Better Care Reconciliation Act – Key Takeaways for Employers and Plan Sponsors

On June 22, 2017, the Senate released its much anticipated health care reform legislation – the Better Care Reconciliation Act (“BCRA”) (linked to amended version released June 26, 2017). In many respects the BCRA is similar to the House of Representatives’ American Health Care Act (which was described in our March 9, 2017 and May 4, 2017 blog entries). However, the BCRA differs from the AHCA in several important respects.

As of the date of this blog entry, the BCRA does not have sufficient support to pass a vote in the Senate, and House GOP members have indicated that they would reject the bill. Therefore, Senate leadership has delayed a vote on the BCRA until after the July 4th holiday recess. Nevertheless, as we provided for the AHCA, below are key takeaways for employers and plan sponsors and a few comparisons between the AHCA and BCRA. A more detailed comparison between key provisions of the Affordable Care Act (“ACA”), the AHCA, and the BCRA is provided at the end of this blog.

1. Individual and Employer Mandates. Like the AHCA, the BCRA would essentially repeal the ACA’s individual and employer mandates effective after December 31, 2015. Both bills do this by “zeroing-out” the penalties for not having minimum essential coverage (individual mandate) or for not offering adequate minimum essential coverage to full-time employees (employer mandate).

In the absence of an individual mandate, the AHCA and BCRA have different methods of incentivizing individuals to maintain continuous health coverage. Under the AHCA method, insurance carriers would be required to charge a 30% premium surcharge to those who fail to have continuous coverage (i.e., a break in coverage of 63 days or more would trigger the surcharge). The BCRA would require insurance carriers to apply a 6-month blanket coverage waiting period to any individual with a 63-day or more break in continuous coverage during the prior 12 months.

Outside of the effective repeal of the employer mandate, the AHCA’s and BCRA’s impact on group health plans appears to be minimal. However, if either the AHCA’s 30% surcharge or the BCRA’s 6-month waiting period becomes law, it is likely that plan sponsors will be required to provide notices similar to the certificates of creditable coverage required in the pre-ACA era.

2. BCRA Retains ACA’s Subsidy and Tax Credit Program. The Senate appears to have rejected AHCA’s elimination of cost-sharing subsidies and premium tax credits available only for coverage purchased on the Marketplace. The AHCA would have replaced the ACA’s program with an advance tax credit program available to individuals purchasing individual market insurance (not just Marketplace coverage) or enrolled in unsubsidized COBRA coverage. Under the AHCA, the amount of the tax credit would be based on age and would be available only to individuals with income less than $75,000 (individual) or $150,000 (jointly with a spouse).

The BCRA, however, maintains the ACA’s cost-sharing subsidies and premium tax credit program, albeit with some modifications. Under the BCRA, cost-sharing subsidies and premium assistance would be determined based on age, with younger individuals getting more assistance than older individuals, and income. Household income in excess of 350% of the federal poverty line would disqualify an individual from cost-sharing subsidies and premium assistance, in contrast to the ACA’s 400% threshold. Additionally, under the BCRA, the premium tax credit would be based on a benchmark plan that pays 58% of the cost of covered services (in contrast to the ACA’s use of the second-lowest cost silver (70%) plan). This lower value of coverage effectively reduces the amount of premium assistance an individual can get.

3. Employer Reporting Obligations to Continue. Although the individual and employer mandates would be repealed, it is likely that the ACA reporting obligations (Forms 1094-B/C and 1095-B/C) would remain in place, at least in some forms. As noted above, the BCRA retains the ACA’s cost-sharing subsidies and premium assistance, the availability of which is conditioned on an individual not being enrolled in employer-sponsored coverage. Therefore, the IRS would likely still need to obtain coverage information from employers.

4. Cadillac Tax Repealed Subject to Reinstatement. Like the AHCA, the BCRA effectively delays the so-called Cadillac Tax until 2025. The Cadillac Tax was originally slated to be effective in 2018, but it was delayed until 2020 in prior budget legislation.

5. Most ACA-Related Taxes Repealed. The BCRA would also repeal most of the tax reforms established under the ACA. Most relevant to employers and plan sponsors would be the elimination of the contribution limit on health flexible spending accounts (HFSAs), the ability to reimburse over-the-counter costs under HFSAs and health savings accounts (HSAs), the increase in HSA contribution limits, and elimination of the Medicare surcharge applied to high-earners.

6. Popular ACA Reforms Remain. As was the case under the AHCA, the BCRA would keep many popular ACA market reforms and patient protections in place. These include:

• The requirement to cover dependent children until age 26;

• The prohibition on waiting periods in excess of 90 days;

• The requirement for individual and small group plans to cover essential health benefits;

• The prohibition against lifetime or annual dollar limits on essential health benefits;

• The annual cap on out-of-pocket expenditures on essential health benefits;

• Uniform coverage of emergency room services for in-network and out-of-network visits;

• Required first-dollar coverage of preventive health services;

• The prohibition of preexisting condition exclusions;

• Enhanced claims and appeals provisions; and

• Provider nondiscrimination.

7. ERISA Preemption for “Small Business Health Plans.” The BCRA would add a new Part 8 to ERISA for “small business health plans.” Currently, some states have enacted insurance laws that prohibit small employers from risk-pooling their employees in a single, large group insurance plan. New Part 8 of ERISA would preempt these state laws and allow the formation of “small business health plans,” which, generally, are plans sponsored by an association on behalf of its employer members. Small business health plans must meet certain organizational and financial control requirements and apply to the Department of Labor for certification.

8. Employee Tax Exclusion Remains Intact. Like the AHCA, the BCRA does not currently include a limitation on the employee tax exclusion that would result in imputed taxes to employees if the value of health coverage exceeds a certain amount. This absence, however, does not necessarily mean that such a limit will not eventually be imposed. It is possible that Congress will consider limiting tax incentives for both retirement and health and welfare plans when broader tax reform is considered.

9. HFSA/HSA Expansion. As mentioned above, the BCRA includes the same modifications to the HFSA and HSA rules as the AHCA. The BCRA would remove the annual contribution cap on HFSAs. Additionally, HFSAs and HSAs would now be able to reimburse on a non-taxable basis over-the-counter medication without a prescription. The annual contribution limit to HSAs would be equal to the out-of-pocket statutory maximum for high-deductible health plans. Spouses would both be able to make catch-up contributions to the same HSA.

It is still too early to tell whether the BCRA will fare better than the AHCA. In any event, we will continue to monitor legislative efforts and will provide updates as substantive developments occur.

Health Care Reform Legislation Comparison

Shared Responsibility

Employer Mandate
• ACA: Applicable large employers (those with 50 or more full-time employees and equivalents) face penalties if minimum essential coverage not offered to 95% of full-time employees (and dependents) or if coverage is not minimum value or affordable.
• AHCA: No penalties for failing to provide adequate coverage.
• BCRA: No penalties for failing to provide adequate coverage.

Individual Mandate
• ACA: Individuals subject to tax if not enrolled in minimum essential coverage unless exception applies.
• AHCA: No tax for failing to enroll in minimum essential coverage. However, effective for plan years beginning in 2019, a 30% premium surcharge would be charged by insurance carriers to an individual who purchases insurance coverage following a lapse in coverage of 63 days or more.
• BCRA: No tax for failing to enroll in minimum essential coverage. However, individuals who have a lapse in coverage of 63 or more days in the prior 12-month period will be subject to a 6-month coverage waiting period.

Reporting
• ACA: IRC §§ 6055 and 6056 require reporting from issuers of minimum essential coverage and applicable large employers.
• AHCA: No change to ACA reporting requirements under IRC §§ 6055 and 6056. Additional Form W-2 reporting required.
• BCRA: No change to ACA reporting requirements under IRC §§ 6055 and 6056.

Market Reforms

Dependent Coverage
• ACA: If dependent children covered, coverage must continue until age 26.
• AHCA: No change.
• BCRA: No change.

Essential Health Benefits
• ACA: Small group and individual market plans must cover 10 essential health benefit categories, as defined by benchmark plan established by state.
• AHCA: No change, but states can apply for waiver to establish separate definition of essential health benefit.
• BCRA: No change, subject to relaxed waiver rights under ACA § 1332 (State Innovation Waivers).

Annual/Lifetime Dollar Limits
• ACA: No annual or lifetime dollar limits can be applied to essential health benefits.
• AHCA: No change, but states can apply for waiver to establish separate definition of essential health benefit.
• BCRA: No change, subject to relaxed waiver rights under ACA § 1332 (State Innovation Waivers).

Out-of-Pocket Maximums
• ACA: Out-of-pocket maximum applied to essential health benefits.
• AHCA: No change, but states can apply for waiver to establish separate definition of essential health benefit.
• BCRA: No change, subject to relaxed waiver rights under ACA § 1332 (State Innovation Waivers).

Preexisting Condition Exclusions
• ACA: Preexisting condition exclusions prohibited.
• AHCA: No change, but insurance providers must apply a 30% premium surcharge if individual has a gap in coverage of 63 days or more.
• BCRA: No change, but 6-month waiting period applied if individual has a gap in coverage of 63 days or more.

Preventive Care
• ACA: Preventive care covered without cost-sharing.
• AHCA: No change.
• BCRA: No change.

Emergency Coverage
• ACA: Emergency room visit at an out-of-network hospital must be covered at in-network rate.
• AHCA: No change.
• BCRA: No change.

Rescissions
• ACA: Coverage cannot be retroactively terminated except in cases of fraud or misrepresentation or for premium nonpayment.
• AHCA: No change.
• BCRA: No change.

Summaries of Benefits and Coverage
• ACA: Short (8-page) disclosure of plan terms and glossary distributed on an annual basis.
• AHCA: No change.
• BCRA: No change.

Enhanced Claims Procedures
• ACA: Claims procedures now require additional claims procedures and voluntary external review.
• AHCA: No change.
• BCRA: No change.

Provider Nondiscrimination
• ACA: Cannot discriminate against a health care provider acting pursuant to state license.
• AHCA: No change.
• BCRA: No change.

Section 105(h) Nondiscrimination
• ACA: Fully-insured employer-sponsored health plans cannot discriminate in favor of highly compensated individuals (not yet effective).
• AHCA: No change.
• BCRA: No change.

Medical Loss Ratio
• ACA: Individual and small group plans must spend 80% of premium income on claims and quality improvement. Large group insurance plans must spend 85% of premium income on claims and quality improvement.
• AHCA: No change.
• BCRA: Applicable ratio determined by the state (effective for plan years beginning on or after January 1, 2019).

Tax Reforms

Cadillac Tax
• ACA: 40% excise tax applied to cost of group health coverage exceeding threshold (effective January 1, 2020).
• AHCA: Delayed until January 1, 2025.
• BCRA: Repealed effective December 31, 2019, but to be reinstated effective January 1, 2025.

Small Business Tax Credit
• ACA: Tax credit for premiums paid toward group health coverage available to small businesses.
• AHCA: Not available for plans that cover abortion for plan years beginning on or after January 1, 2017; repealed for plan years beginning on or after January 1, 2020.
• BCRA: Same as AHCA.

Health FSA Limit
• ACA: Maximum contribution to health FSA set at $2,500 (subject to annual increases for inflation).
• AHCA: Repealed effective January 1, 2017.
• BCRA: Repealed effective January 1, 2018.

HSA Distribution Penalty
• ACA: Penalty for HSA distributions used for non-qualifying medical expenses increased to 20%.
• AHCA: Repealed effective January 1, 2017. Penalty would go back to 10% for HSAs and 15% for Archer MSAs.
• BCRA: Same as AHCA.

HSA Contribution Limits
• ACA: No change.
• AHCA: Increased to match statutory out-of-pocket maximum for high-deductible health plans (effective January 1, 2018).
• BCRA: Same as AHCA.

FSA/HSA Over-the-Counter
• ACA: Health FSAs and HSAs cannot reimburse over-the-counter products without a prescription (excluding purchase of insulin).
• AHCA: Repealed effective January 1, 2017.
• BCRA: Same as AHCA.

Medical Expense Deduction
• ACA: Itemized deduction under IRC § 223 available for medical expenses in excess of 10% of adjusted gross income.
• AHCA: Repealed effective January 1, 2017. Threshold would return to 7.5% adjusted gross income.
• BCRA: Same as AHCA.

Medicare Surcharge
• ACA: Additional 0.9% hospital insurance (Medicare) tax applied to high-earners.
• AHCA: Repealed effective January 1, 2023.
• BCRA: Same as AHCA.

Medicare Investment Income Tax
• ACA: Medicare tax of 3.8% applied to unearned income.
• AHCA: Repealed effective January 1, 2017.
• BCRA: Same as AHCA.

Health Insurance Tax
• ACA: Tax applied to insurance carriers based on premiums collected.
• AHCA: Repealed effective January 1, 2017.
• BCRA: Repealed effective January 1, 2018.

Health Insurer Compensation Deduction
• ACA: No compensation deduction available to certain health insurance providers for compensation in excess of $500,000 paid to applicable individuals.
• AHCA: Repealed effective January 1, 2017.
• BCRA: Same as AHCA.

Medical Device Tax
• ACA: Excise tax of 2.3% imposed on manufacturers, producers and importers of medical devices.
• AHCA: Repealed effective January 1, 2017.
• BCRA: Repealed effective January 1, 2018.

Branded Prescription Drug Fee
• ACA: Manufacturers and importers of branded prescription drugs are subject to an annual fee.
• AHCA: Repealed effective January 1, 2017.
• BCRA: Repealed effective January 1, 2018.

Retiree Drug Subsidy
• ACA: Amount received under Retiree Drug Subsidy must be taken into consideration when determining prescription drug cost business deduction.
• AHCA: Repealed effective January 1, 2017.
• BCRA: Same as AHCA.

Marketplace

Marketplace Structure
• ACA: Individuals can purchase insurance coverage on risk-pooled Marketplace established by Federal or state government. Individuals purchasing coverage on the Marketplace may be eligible for cost-sharing subsidies and premium assistance. Plans available on Marketplace (“qualified health plans”) must meet certain cost-sharing and actuarial value levels (i.e., gold, silver, bronze plans). Qualified health plans must cover essential health benefits.
• AHCA: Effective January 1, 2020, cost-sharing subsidies and premium assistance are repealed. Additionally, Marketplace plans are no longer required to meet cost-sharing and actuarial value requirements. Limited-scope, or catastrophic plans would be available.
• BCRA: No structural changes from ACA. Marketplaces, including cost-sharing subsidies and premium assistance, remain intact with modifications.

Cost-Sharing Subsidies and Premium Assistance
• ACA: Available to individuals with household income between 100% and 400% of federal poverty line. Age is not a factor in amount of subsidies or assistance available.
• AHCA: For plan years beginning in 2018 and 2019, basic structure remains the same except that age and income are factors in the amount of cost-sharing subsidies and premium assistance that is available. No subsidies or assistance is available for qualified health plans that cover abortion. Cost-sharing subsidies and premium assistance repealed for plan years beginning in 2020. Instead, advance tax credit available based solely on age.
• BCRA: Available to individuals with household income between 100% and 350% of federal poverty line. Age is a factor in amount of subsidies or assistance available.

Premium Rate Setting
• ACA: Small group and individual insurance markets may vary rates based only on certain factors, including individual or family coverage, community rating, age (3:1 ratio) and tobacco use.
• AHCA: Age ratio increases to 5:1 beginning January 1, 2018. States may apply to waive ACA requirements and base premiums on health factors.
• BCRA: Age ratio increases to 5:1 beginning January 1, 2018. State Innovation Waiver Program (ACA § 1332) requirements relaxed, giving states ability to waive many of the ACA’s market reforms.

This post was written by Damian A. Meyers and Steven D. Weinstein of Proskauer Rose LLP.

Key Tax Changes in the American Health Care Act

The American Health Care Act (“AHCA”), passed by the House of Representatives on May 4, 2017, repeals many of the taxes added by the Affordable Care Act (“ACA”) and makes changes to other tax rules. Some of the notable changes proposed to be made to the Internal Revenue Code are:

1. The individual mandate to maintain health insurance and the employer mandate to offer health insurance remain in the Code, but the taxes are “zeroed out” effective retroactively to 2016.

2. The following taxes, fees, credits and limitations are repealed as of the year shown below:

• The net investment income tax (NIIT) (2017)

• The 0.9% additional Medicare tax (2023)

• The small employer health insurance credit (2020)

• The $2500 limitation on contributions to a health flexible spending account (FSA) (2017)

• The annual fee on branded prescription drug sales (2017)

• The medical device excise tax (2017)

• The annual fee on health insurance providers (2017)

• The elimination of a deduction for expenses allocable to the Medicare Part D subsidy (2017)

• The 10% tanning salon tax (June 30, 2017)

3. The “Cadillac” tax on high cost health plans is delayed until 2026.

4. Individuals may be reimbursed for over-the-counter medications under a health savings account (HSA), health FSA or a health reimbursement arrangement (HRA) (2017).

5. The penalty tax on withdrawals from an HSA not used for a qualified medical expense is reduced from 20% to 10% (2017).

6. The bill would replace the current ACA premium tax credit with a new refundable, advanceable tax credit effective January 1, 2020. The credit could be applied toward the cost of any eligible health insurance coverage, whether purchased on or off the Exchange. The credit is age-based as follows:

Age: Annual Credit

• Under 30: $2,000

• 30 – 40: $2,500

• 40 – 50: $3,000

• 50 – 60: $3,500

• 60 and over: $4,000

The maximum credit for a family is $14,000. The credit is adjusted each year by CPI + 1%.

The credit is phased out depending on the individual’s modified adjusted gross income (MAGI) for the year. It begins phasing out for an individual with income of $75,000 ($150,000 for joint filers) by $100 for every $1,000 in income above those thresholds. The MAGI dollar limitations are also indexed for inflation beginning in 2021.

To be eligible to claim the credit, the individual must be covered by “eligible health insurance,” not be eligible for “other specified coverage” (including employer coverage or a government sponsored health program) and be a U.S. citizen or a qualified alien.

7. The bill would make the following changes to health savings accounts, effective in 2018:

• The maximum contribution to an HSA would be increased to the out-of-pocket maximum (in 2017, $6,550 for self-only and $13,100 for family coverage). Under current law, HSA contributions are limited to $3,400 for self-only and $6,750 for family coverage.

• Both spouses could make a “catch-up” contribution to the same HSA. Under current law, each spouse must have his or her own HSA.

• If an HSA is established within 60 days after coverage under a high deductible plan begins, the individual could be reimbursed for medical expenses incurred within that 60-day period. Under current law, an individual cannot be reimbursed for any expense incurred before the HSA is established.

The bill now moves to the Senate where significant changes are expected.

This post was written by Cynthia A. Moore of Dickinson Wright PLLC.

Health Care Task Force Pre-Releases Report on Cybersecurity Days Before Ransomware Attack

Last week, the Health Care Industry Cybersecurity (HCIC) Task Force (the “Task Force”) published a pre-release copy of its report on improving cybersecurity in the health care industry.  The Task Force was established by Congress under the Cybersecurity Act of 2015.  The Task Force is charged with addressing challenges in the health care industry “when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional.”

The Task Force released its report mere days before the first worldwide ransomware attack, commonly referred to as “WannaCry,” which occurred on May 12. The malware is thought to have infected more than 300,000 computers in 150 jurisdictions to date. In the aftermath of the attack, the U.S. Department of Health and Human Services (HHS) sent a series of emails to the health care sector, including a statement that government officials had “received anecdotal notices of medical device ransomware infection.” HHS warned that the health care sector should particularly focus on devices that connect to the Internet, run on Windows XP, or have not been recently patched. As in-house counsel understand, the ransomware attack raises a host of legal issues.

The HCIC report is timely: it calls cybersecurity a “key public health concern that needs immediate and aggressive attention.” The Task Force identifies six high-level imperatives and, for each imperative, offers several recommendations.

The imperatives are as follows:

  1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.

  2. Increase the security and resilience of medical devices and health IT.

  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.

  4. Increase health care industry readiness through improved cybersecurity awareness and education.

  5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.

  6. Improve information sharing of industry threats, weaknesses, and mitigations.

With respect to medical devices (imperative #2), the Task Force specifically advocates for greater transparency regarding third party software components.  The report encourages manufacturers and developers to create a “bill of materials” that describes its components, as well as known risks to those components, to enable health care delivery organizations to move quickly to determine if their medical devices are vulnerable.  Furthermore, the Task Force writes that product vendors should be transparent about their ability to provide IT support during the lifecycle of a medical device product.  The Task Force also recommends that health care organizations ensure that their systems, policies, and processes account for the implementation of available updates and IT support for medical devices, such as providing patches for discovered vulnerabilities.  The report suggests that government and industry “develop incentive recommendations to phase-out legacy and insecure health care technologies.”

The Task Force also encourages medical device manufacturers to implement “security by design,” including by making greater security risk management a priority throughout the product lifecycle, such as through adding greater testing or certification. In addition, the report encourages both developers and users to take actions that improve security access to information stored on devices, such as through multi-factor authentication.  The Task Force recommends that government agencies, such as the U.S. Food and Drug Administration (FDA) and the Office of the National Coordinator for Health Information Technology (ONC) at HHS, consider using existing authorities to “catalyze and reinforce activities and action items” associated with this recommendation.  This includes leveraging existing government guidance and industry standards, like FDA’s premarket and postmarket cybersecurity guidance documents.  Published in 2014 and 2016, these documents recommend that “manufacturers should monitor, identify, and address cybersecurity vulnerabilities and exploits as part of the [secure development lifecycle].”  We have previously discussed these guidance documents here and here.

Finally, the Task Force recommends that the health care industry take a “long-range approach” to considering “viability, effectiveness, security, and maintainability of” medical devices. The Task Force states that each product should have a defined strategy and design that supports cybersecurity during each stage of the product’s lifecycle.  In particular, the Task Force encourages HHS to evaluate existing authorities to conduct cybersecurity surveillance of medical devices.

This post was written by Dena Feldman and Christopher Hanson of Covington & Burling LLP.

The Unknown Future Of The Affordable Care Act


Donald Trump’s victory to become the next president of the United States, and the Republican Party’s continued control of the United States Senate and House, will likely have a significant impact on the future of the Affordable Care Act (ACA). President-elect Trump (Trump) has vowed to immediately dismantle the ACA. To date, Trump has provided only a broad outline of what exactly he plans to replace the law with, such as the following:

  • Eliminating ACA requirements which generally require (1) individuals to maintain health insurance, and (2) employers with more than 50 full time employees to offer affordable major medical plan coverage or run the risk of paying penalties;

  • Eliminating tax subsidies that eligible individuals can use to purchase coverage and/or offset costs under health insurance exchanges;

  • Expanding the use of health savings accounts to pay deductibles, copayments, etc.;

  • Establishing tax breaks to allow taxpayers to deduct premiums they pay for individual health insurance policies;

  • Allowing health insurance across state lines;

  • Allowing states to manage Medicaid funds;

  • Modifying or eliminating the ACA’s “essential health benefits” requirements;

  • Expanding age rating bands (increasing the range of premiums that will be allowed); and

  • “Modernizing” Medicare.

Despite his general opposition to the ACA, Trump has expressed support for ACA rules which prohibit insurers and employer plans from excluding coverage for expenses related to preexisting conditions. However, those prohibitions force insurance companies and employer plans to bear significant costs. The ACA’s employer and individual coverage mandates were intended to make the prohibition on pre-existing condition exclusions more palatable to payers by forcing healthy individuals into the applicable insurance pools. Consequently, it is unclear how Trump would preserve that prohibition yet eliminate the employer and individual mandates.

In addition, the ACA contains hundreds of provisions affecting hospitals, corporations, Medicare, health care quality and integrity, the health care workforce, biosimilars, health care prevention and other issues unrelated to what most people think of as “Obamacare.” To date, Trump appears not to have taken any public position on these provisions.

Copyright © 2016 Godfrey & Kahn S.C.

New Presidency Will Compel Action in Key Areas of Health Care in 2017

As we enter the final stretch of the U.S. presidential election, health care remains one of the most contested issues with great potential for change, particularly to existing insurance and patient care systems. Compounding matters is the opening of enrollment season for exchange plans, which places the already hotly debated Affordable Care Act (ACA) at the forefront of the national health care discussion.

Former U.S. Congressman Dennis Cardoza, co-chair of Foley’s Federal Public Affairs Practice, and Public Affairs Director Jennifer Walsh opined recently about how our next president could symbolically break the congressional logjam on several health care-related fronts and why the industry is poised for more market-driven disruption.

What follows are a few highlights of their conversation.

1. What health policy issues will be most impacted by the next administration?

Cardoza: Since the passage of the ACA, there has been very little legislative activity when it comes to health care, as everything has been done at the administrative level and spread across various departments. During the honeymoon period that follows every newly elected president, we’ll likely see an immediate and significant push around the ACA marketplaces, especially in light of some high-profile defections, decreasing competition and increasing premiums. It doesn’t matter who is in the White House; there are things happening in the market that can’t be ignored.

Walsh: I agree that legislation concerning the exchanges will be the first out of the gate. There is a strong impetus to fix the system, but it may happen initially as part of the reauthorization of the Children’s Health Insurance Program (CHIP) that is set to expire in 2017. CHIP is a bi-partisan issue and no one wants to see it lapse. This must be passed in the first or second-quarter and could grease the skids for other ACA measures that are either attached as amendments or follow in subsequent bills.

On a separate, simultaneous track, drug pricing will continue to be scrutinized. Lawmakers will pick up where they left off leading up to the August recess. It’s now part of the national dialogue and lawmakers will continue to discuss how to address the issue.

2. Will merger activity continue on its current, accelerated pace?

Cardoza: The ACA has forced market consolidation due to everyone’s ability, or rather inability, to compete over costs. We may see other large insurance plans leave the exchanges if the Department of Justice doesn’t approve their respective mergers.

Walsh: Mergers have been an interesting consequence of the ACA, and we’ll see more alignment in this regard. They don’t always generate big news headlines, but smaller acquisitions of technology assets and payments systems are happening all over, so health care organizations can build their portfolios.

3. What are some other noteworthy developments you’re watching closely?

Cardoza: Concluding a long, iterative process, the Centers for Medicare & Medicaid Services will soon be rolling out its new health care payment and service delivery models as part of the transition from fee-for-service. Next year will be a key period as we work toward full-blown implementation of new reimbursement practices that reflect better value and promote quality care for patients.

Walsh: The 21st Century Cures Act, which is Representative Fred Upton’s legacy issue, has received broad bipartisan support and already passed the House. It will allocate more funding to the National Institutes of Health to explore new cures and treatments, and incent innovative approaches to disease management. It should get a fair shake in 2017, if not during the upcoming lame duck session.

4. What should health care executives be thinking about heading into 2017?

Cardoza: Complacency has set in with the Washington gridlock, and many executives with bearish outlooks have accepted the broken system and are merely just controlling costs. However, they need to change their mindset and be more cognizant of what could soon affect their business, as we’re about to enter a transformative year where there will be a lot of moving parts. If they’re not informed and engaged, they’re going to get left behind.

Walsh: The uncertainty surrounding the ACA has certainly caused a lot of angst, and makes planning for businesses extremely difficult. Companies need to channel that energy into advocacy for their organization. Although every system is different, the industry-wide movement toward modernization, value, and quality will affect all parties. While it will be incremental, the change that will be prompted by the election is inevitable.

© 2016 Foley & Lardner LLP

EEOC Alleges Hospital’s Mandatory Flu Vaccine Policy Violates Title VII

As summer temperatures soar, one might think the last thing to worry about is the upcoming flu season. And while that may be true in most respects, the flu is on the minds of the Equal Employment Opportunity Commission (EEOC). A lawsuit filed by the EEOC sheds light on the issue for healthcare employers who impose mandatory flu vaccine requirements on employees as a condition of continued employment.

The EEOC alleges in EEOC v. Mission Hospital, Inc. – a lawsuit that includes class allegations – that Mission Hospital violated Title VII by failing to accommodate employees’ religious beliefs and by terminating employees in connection with the hospital’s mandatory flu vaccination program. In particular, the EEOC took issue with the hospital’s alleged strict enforcement of its deadlines, which required employees to request an exemption by Sept. 1 and, if the exemption request was denied, to obtain the vaccination by Dec. 1.

According to Lynette Barnes, regional attorney for the EEOC’s Charlotte District Office, “An arbitrary deadline does not protect an employer from its obligation to provide a religious accommodation. An employer must consider, at the time it receives a request for a religious accommodation, whether the request can be granted without undue burden.”

The key takeaway here is that, similar to what is required under the Americans with Disabilities Act (when, for example, an employer is analyzing the application of a policy to a particular employee with a disability), employers should consider analyzing their duty to accommodate under Title VII based on the facts and circumstances of the particular case, as opposed to applying an (allegedly) inflexible rule without regard to the circumstances of the particular case. The other takeaway here is that employers should consider basing this kind of employment decision on more than one reason – for example, a missed deadline plus a determination that granting the exemption would (or would not) be an undue burden (and why).

A copy of the EEOC’s lawsuit is found here and a copy of Mission Hospital’s answer is found here.

ARTICLE BY Norma W. Zeitler of Barnes & Thornburg LLP
© 2016 BARNES & THORNBURG LLP

FDA Releases Draft Guidance for Manufacturers on Dissemination of Patient Data from Medical Devices

On June 9, 2016, the US Food and Drug Administration (FDA) published draft guidance outlining considerations for the “appropriate and responsible” dissemination of individualized data from medical devices from device manufacturers to patients.

In the draft guidance, FDA clarifies that medical device manufacturers may share “patient-specific information” from legally marketed medical devices with patients at the patients’ request without additional premarket review by the agency, provided such dissemination falls within the lawful scope for which the manufacturer may market the device. For purposes of the draft guidance, “patient-specific information” is any information that is unique to an individual patient or unique to that patient’s treatment or diagnosis that, consistent with the intended use of the device, may be recorded, stored, processed, retrieved and/or derived from that device. Examples of patient-specific information include recorded patient data, device usage/output statistics, provider inputs, alarms and/or records of device malfunctions. Patient-specific information does not, however, include any interpretation of such data aside from interpretations normally reported by the device to the patient or the patient’s healthcare provider.

When sharing patient-specific information with patients, FDA recommends that manufacturers consider the following factors to ensure that such information is usable by patients and to avoid the disclosure of confusing or unclear information:

  • Content of information provided.  The information provided to patients should be comprehensive and up-to-date, and manufacturers should take measures to ensure that such information is easily understood and useful to the patient. Depending on the type and scope of information being shared, the manufacturer should provide supplementary instructions, materials or references to help patients understand the data. In deciding what measures may be necessary, the manufacturer should be sure to consider whether any characteristics of the intended recipient audience (e.g., mental capacity) may affect the interpretability of the information.

  • Context in which information should be understood.  Manufacturers should provide the information in context to avoid situations where the information may be misinterpreted, leading to invalid or inappropriate conclusions.

  • Necessity of access to follow-up information.  Manufacturers should consider what, if any, information they should include about whom to contact for follow-up information.  At minimum, manufacturers should advise patients to contact their health care providers with any questions about their data. Manufacturers should also consider providing their own contact information to facilitate response to patient questions about the device.

The draft guidance is the latest in a line of documents in which FDA has attempted to clarify its expectations for—and in many cases, allay the concerns of—developers of mobile health products. Though short on specifics, developers should find the guidance helpful insofar as they have questions regarding the extent to which they can disseminate medical device data to patients. Notably, however, the FDA does not address how manufacturers should proceed with respect to the dissemination of many patient-specific analyses, likely because the agency intends to address such issues in its long-awaited guidance on clinical decision support software.

© 2016 McDermott Will & Emery

Health Care Companies Agree to “Core Commitments” to Improve Access to EHR

Last month, the Department of Health and Human Services (HHS) announced that a number of large health care companies and providers had “agreed to implement three core commitments” to improve access to electronic health records (EHR).  HHS touted the commitments as a significant step toward increased EHR interoperability.

The three core commitments to which the health care entities agreed are as follows:

  1. Consumer Access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community.

  2. No Blocking/Transparency: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing).

  3. Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information, and adopt best practices including those related to privacy and security.

HHS highlighted the number and importance of the entities that have agreed to this “Interoperability Pledge.”  According to HHS, the nation’s five largest private health care systems signed the Interoperability Pledge, as well as “[v]endors who provide 90 percent of hospital electronic health records used nationwide.”

Notably, the three commitments in the Pledge are not enforceable.  At most, the Interoperability Pledge represents an agreement by its signatories that access and interoperability are key goals of EHR use.

© 2016 Covington & Burling LLP

Department of Justice Launches Targeted Elder Justice Task Forces

On March 30, the Department of Justice (“DOJ”) announced the formal launch of 10 regional Elder Justice Task Forces designed to identify nursing homes and other long-term care (“LTC”) facilities that provide “grossly substandard care” to residents.

Similar to DOJ’s previously launched Medicare Fraud Strike Force and Health Care Fraud Prevention & Enforcement Action Team (“HEAT”) initiative, the newly created Elder Justice Task Forces will focus on coordination and information sharing among federal, state and local enforcement agencies to combat suspected cases of physical abuse and financial fraud. Each task force will consist of representatives from the U.S. Attorneys’ Offices, state Medicaid Fraud Control Units, state and local prosecutors’ offices, the Department of Health and Human Services, state Adult Protective Services agencies, Long-Term Care Ombudsman programs and other law enforcement officials.

Part of the larger DOJ Elder Justice Initiative, the task forces will have a national footprint with locations in the following districts: Northern District of California, Northern District of Georgia, District of Kansas, Western District of Kentucky, Northern District of Iowa, District of Maryland, Southern District of Ohio, Eastern District of Pennsylvania, Middle District of Tennessee and the Western District of Washington.

The new Elder Justice Task Forces signal heightened interest and attention on the LTC industry, a move that comes on the heels of last summer’s Centers for Medicare and Medicaid Services’ proposed rule to overhaul requirements for participation by LTC facilities in federal health care programs.

© 2016 BARNES & THORNBURG LLP

OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements

On Monday, the HHS Office for Civil Rights (OCR) launched phase two of its much-anticipated audit program for covered entities and business associates. The announcement comes in the wake of OCR’s issuance of two major settlements—totaling more than $5 million—which highlighted the critical importance of managing the security basics, such as the business associate agreement (BAA) and the organization-wide risk analysis. These developments are summarized below, with practical tips that can help organizations mitigate related risks.

Summary

2016 Audit Program Begins

In announcing the 2016 audit program launch, OCR confirmed it will contact organizations by email to verify contact information and complete a pre-audit questionnaire. Organizations selected for audit will be subject to either a desk audit, an onsite audit or potentially both. Organizations will have a short period to produce requested documents, typically 10 business days, so it is important to have HIPAA privacy and security policies, security risk assessments, breach notification documentation, BAAs, and other HIPAA documentation up-to-date and readily available. While there is a detailed audit protocol from the phase one OCR audits, that protocol has not been updated for the final rules implementing the HITECH Act. OCR has committed to issuing an updated audit protocol closer to the date the audits will be conducted, which will set forth the criteria that auditors will review. Importantly, the phase two audits will extend to business associates. Although the risk of being selected for an audit is low, organizations would be well advised to review the existing and, when available, new audit protocols, conduct a compliance gap assessment and take corrective actions as needed, as part of overall HIPAA compliance efforts. While OCR states that the audits are primarily a compliance improvement activity, enforcement may follow where a serious issue is identified.

The North Memorial Settlement – The Importance of Business Associate Agreements

In the first of two recent settlements, North Memorial Health System, a nonprofit organization, will pay $1.55 million and enter into a two-year corrective action plan to settle charges that it violated HIPAA by failing to have a written BAA with a key contractor. OCR’s investigation followed the 2011 theft of an unencrypted laptop from a contractor’s workforce member’s vehicle. The settlement notes that the laptop contained protected health information (PHI) of approximately 9,497 North Memorial patients. For its part, the contractor separately settled HIPAA violations for $2.5 million, and entered into a related 20-year FTC consent order relating to its security procedures.[1] OCR also alleged that North Memorial failed to conduct an organization-wide risk analysis that covered all of its IT infrastructure.

OCR’s investigation indicated that North Memorial failed to execute a BAA with the contractor as required by HIPAA Privacy and Security Rules. OCR asserted that North Memorial gave the contractor access to its hospital database, which stored the electronic PHI of 289,904 patients, as well as access to non-electronic PHI as it performed services on-site at North Memorial.[2] In total, OCR’s investigation found that, from March 21, 2011, to October 14, 2011, North Memorial impermissibly disclosed the PHI of at least 289,904 individuals to the contractor without obtaining a proper BAA.[3] The investigation further indicated that North Memorial failed to complete a comprehensive risk analysis to identify all potential risks and vulnerabilities to the electronic PHI (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure, as required by the HIPAA Security Rule.[4] In settling the matter, North Memorial did not concede liability.

In addition to the $1.55 million payment, North Memorial agreed to a two-year corrective action plan (CAP) that requires it to develop policies and procedures related to business associate relationships and to conduct an organization-wide risk analysis and risk management plan, as required under the HIPAA Security Rule.[5] The CAP also requires North Memorial to train appropriate workforce members on all policies and procedures newly developed or revised pursuant to the CAP.[6]

OCR has previously (and repeatedly) emphasized the importance of having an organization-wide, thorough analysis, which it reinforces here with North Memorial. In addition, this settlement highlights the importance that OCR attaches to having BAAs where required, which OCR describes as another “cornerstone” of effective security.[7] Further, the settlement illustrates that, when a breach occurs with a business associate, the impacted covered entity should expect OCR to request a copy of the underlying BAA. Where that BAA cannot be found, the covered entity and business associates should expect potential enforcement.

FIMR Settlement: Basic Compliance Required of All Covered Entities (and Business Associates)

In the second settlement, Feinstein Institute for Medical Research (FIMR), a nonprofit research institute, will pay $3.9 million and enter into a three-year corrective action plan to settle charges that it violated HIPAA, following a breach in which an employee’s unencrypted laptop containing patient information of 13,000 individuals was stolen. OCR’s investigation determined that FIMR’s security management process was limited, that it had failed to conduct a thorough risk analysis, and that it lacked sufficient policies and procedures. In its press release, OCR emphasized that it expects research institutions that are covered entities to comply with the same standards as other covered entities.

OCR’s investigation of FIMR stemmed from a self-reported breach after an employee’s unencrypted laptop was stolen. Based on the resolution agreement, OCR’s investigation appears to have identified widespread non-compliance. For example, OCR alleged that FIMR: (1) failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to all of the ePHI held by FIMR, including the ePHI on the employee’s laptop; (2) failed to implement policies and procedures for granting access to ePHI by its workforce members and restricting access by unauthorized users; (3) failed to implement physical safeguards for the laptop; (4) failed to implement policies and procedures that govern receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility; and (5) failed to encrypt ePHI on the laptop or, alternatively, document why encryption was not reasonable and appropriate and implement an equivalent safeguard.

As part of an extensive three-year CAP, FIMR must conduct an organization-wide risk analysis and develop a corresponding risk management plan, develop a process for evaluating environmental or operational changes to the security of ePHI, revise its policies and procedures for privacy and security, and provide extensive training and reporting.

Tips to Mitigate Risks

Covered entities and business associates can enhance HIPAA compliance, and reduce audit risk, by taking a number of practical steps outlined below.

Business Associate Risks:

  1. train workforce (at onboarding and at least annually thereafter) to recognize situations where a BAA (or subcontractor BAA) is required and understand how to activate the organization’s process for securing one;

  2. conduct periodic audits of existing outside service relationships to ensure that all necessary BAAs (or subcontractor BAAs) are, in fact, in place;

  3. periodically audit BAAs (and subcontractor BAAs) on file to ensure they are fully compliant (including as to the final HITECH rule content requirements), in full force and effect, and readily retrievable; and

  4. retain records of training and audits conducted for at least six years.

This also is an excellent time for covered entities and business associates to re-examine the effectiveness of their processes for conducting initial diligence and periodic audits of the security compliance of their key business associates and subcontractors.

Risk Analysis:

While not a new point, it remains critical for covered entities and business associates to conduct and document the requisite security risk analysis on a regular basis, and take prompt corrective action to manage identified risks. It is particularly important to ensure that the risk analysis covers all ePHI maintained, accessed or transmitted across the organization’s entire IT infrastructure, including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. This can be a challenge—particularly in light of the pace of developments and acquisitions/consolidations in the health care industry—but is essential. Organizations should develop a complete inventory of all electronic equipment, data systems, and applications controlled, administered or owned by the organization and its workforce that contain or store ePHI, including personally owned devices. Organizations should make sure their process includes equipment purchased outside of standard procurement processes.

Audit Preparation Tips:

  1. Confirm that all required HIPAA privacy and security policies and procedures are implemented and up-to-date;

  2. Make sure a thorough, organization-wide security risk analysis as described above has recently been conducted, and that resulting corrective actions have been taken;

  3. Confirm that BAAs are fully up-to-date and accessible, and follow the steps above to further reduce business associate risks;

  4. Use the audit protocols to conduct a gap assessment;

  5. Be prepared to provide documentation showing that breach notices have been provided as required by HIPAA; and

  6. Covered entities should ensure their notices of privacy practices are up-to-date and provided as required.

Other Basics:

  1. Encryption: Encryption of laptops, thumb drives and other mobile devices remains a critical risk mitigation strategy. HIPAA does not require encryption of ePHI in all cases “per se”; however, it does require organizations to specifically address, as part of their required risk analysis, whether encryption is a reasonable and appropriate safeguard (and if so, it requires organizations to encrypt; if not, it requires organizations to document why encryption is not reasonable and appropriate, and adopt an alternative safeguard). However, encryption per the HHS guidance provides a “safe harbor” from breach notification under HIPAA and generally obviates the need to make state law data breach notifications as well, in the event of loss of encrypted data. Further, because encryption will, in fact, be “reasonable and appropriate” in many cases, often it is effectively required.

  2. Training: The scope and frequency of training also should be regularly reviewed to ensure training covers key aspects of privacy and security policies. In addition, training should address current and emerging threats and risk areas. For example, in light of the significant role of phishing attacks and malware in cyber-breaches, training should include employee awareness of how to identify and respond to these types of attacks.


[1] The related 2012 settlement by business associate Accretive Health with the Minnesota attorney general for violations of the HIPAA rules and state law was widely touted within the industry as the first HIPAA enforcement action against a business associate. See Settlement Agreement, Release, and Order, 12-cv-00145, ECF No. 90 (July 30, 2012). Because the breach occurred prior to the issuance of final rules implementing the HITECH Act’s extension of direct liability for HIPAA violations to business associates, OCR—the primary federal HIPAA enforcement agency—had indicated it would not enforce the HITECH Act changes against business associates until issuance of the final rules. However, this did not prevent the Minnesota attorney general from proceeding to enforce HIPAA, using newly expanded enforcement authority granted to state attorneys general under the HITECH Act. Accretive Health also entered into a related, 20-year consent order with the FTC, pursuant to which no fine or penalty was paid but in which Accretive Health agreed to establish and maintain a comprehensive information security program, and to periodic evaluations of that program. See Press Release, FTC approves final consent order settling charges that Accretive Health failed to adequately protect consumers’ personal information (Feb. 24, 2014).

[2] See North Memorial Resolution Agreement and Corrective Action Plan, I.2.A, (Mar. 16, 2016).

[3] See id. at I.2.B.

[4] See id. at I.2.C.

[5] See id. at I.V.A-C.

[6] See id. at I.V.D.

[7] See Press Release, $1.55 million settlement underscores the importance of executing HIPAA business associate agreements (Mar. 16, 2016).