placed on CMS’s “preclusion list,” where Part D plan sponsors must reject their pharmacy claims.

Opioids and Alternatives in Hospital Settings

Under the new SUPPORT for Patients and Communities Act, MedPAC is required to report on the following opioid issues in inpatient and outpatient hospital settings by March 2019: (1) how Medicare pays for opioid and non-opioid alternatives, (2) incentives under prospective payment systems for prescribing opioids versus opioid alternatives, and (3) how Medicare claims data tracks opioid use. MedPAC addressed each issue in succession.

Reporting on the first issue, MedPAC stated that Medicare uses bundled payments for inpatient and outpatient hospital settings via the inpatient prospective payment system (“IPPS”) and outpatient prospective payment system (“OPPS”), respectively. The IPPS bundles all goods and services together, including drugs supplied during the hospital stay, whereas the OPPS pays for integral goods and services that are bundled into categories based on clinical and cost similarity. Medicare Part B pays for analgesics, including opioids, that are integral to the procedure or treatment for the beneficiary. For example, post-surgical opioid prescriptions are considered integral by CMS. Non-integral opioids may or may not be paid by Medicare Part D.

Although MedPAC acknowledged that patient-specific and clinical factors play a role in a provider’s prescribing choices, MedPAC focused on the financial incentives that guide prescribers’ opioid administration. Both IPPS and OPPS incentivize hospital prescribers to select the lowest-cost goods and services while adhering to Medicare’s quality measurement and reporting programs and clinical professionalism. MedPAC then stated it has “begun an analysis of the differences in prices between opioid and non-opioid drugs commonly used . . . [a]nd . . . options about non-drug alternatives.”

MedPAC lastly described how Medicare tracks opioid use. As described in the earlier section, CMS monitors Part D opioid use through OMS; ensuring plan sponsors implement opioid overutilization policies effectively. CMS also uses quality measures to track trends in opioid overuse and publicizes providers’ prescribing data through its online Part D Opioid Prescribing Mapping Tool. MedPAC then stated that CMS does not yet track opioid use in inpatient and outpatient hospital settings (Medicare Parts A and B). MedPAC listed multiple reasons for CMS initiating opioid monitoring in hospital settings, including the severity of the opioid epidemic and the need to understand the extent to which beneficiaries are exposed to opioids while in the hospital. It also acknowledged some challenges to implementation, including questions about how to interpret the “appropriateness of opioid prescriptions identified by a tracking program” and how Parts A and B do not have plan sponsors on which to rely for reporting data.

Medicare Payment Policies for APRNs and PAs

In response to Commissioner interest on rebalancing the physician fee schedule, MedPAC discussed Medicare payment polices for advanced practice registered nurses (“APRNs”) and physician assistants (“PAs”). APRNs include four types of licensed practitioners: nurse practitioners (“NPs”), certified nurse anesthetists (“CNAs”), clinical nurse specialists (“CNSs”), and certified nurse midwives (“CNMs”). While individual states determine the services and responsibilities that APRNs and PAs have, their authority and independence have substantially increased nationwide over time. Based on its review of existing literature, MedPAC concluded that “NPs and PAs provide roughly equivalent care in terms of quality and patient experience” at a lower cost for their provider-employers (although evidence of lower payer costs is mixed).

MedPAC then addressed Medicare payment for APRNs and PAs, whose services are generally covered if medically necessary. Medicare pays APRNs and PAs directly through their national provider identifier (“NPI”) at 85% of the physician fee schedule. Under this direct billing, MedPAC noted substantially increasing trends in total Medicare FFS allowed charges for APRNs and PAs—NPs total allowed charges billed have increased 158% from 2010–2016. MedPAC also pointed to rapidly growing (149% from 2010–2016) APRN/PA primary care patient visits, especially compared to the decline in traditional primary care physicians (-13% change from 2010–2016). Medicare also pays NPs and PAs under “incident to” billing at 100% of the physician fee schedule: the physician NPI is used instead of the NP or PA NPI. Certain circumstances (e.g., hospital settings, new patients, new problems for existing patients) require that NPs bill directly to Medicare; however, the rapid expansion of NPs and PAs suggests that incident to billing will also expand, especially in “evaluation and management” services (“E&M”) according to MedPAC. Based on its analysis, MedPAC concluded that for E&M office visits performed for established patients, NPs likely utilized incident to billing practices roughly 40% of the time, and PAs billed this way roughly 30% of the time. MedPAC then concluded with two policy options: (1) to eliminate incident to billing for APRNs and PAs—potentially reducing Medicare and beneficiary expenditures and (2) improving Medicare’s specialty designations for APRNs and PAs to indicate primary care as a field of practice.

Medicare’s Role in the Supply of Primary Care Physicians

MedPAC discussed Medicare’s role in the supply of primary care physicians (PCPs), focusing on beneficiaries’ current access to PCPs, factors influencing physicians’ choice of specialty, and methods for recruiting more medical students or graduates into primary care.  Recent statistics have shown that though most Medicare beneficiaries report that they are able to obtain care when needed, there was a small share who reported trouble finding a doctor.  This was a concern to the MedPAC committee given that the absolute number of primary care physicians treating beneficiaries between 2011 and 2016 had increased.

It was reported that physicians focusing on primary care were generally trained in family medicine, geriatric medicine, internal medicine and pediatrics.  Whereas family medicine residents usually ended up practicing primary care, internal medicine residents have increasingly decided to enter subspecialties (e.g., cardiology, gastroenterology), instead of practicing primary care.  The percentage of internal medicine residents going into primary care dropped 6% between 2001 and 2010.

One of the key factors influencing physician choice of specialty was educational debt load.  Medical students with high debts levels were found to be less likely to choose primary care.  The committee found this very concerning because education debt has been rising over time.  For instance, median debt among medical school graduates rose roughly $15,000 between 2010 and 2016.

MedPAC is currently seeking input on ideas to increase the supply of PCPs.  One of the proposed routes was creating a scholarship or loan repayment program for medical students and/or graduates who commit to providing primary care to Medicare beneficiaries.  Design issues to consider include size of programs in terms of dollars and the number of physicians, financing a Medicare program, determining type of medical student eligibility, physician requirement for treating Medicare beneficiaries, and the length of the service commitment.

Episode Based Payments and Outcome Measures Under a Unified Payment System for Post-Acute Care

MedPAC provided an overview regarding 2019 plans for the unified post-acute care prospective payment system (PAC PPS) and the quality measures being developed for PAC providers.  MedPAC has been developing a unified PAC PPS that would extend across four settings – home health agencies, skilled nursing facilities long-term care hospitals, and inpatient rehabilitation facilities – and provide base payments solely on patient characteristics.  The committee sees the system as having an impact in terms of redistributing payments, thus making payments more equitable “across different patient conditions compared with current policy.”  With payments increasing for medically complex patients and decreasing for patients receiving rehabilitative care unrelated to their clinical conditions, the belief is that providers would have less financial incentives to prefer various patients over others.

The committee discussed their initial work regarding patient stays, emphasizing that a stay-based payment system would encourage stays while discouraging providers from “offering a continuum of care.”  The committee proposes an episode-based PPS, where a single payment would cover both stays in the episode of PAC care (this would pertain only to post-acute care and others services like hospital or physician services).  MedPAC believes that such a model provides several advantages such as encouraging institutional PAC providers to offer a continuum of care as well as lower program spending and beneficiary cost sharing.

Finally, the Commission discussed their development of uniform measures to be utilized for measuring quality of care across providers.  In conjunction with the PAC PPS, the Commission recommended implementing a unified value-based payment (VBP) program, which would hopefully discourage shifting of care to other providers as well as overuse of care.  Some of the uniform measures discussed for a PAC VBP include Medicare spending per beneficiary, combined admissions and readmissions, hospital readmissions, and discharge to the community.  The Commission hopes to develop a combined measure of admissions and readmissions that will include admissions to hospitals for both community and inpatient admitted beneficiaries.

Recent comments by the Federal Trade Commission (FTC) Commissioner Rohit Chopra should have companies on notice for increased enforcement actions across the board. During the “Privacy. Security. Risk.” Conference in Texas last week, Chopra made comments regarding his views on increasing enforcement, including the imposition of greater civil monetary penalties. “I’ve already raised concerns about settlements we do with no monetary penalties. I want to see monetary consequences for egregious breaking of the law” said Chopra as reported by the IAPP during a live podcast taping. Chopra also stated that he was troubled by current federal enforcement action in the United States, the answer to which appears in part to come with heftier fines.

While the FTC hopes to have a bigger bite, it appears that Congressional action, or lack thereof, is in many ways muzzling the agency. During a House Subcommittee hearing in July, FTC officials indicated that while they were aggressively pursuing action regarding data and privacy security, they also said that their hands were tied in regard to bringing more aggressive enforcement. As stated by Chairman Joe Simmons, “In my view, we need more authority. I support data security legislation that would give us three things: (1) the ability to seek civil penalties to effectively deter unlawful conduct, (2) jurisdiction over non-profits and common carriers, and (3) the authority to issue implementing rules under the Administrative Procedure Act. And we should consider additional privacy authority as well….” In part, Chairman Simmons may be referencing Congress’s failure to pass a comprehensive data protection law, particularly in the shadow of the European Union’s GDPR standards, which are continuing to impact American companies.

These comments come at a time where companies face ever increasing risk as the economy becomes more and more data-centric. Across the country, companies and their boards are faced with an ever more complex business decision on how to make cyber-security make business sense. On the one hand, investing in a robust cyber-security program, both in terms of designing a compliance strategy and investing in technology, is balanced with the risk and cost of a data breach. While the risks appear to be increasing, the cost of such a breach may also be increasing as well. In addition to a loss of revenue due to a drop in consumer confidence, Chairman Simmons and Commissioner Chopra’s comments should make companies aware that enforcement and increased civil monetary penalties may also be more of a threat towards business’s bottom lines.

On October 15, 2018, the Centers for Medicare and Medicaid Services (CMS) unveiled its proposed rule requiring direct-to-consumer television advertisements for prescription drug and biological products to contain the list price (defined as the Wholesale Acquisition Cost) if the product is reimbursable by Medicare or Medicaid. Medical devices are not included in the proposed rule, although CMS seeks comment on how advertised drugs should be treated if used in combination with a non-advertised device. If finalized, the requirement will be sweeping and only purports to exclude products costing under $35 per month for a 30-day supply or a typical course of treatment.

CMS prescribes specific language for manufacturers to use at the end of an advertisement:

The list price for a [30-day supply of ] [typical course of treatment with] [name of prescription drug or biological product] is [insert list price]. If you have health insurance that covers drugs, your cost may be different.

The list price is determined “on the first day of the quarter during which the advertisement is being aired or otherwise broadcast.” This pricing statement must be legible, “placed appropriately against a contrasting background for sufficient duration,” and must be in an easily read font and size. Manufacturers are permitted under the proposed rule, “[t]o the extent permissible under current laws,” to include a competitor’s current product list price, so long as the disclosure is done in a “truthful, non-misleading way.”

CMS proposes that drug and biological products in violation of the proposed rule would be publically listed on its website. Although CMS acknowledged that it was proposing no other HHS-specific enforcement mechanisms, CMS anticipates an influx in private actions under the Lanham Act as the primary enforcement mechanism if the proposed rule is finalized.

Health and Human Services Secretary Alex Azar emphasized the proposed rule’s intent to mitigate consumer out-of-pocket costs and reduce unnecessary Medicare and Medicaid expenditures. Interested stakeholders can submit comments online to the regulations.gov docket or by mail until December 17, 2018.