Weekend Update


A belated Happy Valentine’s Day to our beloved FEHB Program!

Congress is out of session this week for the Presidents’ Day holiday. Here is a recap of last week’s activities on the Hill from This Week in Congress. When Congress returns, its members will need to immediately resolve Department of Homeland Security funding (or kick the can down the road a little farther). In one month, the federal debt ceiling, which has been suspended for about the last year, will be reinstated. MarketWatch reports that the Treasury Department will be able to work its magic to avoid a default for several months thereafter. Also, by the end of March Congress will need to either repeal and replace or further extend the current patch on the Medicare Part B sustainable rate of growth formula. This formula is used to calculate Part B payments to doctors. Absent some sort of fix, Medicare Part B payments to doctors will drop by 18% on April 1, and that’s no April Fools’ Day prank.

Speaking of repeal and replace, I heard Avik Roy on the radio over the weekend speaking about the Republican alternative to the ACA. Here is a link to his Forbes article discussing the Patient CARE bill. He explains that

The first version of the Patient CARE Act was co-authored [last year] by Senators Tom Coburn (Okla.), Richard Burr (N.C.), and Orrin Hatch (Utah). Coburn retired in December, and so Burr and Hatch added Rep. Fred Upton (R., Mich.), Chairman of the House Energy and Commerce Committee.  [Sen. Hatch is now Chairman of the Senate Finance Committee.]

Hacking remains in the news. Today the New York Times reports that a cybercriminal gang infiltrated the computer networks of a bunch of banks to the tune of about $1 billion in stolen cash. According to this report, both this computer crime and the computer crime perpetrated against Sony late last year kicked off with a phishing attack in which an unsuspecting employee clicked on a virus-packed attachment to an email.

Herbert Lin, a cybersecurity researcher at Stanford, wrote an op-ed piece in Friday’s Wall Street Journal. He illustrated the importance of cyberliability insurance with this analogy.

Buildings today, for example, are much more resistant to fire damage because of changes driven by careful underwriting.

Health Data Management reports on the Obama Administration’s efforts to create a joint public-private defense against this scourge.

Meanwhile, Anthem announced on Friday that it is using All Clear ID as the credit monitoring and repair service for its members affected by another major computer crime. The FEHBlog is a fan of All Clear ID’s service. While an affected member can sign up for credit monitoring services, if an affected member decides not to or forgets to do so and later discovers a credit problem, he or she can call All Clear ID and the company will work to fix the problem. More information is on the anthemfacts.com website.

TGIF

And the beat goes on.

Yesterday, the Internal Revenue Service issued the final versions of the forms and instructions that FEHB plans, other health plans and insurers, and employers, including the government, will use to perform the reporting required under Sections 6055 and 6056 of the Internal Revenue Code (as added by the ACA). The 6055 reporting (IRS Form 1095-B) is used by health plans to document plan member compliance with the ACA’s individual shared responsibility mandate. The 6056 reporting (Form 1095-C) is used by large employers (50 or more full time employees) to document their compliance with the ACA’s employer shared responsibility mandate. Tim Jost on Health Affairs reviews the final forms and instructions here. OPM created a Section 6056 reporting website yesterday for the benefit of federal agencies. “Agencies need to work with shared service centers and payroll to collect and report on these requirements for the FEHB Program.” The first reports are due early next year for the 2015 reporting year.

Today, the ACA regulators issued FAQ XXIII on excepted benefits. The regulators are now only XXVI FAQs behind the Super Bowl, which just hit XLIX. The FEHBlog understands that next year will be Super Bowl 50 (not L) and thereafter the Super Bowls will revert to Roman numerals. When will the ACA regulators catch up?

The Military Times had an article on Congressional hearings held earlier this week on the recent recommendations of the Military Compensation and Retirement Modernization Commission which the FEHBlog discussed last month.

Some lawmakers zeroed in on the commission’s recommendation that the Pentagon eliminate most of Tricare’s health services and move millions of military dependents and retirees into private-sector health care policies similar to those offered to federal civilians.
Rep. Joe Heck, R-Nev., chairman of the personnel panel of the House Armed Services committee, who is also a trained physician, raised concerns about the commission’s claim that Tricare is reimbursing doctors at rates lower than government-run Medicare and fair-market value.
“As a health-care provider for over 30 years, I question that assumption,” Heck said.
That prompted a forceful response from several commissioners, including former House member Steve Buyer and retired Adm. Edmund Giambastiani.
Buyer called Tricare “a broken system,” while Giambastiani said Tricare is “in a death spiral.”

Finally, thanks to the Washington Post’s Federal Eye blog, the FEHBlog found this nifty map / chart displaying the population of federal employees by Congressional District and county in 2014.

Midweek Update

The big news today (as reported in the Wall Street Journal) is that the nation’s third largest pharmacy chain, Rite Aid, has entered into an agreement to purchase a prescription benefit manager called EnvisionRx for $2 billion. Of course, this is not the first time that Rite Aid has bought a PBM. As Drug Channels discusses and the FEHBlog recalls, Rite Aid bought the Advance PCS PBM from Eli Lilly for $1.5 billion in 1998 and then sold PCS for $1 billion two years later. Advance PCS is now part of CVS Caremark. Drug Channels explains why he thinks that this purchase will be successful for Rite Aid. Competition is good.

The Washington Post reports that the White House is creating a Cyber Threat Intelligence Integration Center modeled on the National Counterterrorism Center. The new center will fall under the Office of the Director of National Intelligence. The center will focus on identifying threats and acting as a crisis center when major attacks like those on Sony and Anthem occur. The new center “is a good and important step,” [former NCTC Director Michael] Leiter said. “But it is far from a panacea.”

The Washington Post also reports on good cybersecurity work being done in South Korea — which is under cyberattack from North Korea.

Kwon Seok-chul, CEO at computer security firm Cuvepia Inc., said it has been tough to convince executives that it’s more effective to catch bad guys after they’ve infiltrated a network instead of trying to keep them out, which he believes is impossible anyway.
Kwon said his company’s latest monitoring product keeps a log of all activity, dividing it into authorized users and possible attackers. When certain conditions are met, the program sounds an alarm. A response team, he said, can sit back and watch what hackers copy and respond before damage is done. The security team can cut the hacker’s connection or trick the intruder into stealing empty files.
“Because hackers are in your palm, you can enforce any measures that you want,” said Kwon, member of an advisory board for South Korea’s cyberwarfare command.

The article explains that this software acts as a police officer to monitor server firewalls.  This is an encouraging article.

Weekend update

The House and Senate will be in session here in Washington, D.C. this coming week. Here is a link to The Week in Congress’s report on last week’s doings. 

The FEHBlog has been discussing the Anthem security breach in recent posts. The Better Business Bureau offers these tips to consumers in the immediate wake of the breach.

Health Data Management reports how Anthem and other health industry stakeholders participate in a security alliance called the HiTrust Alliance which according to Health Data Management allowed the stakeholders to conclude that this particular hacking attack was limited to Anthem.

The FEHBlog noted on Friday that the Wall Street Journal, among other press sources, is reporting that the confidential data was not encrypted on Anthem’s servers. This rang a bell with the FEHBlog because as a lawyer he knows that the 2009 HITECH Act’s unsecured protected health information breach notice provisions encourage insurers and health care providers to encrypt confidential data. And insurers and health care providers do encrypt mobile devices like laptops and thumb drives. If encrypted mobile devices are lost or stolen, which can happen, encryption will protect the lost or stolen data.

The FEHBlog has puzzled over whether this new incident will push health care companies to encrypt servers holding confidential databases. Servers of course are not mobile devices.  The FEHBlog ran across this interesting blog post from a Columbia University computer science professor who explains why encrypting confidential data held on servers may not be particularly useful:

In a case like the Anthem breach, the really sensitive databases [on the servers] are always in use. This means that they’re effectively decrypted: the database management systems (DBMS) are operating on cleartext, which means that the decryption key is present in RAM somewhere. It may be in the OS, it may be in the DBMS, or it may even be in the application itself (though that’s less likely if a large relational database is in use, which it probably is). What’s to stop an attacker from obtaining that key, or perhaps from just making database queries?
The answer, in theory, is other forms of access control. Perhaps the DBMS requires authentication, or operating system permissions will prevent the attacker from getting at the keys. Unfortunately—and as these many data breaches show—these defenses are not configured properly or aren’t doing the job. If that’s the case, though, adding encryption isn’t going to help; the attacker will just go around the crypto. There’s a very simple rule of thumb here: Encryption is most useful when OS protections cannot work.
What do I mean by that? The most obvious situation is where the attacker has physical access to the device. Laptop disks should always be encrypted; ditto flash drives, backup media, etc. Using full disk encryption on your servers’ drives isn’t a bad idea, since it protects your data when you discard the media, but you then have to worry about where the key comes from if the server crashes and reboots.  

In sum, there is no simple answer to this significant problem.

The Drug Channels blog reports on what the surprisingly deep discounts on Gilead’s Hepatitis C drugs offered to PBMs after AbbVie’s competing drug hit the market portend for biosimilar drug pricing:

Biosimilars are unlikely to be fully interchangeable with their innovator products. Competition between a biologic drug and a biosimilar is much more likely to resemble brand-to-brand competition than it is to resemble the dynamics of brand-to-generic competition.
As a result, the conventional wisdom—summarized in this still relevant 2009 Federal Trade Commission (FTC) report—believes that a biosimilar’s discount will be only 10% to 30% off the innovator’s price.
However, the large hepatitis C discounts suggest that biosimilars may drive deeper discounts for formulary placement. Although the hepatitis C products are not therapeutically equivalent, we are seeing big discounts to both government and commercial payers.

That’s good news.  The Wall Street Journal’s Pharmalot blog reports that prescription drug manufacturer Pfizer has invested $16 billion to purchase one of the largest sellers of biosimilar drugs in Europe, Hospira.  The European Union has been approving biosimilars for over a decade now.

TGIF

Following up on the Anthem security breach, the Wall Street Journal reports that the confidential data stolen from Anthem had not been encrypted. Businesses have reduced the impact of lost and stolen laptop computers by encrypting them. However, server-held data usually has not been encrypted. The article explains that

Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers, that person [familiar with the matter] said.

That practice is bound to change. In an interview with Adam Meyer, chief security strategist of threat intelligence consultancy SurfWatch Labs, the Journal further reported

Based on what Anthem has shared publicly about the attack, what do you think happened?

An engineer discovered the incursion when he saw a database query being run using his credentials, which suggests the attackers probed the company’s Web server or other Web services for weaknesses, or gained access through spear phishing, in which they induced employees to click on an emailed link. Upon breaching the system, they likely hunted for administrators’ accounts, giving them access to sensitive information, such as names and Social Security numbers, which are typically hosted in the company’s enterprise resource planning application. From there, they likely queried the database behind the ERP app and began to siphon data to a cloud storage provider. Using trusted accounts to transfer data to trusted storage enabled them to remain undetected. 
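The signal described in the interview answer above (a query run under an engineer’s credentials that he did not issue, and bulk reads made under trusted accounts) can be checked against a database audit log. The following is an added example, not code from the article, the Journal, or Anthem; the log format, account names, hosts, dates and thresholds are all constructed assumptions.

```python
"""Flag database queries that do not fit an account's own history.

Constructed audit-log format (an assumption for this example):
    ISO-timestamp|account|source_host|rows_returned|statement
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

ROW_FLOOR = 1000   # never call a result "bulk" below this many rows
BULK_FACTOR = 10   # bulk = this many times the account's median result size

# Constructed sample log: a baseline period, then the day under review.
SAMPLE_LOG = """\
2015-01-20T09:12:00|dba_jsmith|ws-114|120|SELECT * FROM claims WHERE id = ?
2015-01-20T08:00:00|svc_report|app-02|5000|SELECT region, COUNT(*) FROM claims
2015-01-21T10:40:00|dba_jsmith|ws-114|300|SELECT * FROM members WHERE id = ?
2015-01-21T08:00:00|svc_report|app-02|5200|SELECT region, COUNT(*) FROM claims
2015-01-22T14:05:00|dba_jsmith|ws-114|80|SELECT * FROM claims WHERE id = ?
2015-01-22T08:00:00|svc_report|app-02|4900|SELECT region, COUNT(*) FROM claims
2015-01-23T16:30:00|dba_jsmith|ws-114|210|SELECT * FROM members WHERE id = ?
2015-01-27T02:17:00|dba_jsmith|web-07|780000|SELECT name, ssn FROM members
2015-01-27T08:00:00|svc_report|app-02|5100|SELECT region, COUNT(*) FROM claims
2015-01-27T09:30:00|dba_jsmith|ws-114|150|SELECT * FROM claims WHERE id = ?
2015-01-27T11:00:00|tmp_admin|ws-201|40|SELECT * FROM members WHERE id = ?
"""


def parse_log(text):
    """Turn pipe-delimited audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The statement is the last field and may itself contain "|".
        ts, account, host, rows, stmt = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "host": host, "rows": int(rows), "statement": stmt})
    return events


def build_baseline(events):
    """Per account: hosts seen, range of active hours, median rows returned."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["account"]].append(e)
    baseline = {}
    for account, evs in grouped.items():
        hours = [e["time"].hour for e in evs]
        baseline[account] = {
            "hosts": {e["host"] for e in evs},
            "hours": (min(hours), max(hours)),
            "median_rows": median([e["rows"] for e in evs]),
        }
    return baseline


def reasons_for(event, baseline):
    """Return the list of ways this event departs from the account's baseline."""
    profile = baseline.get(event["account"])
    if profile is None:
        return ["unknown_account"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new_host")
    first, last = profile["hours"]
    if not first <= event["time"].hour <= last:
        reasons.append("off_hours")
    if event["rows"] > max(ROW_FLOOR, BULK_FACTOR * profile["median_rows"]):
        reasons.append("bulk_read")
    return reasons


def review(log_text, review_from):
    """Baseline on events before review_from; report anomalies on or after it."""
    events = parse_log(log_text)
    cutoff = datetime.fromisoformat(review_from)
    baseline = build_baseline([e for e in events if e["time"] < cutoff])
    alerts = []
    for e in events:
        if e["time"] >= cutoff:
            reasons = reasons_for(e, baseline)
            if reasons:
                alerts.append((e["time"].isoformat(), e["account"], reasons))
    return alerts


if __name__ == "__main__":
    for when, account, reasons in review(SAMPLE_LOG, "2015-01-27"):
        print(when, account, ", ".join(reasons))
```

The baseline is built only from events before the review window, so activity under review cannot teach the detector that it is normal.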

The FEHBlog attended an Online Trust Alliance town hall meeting yesterday. He heard Twitter’s postmaster explain that Twitter routinely sends fake phishing emails to its staff. Any staff member who clicks on the message is “publicly shamed,” whatever that means. He also heard Federal Trade Commissioner Julie Brill speak. She discussed the FTC’s recent staff report called the Internet of Things, which concerns the explosion of interconnected devices. Here’s a link.

Although Anthem had cyber-liability insurance, the Financial Times reports that this massive breach will shake up the market for this insurance. A Lloyd’s representative is recommending that the government bear the risk similar to terrorism insurance.

In a spot of good news, Reuters reports that CMS has agreed to cover low dose CT scans as a means of lung cancer screening for “Medicare beneficiaries aged 55-77 who are current smokers or who quit within the last 15 years, and who racked up at least 30 ‘pack years.’ The latter is possible if they smoked one pack a day for 30 years, for instance, two packs a day for 15 or three packs a day for a decade.” FEHB plans, which have loads of Medicare prime members, became obligated to cover this service in-network with no enrollee cost sharing at the beginning of 2015. Under the U.S. Preventive Services Task Force’s guidelines applicable to FEHBP plans and other group health plans:

The USPSTF recommends annual screening for lung cancer with low-dose computed tomography in adults ages 55 to 80 years who have a 30 pack-year smoking history and currently smoke or have quit within the past 15 years. Screening should be discontinued once a person has not smoked for 15 years or develops a health problem that substantially limits life expectancy or the ability or willingness to have curative lung surgery.

Absent this CMS action, FEHB plans would have been on the hook for the cost of all of these tests.

Finally, here’s an interesting tidbit from Seeking Alpha about the CVS pharmacy chain which quit selling tobacco products last year:

  • CVS Health (CVS -0.3%) says its pharmacists have counseled over 67K patients about their smoking habits since pulling out of the category last September.
  • Prescriptions for smoke cessation products are up 63% during the period.
  • Sales of nicotine replacement therapy products are up 21%.
  • Shares of CVS are up 22% since the company’s tobacco exit.

Midweek Update

    The Wall Street Journal is reporting tonight that Anthem, a major health insurer, was struck by an enormous hacking attack.  Anthem certainly appears to be handling the matter appropriately.  Anthem detected the attack, immediately hired an investigator, reported the crime to the FBI, and less than a week after the detection, publicized the attack today.

    Following up on a few items that the FEHBlog has been following —

    • Here is a link to a Federal News Radio report explaining how the President’s FY 2016 budget affects each department and major agency in the government.   The Washington Post reports on six ways that the budget could impact federal employees.  Finally, the Post reports that 

    Regarding the Federal Employees Health Benefits Program, the budget repeats previous proposals to make domestic partners eligible, expand the types of plans available, centralize the purchasing of pharmaceuticals as a cost-saver, and allow plans to charge more to enrollees who do not participate in certain wellness programs deemed appropriate for them. Those proposals would require the approval of Congress.

    In the FEHBlog’s view, centralizing the purchasing of pharmaceuticals is an odd proposal that is inconsistent with the Affordable Care Act’s push for better integrated care which is the FEHBP status quo. 

    • Speaking of prescription drug costs, Bloomberg reports that the average discount for [Gilead’s very expensive Hepatitis C drugs] “took investors by surprise and is higher than consensus of 25 to 30 percent or so,” said Michael Yee, a San Francisco-based analyst at RBC Capital Markets, in an e-mail. Competition is good.
    Also on the good news front, Forbes is joining Modern Healthcare in reporting that major insurers are leading the charge to move the market from fee for service to quality / outcome based health benefit coverage. 

    Health plans are moving quickly from the traditional fee-for-service approach that can lead to overtreatment and unnecessary medical tests and procedures. Value-based pay is tied to health outcomes, performance and quality of care of medical-care providers who contract with insurers via alternative models like accountable care organizations (ACOs), a rapidly emerging care delivery system that rewards doctors and hospitals for working together to improve quality and rein in costs.

    “We continue to make great strides as we signed contracts with 28 new ACO partners since year-end 2013, launched multiple new products backed by ACO contracts, doubled our membership covered by value-based contracts to more than 3 million members, and increased the percent of our medical costs that run through value-based contracts to 28% of total spend,” Aetna chief executive officer Mark Bertolini told Wall Street analysts and investors on the company’s fourth-quarter earnings call Tuesday.

    Happy Super Sunday

    The Super Bowl is less than three hours away. The FEHBlog does not care for either team, but as an American and an NFL fan he feels duty bound to watch the game.

    Congress will be in session again this week. Last week, the Senate Homeland Security and Government Oversight Committee, which is responsible for OPM and the FEHBP, announced its subcommittee chairs for the new Congress.  Sen. James Lankford (R Okla) will chair the Subcommittee on Regulatory Affairs and Federal Management.  Here is a link to This Week in Congress’s latest update.

    Tomorrow, the President will release his FY 2015 budget proposal. Here is a link to the Hill’s report on five things to watch for in the budget. Ed Lorenzen, a senior advisor to the Committee for a Responsible Federal Budget, “pointed out that the president’s budget serves a useful purpose for appropriators in Congress each year because it contains line-by-line details of agencies’ needs.” That’s why the FEHBlog will be taking a look at the budget documents.

    Forbes reports that the budget will include additional funding for personalized medicine, which is good news. The Republicans in Congress are expected to be receptive to this Administration initiative. Personalized or precision medicine builds on the human genome project.

    The Wall Street Journal reports that many hospitals and doctors, who are sick of voluminous, detailed quality measures, want to move to global measures that look at patient health outcomes. But there are other views too.

    On Friday, the National Quality Forum, a nonprofit advisory group, submitted recommendations on 199 performance measures for Health and Human Services to consider in 20 federal programs. Christine Cassel, the group’s president and chief executive, said many of the proposals seek to better align measures among various programs and replace narrow process-oriented metrics with “measures that matter.” For example, one recommendation would replace individual metrics on the percentage of diabetes patients who get foot exams, eye exams and blood-glucose checks with a composite measure of diabetes control.
    But some doctors question whether the measures that exist can adequately measure quality. And there is little agreement on what measures matter most or are more likely to produce good value. “In many areas of patient care, we do not yet have high-quality outcome measures with enough specificity to drive improvement,” American Medical Association Executive Director James L. Madara wrote in a letter to the quality forum earlier this month.
    Some doctors complain that whether patients get better is often out of their control; that outcomes measures take more work, not less; and that being held accountable for outcomes could prompt doctors to avoid treating the sickest patients.

    This problem is even more acute for insurers that are judged by the health care quality measures but generally are much more removed than doctors from the healthcare decision making. In any event, the flip side of the coin, illustrated in this article from today’s New York Times, is how to assess whether doctors are engaged in ordering unnecessary tests and care, and how to steer patients away from them.

    TGIF

    Following up on Wednesday’s posts, the Military Compensation and Retirement Modernization Commission released its final report yesterday afternoon. That report (around p. 104) proposes that TRICARE be replaced with a program similar to the FEHBP and administered by OPM. However, in contrast to FEHB plans, this new program would be integrated with military treatment facilities. Congress, of course, would have to approve this recommendation by enacting a new law. So you can stand down from Red Alert.

    Also All Clear ID has posted the slides from its National Data Privacy Day webinar here. The FEHBlog found them helpful.

    Also this week, the GAO released a report concluding that “spending for an episode of care in the private sector varied across metropolitan statistical areas (MSA) for coronary stent placement, laparoscopic appendectomy, and total hip replacement, even after GAO adjusted for geographic differences in the cost of doing business and differences in enrollee demographics and health status.” The report pins the differential on the inpatient hospital bills.

    The Food and Drug Administration approved a generic proton pump inhibitor drug that can be substituted for the purple pill / blockbuster drug Nexium to treat GERD / heartburn. This should save health plans a ton of money once the six month generic exclusivity period expires for the first approved generic manufacturer which is an American subsidiary of Teva.

    Gallup and Healthways released a discouraging report on obesity rates in the U.S. The obesity rate (Body Mass Index of 30 or more) is up 2 percentage points since 2008 to 27.7%.

    Finally, earlier today, the Office of National Coordinator of Health IT (“ONC”) released a draft report of a 10 year plan to achieve full interoperability of electronic medical records according to this iHealthBeat report. The federal government missed a golden opportunity by failing to include interoperability standards in the meaningful use requirements for government subsidized electronic medical records five years ago. ONC outlined the following actions to be achieved by 2017.

    Establishing a coordinated governance framework and process for nationwide interoperability based on stakeholder consensus;
    Improving technical standards and implementation guidance for sharing data;
    Enhancing incentives for achieving interoperability and data sharing goals that are based on a common clinical data set; and
    Clarifying privacy and security requirements needed to guarantee secure transmission, access and use of sensitive patient data  

    The draft is open for public comment until April 3, 2015.

    Moving away from fee for service medicine

    For over two decades the FEHBlog has been reading about the need to move health insurance from fee for service to quality based payments.  Modern Healthcare today has a helpful article about the progress being made on this front by insurers, employers, and the Centers for Medicare and Medicaid Services. Although progress is being made, making this change is easier said than done because providers understandably don’t have a lot of appetite for taking on risk.

    Happy National Data Privacy Day

    January 28 is National Data Privacy Day in the U.S., Canada, and Europe.  The FEHBlog celebrated by listening to a webinar on the cost of data breaches presented by AllClear ID.  The panelists noted that there has been a sharp drop in the number of laptop thefts causing data breaches as businesses across the board have been switching to encrypted laptops. The top causes now are hackers and staff mistakes (either by the business itself or one of its subcontractors / business associates). The panelists suggested conducting data breach response drills and of course purchasing cyber liability insurance. The FEHBlog will provide a link to the webinar slides when they become available.