HHS Revises, Delays Medicare Enrollment Requirements for Part D Prescriptions

The Affordable Care Act authorized the Department of Health and Human Services (HHS) to require a physician, dentist or other healthcare provider to be enrolled in the Medicare program before they can issue a prescription covered by Medicare Part D.

Regulations implementing this requirement were first issued by HHS in 2014 and scheduled to go into effect June 1, 2015, with an enforcement delay until December 1, 2015.  Under the regulations, HHS required all providers to either formally enroll in, or officially opt out of, the Medicare program in order to issue a covered prescription to a Medicare Part D beneficiary.

These regulations will have the greatest impact on healthcare providers, such as dentists, whose services are generally not covered under Medicare but who may still issue prescriptions to Medicare beneficiaries.  These providers have historically neither formally enrolled in nor opted out of the Medicare program, because they never provided services which were eligible for Medicare reimbursement.

The provider community objected that these regulations would create an undue burden on providers who had never been subject to Medicare enrollment requirements and would limit beneficiaries’ access to needed pharmaceuticals. For example, a prescription for a painkiller or antibiotic issued to a patient by a dentist would no longer be covered if the dentist had not met these new enrollment requirements.  The patient would have to pay for the full cost of the drug and, if they could not afford to do so, might not receive needed pharmaceutical care.

In response, HHS released revised regulations on May 6, 2015.  These revisions include a delayed effective date of January 1, 2016.  In addition, Medicare Part D plans must now provide provisional coverage of a drug prescribed by a provider who does not meet the enrollment/opt out requirements.  The provider will then have up to 3 months to either enroll or formally opt out of Medicare, allowing the prescription to be covered back to the original date.

Providers who have not yet enrolled in or opted out of Medicare have four options to consider:

  1. Take no action.  The provider can still issue prescriptions – but Medicare Part D beneficiaries will be required to pay the full cost of the prescription or find an alternate provider.
  2. Enroll as a Medicare provider.  Dentists and other healthcare professionals are eligible for Medicare enrollment, even if they never provide Medicare-covered services.
  3. Enroll in Medicare as an ordering/referring provider (ORP).  This is a limited enrollment category.  An ORP is allowed to order Medicare-reimbursable services, including prescriptions, but is not eligible for Medicare reimbursement for any services they provide directly.
  4. Opt out of Medicare.  Providers can formally opt out of Medicare by filing an affidavit with the appropriate Medicare contractor.

Each option has pros and cons that should be weighed carefully before a decision is made.  If you have any questions regarding Medicare provider enrollment or opting out of the Medicare program, please contact the Benesch Health Care group.

CareFirst, Third Major Health Insurer This Year To Be Hit By Cyberattack

On May 20, 2015, CareFirst BlueCross BlueShield (“CareFirst”) announced that it was the latest victim of a major cyberattack, with as many as 1.1 million plan customers affected.  Current and former CareFirst members and individuals who do business with CareFirst online who registered to use CareFirst’s websites prior to June 20, 2014 are impacted by this event.

CareFirst said that although the hackers may have acquired customer names, email addresses, birthdates, customer-created user names and subscriber identification numbers, they did not obtain sensitive financial or medical information like Social Security numbers, medical claims, credit card or employment information or passwords associated with the user names.  The company has stated that those affected by the cyberattack will be provided two free years of credit monitoring and identity theft protection.

As an explanation of how CareFirst learned of the breach, Chet Burrell, CareFirst’s chief executive, said that after cyber attacks on other insurers earlier this year, he created a task force to review the company’s information technology systems.  CareFirst then hired Mandiant, a division of FireEye, to perform a forensic review of its systems.  Last month, Mandiant determined a breach had occurred in June 2014 allowing unauthorized access to a single database with the information listed above.

Just hours after the announcement of the breach, class action law firms were already investigating the circumstances of the breach and seeking plaintiffs who may have been affected.  Now that state claims may be brought based on HIPAA as a standard of care, the suits will likely consider potential harm due to the disclosure and whether CareFirst adequately protected the information and provided timely notice.  These are the same types of claims brought in the numerous class action lawsuits after the Anthem cyber-attack in February 2015.

The cyber-attack and pending lawsuits should serve as a reminder for healthcare companies to review and properly implement their HIPAA privacy and security policies and procedures.  For more information on HIPAA, health care compliance or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

Medicare Part B Reimbursement After the SGR Repeal

On April 16, 2015, President Barack Obama signed into law the Medicare Access and CHIP Reauthorization Act of 2015 and thereby repealed the sustainable growth rate (“SGR”) Medicare Part B provider reimbursement methodology, represented by the Physician Fee Schedule that had been in place for nearly twenty years. SGR reimbursement was originally intended to control Medicare costs by keeping provider reimbursement proportionate to America’s overall economic growth. This was to be accomplished by setting reimbursement ceilings and then cutting reimbursement when those ceilings were exceeded in a given year. Historically, rather than instituting these cuts as planned, Congress repeatedly delayed the implementation of reimbursement reductions through the use of short-term legislative patches.

This pattern of emergency stop-gap measures ended on April 16, 2015 when, in an uncharacteristically bipartisan move, Congress permanently repealed and replaced the SGR. This revised reimbursement formula includes:

  • eliminating delayed reimbursement rate reductions under the SGR;
  • from 2015 – 19, increasing reimbursement rates by 0.5%;
  • from 2020 – 25, freezing reimbursement rates; and
  • from 2026 – forward, instituting annual reimbursement rate increases based upon provider participation in one of two provider risk-sharing arrangements: (1) the Merit-Based Incentive Payment System (“MIPS”) provides for a 0.25% annual increase; or (2) Alternative Payment Models (“AMP”) provides for a 0.75% annual increase.

Both incentive programs incorporate value-based payments beginning in 2019. First, MIPS combines and replaces existing incentive programs and provides a payment adjustment to fee-for-service reimbursement based upon a composite score made up of four categories: (1) Quality; (2) Resource Use; (3) Clinical Improvement; and (4) EHR Use. Second, AMP participants will receive a bonus payment of 5% of annual reimbursement in exchange for generating sufficient revenue through qualified risk-sharing payment models, such as Accountable Care Organizations and Medical Homes.

The SGR repeal is funded by reductions in Medicare payments to hospitals and post-acute care providers, elimination of first-dollar Medigap coverage, and increases to Medicare premium cost-sharing for high income beneficiaries. Despite these cuts, the Congressional Budget Office estimates that the legislation will still add a grand total of $141 billion to the Federal deficit.

The elimination of the SGR provides some enduring stability following years of uncertainty.  After repeated, temporary SGR legislative fixes, the legislation eliminating the SGR and instituting the replacement reimbursement methodology represents a bipartisan effort to transition Federal health care program reimbursement away from traditional fee-for-service arrangements and into a new era of value-based payments. Consistent with trends in the health care industry at large, and the Federal health care programs in particular, providers seeking meaningful reimbursement increases through Medicare Part B under the revised reimbursement methodology must meet quality metrics, whether through an incentivized fee-for-service model or through participation in alternative payment mechanisms.

For more information on health care reimbursement trends, please contact a member of Benesch’s health care team.

Guidance Released for Health Care Governing Boards

On April 20, 2015, the Office of Inspector General (the “OIG”) of the U.S. Department of Health and Human Services, the Association of Healthcare Internal Auditors, the American Health Lawyers Association, and the Health Care Compliance Association published a first-of-its-kind guide entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight.”

The guide is intended to assist governing boards of health care organizations (“Boards”) to create and carry out compliance programs. The guide addresses issues relating to a Board’s oversight and review of compliance program functions, including: (1) the roles of, and relationships between, the organization’s audit, compliance, and legal functions; (2) the mechanism and process for issue-reporting within an organization; (3) the approach to identifying regulatory risks; and (4) methods of encouraging organization-wide accountability for achievement of compliance goals and objectives.

The guide encourages Boards to create benchmarks using publicly available resources, such as the Federal Sentencing Guidelines, the OIG’s voluntary compliance program guidance, and OIG Corporate Integrity Agreements.  Although there is no such thing as a “one size fits all” compliance program, these resources can be helpful in creating a program tailored to each organization’s needs.

While recognizing that not all organizations will possess the resources to support the structure in its entirety, the guide recommends creating corporate charters that address the following functions: (1) compliance; (2) legal; (3) internal audit; (4) human resources; and (5) quality improvement. Boards should continuously evaluate the effectiveness of these charters.

The guide also encourages Boards to ensure proper reporting mechanisms are in place within the organization. If managers or other individuals within the organization are not held responsible for reporting compliance concerns to the Board, the Board will not have a complete picture of the adequacy and effectiveness of the organization’s compliance atmosphere. Therefore, Boards should consider scheduling regular sessions to hear from the organization’s management about the organization’s utilization of compliance, legal, internal audit, and quality functions.

Identifying risk areas is an integral part of any organization’s compliance program. Boards can identify high risk areas from internal and external sources. The guide recommends tracking industry trends to identify risk areas, as new payment models can lead to new incentives and new compliance concerns.

Finally, the guide recommends encouraging accountability within an organization along with compliance. Many organizations have tied an employee’s performance assessment and other incentives to adherence to the organization’s compliance program to emphasize and encourage individual accountability.

The entire guide is available on the OIG’s website. For more information on health care compliance programs, please contact any member of Benesch’s health care practice group.

2015 Phase Two HIPAA Audits – Delayed Again

Recently, the Director of the Department of Health and Human Services Office for Civil Rights (“OCR”) confirmed that OCR is still working to finalize the procedures for “Phase Two” HIPAA audits. OCR had initially planned to launch the Phase Two audits in the Fall of 2014. Apparently, the delay is the result of behind-schedule implementation of the technology that OCR will use to collect audit-related documentation from covered entities and business associates via a web portal. An official date for the launch of Phase Two audits has not yet been announced.

The HIPAA Audit Program is authorized under Section 13411 of the HITECH Act, and is designed to test entities’ compliance with the Privacy Rule, Security Rule, and Breach Notification Standards. If you are a covered entity or business associate, this delay in the launch of Phase Two audits provides a great opportunity to conduct a comprehensive assessment of your current HIPAA compliance program. This means doing much more than just checking boxes and having an old binder of policies and procedures on your shelf. Instead, covered entities and business associates need to take real action, such as reviewing the audit protocol from the pilot program and applying it to your organization, conducting a risk assessment, engaging in a dialogue with your compliance officer, and reviewing/updating training materials, among others.

Being proactive now will go a long way towards easing the burden of a Phase Two audit, should your organization be selected. If you have any questions concerning Phase II HIPAA audits, or general HIPAA compliance, please do not hesitate to contact a member of Benesch’s Health Care Department.

What Makes A Five Star Hospital?

The Affordable Care Act includes many provisions aimed at improving the quality of care provided by different types of health care professionals and providers. Along these lines, the ACA expands the types of facilities and providers for which quality data will be publicly available.  The Secretary of the United States Department of Health and Human Services was therefore directed to develop a Hospital Compare website (amongst other similar sites such as Physician Compare and Nursing Home Compare) that would allow Medicare enrollees to compare scientifically sound measures of physician quality and patient experience.

In accordance with these directives, on April 16, 2015 the Centers for Medicare and Medicaid Services (“CMS”) released the first ever Hospital Compare Star Ratings on its public information website.  The site is intended to make it easier for consumers to choose a hospital and understand the quality of care they deliver.  The data set from the website contains hospital-specific quality data for over 4,500 hospitals nationwide.  The ratings are based on the 11 publicly reported measures in the Hospital Consumer Assessment of Healthcare Providers and Systems (“HCAHPS”) survey, which assesses patient experiences.

The star ratings allow for an easy comparison using a five-star scale, with more stars indicating better quality care.  The quality data on Hospital Compare includes clinical process of care, patient outcomes and patient experience of care measures.  The national rankings are based on hospitals’ performance on the clinical process of care measures and a national survey of patients’ experience of care.  The hospitals’ ranks are combined into an overall, composite performance ranking, with process of care measures contributing 70% and patient experience of care measures contributing 30%.

However, just 251 out of 3,553 hospitals received the highest score in the rating system based on the experiences of patients who were admitted between July 2013 and June 2014.  Hospitals had an opportunity to preview the ratings in the fall and many have already expressed concern.  Hospitals question the methodology and whether the ratings are meaningful reflections of performance.  They also assert that the ratings oversimplify a hospital’s performance to a single score.

Notably, the patient experience star ratings are only based on the information on quality of care that is reported by patients.  The surveys are provided to a random sampling of patients within two days after discharge from a hospital and must be completed within 42 days.  Further, positive results may mean that the hospital is delivering good care.  However, these results do not take into account other factors such as timely and efficient care and results or outcomes of care measures.  Moreover, the results place substantial reliance on patient review, which is just one measurement of hospital quality.  Lastly, if one does not review Hospital Compare extensively, information aside from the star ratings may easily be overlooked.  For example, the complete results for each HCAHPS measure can be found in the “Survey of Patients’ experiences” section.

On the other hand, supporters of Hospital Compare argue that while it’s not a perfect measurement system, it creates a healthy competition among hospitals.

For more information on Hospital Compare, other CMS initiatives or related issues, please feel free to contact Daniel Meier or any member of our health care practice group for a further discussion.

Supreme Court Blocks Provider Challenges to Medicaid Program

On March 31, 2015, the Supreme Court issued the first of several expected decisions that will impact the healthcare industry this year, ruling that Medicaid providers have no constitutional or statutory right to challenge a state’s Medicaid reimbursement rates. In Armstrong v. Exceptional Child Center, Inc., a group of Idaho Medicaid providers had challenged the state’s reimbursement rates as violating the federal laws that govern the program, commonly known as the Medicaid Act.

Under the Medicaid Act, both the federal government and the individual states fund and administer the Medicaid program. Each state establishes the rates and other parameters within its Medicaid program, subject to overall federal approval. Each state must submit a plan outlining its Medicaid program to the Department of Health and Human Services (HHS). The Plan, among other things, is supposed to meet the Medicaid Act’s requirements that payments are sufficient to enlist enough providers so that covered care and services are available to Medicaid beneficiaries.

A group of Idaho Medicaid providers challenged Idaho’s Medicaid rates as violating this provision of the Medicaid Act. The Idaho Department of Health and Welfare had proposed rate increases which had been approved by HHS as part of the state’s overall Medicaid plan. However, the increases were never funded by the Idaho state legislature and thus never implemented. The providers filed a lawsuit seeking to impose higher Medicaid reimbursement rates on the grounds that Idaho had failed to follow its approved plan and had set reimbursement rates so low that providers were unwilling to enroll in the Medicaid program, denying Medicaid beneficiaries access to effective care.

Two lower courts had ruled in favor of the providers. However, the Supreme Court ruled that only HHS is entitled to enforce the requirements of the Medicaid Act. It is important to note that the case was purely procedural. While the Supreme Court held that Medicaid providers did not have a constitutional or statutory right to challenge a state’s Medicaid reimbursement rates, it did not rule on whether or not Idaho’s Medicaid reimbursement actually complies with the Medicaid Act requirements.

The increasing downward pressure on Medicaid reimbursement shows no signs of stopping, even as the Affordable Care Act expands Medicaid enrollment in many states. This case is a reminder that providers seeking to increase Medicaid reimbursement will need to also focus on obtaining federal and state legislative, not just judicial, solutions.