Final rule on Medicaid Prescription Drug Programs

In January of 2016, the Centers for Medicare and Medicaid Services (CMS) issued a final rule on covered outpatient drugs. The rule changes the Medicaid Drug Rebate Program by the Patient Protection and Affordable Care Act (PPACA) and the overall Medicaid drug reimbursement program.  These changes have several goals, including reducing the cost to the federal and state governments and improving beneficiary access to covered outpatient drugs.

CMS claims the changes implemented will help the government save money in the Medicaid Drug Rebate Program, which had been subject to sustainability issues. One key change in the final rule is a definition of the Average Manufacture Price, which in turn gets used to determine rebates and pharmacy reimbursements subject to the federal upper limit. Similarly, the changes to the federal upper limit formula will incentivize pharmacies to use certain generic drugs. The final rules clarify many of the ambiguous sections of the Medicaid Drug Rebate Program by the PPACA, including the manufacturer reporting requirements. The rule also aligns the pharmacy reimbursement system with the actual acquisition cost of the drug.

Overall, the new incentives and changes should improve the reimbursement system and help manage drug costs. This rule becomes effective April 1, 2016, although CMS is allowing comment for 60 days after publication on certain elements of the rule. The new rule can be found at the following link:

https://www.gpo.gov/fdsys/pkg/CFR-2014-title42-vol4/pdf/CFR-2014-title42-vol4-part447.pdf

 © 2015 Vandenack Williams LLC
For more information, Contact Us

Changes Coming to Meaningful Use

The government program providing incentives to health providers for meaningful use of electronic health records continues to be troubled as the final rule for stage 3  has been delayed until 2018. Coupled with recent comments by the Centers for Medicare and Medicaid Services (CMS), it appears that the entire program will undergo substantive changes in the year ahead. However, CMS notes, it is important to continue under the old program until the changes start being unveiled in the spring of 2016.

When meaningful use started in 2009, the intent was to induce medical providers to use the new technology purchased with the help of the federal government. By providing incentive payments to the physicians that showed they were using the new technology in a meaningful way, the government believed it would improve quality, safety, and efficiency of care through electronic health records. However, CMS has found that the program did not operate as envisioned, resulting in the forthcoming changes to the program, expected to start in the spring of 2016.

While the new program has guiding themes that were issued by CMS, it is unclear what the new program will ultimately look like. However, many of the themes are to focus on the outcome of patient care, with less focus on the use of the new technology, in hopes that complaints by all stakeholders about the meaningful use program will be alleviated. For health providers, the pending changes will take time implement and until such time, the meaningful use program is still the operative requirements. To read more about the changes, please visit the official blog of CMS at: http://blog.cms.gov/2016/01/19/ehr-incentive-programs-where-we-go-next/

© 2015 Vandenack Williams LLC
For more information, Contact Us

IRS issues final regulations on employer sponsored health insurance

In December of 2015, the Internal Revenue Service (IRS) issued final regulations that addressed some of the questions pertaining to whether employer sponsored health insurance meets the Patient Protection and Affordable Care Act minimum value requirements.  Amongst a variety of miscellaneous items pertaining to minimum value, the final regulations clarify the impact of a health reimbursement arrangement (HRA) on affordability. The regulations also clarify some of the rules regarding eligibility for the health insurance premium tax credit.

Under the final regulations, the new amounts made available by an employer to an employee in a HRA that can be used to pay health insurance premiums, when the employer also offers qualifying health coverage, will be counted towards affordability. Similarly, if the new amounts are available to an employee in a HRA integrated with qualified employer coverage, and the new amount can only be used to reduce cost-sharing, that new amount will be counted for minimum value purposes.

The health insurance premium tax credit had rules finalized in the same regulations. One rule includes the eligibility of a household that has income from a child. The premium tax credit is based on household income and when a parent includes a child’s income on their income tax return for tax credit eligibility purposes, the amount used is the child’s modified adjusted gross income, not the gross income reported on the child’s tax return.

The final regulations also addressed the impact of wellness incentives on the health insurance premium tax credit. The regulations clarify that wellness incentives that reduce the cost of health insurance premiums to an employee will not be included in the calculation for minimum value or affordability, instead the regulations assume the employee will not qualify for the incentive. This rule has one exception, which is if the incentive is based on tobacco use. If so, the regulations assume that the employee will qualify for the incentive and the incentive can be used in the minimum value and affordability calculation. Thus, only tobacco use wellness incentives can be used in the minimum value and affordability calculation for purposes of premium tax credit eligibility.

Overall, a variety of miscellaneous rules regarding health insurance were finalized in the regulation. The entirety of the IRS regulation can be found at the following link: https://www.federalregister.gov/articles/2015/12/18/2015-31866/minimum-value-of-eligible-employer-sponsored-plans-and-other-rules-regarding-the-health-insurance

© 2015 Vandenack Williams LLC
For more information, Contact Us

New HIPAA Rule Allows Mental Health Reporting to Federal Firearm Background Check System

by Matthew J. Effken

The Department of Health and Human Services is relaxing Privacy Rule provisions of the Health Insurance Portability and Accountability Act (HIPAA) to allow some covered entities to notify the National Instant Criminal Background Check System (NICS) about individuals who are prohibited from having a firearm for mental health reasons.  The NICS is a national database maintained by the FBI and used to conduct background checks for gun purchases.  Under the new rule, the only information that can be reported is the minimum necessary to identify persons who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others or to lack the mental capacity to manage their own affairs.

The new rule applies only to those HIPAA covered entities with lawful authority to make mental health determinations that disqualify an individual from having a firearm, or are designated NICS reporting entities under state law.  The only information that can be reported is limited identifying information, not diagnostic or clinical information.  The new rule does not apply to most treating providers.  The rule will primarily impact state agencies, boards and commissions outside the court system in states that do not already require that such information be provided to the NICS.

The new rule is effective February 5, 2016.  The text of the rule is available at       https://federalregister.gov/a/2015-33181.

© 2015 Vandenack Williams LLC
For more information, Contact Us

$750,000 HIPAA Settlement Highlights the Importance of Risk Assessments under HIPAA

By Matthew J. Effken

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) and The University of Washington Medicine (UW Medicine) recently announced an agreement to settle an OCR investigation into a self-reported HIPAA breach involving UW Medicine patient records.  The breach occurred when a UW Medicine staff member opened an e-mail attachment that contained malicious code, allowing outsiders to gain potential access to confidential patient information.  The information compromised included treatment and demographic information such as addresses, dates of birth and social security numbers for over 90,000 UW Medicine patients.

The settlement agreement states that UW Medicine had adopted HIPAA security policies and procedures, but had not assured that its affiliated entities had implemented such procedures.  UW Medicine also failed to conduct comprehensive risk assessments to identify and respond to potential security vulnerabilities.  The result was a $750,000 monetary penalty, plus a Resolution Agreement that requires at least two years of enhanced reporting to OCR.  UW Medicine also agreed to a reorganization of its compliance program.  Failure to comply with the Resolution Agreement may result in the imposition of additional monetary penalties.

OCR Director Jocelyn Samuels commented: “An effective risk analysis is one that is comprehensive in scope and is conducted across the organization to sufficiently address the risks and vulnerabilities to patient data.  All too often we see covered entities with a limited risk analysis that focuses on a specific system such as the electronic medical record or that fails to provide appropriate oversight and accountability for all parts of the enterprise.”

The Resolution Agreement is available on the OCR website at: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/uwm/index.html.

© 2015 Vandenack Williams LLC
For more information, Contact Us

Physician Conflict of Interest Reporting Requirements

The Physician Payments Sunshine Act was adopted as part of the Patient Protection and Affordable Care Act in 2010. The act allows patients to know if their physician may have an outside motivation when providing care, such as incentives provided by medical product manufacturers. These incentives could include simple monetary payments or any type of transfer of valuable goods. By making this information public, the hope is to ensure that physicians make the best possible decisions for their patients, not their own personal interests.

The Act requires physicians to disclose to the Centers for Medicare and Medicaid Services (CMS) any payment or “transfer of value” made to the physician or teaching hospital by a medical product manufacturers. This Act also requires a group purchasing organization or medical manufacturer to disclose any physician ownership. The information is then published online for patients and others to research, with the first set of data published in 2014. Despite the initial publication, CMS withheld some information due to technical difficulties and the outcome of this publicity remains unclear. For 2015 and 2016, CMS implemented changes to the reporting process for physicians as a result of the first release.

Despite the lack of clarity surrounding the outcome of making this information public, some lawmakers are trying to expand the law to include nurse practitioners and others that have prescribing authority. However, at the current time, the law remains limited to physicians, medical product manufacturers, and group purchasing organizations. To view the information and search for physicians, please visit the following website: https://www.cms.gov/openpayments/

© 2015 Houghton Vandenack Williams
For more information, Contact Us

Who Owns Medical Records in the Digital Age?

Determining who owns medical records in the age of electronic health records remains somewhat ambiguous. In fact, recent issues at the University of Rochester Medical Center highlight the confusion as the health provider recently reached settlement over a violation of protected health information because a nurse practitioner took patient information to a new practice. Thus, the relevant question is whether the provider, the physician, the electronic health record provider, or the patient own the information?

Many patients assume the Health Insurance Portability and Accountability Act (HIPAA) provides ownership of health information to the patient, but the law, in fact, fails to specify. Largely, this issue is left to state legislatures to determine, but the majority of states have failed to address the issue. According to a recent survey by the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation, only New Hampshire provides ownership of medical records to the patient, while in 20 other states, the healthcare provider owns them.

In the age of electronic health records, patient data is quickly shareable between physicians, patients, and other individuals. This poses new legal challenges for healthcare providers and physicians, especially as the laws and regulations on protected health information continue to evolve and state attorneys general start to enforce the privacy laws under the Health Information Technology for Economic and Clinical Health Act. This means that physicians and healthcare providers of all types should ensure that their internal policies on health records fully comply with the evolving legal landscape.

© 2015 Houghton Vandenack Williams
For more information, Contact Us

Clarity Emerges for Employer Sponsored Health Insurance Auto-Enrollment Requirement

In early November, 2015, the President officially signed the federal budget that included a repeal of the auto-enrollment mandate contained with the Patient Protection and Affordable Care Act (PPACA) for employers with over 200 employees.

Originally under the PPACA, an employer with 200 or more employees would be required to automatically enroll new employees into the employer-sponsored health coverage. This mandate had never been implemented and was indefinitely suspended due to problems at the Department of Labor in issuing regulations. It was unclear whether it would eventually be implemented, but the official legislative repeal ends this potential issue for employers.

Many aspects of the PPACA continue to change and evolve. As more of the law continues to be implemented, be sure to monitor the evolving requirements for both individuals and health insurance providers.

© 2015 Houghton Vandenack Williams

For more information, Contact Us

Ensuring Compliance with the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) requires physicians, healthcare providers, and all others that qualify as “covered entities”  or “business associates” to comply with regimented patient privacy and security standards. Failure to fully comply with the law can result in an investigation by the Office for Civil Rights, leading to fines, penalties, and potential damages. This means the best solution for a covered healthcare entity is proactively auditing HIPAA compliance. The following are some key topics that are important for HIPAA compliance.

Risk Assessments.  All covered entities and business associates must conduct periodic risk assessments to identify potential risks to protected health information from a variety of threats, including threats from the environment, such as long-term power loss, chemicals, or pollution. Other threats that must be included in the assessment are intentional and unintentional human data breaches, human error, and natural disasters, such as floods, tornadoes, and earthquakes. The risk assessment must include a variety of information and clearly delineate the risk and potential impact from specific threats. In conjunction with the identification of threats, the risk assessment must demonstrate and outline safeguards implemented to mitigate the potential risk from the identified threats.

Privacy and Security Standards.  An easily overlooked issue pertains to the different standards between the requirements of the HIPAA Privacy Rule and the HIPAA Security Rule.  The HIPAA Privacy Rule requires a covered healthcare provider to have specific policies and procedures for health information disclosure and to distribute a Notice of Privacy Policy to patients.  These requirements are separate from the policies and procedures required by the HIPAA Security Rule.  Policies and procedures under the Security Rule relate to physical premises security, data encryption, and other electronic protection measures. The HIPAA Security Rule and the Privacy Rule require separate and distinct policies and procedures and should be evaluated individually.

On-Going Compliance. After HIPAA policies and procedures are adopted, on-going compliance requirements must not be overlooked.  For example, HIPAA compliance activities must be recorded, and records demonstrating implementation must be kept. Compliance with the Security Rule and the Privacy Rule must be periodically reviewed, with policies and procedures updated as circumstances warrant.

HIPAA has many pitfalls that a healthcare provider may fall victim to, even when that healthcare provider is attempting to comply with the law. This underscores the importance of taking proactive steps to audit HIPAA compliance and even seek outside counsel where appropriate to prevent unintentional miscues.

© 2015 Houghton Vandenack Williams
For more information, Contact Us

Federal HIPAA Audits Set to Resume in Early 2016

By Matthew J. Effken

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced its intent to move forward with new HIPAA compliance audits in early 2016. The so-called “Phase 2” audits were originally scheduled to commence in 2014, but have been repeatedly delayed.  The OCR reportedly sent preliminary pre-screening surveys to several hundred potential audit targets earlier this year, but there has been no apparent activity since that time.

The upcoming round of audits will include both covered entities and business associates.  There will be a combination of on-site visits and desk audits.  Before the audits can begin, however, the OCR still needs to revise its HIPAA audit protocol and update its information systems to support the audit program.

The OCR’s announcement came in the wake of a highly critical report from the HHS Office of Inspector General (OIG)  that highlighted various deficiencies in the OCR’s execution of its HIPAA oversight responsibilities.  Among the shortfalls noted in the report was the OCR’s failure to implement a permanent program of proactive HIPAA audits, as required by federal law. The OCR cited various obstacles, including limited resources, as having delayed the audit program.

The OIG report and the OCR response are available at the following link: http://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf.

© 2015 Houghton Vandenack Williams
For more information, Contact Us