Ruane v. Levy: Both Sides of the Bar Meet in Health Care Fraud and Abuse Class

[Ed note: This article was authored by John Barry '13, a second year law student pursuing a Health Care Concentration at Seton Hall Law.  A native of New York, he graduated in 2005 from the University of Pennsylvania with a degree is psychology.]

Recently, Professor Zack Buck’s Health Care Fraud and Abuse class was treated to a spirited panel on the current state of health care fraud, prosecution and defense.  The panel, meeting again this year to allow students an opportunity to hear details about actual practice from both sides of the bar, was moderated by Chris Zalesky, the Vice President of Global Policy & Guidance for Johnson & Johnson in the Office of Health Care Compliance & Privacy.  Zalesky has more than 20 years of experience in regulatory affairs, quality assurance and research and development functions within the medical device and pharmaceutical industries. He has also taught as an Adjunct here at Seton Hall Law.

The panel included Maureen Ruane, Assistant U.S. Attorney and Chief of the Health Care & Government Fraud Unit for the United States Attorney’s Office, District of New Jersey, and Bruce Levy, an attorney with the firm of Gibbons, P.C.  Ruane served as Assistant United States Attorney from 1998 to 2004, and returned to the office in 2010 after working as a partner in the law firm of Lowenstein Sandler.  Levy, also formerly an Assistant U.S. Attorney, currently focuses his practice at Gibbons on criminal, civil, and administrative cases arising from federal and state health care fraud investigations, health care compliance, The False Claims Act and qui tam cases, corporate investigations, and white collar criminal law.

Touching on a wide variety of topics, Ruane explained that the “sea of health care fraud is so deep” that it affects all aspects of the American health care system, from hospitals to physicians to pharmacies and all other health care providers.  Many of the fraud prosecutions that flow through Ruane’s office come in the form of qui tam actions under the False Claims Act.  Coming from a Latin phrase meaning “[he] who sues in this matter for the king as [well as] for himself,” a qui tam action is a unique fixture of the False Claims Act that allows private citizens to act as whistleblowers and sue health care corporations for perpetrating fraud on the government.  The whistleblower, or “relator,” stands to gain a percentage of the civil damages awarded against the corporations.

Having seen countless relators over her time with the government, Ruane was in a rather unique position to speak about the underlying motivations behind the people who sue on behalf of “king and self.”  Contrary to common thinking, Ruane explained that whistleblowers generally did not act out of greed or a desire to hurt the company.  In fact, she felt the opposite:  most relators were actually intensely loyal to their companies and had usually tried to voice their concerns multiple times in-house before bringing a complaint to the attention of government prosecutors.

Working as defense counsel, Levy voiced the concerns of private industry, in particular about the lack of guidance in the current law.  He stressed that many pharmaceutical companies, hospitals, physicians and health care providers feel as if they are trying to act within the bounds of the law when in reality those boundaries are more blurry than clear.  As an example, Levy talked about how he felt the need for clearer guidance on pharmaceutical marketing of “off-label” medications.   When the Food and Drug Administration approves a medication for use in the U.S. health care market, the drug is approved for a specific use or indication.  However, clinical studies often show beneficial uses for medications for additional aliments, and it is legal for physicians to prescribe the drugs for these other uses.  In addition, Medicare and many private insurers will pay for use of a medication for different indications than what the FDA approved, in effect, subsidizing “off-label” use. There are thus competing federal agency views on medications, with the FDA only approving the drug for a particular use, but the Center for Medicare Services alternatively approving use of the drug for other, off-label uses.  Problems arise because there are complex, and Levy felt unclear, regulations as to how pharmaceutical companies may represent or market the drug for off-label use.  Levy explained that he felt new legislation was required to give clear guidance to the industry.

Both Ruane and Levy, approaching the bar from different perspectives,  engaged in lively conversation and took questions from the audience, giving students numerous real-world examples of the theories and topics they learn about in class.  As might be imagined, bringing with them contrasting prosecution and defense-side perspectives, the two often approached the same issues from opposing viewpoints, providing a unique experience for the class.  However, the one thing they both agreed on was that with rising health care costs directly on the government’s radar, aggressive prosecution of health care fraud will not slow down any time in the future.

HIPAA Administrative Simplification: Enforcement

By Laura Sunyak

In February of 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act contains regulations that significantly increase the penalty amounts the Secretary of the Department of Health and Human Services (HHS) may impose for violations of rules promulgated under the Health Information Portability and Accountability Act (HIPAA), and encourages corrective action.  In order to incorporate the increased penalty structure into HIPAA, HHS has recently issued an interim final rule designed to strengthen its enforcement power and incorporate the new penalty structure of the HITECH Act into HIPAA.

Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision.  A covered entity could also bar the imposition of a civil monetary penalty by simply showing that it did not know that it violated a HIPAA rule.  As a result, enforcement of HIPAA rules has been weak, bordering on nonexistent.  The number of covered entities that were in full compliance with the law was always very low, simply because HHS did not have a sufficient enforcement mechanism in place to deter violations.  If covered entities did change their behavior to become compliant, it was out of a desire to follow the law, not due to fear of prosecution or administrative action.

Before ARRA was signed into law, although there were HIPAA audits that took place, they were few and far between.  Covered entities complained that the requirements were not clear, and so hesitated to attempt to comply. With the enactment of ARRA and the HITECT Act, and the adoption of the interim rule, HIPAA covered entities will have no choice but to take notice and comply, or face much harsher penalties.  The implementation of these acts also transfers authority for enforcement of HIPAA’s security rules from the Centers for Medicare and Medicaid to the Office of Civil Rights which, with 275 investigators and an annual budget of $40 million, is in a better position to bring enforcement actions and recover penalties.  The penalties collected for violations will in turn be used to fund greater enforcement efforts. The interim rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act’s amendments to section 1176 of the Social Security Act, which became effective February 18, 2009. This interim final rule’s amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities.

The interim final rule, effective as of November 30, 2009, modifies the penalties for HIPAA violations occurring after February 18, 2009.  (For an explanation of the meaning of “interim final rule,” click here.  According to this rule, the penalty for unknown violations, where the covered entity did not know of the violation, and would not have known by exercising reasonable diligence, is now between $100 and $50,000.  For violations involving reasonable cause, such as circumstances that would make it unreasonable to comply with HIPAA despite extraordinary care, the penalty is now between $1,000 and $50,000. For violations involving willful neglect, or a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, the penalties are further broken down into whether or not the covered entity corrects the violation.  If the violation is corrected within 30 days, the penalty is now between $10,000 and $50,000.  If the penalty is not timely corrected, each violation will be fined $50,000.  The rule also puts into place an annual cap of $1.5 million on all violations of an identical provision.

According to Georgina Verdugo, the director of OCR, the implementation of these tougher enforcement provisions strengthens HIPAA protections and rights related to protected health information, and should encourage covered entities, including health care providers and health plans, to “ensure that their compliance programs are designed to prevent, detect, and quickly correct violations of the HIPAA rules.… such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”

The enactment of these tougher enforcement penalties create additional incentives to make sure that covered entities have HIPAA compliance programs in place, which should include training employees to be compliant and ensuring that they are aware of how important it is to report potential violations so that they can be corrected in a timely manner.

When taking into account the lack of enforcement that had occurred prior to the recent HIPAA amendments, the new provisions seem to be a necessary step in enforcing the law and preventing the misuse of protected health information.  With more resources available to track down HIPAA violations, and steeper penalties exacted against entities that violate HIPPA, the new rule is a step in the right direction toward greater protection of protected information.  With the rampant rise of identity theft in this electronic age, consumers can never be too careful in ensuring that information stays in the right hands.

As HHS, acknowledges, this Interim Final Rule is only the first of several steps being taken to implement the HITECH Act’s tougher enforcement provisions.  The remaining provisions, which are not yet effective, will be addressed in the near future.

High Risk Pools: Then and Now

By Christine Davis

For medically uninsurable people, or people with pre-existing conditions who cannot find coverage, coverage may soon materialize.   Even before President Obama signed the PPACA, CMS had provided “Qualified High Risk Pool” grants to qualifying states, in order to cover these higher risk people since 2007.  (45 CFR Part 148)  Thirty-five states participated.  Before health care reform passed in 2010, states could qualify for operational or seed grants, which they could use to cover eligible individuals.  (Federal Register, v 73, no 81).  PPACA authorizes the development of  a temporary national high risk pool, which will operate similar to what is happening now with the state grants and will function as a temporary fix until the insurances exchanges kick in after 2014 and insurance companies are mandated to cover all individuals with pre-existing conditions. This is a unique part of the new bill because it seems to be something both Republicans and Democrats can agree on.    Previously, the majority of these state high risk pools had lifetime maximum payouts, usually around $1 million, (three states had lifetime maximums of $500,000). Once these individuals reached that amount, they had no other way to be insured. (http://www.federalgrantswire.com/seed-grants-to-states-for-qualified-highrisk-pools.html).

The goal of the national risk pool is to transition the uninsurable until health care exchanges are established in 2014.  Once that happens, there will no longer be lifetime or annual limitations on coverage.  The idea here is that an individual will never reach a point where there is absolutely nowhere else to go for coverage.

By 2014, eligible individuals will be people “who have not had creditable coverage for the previous six months and now have a pre-existing condition.”   As of now, most state pools require those seeking coverage to (a) submit proof that they have been denied coverage due to a pre-existing condition, or (b) show that they have applied recently for coverage and were a victim of “adverse underwriting actions,” such as limiting benefits or charging extraordinary premiums (for example, diabetics). (Coverage: Creating a Temporary National High Risk Pool: the New Health Dialogue Jan 12, 2010). One concern of these eligibility requirements is that they might discriminate against those who only recently lost coverage, because they are making every individual prove they have not had coverage in the past.

An advantage to a national high risk pool as opposed to a state high risk pool is that it will be more balanced and less costly, because the premiums charged won’t be as high.  Although, if annual or lifetime limits aren’t capped once these exchanges kick in, these costs could skyrocket. However, a downside is that in some states, these high risk pools have limited eligibility and low enrollment, and for example, monthly premiums costing an individual well over $1,000/month.  However, the news is not all bleak. States like Minnesota have been doing it right all along, even with broad eligibility, by finding additional streams of revenue, such as tobacco settlement funds, with which to support the pool.  In order to  be successful, the national pool, should model itself after successful states like Minnesota.

Patient Safety and Quality Improvement: Civil Money Penalty Inflation Adjustment

By: Constantina Koulosousas

The Patient Safety and Quality Improvement Rule was amended, effective November 23, 2009, by the Department of Health and Human Services to adjust the maximum civil money penalty amount for violations of the confidentiality provisions. The amount was adjusted for inflation to comply with the Federal Civil Penalties Inflation Adjustment Act of 1990. This amendment was carried out through direct final rule making, as HHS expected no significant adverse comments to the rule.

The Patient Safety and Quality Improvement Act of 2005 created a voluntary program for health care providers to share what is known as “patient safety work product” (PSWP), or any information relating to patient safety events and concerns with each other and Patient Safety Organizations (PSOs). The Department of Health and Human Services is required to maintain a listing of all PSOs.

The Act amended Title IX of the Public Health Service Act for the purpose of improving patient safety and quality of care. As with attorney work product, this information is privileged and confidential. While the program may be voluntary, a knowing or reckless violation of the confidentiality requirements of the Act can result in a civil money penalty of up to $10,000 for each violation, as assessed by the Office for Civil Rights.

The deterrence effect of the civil money penalties had been reduced by inflation. This caused Congress to enact the Inflation Adjustment Act. This Act requires Federal agencies to issue regulations adjusting each civil money penalty found within the Public Health Service Act within their jurisdiction, for inflation. The agencies are required to issue these regulations at least once every four years from July 29, 2005, the date of its enactment. The inflation amount is adjusted through a three-step process.

First, the agency must calculate an increase in the penalty amount by a “cost-of-living adjustment.” “Cost-of-living adjustment” is defined in the act as the percentage for each civil monetary penalty by which the Consumer Price Index for the month of June of the calendar year preceding the adjustment, exceeds the Consumer Price Index for the month of June of the calendar year in which the amount of such civil money penalty was last set or adjusted pursuant to law.

Second, the amount of increase must be rounded based on the size of the penalty as set forth in section 5(a) of the Act. Since the penalty in this case is $10,000, the increase is $1,000, making the final maximum penalty amount $11,000. Finally, the third step requires that a first adjustment be limited to 10 percent of the penalty amount. Accordingly, an $11,000 adjusted penalty is appropriate.

One great benefit of the Act is to make sure that the penalties assessed for such violations provide adequate deterrence to potential violators. This is done by periodically increasing the violation amount to account for inflation over time. Especially now in the wake of the massive health care reform and improvements in the use of Electronic Health Records, it is important to ensure patients that their personal health information remains confidential and that a breach of this confidentiality requirement will result in steep monetary penalties.

On the contrary, many may argue that the increase in the penalty amount is not adequate. Since the Act imposes a 10% cap in addition to a standard chart for calculating the inflation, it may not always be completely in sync with the current economic environment. Further, these penalty amounts are only updated every four years, which leaves a significant gap in time.

Additionally, the slight increase in money penalties assessed will not do much to comfort patients that their health information is protected and confidential. Once the information gets out, there is no amount of money assessed as a violation that can remedy the breach and the damage which may have already been done. Further, to many of the entities involved in such violations, a $10,000 penalty may seem like an insignificant slap on the wrist.

The Act only punishes a “knowing or reckless” violation of the confidentiality provisions, so breaches that occur unintentionally will not subject physicians or PSOs to liability. This mental state requirement is especially important as electronic health record software gets ironed-out, to get rid of any technical issues or glitches that may arise in the course of implementing such a national electronic system.

Conversely, the “knowing or reckless” standard may pose some difficulties enforcing liability under the Act, as it may not always be easy to prove that the confidentiality breach was done with such a state of mind, or even where the disclosure came from.

Surety Bond Requirements for Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS)

By Rachel Jones

The final rule implementing surety bond requirements for DMEPOS became effective March 3, 2009.  The regulation implemented the surety bond requirements for DMEPOS set forth in section 4312(a) and (c) of the Balanced Budget Act of 1997 (BBA).  The Centers for Medicare & Medicaid Services (CMS) proposed a rule on January 20, 1998 (63 FR 2926) reflecting the BBA’s surety bond requirements and solicited comments.  Comments were solicited for advisability with respect to Section 4312(c) of the BBA, which further allowed CMS to require a surety bond from some or all providers or suppliers who furnish items or services under Medicare Part A or Part B and not solely Durable and Medical Equipment (DME) suppliers.  A substantial amount of comments were received and in the final published rule on October 11, 2000 (65 FR 60366), CMS decided to delay the final rule with respect to surety bond requirements for suppliers of DMEPOS in order to further study the issue.  However, in 2003 Congress enacted section 902 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (Pub. L. 108-173) (MMA) which prohibits the Secretary of Department of Health and Human Services from finalizing a proposed rule related to Title 18 that was published more than 3 years earlier except under exceptional circumstances.  In response to this CMS proposed a rule on August 1, 2007 (72 FR 42001) to implement the statutory surety bond requirements set forth in the BBA.  CMS received approximately 200 comments that were considered before they published the final rule on January 2, 2009. (FR 30802)

Surety bonds are a financial guarantee whereby a first party (obligee) contracts with a second party (principal) to perform duties in a contract that will benefit a third party (surety).  The first party guarantees that the second party will fulfill its obligation(s) under the contract and in the event that the obligations are not met, the first party will recover its losses via the bond.  CMS has imposed the rule in order to deter fraud and abuse by Medicare suppliers of DMEPOS.  CMS believes a surety bond requirement will (1) limit the Medicare program risk to fraudulent DMEPOS suppliers; (2) enhance the Medicare enrollment process to help ensure that only legitimate DMEPOS suppliers are enrolled or are allowed to remain enrolled in the Medicare program; (3) ensure that the Medicare program recoups erroneous payments that result from fraudulent or abusive billing practices by allowing CMS or its designated contractor to seek payments from a surety up to the penal sum; and (4) help ensure that Medicare beneficiaries receive products and services that are considered reasonable and necessary from legitimate DMEPOS suppliers.  CMS has also instituted other measures– including requiring accreditation for DMEPOS suppliers to deter fraud.

Who is affected by the surety bond requirements?

The regulation affects many healthcare providers; generally any DMEPOS supplier that is registered with the National Supplier Clearinghouse (NSC) may be subjected to the surety bond requirement.  Every DMEPOS supplier to Medicare patients must register with the NSC.  There are several exempt DMEPOS suppliers under the regulation:

I.      Government-owned suppliers,

II.       State-licensed orthotic and prosthetic personnel in private practice making custom made orthotics and prosthetics if the business is solely-owned and operated by said personnel and is billing only for orthotic and prosthetics, and supplies,

III.      Physicians and non-physician practitioners if the DMEPOS items are furnished only to his or her patients as part of his or her professional service, and

IV.      Physical and occupational therapists if: (1) the business is solely-owned and operated by the therapist, and (2) if the DMEPOS items are furnished only to his or her patients as part of his or her professional service.

The economic impact on non-exempt healthcare providers is significant since the regulation requires a minimum of $50,000 surety bond.  This bond amount is required for each National Provider Identifier (NPI).  Since DMPEOS suppliers must obtain an NPI by practice location, this amount can become quite significant for a supplier with multiple locations.  The estimated cost to DMPEOS suppliers is approximately $1200 per $50,000 surety bond, depending on the company’s financial stability.  The regulation also permits an additional $50,000 surety bond for high risk DMPEOS.  For example, if a DMPEOS supplier has an adverse legal action within the last ten years preceding enrollment, revalidation, or re-enrollment then an additional $50,000 surety bond is required per adverse legal action.  An adverse legal action includes: Medicare imposed revocation of any Medicare billing number, suspension of a license to provide health care by any State licensing authority, revocation or suspension of accreditation, a conviction of a Federal or State felony offense or an exclusion or debarment from participation in a Federal or State health care program.

CMS believes that the surety bond will deter fraudulent activity because a fraudulent DMEPOS supplier will not likely post a surety bond.   However, it is more likely the basis for this new requirement is to more easily allow CMS to recoup lost funds due to fraudulent activities.  In addition, the bond requirement allows CMS to track and reprimand those DMEPOS suppliers that have continuously violated the law and stayed in the Medicare

Medicaid Programs: State Flexibility for Medicaid Benefit Packages

By Ryan S. McCrosson

This post seeks to further an understanding of 42 CFR 440 (“The Rule”), State Flexibility for Medicaid Benefit Packages.  Specifically, it will provide (1) an overview of what rulemaking is about, (2) the best argument in support of 42 CFR 440, (3) the best argument against 42 CFR 440, (4) and the blogger’s position on the rule.

The Rule implements provisions of § 6044 of the Deficit Reduction Act of 2005 (“DRA”), which amends the Social Security Act (“SSA”) by adding § 1937 to the definition of coverage of medical assistance under approved State plans.  Generally, The Rule provides states with increased flexibility under an approved Medicaid plan to define the scope of covered medical assistance.  Medicaid is a federally and state financed program by which medical assistance is furnished to families with dependent children and individuals who are aged, blind or disabled.  State eligibility and federal funding is contingent upon federal approval of the state’s plan.  Prior to the passage of the DRA, states were required to offer the standard minimum benefits packaged as it is defined by § 1902(a)(10)(A) of the SSA.

However, § 6044 of the DRA provides states flexibility with regard to the standard minimum benefits package.  § 6044 of the DRA adds § 1937 to the SSA.  § 1937 provides states with the option of amending their Medicaid plans to provide “Benchmark Benefit” packages or “Benchmark-Equivalent” packages instead of the standard minimum benefits package.  The following link provides the Center for Medicare and Medicaid Services’ description of, and requirements for, Benchmark and Benchmark Equivalent Benefits packages:

http://www.cms.gov/DeficitReductionAct/Downloads/Flexibility.pdf.

A Benchmark Package is defined by § 440.330 of The Rule and generally must be equivalent to either of a Federal Employees Health Benefit Plan Equivalent Coverage, a State Employee Coverage, a Health Maintenance Organization plan or other coverage approved by the Secretary of Health and Human Services.  Specifically, § 440.330 provides:

“Benchmark coverage is health benefits coverage that is equal to the coverage under one or more of the following benefit plans:

(a) Federal Employees Health Benefit Plan Equivalent Coverage (FEHBP – Equivalent Health Insurance Coverage).  A benefit plan equivalent to the standard Blue Cross/Blue Shield preferred provider option service benefit plan that is described in and offered to Federal employees under 5 U.S.C. 8903(1).

(b) State employee coverage.  Health benefit coverage that is offered and generally available to state employees in the State.

(c) Health maintenance organization (HMO) plan.  A health insurance plan that is offered through an HMO, (as defined in section 2791(b)(3) of the Public Health Service Act) that has the largest insured commercial, non-Medicaid enrollment in the state.

(d) Secretary-approved coverage.  Any other health benefits coverage that the Secretary determines, upon application by a State, provides appropriate coverage to meet the needs of the population provided [in] that coverage….”

A Benchmark-Equivalent Package is defined by § 440.335 and generally requires benefits within each of the following categories of basic services: inpatient and outpatient hospital service, physicians’ surgical and medical services, laboratory and x-ray services, “well-baby” and “well-child” care including age-appropriate immunizations and other appropriate preventive services, as defined by the Secretary.  The coverage must have a value that is at least equivalent to coverage under a Benchmark Package as outlined in § 440.330.  Specifically, § 440.335 provides:

“(a) Aggregate actuarial value.  Benchmark-equivalent coverage is health benefits coverage that has an aggregate actuarial value, as determined under § 44.340, that is at least actuarially equivalent to the coverage under one of the benchmark benefit packages described in § 440.330 for the identified Medicaid population to which it will be offered.

(b) Required coverage.  Benchmark-equivalent health benefits coverage must include coverage for the following categories of services”

(1) Inpatient and outpatient hospital services.

(2) Physicians’ surgical and medical services.

(3) Laboratory and x-ray services.

(4) Well-baby and well-child care, including age-appropriate immunizations.

(5) Emergency services

(6) Family planning services and supplies and other appropriate preventive services, as designated by the Secretary.”

Arguments against the rule include worries that the Benchmark or Benchmark-Equivalent Benefit packages are overly restrictive in their allowance for benefits, and therefore, will deter needy individuals from receiving appropriate care.  Specifically, the low-income populations are argued to be at risk.  Cutting against these arguments is the fact that The Rule is only an option for the state.  Therefore a state is not required to switch the standard benefit package with a Benchmark Package or a Benchmark-Equivalent Package.  Furthermore, the General Accountability Office’s assessment of The Rule has projected a $2.3 billion cost savings from 2006-2010, and, as such, arguments in favor of the rule are founded in cost savings.  The GAO’s assessment may be accessed at:

http://www.gao.gov/decisions/majrule/d09259r.htm

Developments since enactment include numerous state application for, and approval of, alternative benefits under the DRA.  These states Include West Virginia, Kentucky, Virginia, Idaho, Washington, Wisconsin, Kansas and Missouri.  These plans require either mandatory or voluntary enrollment and target specific subpopulations.  Wisconsin’s Badgercare Plus Benchmark Benefit Plan, for instance, requires enrollment for pregnant women and infants with incomes between 200% and 250% of the federal poverty level.  But, as with many of the plans, provides additional services to this specific subpopulation.  As such, it may be concluded that, at least in part, the documented cases of states switching to Benchmark plans derive from a desire to increase health care services for specific, at risk, subpopulations of the specific state as opposed to a general desire to cut costs.  The CMS’s assessment of these plans may be accessed at:

http://www.cms.gov/MedicaidGenInfo/Downloads/070609benchmarkreport1937.pdf

Because this rule maximizes state flexibility to target specific subpopulations of the needy, assures that beneficiaries get quality care and reduces the federal budget deficit, it would seem that the benefits of The Rule outweigh the possibility of diminished care.

CMS Regulations: In the Best Interest of Patient Care or the Industry?

By James Hlavenka

Suppose you are an uninsured individual who has been severely injured in a car accident.  After the accident, you are rushed to a hospital with a dedicated emergency room, subject to the requirements of the Emergency Medical Treatment and Active Labor Act of 1986 (“EMTALA”).  Upon being screened, the hospital learns that you need further, immediate treatment to be stabilized.  After admitting you as an inpatient for further stabilization purposes, the hospital discovers that you have severed a critical nerve in your spine.  The hospital is incapable of stabilizing your emergency medical condition and appropriately attempts to transfer you to an available specialty hospital two towns over that specializes in nerve repair.  Under EMTALA and the 2003 Centers for Medicare and Medicaid Services (“CMS”) regulations, there was no direct answer addressing whether the specialty hospital was required to accept your transfer from the original hospital and stabilize your emergency medical condition.

In 2008, CMS proposed rule 73 FR 23669 containing significant policy changes relating to the requirements of EMTALA to address the obligations of specialty hospitals.  Under the proposed 2008 CMS rule, the answer would have been clear: assuming the specialty hospital was subject to EMTALA, it must accept your transfer.  The proposed rule would have clarified the interaction of EMTALA’s transfer provisions with the 2003 CMS regulations that hold EMTALA obligations cease when an individual is admitted into a hospital as an inpatient.  The proposed 2008 CMS rule ensured that EMTALA’s primary purpose of patient stabilization under its transfer provisions would not be contravened by the 2003 CMS regulations.  After solicitation of comments on the proposed 2008 rule, however, CMS ultimately declined to adopt this critical policy clarification in its 2009 Final Rule, CMS-1390-F.

Background

In general, EMTALA imposes specific obligations on certain Medicare-participating hospitals to both screen and stabilize individuals who visit those hospitals’ emergency departments.  For a comprehensive, attorney-prepared EMTALA FAQ page, please click here. After a hospital screens an individual and determines that the individual has an emergency medical condition, it is obligated to provide that individual with necessary stabilizing treatment or provide an appropriate transfer to another medical facility that can achieve stabilization.

EMTALA’s transfer provisions are contained within the “specialized care” requirements of Section 1395dd(g).  Section 1395dd(g) requires a receiving hospital with specialized capabilities to accept a request to transfer an individual with an unstable emergency medical condition as long as the hospital has the capacity to treat that individual and regardless of whether the individual had been an inpatient at the admitting hospital.  These provisions would seem to answer the above hypothetical without the need for any further clarification.  In 2003, however, CMS muddied the answer with a new Final Rule.

In 2003, CMS published Final Rule 68 FR 53263 regarding the applicability of EMTALA requirements to inpatients.  The 2003 CMS rule amended section 489.24(d)(2)(i) of CMS regulations to state that a hospital’s obligations under EMTALA cease when the hospital admits an individual with an unstable emergency condition as an inpatient, so long as the admission is in good faith.  CMS reasserted that EMTALA was not intended to be a federal malpractice statute and that after admission inpatients are protected by State malpractice laws and Medicare Conditions of Participation (“CoPs”).  The 2003 CMS rule was entirely silent, however, as to how EMTALA’s specialized care requirements would continue to apply to inpatients, if EMTALA obligations cease upon admission.

As a result, in 2008, CMS proposed a rule amending Section 489.24(f) of the CMS regulations.  The amendment added a provision requiring a receiving hospital with “specialized capabilities or facilities” to accept an unstabilized inpatient with an emergency medical condition from an admitting hospital, thereby continuing the specialty hospital’s obligation under Section 1395dd(g) of EMTALA.  Thus, when the 2008 proposed CMS rule was analyzed in conjunction with the 2003 Final Rule, EMTALA obligations would not end for all hospitals once an individual is admitted as an inpatient.  Rather, EMTALA obligations would cease only at the hospital where the individual is first admitted as an inpatient.  EMTALA’s transfer provisions would continue to apply, however, to all other participating hospitals with higher levels of care, should an inpatient need to be transferred for stabilization of the original emergency medical condition.

2009 CMS Final Rule 1390-F

Upon review of solicited comments, CMS ultimately decided not to adopt the 2008 proposed rule clarifications in its 2009 Final Rule regarding transfer and inpatient care requirements under EMTALA.  Instead, in the 2009 Final Rule, CMS stated that under EMTALA individuals can only be appropriately transferred to another hospital for specialized stabilizing care where two requirements are met: (1) The individual must have an emergency medical condition that requires specialized stabilizing treatment not available at the hospital where the individual is first screened, and (2) The individual has not already been admitted as an inpatient.

Understandably, commenters disagreed about the possible effects of the proposed 2008 CMS rule.  Both opponents and proponents ultimately offered patient-centered rationales for their  policy perspectives.  When read in conjunction with EMTALA as a whole, however, those in favor of the proposed 2008 rule seem to have stayed most true to EMTALA’s original intent–to provide emergency care to all individuals who are determined to have an emergency medical condition.  The commenters’ statements below can be found within the final rule, here.

Opponents of the proposed 2008 CMS rule

The majority of the concerns raised by the dissenting commenters, which ultimately swayed CMS not to adopt the proposed 2008 rule, can be placed into three categories, each to be discussed in turn:

(1) Patient Dumping

Commenters highlighted the danger of patient dumping at hospitals with specialized facilities.  Of particular concern to one commenter was that a hospital, acting in bad faith, could choose to transfer only “medically complex patients requiring extensive lengths of stay, patients who are uninsured, and patients who have been subject to a medical error” and unresolved medical conditions.  Also of concern was that such transfers would be made as a “convenience measure and not a necessity.”  These particularly strong arguments were not overlooked by CMS when proposing the 2008 rule.  It is true that hospitals can act in bad faith, however such actions would violate both EMTALA and the CMS regulations.  Commenters also emphasized that allowing transfer of inpatients may allow hospitals to transfer unstable individuals before using all available resources in an attempt to stabilize the individual.  Again, while entirely possible, this argument is based in an assumption of bad faith, which in itself is a violation of EMTALA and medical ethics.

(2) Patient Care

Commenters expressed concern about how the proposed rule would affect patient health and safety.  Specifically, commenters were concerned that patients’ physical and psychological health could deteriorate as a result of the potential increase in inappropriate and unnecessary transfers mentioned above.  Commenters noted that referring hospitals may transfer patients who deteriorate following admission, thereby risking the life of the patient.  These arguments must raise concern, as any increase in danger to an individual already suffering an emergency medical condition is unwarranted.  These arguments do not seem overly persuasive, however, when read in conjunction with the safety measures already in place under EMTALA to ensure that transfers only occur when the benefit outweighs the risk to an individual.

(3) Futility

Commenters also asserted that the proposed 2008 rule was largely unnecessary for various reasons.  First, it was stated that it is unlikely that a hospital would knowingly admit an individual with an unstabilized emergency medical condition if the hospital did not have the capability to stabilize the individual.  This argument is not particularly strong.  While it is likely that a hospital would not knowingly do so, in daily practice errors can easily occur.  Therefore, there is no harm to ensuring that if such a mistake does occur, it will not adversely affect the suffering individual.  Along the same lines, a commenter stated that “all hospitals which have emergency departments are capable of evaluating an individual who presents to the emergency department and if the hospital does not have the capability to appropriately care for the individual, the hospital should transfer, rather than admit the individual.”  For the same reasons stated above, while a hospital may have the capability to do so, that does not mean that the hospital will make a correct decision every time.

Proponents of the proposed 2008 CMS rule

Commenters in favor of the proposed 2008 CMS rule focused upon the stabilization and safety of individuals suffering from emergency medical conditions.  Overall, commenters in favor of the proposed 2008 rule stated that the policy clarifications were in the best interests of patient care and should be implemented.  A particularly strong argument by one commenter was that inpatient admission status should be irrelevant in determining whether the individual has an emergency medical condition and whether the admitting hospital has the capability to provide the necessary care. The commenter noted that such requirements are “the only operative criteria to whether the transfer is justified under EMTALA” and as a result, EMTALA and CMS regulations must be read in harmony to achieve such a result.  The commenter stressed that EMTALA was enacted because “Congress recognized that patients needing transfers were being denied access to higher levels of care.”  This argument is very strong.  By failing to adopt the proposed 2008 rule clarifications, the will of Congress was hindered in part.

Of particular concern to other commenters were individuals who suffer emergency medical conditions in rural areas.  Such commenters stated that the proposed rule was “especially important for individuals living in rural areas because those individuals are routinely denied transfer to a regional facility for definitive care based on the conclusion that the individuals are already at a ‘hospital.’”  Given that much of our country is comprised of rural areas, such concerns should not have been minimized.  Last, a proponent addressed the concern of inappropriate transfers by suggesting that the clarified process could be adequately monitored for abuse and bad faith.  This suggestion is sound, as such monitoring is already required under the 2003 Final Rule regarding admission into hospitals to end EMTALA requirements.

Did CMS Get it Right?

CMS should have adopted the proposed 2008 rule.  Although finalizing the proposed 2008 rule may have resulted in an increase in inappropriate transfers to hospitals with specialized capabilities, arguments based on an assumption of bad faith should not outweigh the legitimate concerns voiced by many commenters.  Hypothetical risks of inappropriate transfers are always a possibility.  Regardless of whether an individual is admitted as an inpatient, both the admitting/transferring hospital and receiving hospital must comply with the stringent transfer requirements under EMTALA, namely, the requirements contained within 42 USC § 1395dd(c)(1), (2).  These provisions require a treating physician to certify that the medical benefits of the transfer to another medical facility will outweigh the increased risks to the individual.  Further, the receiving hospital must have both available space and qualified personnel for the treatment of the individual, and must have agreed to accept transfer of the individual and to provide the appropriate medical treatment.

As a result of these safeguards, the argument that individuals could suffer greater physical and psychological harm as a result of inappropriate transfers under the proposed rule equally falls flat.  If both hospitals follow the strict transfer requirements already contained within EMTALA, the risk of patient harm should be no greater or less than already present. Contrary to what CMS and industry commenters have stated, CMS has arguably increased the potential for individual physical and psychological harm by failing to adopt the proposed 2008 rule.

The primary concern of physicians within emergency departments should be focused on patient care, and not whether admitting that patient for crucial stabilizing treatment may extinguish the individual’s right under EMTALA to be transferred to an appropriate hospital.  Surely it is not always possible to give a thorough examination and attempt to stabilize a patient in the emergency room setting and thus, a hospital’s attempt to stabilize a patient through admission (even if ultimately futile because the hospital lacks the ability to do so) should not detrimentally extinguish the ability to appropriately transfer that individual under EMTALA.  As the rule currently stands, once a hospital decides to admit a patient for stabilization purposes, it automatically extinguishes its right to transfer that inpatient.  This right is extinguished even if the hospital later learns it is incapable of stabilizing a potentially life threatening emergency medical condition.

Commenters argue that a hospital should know whether or not it has the capacity to stabilize an individual prior to admission.  Theory, however, does not always equal practice.  In the fast paced, hectic setting of emergency rooms across the country, such accurate assessments may not always be possible for obvious reasons.  CMS was wrong to render this crucial transfer provision of EMTALA inoperable simply because of the technicality of inpatient admission.  Patient care and stabilization must be the focal point of this statute, and not a bright line test of patient admission and hospital liability.  CMS should reconsider harmonizing EMTALA’s original transfer provisions with its 2003 Final Rule regarding EMTALA requirements after inpatient admission.

Breach Notification for Unsecured Protected Health Information

By: Michael R. Spaltro

Gordon Moore, Intel co-founder, famously predicted that the speed of technology will double about every two years. Between 1981 and 1991, “computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000.” That was just the beginning. Intel has kept that pace for nearly 40 years, now introducing the world’s first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records (“EHR”) that contain personally identifiable health information (“PHI”) is one area of particular concern.

Health care providers, health care plans, health care clearinghouses, and their business associates across the country are currently using EHRs as an efficient method to locally store patient records.[1] EHRs may contain patient treatment history, social and demographic data, and a multitude of other personal health information (“PHI”).[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore’s Law, the function of EHRs will expand to “assume a key roll in medical diagnosis and treatment management.”[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. Personally identifiable health information, such as the data contained across local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.

Transmitting EHRs between an originating entity and the entity/infrastructure involved in research, development, and storage of EHRs, creates an increased potential for internal and external breach. Moreover, as EHRs become populated in local and remote institutions across the country, the incidence of breach ostensibly increases. In the event of breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to computer hackers, such as social security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could potentially use health information in a less nefarious way that nonetheless breaches individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?

The Health Insurance Portability and Accountability Act (“HIPAA”) shores up unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require an entity such as a health plan, health care provider, business associate, or a health care clearinghouse, to safeguard all protected health information. Civil and criminal penalties are enforced against entities that fail to comply. The FDA’s qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by 2017.[7] Therefore, the entire electronic network of EHRs will be covered by the Privacy Rule and the Security Rule. Within covered entities, protected health information is to be stored with any security measure that allows an entity to reasonably and appropriately implement all safeguard requirements. The Security Rule approves that a covered entity may use firewalls and other access controls (such as passwords) to safeguard PHI in its electronic form. Without this intangible structure protecting EHRs, unauthorized parties could easily access PHI and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The HIPAA Security Rule therefore assures that a covered entity is reasonably protecting an individual’s privacy by safeguarding personal health information.

Firewalls and other reasonable access controls are not impermeable. Earlier this year, an ultra sophisticated hack attack on Google penetrated the multi-billion dollar corporation, causing it to later withdraw from China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the attack. The extent of information exposed is still not fully understood. Thus, breaches occur even if reasonable and appropriate safeguards are required. The access controls required by HIPAA in the Security Rule are not sufficient to protect a vast network of interoperable EHRs. Further data encryption and/or secure data destruction will eventually be required to protect individual privacy.

Pursuant to the Privacy section of the HITECH Act, Title XIII Division A, Subtitle D, the Department of Health and Human Services (“HHS”) was required to promulgate breach notification for unsecured protected health information rules and regulations (“Breach Rule”). HHS issued a final rule, effective September 23, 2009, requiring all entities and business associates covered under HIPAA to provide notification in the cases of breaches of unsecured protected health information. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.

The provisions in Section 13402 of the HITECH Act are consistent with HIPAA definitions of a “covered entity” and “protected health information.” The Act defines breach as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of that information. In other words, if a firewall or reasonably appropriate access control is breached — a covered entity must report that breach to all of the individuals affected. Importantly, notification of breach is only required for unsecured personal health information. If a covered entity is in the practice of encrypting and/or destroying PHI in accordance with the National Institute of Standards and Technology (NIST), then that entity does not have to report a breach of their firewalls or access controls. It is only necessary to provide notice if “unsecured protected health information that is not secured through the use of technology or methodology specified…” is breached. The rationale is obvious. If a covered entity encrypts PHI in accordance with NIST standards, then the data is unusable in the event of a breach, and notification would be superfluous.

Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages cover entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST published standards recommend a “one pass” method of data deletion for most applications.[8] When electronic data is deleted, it is only removed from the file system. The “image” of the data physically remains on the hard drive of the device. Software and hardware methods of recovering deleted data are available to the public. Therefore, “deleted” PHI data could be recovered by an unauthorized entity in the event of a breach. The NIST recommends that one data overwrite be performed on the deleted data, as to render it unrecoverable. Depending on the method used and size of the database, data deletion can take up to an hour.

Second, and perhaps less straight forward, the NIST recommends data encryption using one the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software/hardware throughout a covered entity is immense. Furthermore, encrypting millions of EMRs will tax computer processors and networks, and will additionally hamper interoperability. When data is encrypted it losses all functionality, and therefore must be decrypted by the authorized end-user before each use. It would be additionally problematic to transfer encrypted data throughout an electronic network, like that contemplated by the FDA, unless all systems were equip to recognize and decrypt the data. Thus, under either of the encryption methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not be mean secure data. The end-user authorized to access encrypted data will likely decrypt it during the course of a work day. Therefore, so-called encrypted PHI would be exposed to the same daily risks as unsecured PHI. Consequently, the nature of data encryption may not even provide the security and privacy that the Breach Rule contemplates.

While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption is prohibitive. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, covered entities have put reasonable systems in place to detect breaches, as required by the Breach Rule. The Breach Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, and thus covered entities had respective systems in place to detect and report breaches.

Reporting breaches under the Breach Rule still requires some capital expenditure. In some cases, notification to popular media outlets and the Secretary is required. This notification could potentially detract business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach. It is unclear how this may or may not benefit a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.

Privacy concerns should positively correlate with the volume of online EMRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA’s seminal network by July 2012. The sensitive and valuable nature of robust EHR databases will likely attract the attention of unauthorized parties around the world, and should therefore warrant a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient. The concerns that bar covered entities from adopting data encryption may be lifted. While absolute data security is not likely attainable under any standard, software operating systems that integrate on-the-fly encryption would be ideal and foolproof. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EMRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.

---

[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech 103.

[2] Id. at

[3] Id. at

[4] Food and Drug Administration Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).

[5] See, Hoffman, surpa note 1, at 113.

[6] 21 U.S.C. 355(k)(3). A qualified contract is similar to a business associate. The FDA contracts with entities that are deemed “qualified” within the meaning of the Act.

[7] See, HITECH, Pub. L. No. 111-5 Section 13401 and 13404.

[8] Special Publication 800-88, available at http://csrc.nist.gov.

[9] Special Publication 800-111, available at http://csrc.nist.gov.

[10] See, Hoffman, surpa note 1, at 104.

Autism: Pork Roast & Dayenu

[Ed. Note: Today's post is from Jennifer Simon, M.A. Ms. Simon is the former Coordinator of Academic Programs for Student Athletes, New Mexico State University and a reader of Health Reform Watch.]

Dayenu.

There is a call and response performed on Passover. Each thing the Lord did for the Jews in the long story of Exodus is recited in turn. After each one, we say, “Dayenu!” “It is enough!” We praise what we have been given. Sometimes the word is also used casually and ironically to mean, “Enough, already!”

Autism rates have skyrocketed in the last few decades; the curve is steep. Some experts believe the numbers reflect nothing more than heightened awareness. Other experts, along with puzzled doctors, worried governments, horrified teachers and anguished parents, are casting about for causes and cures. Nobody has any answers, although theories abound. I have my own theories, but all I can know with any certainty is reduced to my own experience with my son.

Autism is not merely a disability; it is another world. What we sense and how we think forms our understanding and expectations of ourselves, others and our surroundings. People with autism who are verbal describe fundamentally different, often overwhelming sensations and ways of thinking; our behavior is as much a puzzle to them as theirs is to us.

All the experts agree that early intervention is crucial. They admit that in most cases our children will still be autistic, but they will be higher-functioning. That means they will be less atypical; they will conform more closely to common expectations, which is the path to independence. We do not want them to have to depend on the kindness of strangers. For his own sake, and at whatever cost to his own truths, I am instructed to round the corners of my son’s mind to make him fit in an uncomprehending world.

My first exposure to the world of autism came in the form of a news feature on television. This must have been almost twenty years ago, back when I was married to a man who didn’t want children. As I watched, I consoled myself with the thought that at least I would be spared the fate of these parents, who could not communicate with their children through touch or word.

Many years, one divorce, another marriage, and two children later, my son was diagnosed with severe autism. It turns out that I can communicate with him, and he with me, through touch and word. He is my cuddly, affectionate boy, nothing like the children I saw on television. Except that he makes some of the same sounds and moves. Except that he, too, lives in his own little world.

He doesn’t talk like other five-year-olds, except for some of the autistic ones. He doesn’t sleep like other five-year-olds, except for some of the autistic ones. He makes beautiful murals in ketchup on the kitchen floor at three in the morning when I inadvertently doze off in the chair. I sleep in snatches, a few hours here, a few hours there, always interrupted. All my dreams are unfinished.

An old family friend told me that when he first joined the department where my father taught, my parents invited him for dinner. He’d known very few Jews, but he had enough general knowledge to be surprised when my mother brought a pork roast to the table. His expression must have revealed his confusion. He said she glanced at him, smiled blithely, and said, “You may find we do things a bit differently here, and we love it!” I cling to the notion, bred in my bones, that difference is lovable.

My son is so arrestingly beautiful that people sometimes stare. At story hour in the library, the woman in charge was enchanted with him, ignoring the other toddlers as she tried to engage his wide, deep-brown gaze. His eyes met hers briefly in a shy smile and then slid away to an abstracted distance, even when she called him by name.

He slithered off his chair as she read, lying sprawled on his back, looking up at the dazzle of fluorescent lighting and then at the little girl next to him. He gently stroked her hand. She grinned at him but had business elsewhere, animal pictures to identify and projects to complete. My son wandered off, making his funny little noises, repeating expressive but incomprehensible phrases and humming, pressing his cheeks to the shelves to sight along their lines.

I watched the other parents’ interested admiration and friendly we’re-all-in-this-together nods turn uncertain. Their glances slidaway, almost autistically avoidant. Some obsessively attended to their children. A few, unconsciously defensive, interposed their bodies between my child and theirs as we searched for a seat at the activity table. I tried to smile blithely.

My son had a pleasant outing, knowing nothing of the sensations he had created. We went home to play and soak in the sun. It took hours of light and distraction to wash away the taste of bile in my mouth. He climbed in my lap, and we invented yet more silly games involving lots of kisses and giggles. He is so very different and so very lovable and so happy in his world.

My friends like to play at contracting marriages between their children. It’s great fun, a harmless fantastical way of praising one another and showing love, but I’m silent when the conversation takes that turn. I applaud as they proudly recount their children’s displays of developmental genius, all the accomplishments of early childhood reinforcing their expectations for college educations and brilliant careers, but I also wince internally. I don’t know what to expect.

I never feared the future before; it seemed wide-open. Now I cannot see round the corners where walls of fatigue and worry meet. Undistracted by distant visions, I am learning to see where I am, to be here now instead of taking the here-and-now as a path to somewhere else. My son’s beauty and kisses and giggles, his artlessness and his art, and the strange world he shares with me are present blessings.

It must be enough. It is enough. Dayenu.

State Long-Term Care Partnership Programs

By Brian Seguin

Long-term care refers to end of life care where a person can no longer take care of themselves. These people require either the assistance of a trained professional, such as a home health aide, to help them care for themselves in their home, or they need to be housed in a nursing home and cared for there. Since Medicare does not cover long-term care, people who require it need to either pay for it themselves, or if they have almost no savings and get a low enough monthly income that they qualify, they can apply for Medicaid which does cover it. If someone pays for it themselves and winds up spending all of their savings and still needs care, they can then apply for Medicaid to cover it if their monthly income is under the threshold set by their state in order to qualify for the program.

In the early 1980′s, states began to worry that as the baby boomer generation got closer to retirement age and might start requiring long-term care, it could cause increases in their Medicaid expenditures and thus budget deficits. One possible solution forwarded for this impending problem, and eventually implemented by four states in 1993, was the idea of state long-term care partnership programs. Under these programs states would incentivize their citizens to purchase private health insurance to cover at least part of the long-term care they may eventually require and thus spare Medicaid from covering some of the costs. Insurance companies who participated in the programs had to meet certain regulations of what type of care was provided and had to report certain data back to the states so they could effectively monitor the impact the programs were having.

Proponents hoped these plans would cause people to buy their own long-term care insurance coverage and hopefully never need to turn to Medicaid to pay for it. They also hoped this would stop the perceived threat of people transferring their assets (savings) to family members early in order to appear qualified for Medicaid. Of the four original states, California and Connecticut incentivized their citizens by allowing them to disregard assets they had above the threshold allowed to qualify for Medicaid in the amount that the partnership plan had paid towards their long-term care. In other words if a person purchased a partnership plan and it paid out $200,000 towards their long-term care, that person would still qualify for Medicaid even if they had up to $200,000 in assets over the amount usually allowed to qualify. This was called the “dollar for dollar approach.” New York required citizens to purchase more comprehensive plans that had higher lifetime benefits, and if they did they could disregard all of their assets in determining if they qualified for Medicaid, known as the “total assets approach.” Indiana allowed a “dollar for dollar” disregard if the person purchased a plan covering less than four years of care and a “total asset” disregard if they purchased a plan covering more than four years.

Opponents of this idea worried that these public partnerships would inappropriately promote private plans with limited values, and that they could lead to increases in Medicaid expenditures by allowing wealthier people who would purchase private long-term care plans anyway keep their assets and now have access to Medicaid that they wouldn’t have otherwise had. As a result of these fears part of the Omnibus Budget Reconciliation Act of 1993 (OBRA) required any state that started a partnership program after 1993 to recover any disregarded assets of a deceased Medicaid recipient from their estate. Although this Federal law did not apply to the four states already operating partnership programs and did not ban other states from starting their own programs, it effectively eliminated any other states from trying to start their own programs by removing the incentives for citizens to join. This is because although a person could keep some of their assets while still alive, and still qualify for Medicaid, the state would now have to take those assets from their estate. So there was no longer any incentive for a person to purchase a partnership plan which they may never need, and thus shift some of the potential costs of long-term care on private insurers rather than Medicaid.

The Federal government finally decided to give long-term care partnership programs another chance in 2005 with the passage of the Deficit Reduction Act (DRA). Parts of that bill removed the estate recovery requirement of OBRA and allowed states (other than the original four who have continued their programs and are again not subject to this bill) to start their own partnership programs provided they use the “dollar for dollar” approach. Insurance companies participating in these new programs will have to be certified by the state, using new federal guidelines, and will have specific data reporting requirements. The “dollar for dollar” approach is mandated to avoid the grant of Medicaid benefits to those who do not need or deserve them. This approach only allows beneficiaries to keep the amount of assets they would have presumably spent for long-term care themselves and then qualified for Medicaid anyway, had their partnership plans not paid that amount. The federal government has finalized its rule of what data needs to be submitted by partnership insurers after consulting with the National Association of Insurance Companies, insurance companies who issue long-term care plans, the four original states with programs, and consumers who purchase long-term care plans. The data collected is meant to cost insurers as little as possible while still allowing the federal government to accurately track the effectiveness of these programs. While no states or private insurers are required to participate in these partnership programs, as of August 2008, 13 states (in addition to the original four) are now offering partnership plans and 12 more are in the process of implementing them.

Comment on Medicare Advantage and Prescription Drug Benefit Programs: Final Marketing Provisions (Parts III & IV)

[Ed. Note: This post is a continuation of a post we published the other day regarding "modifications and additions to initial marketing regulations implementing The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 ("MMA"), which "established the Medicare Prescription Drug Benefit Program (Part D) and made revisions to [] provisions” of the Medicare Advantage Program.” The initial post, detailing the modifications, can be found here.]

By Michael Rabasca

PART III

The strongest argument against these final regulations is that they prevent eligible enrollees “from learning about their full range of healthcare options” and, thus, unduly hinder the market for Part C and Part D plans. (Federal Register, Volume 73, No. 182 at p. 54214). In order for consumers to make informed healthcare decisions, they need to have ready access to information. Marketing is all about the strategic distribution of information, and placing restrictions on plan marketing activities limits the information available to potential enrollees. Thus, regulating the marketing activities of Part C and Part D plans could lead to consumer ignorance and severely limit the choices of Medicare eligible individuals.

These new rules significantly hinder the ability of potential Part C and Part D plan participants to both obtain plan information and enroll in plans. Many individuals who are eligible for Medicare are hospitalized or living in nursing homes where healthcare is delivered. Under these rules, Part C and Part D plans would be unable to make marketing presentations, distribute enrollments applications, or collect completed applications from these individuals. Unfortunately, these potential enrollees are often the people who would benefit the most from enrolling in these plans and these regulations severely limit their ability to do so.

PART IV

I think that government oversight of Part C and Part D plans’ marketing activities provides vital protection to the individuals who are eligible to participate in these plans. I feel that Medicare participants are particularly vulnerable to questionable marketing practices, and these final regulations provide important modifications and additions and to CMS’s marketing regulatory scheme. Nevertheless, I am not convinced that these rules do enough to deter Part C and Part D plans from engaging in impermissible marketing activities. Although CMS may impose civil monetary penalties or marketing/ enrollment sanctions on plans that violate its marketing regulations, these penalties are merely discretionary. I agree with one commenter who suggested that CMS should mandate civil monetary penalties for plans that violate the marketing rules in order to ensure that violators are punished. (Federal Register, Volume 73, No. 182 at p. 54211). Additionally, I feel that CMS should provide some sort of financial incentive for both individuals and competing plans who report marketing violations in order to increase the likelihood that violations are discovered and reported. These additional enforcement tools would help to ensure that the new final marketing regulations serve their purpose by effectively protecting individuals who are eligible to participate in Part C and Part D plans from inappropriate marketing tactics.

Comment on Medicare Advantage and Prescription Drug Benefit Programs: Final Marketing Provisions (Parts I & II)

By Michael Rabasca

Part I

These rules represent modifications and additions to initial marketing regulations implementing The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (“MMA”), which “established the Medicare Prescription Drug Benefit Program (Part D) and made revisions to [] provisions” of the Medicare Advantage Program (Part C). (Federal Register, Volume 73, No. 182 at p. 54208). The Centers for Medicare and Medicaid Services’ (“CMS”) enacted these final regulations pursuant to §§ 1851(h) and 1860D-1(b)(1)(B)(vi) of the Social Security Act, which empower the CMS to “implement standards consistent with ‘fair marketing.’” (Federal Register, Volume 73, No. 182 at p. 54210).

The most significant aspect of these final regulations is the new restrictions they place on Part C and Part D plans’ marketing activities. Specifically, these rules prohibit the following:

(1) unsolicited direct contact with potential enrollees, including telemarketing (42 C.F.R. §§ 422.2268(d), 423.2268(d));

(2) selling non-healthcare related products during a plan marketing event or presentation (42 C.F.R. §§ 422.2268(f), 423.2268(f));

(3) conducting marketing presentations or distributing and/or collecting enrollment applications “in provider offices or other areas where healthcare is delivered to individuals, except . . . where such activities are conducted in common areas in healthcare settings” (42 C.F.R. §§ 422.2268(k), 423.2268(k));

(4) conducting marketing presentations or distributing and/or collecting enrollment applications at “educational events”  (42 C.F.R. §§ 422.2268(l), 423.2268(l)); and

(5) offering meals to potential plan enrollees at marketing events (42 C.F.R. §§ 422.2268(p), 423.2268(p)).

These regulations also implement new rules regarding CMS’s procedure for reviewing Part C and Part D plan marketing materials. Generally, Part C and Part D plans must submit all marketing materials to CMS at least forty-five days before distribution. (42 C.F.R. §§ 422.2262(a), 423.2262(a)). However, the regulations provide for an abbreviated “file and use” procedure, under which CMS deems certain materials approved five days after submission. (Federal Register, Volume 73, No. 182 at p. 5410). Previously, Part C plans could use the “file and use” procedure to obtain approval of marketing materials if: 1) the plan had a record of continued exemplary performance in CMS reviews of its marketing materials; or 2) the plan certified that the marketing materials in question did not contain “substantive content” or, alternatively, only used “model language already reviewed and approved by CMS.” (Federal Register, Volume 73, No. 182 at p. 54210).  Part D plans, on the other hand, could only obtain “file and use” approval through plan certification. (Federal Register, Volume 73, No. 182 at p. 54210). However, these final regulations “eliminate file and use status based on an organization’s track record” for Part C plans, and implement “a uniform policy of applying the file an use policy to marketing materials that either use model language without substantive modification, or materials identified by CMS as not containing substantive content warranting CMS review” for both Part C and Part D plans. (Federal Register, Volume 73, No. 182 at p. 54210-54211).

Additionally, these final regulations implement licensure requirements for plan marketing representatives. Specifically, the rules require Part C and Part D plans to exclusively use State licensed marketing representatives to conduct direct marketing activities targeted at potential plan enrollees. (42 C.F.R. §§ 422.2272(c), 423.2272(c)). Plans must also notify states that they are using licensed representatives in a manner that is “consistent with the appointment process provided for under State law.” (42 C.F.R. §§ 422.2272(c), 423.2272(c)).

Finally, these rules mandate that Part C and Part D plans make certain disclosures to plan participants. Under these final regualtions, plans must now disclose the information specified in §§ 422.111(b) and 423.128(b) to all plan participants both “[a]t the time of enrollment and at least annually thereafter, 15 days before the annual coordinated election period.” (42 C.F.R. §§ 422.111(a)(3), 423.128(a)(3)).

PART II

The best argument in support of these final regulations is that they provide necessary consumer protections. Generally, individuals age sixty-five and older, and people with disabilities are eligible for Medicare programs. This group of potential enrollees is particularly vulnerable to dubious marketing tactics. Allowing insurers to market their Part C and Part D plans unchecked could be harmful potential participants. Indeed, permitting plans to distribute information and solicit enrollment applications at any place and in any manner they chose has the potential to confuse potential enrollees and, in some cases, could result in plans coercing individuals into participating. Thus, a free market philosophy as to plan marketing practices is inappropriate in the Part C and Part D setting, and strict regulation is required.

These new rules protect consumers by: 1) prohibiting certain problematic marketing activities; and 2) limiting the places where plans may conduct marketing activities. Indeed, prohibiting Part C and Part D plans from offering meals or selling non-healthcare related products to potential participants prevents hurried “enrollments without personal attention to the appropriateness of the plan.” (Federal Register, Volume 73, No. 182 at p. 54215). Additionally, prohibiting plans from conducting marketing activities and soliciting enrollments at educational events and anywhere healthcare is delivered prevents plans from targeting individuals for enrollment when they are vulnerable to suggestion, and avoids the appearance that individual providers and facilities recommend or support specific plans.

Recent Developments in the Implementation of the Patient Safety and Quality Improvement Act of 2005

By Jeanine Juillet

In 2000 the Institute of Medicine (IOM) published a report entitled “To Err is Human: Building a Safer Health System.” The report estimated that as many as 98,000 people die in America each year due to medical errors.  In order to combat this problem, the IOM recommended that providers should voluntarily report errors and the results should be evaluated to discover weaknesses in the health care delivery system in the United States.

Congress responded to this appeal for reform by passing the Patient Safety and Quality Improvement Act of 2005.  The Act calls for voluntary and confidential self-reporting by health care providers and creates independent local or regional Patient Safety Organizations (PSOs) to collect and analyze safety events in the hope of uncovering problems with the current system. Hospitals, physicians or other health care professionals submit reports, memoranda, analyses, or written or oral statements referred to as a patient safety work product (PSWP), describing adverse events. PSWP may include details identifying the providers involved in the event as well as protected patient information as defined by the Health Insurance Portability and Accountability Act (HIPAA). Based upon an assessment of the data, PSOs develop insights into underlying problems contributing to patient safety events. Moreover, in order to aggregate data on a larger scale, the Act provides for the establishment of a Network of Patient Safety Databases (NPSD); PSOs contribute PSWP information after removing patient and provider identifiers before submission to the NPSD. The database includes definitions and reporting formats in order to facilitate analyses of information. Through use of the NPSD, large volumes of data are available in order to rapidly identify patterns with the goal of developing strategies to avoid, mitigate or eliminate risks and hazards in the delivery of patient care nationally.

The success of the Act depends on providers voluntarily reporting medical errors. To this end, the Act includes federal privilege and confidentiality protections for PSWP. This protection alleviates provider concerns that reported information will be used against them in civil and criminal actions, specifically, medical malpractice litigation. Further, the Act forbids disciplinary actions as a result of a provider’s report. In order to ensure confidentiality of patient information, the Office for Civil Rights (OCR) will investigate allegations of violations and the HHS Secretary has the power to impose civil money penalty (CMP) of up to $10,000 per violation.

The Act vests oversight responsibilities in the Health and Human Services (HHS), Agency for Healthcare Research and Quality (AHRQ). The Patient Safety and Quality Improvement Final Rule (Patient Safety Rule), the regulation implementing the Act, was published on November 21, 2008 and became effective on January 19, 2009. The Patient Safety Rule provides a framework for PSOs by identifying 15 distinct statutory criteria that an organization must meet before it is qualified by the AHRQ. These public or private entities do not receive federal funding to fulfill this role and cannot be a health insurance issuer or be owned, managed or controlled by a health insurance issuer. Additionally, employees of PSOs must have expertise in analyzing patient safety events. The Patient Safety Rule also authorizes AHRQ to conduct PSO site visits to assess continued compliance with the eligibility requirements.

Supporters are excited that specialized organizations will be analyzing providers’ adverse events in order to identify common patterns that will minimize risks associated with health care delivery. Not only will this save lives, it will also reduce health care costs. Medical mistakes are expensive and needlessly waste resources. The Act also encourages the submission of information by providing protection for reporters from legal liability and professional sanctions. Additionally, it protects the patients by requiring that all information submitted to the database comply with HIPAA regulations. Further, the NPSD represents the largest effort to collect data from various providers across the country and the immense amount of information gathered may be able to identify improvements that could not be identified otherwise.

Opponents of the Act are particularly critical of the exceptions to the Patient Safety Work Product including disclosure exceptions. It remains to be seen how broadly these exceptions will be interpreted since the Act has a limited history. Additionally, by not offering federal funding for PSOs and by forbidding insurance companies from providing capital, the source of revenue to support these organizations is uncertain. Providers are also skeptical that standardized data gathered by PSOs will be effective in curtailing medical errors or that PSOs will be able to provide useful information for various provider structures (i.e., hospitals, doctors offices, etc.) in states across the country. Critics also argue that the existing state organizations, which currently collect this information, are likely to be more effective than PSOs. On the other hand, such peer review protections are limited in their scope and do not offer the same confidentiality protection.

Another area as yet to be defined is the overlap between this initiative and FDA measures to evaluate drug effects in a more thorough and timely manner. These latter initiatives include the Observational Medical Outcomes Partnership (OMOP), which will assess the feasibility of using a range of analytical methods against multiple data sources to evaluate safety events. Moreover, through the Sentinel initiative, claims databases and electronic health records will be integrated nationally, linking data from 25 million patients by July 1, 2010 and 100 million by July 1, 2012. Thus, both OMOP and the Sentinel Network taken together may be used to identify and evaluate safety risks for marketed products. These initiatives, while focused on drug and device safety, will need to be integrated with similar data generated from the NPSD.

The underlying purpose of the Act — to collect data and identify weaknesses in the health care system — is an unprecedented and laudable goal. However, it is unclear whether the Act will achieve its stated goals. The rules establishing a critical element of the Act, PSOs, have only been in effect for little more than a year. The success of the Act requires more time for implementation in order to adequately assess the effectiveness of this ambitious effort.

Is Medicaid a Right? Are Medicaid Rate Cuts Unconstitutional?

By: Matt McKennan

Seton Hall Law
Class of 2011

Expanding Medicaid Rolls and Limited Access to Care

Medicaid beneficiaries have a difficult time accessing care.  Physicians are not required to participate in the program and due to low reimbursement rates, among other factors, many physicians choose not to join.  The President, federal and state lawmakers, physicians, hospitals, and patients (regardless of their political views) undoubtedly agree that access to care for Medicaid beneficiaries is a growing problem.  Notably, the Patient Protection and Affordable Care Act (ACA) will likely add approximately 16 million beneficiaries to state Medicaid rolls.  According to Senator Lamar Alexander of Tennessee, “it dumps 15 to 18 million low-income Americans into a Medicaid program that none of us would want to be a part of because 50 percent of doctors won’t see new patients. So it’s like giving someone a ticket to a bus line where the buses only run half the time.”

Interestingly, Medicaid’s “Equal Access provision” requires that participating states,

“assure that payments are consistent with efficiency, economy, and quality of care and are sufficient to enlist enough providers so that care and services are available under the plan at least to the extent that such care and services are available to the general population in the geographic area.”

If Sen. Alexander is right — and there is substantial evidence that Medicaid participants face significant obstacles to access – then states are violating federal law, or the federal law is so lax in its enforcement or its mandates that it has become ineffective.  Health reform vests huge responsibility in the hands of the states, and the ability to enforce federal law or the willingness of states to comply will play a crucial role in achieving its goals.

In response to Medicaid’s expansion, states face a number of critical decisions.  Currently, states are contemplating cuts to already low Medicaid rates.  According to the National Association of State Medicaid Directors, “state budget shortfalls in the coming fiscal year . . . will total $140 billion.”  Adding additional pressure, state constitutions generally require that state governments maintain a balanced budget.  As Medicaid expands, states will face even more difficult decisions when balancing budgets and implementing Medicaid consistently with federal guidelines.

How Will the States Respond?  Are Rate Cuts the Final Answer?

In response to increasing federal demands and local financial pressures, states are pursuing legal action as a successful lawsuit would surely decrease future state obligations under Medicaid.  States are also enacting legislation to oppose the bill and according to the National Conference of State Legislatures, 36 states have legislation to oppose certain reforms.  Others are lobbying Congress for repeal and those interested have already attested “that if any federal health care takeover is passed in 2010, I will support — with my time, money, and vote — only candidates who pledge to support its repeal and replacement with real reforms that lower health care costs without growing government.”

States may eventually decide to drop the program altogether.  After all, Medicaid is voluntary.  States are not obligated to provide medical assistance if they choose not to participate.  According to the Heritage Foundation, states would save over $1 trillion by opting out and “failure to leave Medicaid might be viewed as irresponsible on the part of elected state officials.”   On March 18, Arizona dropped its Children’s Health Insurance Program, foregoing millions in federal aid and leaving 47,000 children without insurance.  Earlier this year, Governor Jim Gibbons of Nevada stated, “[b]ecause it appears Sen. Reid’s plan is no longer viable, this crushing additional cost to the state isn’t forcing us to seriously consider opting out of Medicaid at this time.  However, if Congress wants to pass the buck and shift the fiscal burden of health care reform directly onto the states instead of looking seriously at ways to reduce spending and costs, we will be forced to revisit the issue.”  Like the Reid bill, the ACA also increases state Medicaid obligations.  And even if it increases the federal share, it is still worth asking whether Gov. Jim Gibbons  is once again seriously considering opting out of the program.

Alternatively, States may decide that Medicaid is just not that bad.  They may decide that it might just be a good idea to take advantage of the federal government’s helping hand.  Realistically, it is highly unlikely that states will drop Medicaid.  Dropping a program that provides care to low-income families is morally indefensible, especially without an alternative safety net.  Moreover, dropping Medicaid is fiscally irresponsible as the uninsured would undoubtedly wind up in emergency rooms seeking high-cost care at the private payers’ expense.  However, even if states decide to continue participating in Medicaid, the requirements of Medicaid must be enforced to achieve success.  After all, states administer Medicaid and states set reimbursement rates.  Drastic rate cuts by financially strapped states will undeniably balance budgets, but at the same time cuts will likely limit access to care.  So what happens when states cut Medicaid rates? See here, here, and here.

Is Medicaid a Right?  Are Rate Cuts Unconstitutional?

Thankfully, Medicaid’s “Equal Access provision” requires that states pay reimbursement rates that are sufficient to assure access to care.  Unfortunately, it is not easily enforced and the remedies are limited.  On the one hand, the federal government can withdraw its support from states that fail to live up to the statute’s demands.  On the other hand, providers and beneficiaries can also pursue legal action.  Legal action, however, is not that easy.

Shortly after the Civil War, Congress enacted the Civil Rights Act of 1866, providing equal rights to all “persons within the jurisdiction of the United States.”  In response, many Southern Governors refused to comply, frustrating Congressional intent as the KKK violently opposed the bill and terrorized the South without state intervention.  Congress then enacted 42 U.S.C. § 1983.  It provides a private cause of action against state or local actors that violate federal rights.  At its most basic level, the cause of action reins in rogue states and local actors.  A plaintiff that pursues a Section 1983 claim to enforce Medicaid’s requirements is in essence alleging that a state is violating federal rights by failing to comply with the federal law (Medicaid).

Initially, the Supreme Court adopted this line of reasoning.  In Wilder v. Virginia Hospital Association, the Supreme Court held that Medicaid providers can file suit under Section 1983 when a state fails comply with Medicaid by setting unreasonable and inadequate rates.  Notably, Chief Justice Roberts, as deputy Solicitor General at the time, filed a brief in Wilder arguing that private citizens cannot force states to comply with Medicaid under Section 1983.  After Wilder, courts consistently held that Section 1983 provided a cause of action to enforce state compliance with Medicaid.  Over time, the circuit courts split regarding what the “Equal Access provision” requires.  Some courts held that it requires states to conduct a study before setting rates, while others held that it requires states to achieve results, such as setting rates that actually achieve equal access to care, regardless of a study.

However, in Gonzaga v. Doe, the Supreme Court  limited the availability of a cause of action under Section 1983.  Interestingly, now-Chief Justice Roberts argued before the Court in Gonzaga as well, this time successfully.  Since Gonzaga, circuit courts throughout the country have refusedto allow Medicaid providers and beneficiaries to file suit under Section 1983 to enforce Medicaid’s “Equal Access provision” holding that Medicaid does not confer individual rights.  Compare pre-Gonzaga Orthopaedic Hospital with post-Gonzaga Sanchez.  In effect, Roberts’ argument in Wilder is now law and private citizens can no longer file suit under Section 1983 when states cut rates and limit access to care.

Fortunately, providers and beneficiaries have one more option.  Rather than filing suit under Section 1983, providers and beneficiaries are now successfully pursuing claims under the Supremacy Clause.  Under this theory, a state law that cuts reimbursement rates and decreases access to care conflicts with the “Equal Access provision.”   Therefore, because the state law conflicts with federal law, and federal law is the supreme law of the land, the state law is null (unconstitutional).  Plaintiffs have filed successful actions under the Supremacy Clause in California, resisting attempts to cut Medi-Cal payments for purely budgetary reasons.  A similar suit was filed in Washington last year.  On January 28, the Connecticut Association of Healthcare Facilities also filed suit, pursuing a Supremacy Clause action to enforce the “Equal Access provision.”

Although plaintiffs are experiencing success under the Supremacy Clause, there are a few drawbacks.  Unlike a suit under Section 1983, an action under the Supremacy Clause does not generally result in legal damages or attorney’s fees.  Instead, a plaintiff simply enjoins the unlawful state action.  Moreover, Justice Scalia and Justice Thomas have observed that the Supremacy Clause does not provide a cause of action to enforce Medicaid.  Rather, the Justices note that the only remedy is the withdrawal of federal funds.  Therefore, under the only legal theory available to enforce Medicaid at this time, states generally face no financial responsibility for cutting rates and decreasing access.  Further, the only cause of action to enforce Medicaid may rest on shaky ground.

In summary, history demonstrates that federal preemption will play a major role in implementing health reform, and these lessons must not be ignored.  The ACA expands Medicaid rolls and relies greatly on state compliance.  States have a limited number of options in response to their increasing responsibilities.  Eventually, constitutional challenges will end and states will likely continue to provide Medicaid assistance.  However, financially strapped states may end up administering a watered down program that denies access to care.  Therefore, to achieve the goals of reform, it is vitally important that states face realistic consequences if they refuse to administer Medicaid in compliance with federal law.  Ultimately, however, if states continue to cut rates, a strict federal standard regarding Medicaid reimbursement may be necessary.

CMS Protects Seniors from Renegade Marketers

By Samantha B. Lansdowne, MSJ, CCMEP

On December 8, 2003, the Medicare Prescription Drug, Improvement, and Modernization Act (MMA) was enacted creating the Medicare Prescription Drug Benefit Program, better known as Part D, while revising the Medicare Advantage (MA) program, or Part C.  Since Medicare’s establishment by the Social Security Act of 1965, the creation of Part D is considered to be the most significant change to Medicare.  With the new regulations also came new rules relating to contracts, applications, bidding processes, and marketing.  The initial set of rules became effective March 22, 2005, and as the Centers for Medicare & Medicaid Services (CMS) gained more experience with the Part D program, a necessary revision was made to some existing marketing policies utilized by plans and their representatives in attracting seniors to their program.  On May 16, 2008, by way of its authority to establish marketing rules through rulemaking, CMS proposed new marketing regulations.

Subsequently, Congress passed the Medicare Improvements for Patients and Providers Act (MIPPA) on July 15, 2008, establishing new statutory marketing regulations for both the MA and Part D plans, which were similar or in some cases identical to the CMS regulations of May 16, 2008.  The MIPPA provisions enacted into statute the provisions that CMS had previously proposed, superseding the CMS regulatory proposals.  The new MIPPA regulations were to begin on January 1, 2009; however, CMS felt that some of the rules provided important protections for Medicare beneficiaries and should instead be in effect before the 2009 plan year marketing campaign began on October 1, 2008.  So in its authority to establish rules, CMS finalized on September 18, 2008 six new marketing provisions, in addition to modifying the disclosure and dissemination of Part D information provisions, and the file and use provision.

At the same time each year, senior citizens are barraged with information on which Medicare program they should enroll in.  They have several options to choose from: 1) the Original Medicare — a fee-for-service plan managed by the Federal Government, 2) Medicare Health Plans — health plan options that are approved by Medicare but run by private companies, 3) Medicare Prescription Drug Plans — plans that add prescription drug coverage to Original Medicare, some Medicare Cost Plans, some Medicare Private Fee-for-Service Plans, and Medicare Medical Savings Account Plans, and 4) Medigap (Medicare Supplement Insurance) Policies — health insurance policies sold by private insurance companies to fill “gaps” in Original Medicare coverage.  All of these options are “sold” through representatives of the various Medicare health plans.

During Senate hearings held in February 2008 on the topic “Selling to Seniors: The Need for Accountability and Oversight of Marketing and Sales by Medicare Private Plans,” state and federal regulators, plan sponsors, and consumers testified to “overly-aggressive, inappropriate, and sometimes deceptive practices used to market, sell, and enroll seniors into Medicare private plans.”  Therefore, CMS was concerned that plan representatives were engaging in sales and marketing activities that pressured beneficiaries to make plan selections for reasons other than those that best meet their healthcare needs.

The September 18, 2008 rule (CMS-4131-F) prohibited plans and their representatives from using the following “pressure techniques”: 1) contacting potential enrollees directly without the potential enrollee first initiating contact (examples include door to door solicitation, outbound telemarketing, or approaching an individual in a parking lot); 2) cross-selling of non-healthcare related products during Medicare sales or marketing activities; 3) providing of meals to prospective enrollees at promotional and sales events; 4) conducting sales presentations or distributing and accepting plan applications in provider offices or other places where healthcare is delivered, except in the case where such activities are conducted in common areas such as a conference room or cafeteria, and 5) conducting sales presentations or distributing and accepting plan applications at educational events, such as health information fairs or state or community-sponsored events.

In addition to the above changes in marketing, plans were now to hire and use only state-licensed representatives to conduct marketing activities in accordance with applicable State appointment laws.  This requirement helps to ensure that beneficiaries do not fall prey to under-educated, unscrupulous and or otherwise substandard representatives.  Further, plans are now to disclose certain beneficiary information at the time of enrollment, and fifteen days before the annual coordinated election period.  Disclosure of plan information continues to be an important feature that gives beneficiaries the necessary information in order for them to make an informed decision about their healthcare plan.

Lastly, CMS would no longer allow plans to file and use marketing materials within 5 days of submission (instead of the normally required 45 day period) based on their previous track record of consistently meeting all of the marketing standards set forth by CMS.  Instead, a uniform file and use policy will be applied to marketing materials that either use model language without substantive modification, or materials that are indentified by CMS as not containing substantive content warranting CMS review.  This will allow CMS to focus resources on materials that contain content that warrants further scrutiny.

As part of the rulemaking process, CMS received comments from managed care organizations and other insurance industry representatives, members of Congress, representatives of health care providers, beneficiaries, and many others.  While most comments were supportive, some of the proposed rulemaking was greeted with great opposition.  One concern was the time frame for implementation of certain provisions prior to the 2009 open enrollment period.  Critics wanted the new rules to go into effect after the 2009 period and others even argued for no sooner than 2010.  Another area that drew concern was the new uniform application of the file and use policy.  Opponents asked for additional clarification and even commented that there would be additional burden on CMS.  The new marketing rules attracted the most resistance.  CMS received many comments that the rules were overly restrictive, would prevent beneficiaries from learning about the full range of healthcare options available to them, and that further clarification was needed.  It is clear from reading the final rule though that CMS put a lot of thought into the changes being made.  Plans and their representatives will have no choice but to comply with the new regulations as both Congress and CMS favor the change.

Next Page »