Three Key Things in Health Care

November 11, 2020

  • Final Rules requiring transparency in health insurance coverage
    • In a prior issue, we addressed the 2019 CMS hospital price transparency rule and suggested the reporting challenges it presented might serve as a catalyst for the development of simplified billing and payment systems.
    • On November 12, 2020, a final “Coverage Transparency Rule” will be published in the Federal Register. Issued jointly by the Centers for Medicare & Medicaid Services (“CMS”), the Department of Labor and the Internal Revenue Service, the Coverage Transparency Rule 1  will require group health plans and health insurance issuers to disclose
      • cost sharing information to beneficiaries and enrollees (e.g., cost-sharing liability for a covered item or service, accumulated amounts toward deductible or out-of-pocket limits, in-network rate for a covered item or service, and out-of-network allowed amounts for the item or service) beginning in 2023; and
      • pricing information to the public (e.g., all applicable in-network rates for covered items, services and prescription drugs, and out-of-network allowed amounts and billed charges for covered items or services) beginning in 2022.
    • America’s Health Insurance Plans has criticized the Coverage Transparency Rule, though it remains to be seen whether the rule will be challenged in court.
    • Assuming the rule survives, health systems have to assume the race will be on collect and analyze as much of this information (together with information disclosed under the hospital price transparency rule) as possible, and should ask the following questions:
      • What does “our” data look like, alone or in comparison to my competitors or our benchmarks?
      • How would we explain the picture our data paints–To our customers? To our bondholders or shareholders? To our legislators?
      • Could one of our board members explain that picture?
      • How might my data be used by competitors, regulators, enforcement officials or investigative journalists?
    • Key takeaway: Health systems should give serious attention to the answers to the foregoing questions, and consider whether the picture is a positive one. If not, health systems should determine what steps can be taken, and when, to improve the landscape. In the end, what a competitor can say (and prove) about pricing and payments may be more important than the justifications that could be offered up in defense of the status quo.
  • In a Joint Cybersecurity Advisory, federal agencies warn of “an increased and imminent cybercrime threat to US hospitals and healthcare providers.”
    • The Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigations (“FBI”) and the Department of Health and Human Services (“HHS”), issued a joint advisory warning of an increased and imminent threat of ransomware attacks on the healthcare sector.
    • Ransomware attacks, which involve the use malware to encrypt files and make them inaccessible to users subject to payment of a ransom to regain access, increasingly have become a reality for the US healthcare system. While the specific number of healthcare industry ransomware attacks is unclear, there is no question that attacks are happening more frequently.
      • At the beginning of June, the University of California San Francisco (“UCSF”) fell victim to a ransomware attack from NetWalker that infected several of the UCSF School of Medicine’s servers. Although UCSF was able to stop the attack as it was in process, it acknowledged paying an approximately $1.14 million ransom demand to unlock the encrypted data and secure return of the data obtained by the cyber criminals.
      • In late September, Pennsylvania-based University Health Services (“UHS”), one of the largest health systems in the US, was the victim of a ransomware attack that affected all of its US hospitals and healthcare sites. While UHS stated that its major information systems, including its electronic health record, were not directly impacted, the attack forced UHS to suspend user access to its IT applications related to its US operations for eight days until its IT network could be fully restored. It also prompted Senator Mark Warner (D-Va.), who serves as Vice Chair of the Senate Intelligence Committee, to send a letter to UHS raising concern and asking a number of questions about the attack and about UHS’s policies, procedures and processes relating to its IT systems.
      • There also have been recent reports of ransomware attacks on Michigan-based Dickinson County Healthcare System; Sky Lakes Medical Center in Klamath Falls, Oregon; New York-based St. Lawrence Health System; the University of Vermont Health Network; and Sonoma Valley Hospital.
  • The recent joint advisory warns that the cybercriminals behind Trickbot and BazarLoader/Bazar Backdoor malware in particular are targeting the healthcare and public health sector to deploy ransomware, identifying ransomware known as “Ryuk” and “Conti” specifically. To manage the increased risk and mitigate the impact of a cyberattack, the joint advisory makes recommendations relating to business continuity plans, network, ransomware and user awareness best practices, as well as ransomware mitigation measures. It further recommends against paying any ransom, observing that payment will not ensure that the data subject to the attack will be decrypted or that compromise to the affected systems will be resolved.
  • Key Takeaway: The joint advisory specifically acknowledges the particular challenges organizations already strained by the COVID-19 pandemic face in addressing the increased risk of cyberattacks. Notwithstanding the increased strain, hospitals and health system must remain attuned to the increased risk and determine the steps and investments they are able to make to mitigate such risk.
  • As part of its Calendar Year (“CY”) 2021 End State Renal Disease (“ESRD”) Prospective Payment System (“PPS”) final rule, the Centers for Medicare & Medicaid Services (“CMS”) finalized policy changes designed to encourage in-home dialysis.
    • On November 2, 2020, CMS issued its CY 2021 ESRD PPS final rule. The rule, which becomes effective January 1, 2021, finalized modifications relating to the ESRD PPS, payments for dialysis services furnished to beneficiaries with acute kidney injury (“AKI”), and the ESRD Quality Incentive Program (“QIP”).
    • Among the more notable modifications is an expansion to the eligibility for transitional add-on payment adjustment for new and innovative equipment and supplies (“TPNIES”) “to include certain capital-related assets that are home dialysis machines when used in the home for a single patient.”
    • CMS first established the transitional add-on payment adjustment as part of its CY 2020 ESRD PPS final rule “to help address the unique circumstances experienced by ESRD facilities when incorporating new and innovative equipment and supplies into their businesses and to support ESRD facilities transitioning or testing these products during the period when they are new to market,” adding 42 C.F.R. § 413.236 to establish eligibility criteria and payment policies for TPNIES. But under the CY 2020 final rule, CMS specifically excluded capital-related assets from the TPNIES, stating that it needed more time to evaluate business arrangements involving renal dialysis equipment.
    • Pursuant to the CY 2021 final rule, and prompted by several factors—a July 2019 Executive Order on Advancing American Kidney Health from President Trump, certain kidney health initiatives of the US Department of Health and Human Services (“HHS”), and the increased vulnerability of the ESRD population to COVID-19, particularly for those ESRD patients receiving in-center dialysis—CMS modified its position on capital-related assets, expanding eligibility for TPNIES to include a narrow category for certain capital-related assets that are home dialysis machines when used in the home for a single patient. CMS did not go so far as to incorporate capital-related assets for multiple-patients usage due to a focus on promoting in-home dialysis consistent with HHS goals and President Trump’s Executive Order. In addition, as the intent is to pay for those assets that are owned, either by purchase or through a capital lease, equipment obtained through an operating lease is excluded.
    • For those capital-related assets that qualify for the TPNIES, Medicare will pay 65 percent of the Medicare Administrative Contractor (“MAC”) determined pre-adjusted per treatment amount, offset by $9.32 (the amount currently included in the base rate for a dialysis machine).
    • Key Takeaway: According to CMS, more than 85 percent of Medicare fee-for-service beneficiaries with ESRD travel to a facility to receive dialysis at least 3 times per week, where they spend, on average, approximately 12 hours each week on a dialysis machine. Through expansion of the TPNIES to include capital-related assets that are dialysis machines when used in the home for a single patient, CMS aims to incentivize dialysis in the home, and in turn increase access to care for vulnerable patients, improve health outcomes and lessen patients’ exposure to COVID-19 without forgoing treatment.

 

 

1 The pre-publication version of the Coverage Transparency Rule is available here, and will be replaced by the official version after publication.