FEHBlog

Monday Roundup

David ErmerACA, Congress, COVID-19, Rx coverage, U.S. Healthcare
Photo by Sven Read on Unsplash

From Capitol Hill, Roll Call offers the House Speaker’s perspective on the debt ceiling negotiation, and the Washington Post does the same for the Senate Majority Leader. The FEHBlog is becoming more optimistic that the debt negotiations will be successful.

From the Omicron and siblings front, the FEHBlog was pleasantly surprised to see that his favorite Covid columnist David Leonhardt of the New York Times, has returned from his four-month long book leave. In his return column, he lists seven surprises that happened during his leave. Here is the Covid surprise.

A milder Covid winter. In each of the past two winters, the country endured a terrible surge of severe Covid illnesses, but not this winter.

His column includes this chart of COVID hospitalizations.

New York Times February 6, 2023

Mr. Leonhardt explains —

It’s a sign that the virus has become endemic, with immunity from vaccinations and previous infections making the average Covid case less severe. If anything, the best-known Covid statistics on hospitalizations and deaths probably exaggerate its toll, because they count people who had incidental cases. Still, Covid is causing more damage than is necessary — both because many Americans remain unvaccinated and because Covid treatments are being underused, as German Lopez has explained.

Mr. Leonhart’s comment should come as no surprise to FEHBlog readers. Nevertheless, it’s encouraging to read it in the New York Times.

It’s worth noting that the first high peak from the left is Alpha which the Covid vaccines (released in December 2020) helped stem. The middle high point was Delta, and the highest point is Omicron which Paxlovid (released in December 2021) and other treatments helped stem. The public health authorities back in the day discussed a three-legged stool to deter Covid — one leg was immunity, the other was prevention (vaccines, etc.) and the third was treatments, which we did not broadly have until December 2021. What’s more the Omicron siblings have defeated some antiviral treatments but not Paxlovid.

On a related note of interest to care providers, CMS yesterday called attention to its regularly update Current Emergencies website which a chock-a-block full of helpful information.

From the Affordable Care Act and ERISA fronts

  • Fierce Healthcare discusses provider and payer reactions to the ACA’s regulators’ recently closed request for public input on the apprpropriate scope of the ACA’s essential health benefits requirement.
  • The Miller & Chevalier law firm discusses an important 9th Circuit U.S. Court of Appeals decision on remedies available in ERISA claim disputes. The decision favored the ERISA plans and their thir party administrators as well as the objective of health plan cost control.

From the executive personnel front —

  • Fierce Healthcare invites us to meet Express Script’s new president Adam Kautzner.
  • Healthcare Dive introduces us to CVS Health’s senior vice president and chief diversity, equity and inclusion officer Shari Slate.

From the broader U.S. healthcare business front —

The Wall Street Journal reports

CVS Health Corp. is close to an agreement to acquire Oak Street Health Inc.for about $10.5 billion including debt, a deal that would rapidly expand the big healthcare company’s footprint of primary-care doctors with a large network of senior-focused clinics, according to people with knowledge of the matter.

The companies are discussing a price of about $39 a share, the people said. The deal, if it goes through, could be announced as soon as this week, they said. CVS is scheduled to report earnings on Wednesday.

The Journal adds that “Oak Street, which has more than 160 centers across 21 states, focuses on the care of patients enrolled in Medicare” and that the deal would push CVS Health “far deeper” into direct provision of healthcare.

Beckers Payer Issues informs us

Alphabet, the parent company of Google, saw its medical stop-loss insurance business grow “nearly sixfold” last year, tech news site The Verge reported Feb. 2. The business, called Granular, provides medical stop-loss coverage to employers and is a subsidiary of Verily, Alphabet’s life sciences business.

Healthcare Dive tells us

  • Looking at 2,000 U.S. hospitals’ websites, only about a quarter were in full compliance with federal price transparency rules, according to a new analysis from PatientRightsAdvocate.org.
  • The majority of hospitals have some required files posted, but most are incomplete, illegible or do not clearly identify prices both associated with payer and plan, according to the report. Some 6% of the hospitals posted no usable pricing files.
  • This latest report calls out both major for-profit and nonprofit chains across the country for not following the rules, including HCA Healthcare, Tenet, Providence and UPMC, which lacked any compliant hospitals.

From the Rx coverage / drug research front —

BioPharma Dive reports

  • Gilead has secured an expanded U.S. approval for its breast cancer medicine Trodelvy, announcing Friday the Food and Drug Administration cleared the antibody treatment for the most commonly occurring form of the tumor type. 
  • Previously approved only for rarer, “triple-negative” breast tumors, Trodelvy can now be used to treat patients with metastatic breast cancer that’s hormone receptor, or HR, positive, but negative for a protein called HER2. This type of breast cancer accounts for an estimated 70% of all new cases, according to Gilead. 
  • The FDA’s decision is a win for Gilead, which gained Trodelvy when it paid $21 billion to acquire Immunomedics in 2020. But clinical trial results showed the drug’s benefit was modest, and Gilead will face competition from a rival drug sold by AstraZeneca and Daiichi.

The Raleigh NC News and Observer discusses a late stage breast cancer injectable drug that Duke University researchers have converted into an FDA approved pill. “[Duke researcher Donald] McDonnell expects elacestrant, which will be marketed as Orserdu, to completely replace the injectable treatment regimen. Not only is the pill less taxing for patients, clinical trials also found it to be more effective.”

STAT News reports

Japanese drugmaker Eisai reported Monday the first U.S. sales of Leqembi, its treatment for Alzheimer’s disease, although exact numbers were not provided and people taking the drug appear to be paying out of pocket because insurance coverage has not yet been established. * * *

The Food and Drug Administration approved Leqembi on Jan. 6. It costs $26,500 per year and is administered by infusion every two weeks. The drug has the potential to be a commercial blockbuster, but only if Medicare can be convinced to pay for it. Unless Medicare changes the way it pays for drugs like Leqembi, Eisai expects a slow commercial rollout.

“Engagements with payers is steadily ongoing towards insurance coverage,” Eisai said Monday, although no new details about its communications with Medicare were provided. “Several” private insurers were “advancing their formulary discussions” about Leqembi reimbursement, Eisai also said, although specific coverage decisions, if any, were not disclosed Monday.

Weekend Update

David ErmerCongress, COVID-19, U.S. Healthcare

The House of Representatives and the Senate are holding Committee business and floor voting this week. The President will give the State of the Union address tomorrow at 9 pm.

Following up on the May 11 end of the Covid public health emergency decision, CNBC informs us that the federal government’s free vaccine supply with be exhausted in “early fall,” likely October.

Vaccine pricing in the early fall 

Moderna CEO Stephane Bancel told CNBC last month that the company is preparing to sell the vaccines on the private market as early as this fall. Pfizer CEO Albert Bourla told investors during the company’s earnings call this week that he is preparing for the vaccines to go commercial in the second half of the year.

Pfizer and Moderna have said they are considering hiking the price of the vaccines to somewhere around $110 to $130 per dose once the U.S. government pulls out of the vaccine program.

Paxlovid pricing and available supply

Pfizer has not announced how much the antiviral will cost once it goes commercial. The federal government is paying about $530 for a five-day treatment course. It’s unclear how much patients will have to pay out of pocket and how much of the price insurance will cover.

Dawn O’Connell, who heads the federal office responsible for the U.S. stockpile, said last August that the Health and Human Services Department expected to run out of Paxlovid by mid-2023.

[Dr. Ashish] Jha [the Omicron czar] said on Tuesday that there are still millions of doses of Paxlovid and omicron boosters in the U.S. stockpile. “They will continue to be available for free to all Americans who need them,” Jha said of the remaining federal supply.

From the public health front —

  • NPR Shots reflects on the end of the 2021-2022 tripledemic. The FEHBlog was pleasantly surprised that the Omicron X.BB surge was manageable even after the flu and RSV surges faded. In the FEHBlog’s layman’s view as a grandfather, the RSV surge was an unavoidable one-time event. The silver lining in that particular cloud is that a single-shot vaccine against RSV for infants appears on the horizon. The flu, like Omicron, will be with us for the foreseeable future.
  • The New York Times Magazine featured a thought-provoking article on menopause.
  • Fortune Well discusses available and future cancer vaccines.

Cybersecurity Dive

David ErmerCybersecurity

From the cybersecurity front, Health IT Security interviewed Senator Mark Warner (D Va) “about the healthcare cybersecurity challenges discussed in his recent policy options paper and how he plans to address them.”

The healthcare sector will likely remain an enticing target for threat actors in the coming years, but a more streamlined approach to tackling cyber risk at the federal level is urgently needed. Warner shed light on this issue by first addressing the current patchwork of cyber leadership within the federal government.

“There are four different cabinet secretaries and sixteen different federal agencies that touch on healthcare,” Warner pointed out.

Even within HHS, agencies such as the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC), and the Health Sector Cybersecurity Coordination Center (HC3) all have varying levels of oversight and expertise.

The question now, Warner explained, is “how do you put somebody in charge, or at least in charge of coordinating, so that you can take a holistic approach?”

This role would ideally help HHS “speak with one voice regarding cybersecurity in [healthcare],” the policy options paper stated, facilitating communication and collaboration between HHS and other entities such as the Cybersecurity and Infrastructure Security Agency (CISA).

Interesting.

From a cybersecurity vulnerabilities front,

Cybersecurity Dive informs us

The rising threat of flawed software will get even worse, as common vulnerabilities and exposures (CVEs) will average more than 1,900 per month, according to a report released Wednesday by insurance provider Coalition.

The monthly total will include 270 high-severity and 155 critical vulnerabilities, which often give attackers the ability to remotely take control of computer systems.

The San Francisco-based company said 94% of organizations scanned in 2022 had at least one unencrypted service that was exposed to the internet.

and

A total of 98% of organizations worldwide have integrations with at least one third-party vendor that has been breached in the last two years, according to a report released Wednesday from SecurityScorecard and the Cyentia Institute. 

Third-party vendors are five times more likely to exhibit poor security, the report found. Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches. 

The information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5. * * *

A separate report from Black Kite shows attacks on 63 vendor organizations during 2022 impacted almost 300 companies. On average, there were 4.7 impacted companies per vendor in 2022, compared with 2.5 per vendor in 2021. 

The most common vector of these attacks was unauthorized network access, accounting for 40% of the incidents, according to Black Kite. 

While the exact method of access is not usually disclosed or immediately known, unauthorized network access often is due to phishing, stolen credentials or vulnerabilities in access control, according to Bob Maley, CSO at Black Kite.

On a related note, an ISACA expert considers trends in cyberattacks.

Looking deeper into the crystal ball, Security Week discusses

The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade. 

At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

Beckers Health IT informed us on February 1, 2023:

More U.S. hospitals and health systems have reported that their websites went down this week after a cyberattack that Russian hacking group Killnet claimed responsibility for.

Becker’s reported Jan. 31 on 17 hospitals and health systems that were affected. These six organizations were also reportedly hit, according to news reports and tech company BetterCyber:

1. Banner Health (Phoenix)

2. Boulder City (Nev.) Hospital

3. CHA Hollywood Presbyterian Medical Center (Los Angeles)

4. ChristianaCare (Newark, Del.)

5. Presbyterian Healthcare Services (Albuquerque, N.M.)

6. University of Iowa Health Care (Iowa City)

On January 30, 2023, the Heath Sector Cybersecurity Coordination Center (HC3) released an analyst note on this threat. The next day, HC3 issued a sector alert about “Multiple Vulnerabilities in OpenEMR Electronic Health Records System.”

Three vulnerabilities were identified in an older version of OpenEMR, a popular electronic health records system, which can allow for a cyberattacker to access sensitive information and even compromise the entire system. The prevalence of ransomware attacks and data breaches impacting the health sector make these vulnerabilities especially important. These vulnerabilities were fixed in newer versions of OpeEMR, and therefore upgrading to the most recent version will fully patch them.

On a related note, Cyberscoop points out, “ChatGPT isn’t a malware-writing savant, and much of the hype around it obscures just how much expertise is required to output quality code.”

From the cyber breach front, last Thursday, the HHS Office for Civil Rights announced a HIPAA Security Rule alleged violation settlement with Banner Health,

a nonprofit health system headquartered in Phoenix, Arizona, to resolve a data breach resulting from a hacking incident by a threat actor in 2016 which disclosed the protected health information of 2.81 million consumers.  The settlement is regarding the Health Insurance Portability and Accountability Act (HIPAA) Security Rule which works to help protect health information and data from cybersecurity attacks.  The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.  As a result, Banner Health paid $1,250,000 to OCR and agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information.

From the ransomware front, all the FEHBlog has this week (do we really need more?) is Bleeping Computer’s The Week in Ransomware.

While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers.

The attacks started Friday morning, with threat actors targeting unpatched VMware ESXi servers with a new ransomware variant dubbed ESXiArgs.

The attacks were fast and widespread, with admins worldwide soon reporting that they were encrypted in this new campaign.

What makes this attack so devastating is that many companies operate much of their server infrastructure on VMware ESXi, allowing the encryption of one device to encrypt multiple servers simultaneously.

The good news is that some admins have been able to recover their servers by rebuilding disks from flat files, but some have reported being unable to do so as those files were also encrypted.

We also saw new research released this week, with Microsoft warning that over a hundred threat actors deploying ransomware and LockBit deciding to create a new decryptor based on Conti.

Finally, REsecurity released a report on the new Nevada ransomware-as-a-service recruiting and gearing up for future attacks.

Friday Factoids

David ErmerCDC, COVID-19, Federal employment benefits, OPM, U.S. Healthcare
Photo by Sincerely Media on Unsplash

From the Centers for Disease Control front —

  • According to the CDC’s Weekly Interpretative Report on its Covid Data Tracker, Omicron cases, hospitalizations, and deaths continued to trend down last week while community-level statistics improved. The CDC report leads with an analysis of Omicron variants. Only 4% of U.S. counties have a high level of Covid infections based on the CDC’s Communities approach.
  • The CDC’s weekly Fluview continues its string of reports that “Seasonal influenza activity continues to decline across the country.”
  • MedPage Today reports
    • “The CDC warned of a multistate outbreak of an extensively drug-resistant strain of Pseudomonas aeruginosa linked to various brands of artificial tear drops.
    • “An investigation identified artificial tears as a common exposure for many patients. Patients reported using over 10 different brands of artificial tears; EzriCare Artificial Tears, an over-the-counter product, was most common.
    • “Pending additional guidance from the CDC and FDA, “patients and healthcare providers should immediately discontinue using EzriCare Artificial Tears,” the CDC said in an advisory to its Health Alert Network.”

From the health plan design front, the FEHBlog has run across helpful articles from the Kaiser Family Foundation, the Advisory Board, and Forbes on the impact of the May 11, 2023, end of the Covid national and public health emergency. From a health plan standpoint, the biggest considerations are the end of (a) out-of-network testing and vaccine mandates and (b) the mandate to provide free rapid covid tests. Sometime in 2023, the federal government’s funding for Covid vaccines and Paxlovid will be exhausted, and health plans will need to pick up the slack.

From the FEHB front Govexec tells us

The Office of Personnel Management’s own Federal Employee Benefits Surveys, cumulatively covering hundreds of thousands of feds, have consistently reinforced this point—showing around 80% or more of feds identify strong benefits programs (led by federal retirement annuities, the Thrift Savings Plan and Federal Employees Health Benefits insurance programs) as a major part of why they stick with their jobs.  

The Employee Benefit Research Institute recently published a new report exploring such issues—one zeroing in on what makes a job “sticky” for employees, covering data and anecdotal evidence on private- and public-sector employment over the last 40 years.  

Craig Copeland, EBRI’s director of Wealth Benefits Research parsed these findings for Government Executive and affirmed that attractive federal benefits remain crucial in helping agencies retain feds. 

“Yes, it is still clear that public sector employees—including feds—are more likely to stay at their job longer than other sectors, at least up until recent years,” Copeland told Government Executive. “The defined benefits plans that public sector jobs usually provide typically are an important part of the reason that public sector employees stay longer—as well as because of the overall typically better benefits offered to public sector employees when compared with the average private sector employee.” 

However, Copeland said that it’s hard to say if these long-term trends—the popularity of strong benefits and the stickiness of the public-sector jobs that offer them—persist among the growing younger slice of feds. 

Ruh roh.

From the U.S. healthcare business front

  • The American Health Association (AHA) went bananas over the Justice Department’s unexpected withdrawal of aging antitrust guidance that favors the healthcare industry. Fierce Healthcare also discusses DOJ’s action
  • Also, from the AHA
    • Alabama hospitals lost $1.5 billion since the beginning of the pandemic, despite receiving federal COVID-19 relief funds. At the same time, costs increased $2.6 billion, leaving over half of the state’s hospitals currently operating in the red, Kaufman Hall reports. 
    • Indiana hospitals have lost $1.2 billion since 2019, with expenses for labor, medical supplies, drugs and other purchased services up by $3.2 billion, leaving many of the state’s hospitals with negative operating margins, according to a Kaufman Hall analysis.
  • The American Hospital Association’s 2023 legislative strategy is unveiled in a Politico article.

Happy Groundhog Day

David ErmerACA, Congress, Federal employment benefits, Medicare, OPM, Telehealth, U.S. Healthcare

The Hill reflects on the history of Groundhog Day. By the way, “on Thursday, Punxsutawney Phil predicted six more weeks of winter.”

Each year on the first Friday in February, [February 3, 2023], the National Heart, Lung, and Blood Institute, The Heart Truth® and others around the country celebrate National Wear Red Day® to bring greater attention to heart disease as a leading cause of death for Americans and steps people can take to protect their heart. Promote Wear Red Day in your community with resources such as printable stickers, posters, and social media graphics, including customizable ones.

From Capitol Hill, Roll Call tells us that “Senate committees will be able to get to work next week after the Senate adopted resolutions constituting their membership for the 118th Congress before departing Thursday afternoon.”

STAT News interviews the Chair and Ranking Member of the Senate’s Health, Education, Labor and Pensions Committee, Senators Bernie Sanders and Bill Cassidy respectively.

Both senators cited addressing the national shortage of nurses as high on the bipartisan to-do list. The chairman also said he thinks expanding community health centers and improving dental coverage could get both parties’ buy-ins, while Cassidy pointed to mental health care legislation and probing the rollout of efforts to eliminate patients’ surprise medical bills.

Unsurprisingly, however, Sanders’ top priority is slashing drug costs — and he’s banking on voter polling to push GOP members, or at least put them in an uncomfortable spot with constituents. 

From the Medicare front, Health Payer Intelligence provides an overview of reactions to yesterday’s CMS 2024 Medicare Advantage Advance Notice with changes for Medicare Advantage plans and Medicare Part D.

The Kaiser Family Foundation offers a detailed study of prior authorization requests for Medicare Advantage enrollees in 2021. Adverse decisions on prior authorization requests. The number of requests varied by Medicare Advantage carrier. Six percent of all prior authorizations were partially or entirely denied. 11% of prior authorization requests were appealed, and 82% of appeals were decided in the Medicare Advantage enrollee’s favor. What an interesting batch of percentages.

From the U.S. healthcare business front, BioPharma Dive reports

Sales of Eli Lilly’s new diabetes drug Mounjaro grew strongly in the final quarter of 2022, the company reported Thursday, challenging the market position of competing medicines from rival Novo Nordisk. 

Fourth quarter sales totaled $279 million, bringing the total for 2022 to $483 million following the drug’s June launch. The fast sales put Mounjaro, approved to improve blood sugar control in people with Type 2 diabetes, on pace to quickly reach blockbuster status. Studies have shown the drug to have a powerful weight-loss effect as well, supporting Lilly’s current efforts to expand the drug’s approval to include obesity treatment.  * * *

On an earnings call Thursday, Lilly executives said the company is having trouble keeping Mounjaro production high enough to match patient demand. More manufacturing capacity is being added, with a site in North Carolina expected to start production sometime later this year, CFO Anat Ashkenazi said on the call.

Russ Roberts spoke with Dr. Vinay Prasad on this week’s Econtalk episode. The topic is “Pharmaceuticals, the FDA, and the Death of Duty.” During the episode, Dr. Prasad identified Dr. Bernard Fisher as one of his heroes. Dr. Fisher passed away in 2019 at age 101. I had never heard of Dr. Fisher, but his story should be shared.

Healthcare Dive informs us.

Healthcare consumers appear to be increasingly comfortable switching providers when their current one isn’t meeting their needs, according to a report from Accenture. About 30% of patients selected a new provider in 2021 — up from 26% in 2017, the report found. A quarter switched providers in 2021 because they were unhappy with their care — up from 18% in 2017. Switching providers is especially true among younger generations, like Gen Zers and millennials, who were six times more likely to switch providers than older people, according to the report.

From the miscellany department —

  • Health Affairs Forefront delves into the data produced to date by the government’s payer transparency rules.
  • Fierce Healthcare tells us about a recent expansion of CVS Health’s virtual primary care service.
  • Benefit consultant Tammy Flanagan writing in Govexec, follows the path of a federal employee’s retirement application.

Midweek update

David ErmerACA, CDC, CMS, Congress, COVID treatment, FDA, Medicare, NIH, No Surprises Act, U.S. Healthcare

From our Nation’s capital, HHS Secretary Xavier Becerra made a statement honoring Black History Month which began today.

The Wall Street Journal reports

President Biden and House Speaker Kevin McCarthy began face-to-face debt-ceiling discussions [today], with the latter expressing cautious optimism that they can come to a deal to avoid the first-ever default of the country’s debt.

The Hill tells us

  • Senate Minority Leader Mitch McConnell (R-Ky.) has pulled Sen. Rick Scott (R-Fla.), who tried to oust him as the Senate’s top Republican in a bruising leadership race, off the powerful Commerce Committee.  
  • McConnell also removed Sen. Mike Lee (R-Utah), who supported Scott’s bid to replace McConnell as leader, from the Commerce panel, which has broad jurisdiction over a swath of federal agencies.  

Speaking of federal agencies, Healthcare Dive informs us

The Federal Trade Commission is penalizing GoodRx for sharing users’ sensitive health information with advertisers, in the agency’s first enforcement action under the Health Breach Notification Rule.

The FTC filed an order with the Department of Justice on Wednesday that would prohibit GoodRx from sharing user health data with third parties for advertising purposes, among other guardrails. GoodRx has also agreed to pay a $1.5 million fine, though the company admitted no wrongdoing. The order needs to be approved by a federal court in order to go into effect.

Also, the President issued a Statement of Administration Policy objecting to Republican legislative efforts to end the national and public health emergencies for the Covid pandemic without further delay. The Statement explains why the White House has opted to end those emergencies on May 11.

In that regard, Health Payer Intelligence notes

CMS announced that there will be a special enrollment period on the Affordable Care Act marketplace for individuals who lose their Medicaid coverage due to the public health emergency unwinding.

“Today, CMS is announcing a Marketplace Special Enrollment Period (SEP) for qualified individuals and their families who lose Medicaid or CHIP coverage due to the end of the continuous enrollment condition, also known as ‘unwinding,’” the FAQ sheet explained.

The special enrollment period will stretch from March 31, 2023 to July 31, 2024. In order to be eligible for the special enrollment period, individuals must be eligible for Affordable Care Act marketplace coverage and must have lost their Medicaid, Children’s Health Insurance Program (CHIP), or Basic Health Program (BHP) coverage.

From the Omicron and siblings front, Beckers Hospital Review points out

The FDA altered its emergency use authorizations on Paxlovid and Lagevrio, two COVID-19 treatments, on Feb. 1 to revoke a requirement for a positive COVID-19 test before a provider can prescribe them. 

“The agency continues to recommend that providers use direct SARS-CoV-2 viral testing to help diagnose COVID-19,” the FDA said in an emailed statement. But, “in rare instances, individuals with a recent known exposure (e.g., a household contact) who develop signs and symptoms consistent with COVID-19 may be diagnosed by their healthcare provider as having COVID-19” even if they test negative.

From the public health front —

  • The Commonwealth Fund issued a report titled “U.S. Health Care from a Global Perspective, 2022: Accelerating Spending, Worsening Outcomes.” The FEHBlog’s perception is quite sunny compared to this gloomy report.
  • The National Institutes of Health is celebrating American Heart Month.
  • The National Cancer Institute offers an interesting newsletter on its work.
  • The Wall Street considers dangerous fungi that are infecting people as a result of climate change.

From the No Surprises Act front, according to Healthcare Dive, the Texas Medical Association has filed a fourth lawsuit concerning the law. This time the TMA objects to the regulators’ entirely appropriate decision to increase the arbitration administration fee from $100 split between the parties to $700 similarly split. The arbitration or IDRE process was being bombarded with arbitration requests from providers. The fee increase will focus more provider attention on the open negotiation period that precedes the arbitration. “The suit also challenges the laws’ restrictions on batching claims, which allows arbitration processes only on claims with the same service code, requiring providers to go through a separate payment dispute process for each claim related to an individual’s care episode, according to the suit.” Quelle domage.

From the U.S. healthcare business front

  • Beckers Payer Issues reports, “Humana posted revenues of nearly $93 billion in 2022 and a net loss of $15 million in the most recent quarter, according to its year-end earnings report published Feb. 1.  The company also appointed Steward Health Care President Sanjay Shetty, MD, to lead its healthcare services business, CenterWell, which includes pharmacy dispensing, provider and home health services. Dr. Shetty will start April 1. In addition, the company promoted its Medicare president, George Renaudin, to president of Medicare and Medicaid, effective immediately.”
  • Beckers Hospital Review examines whether Amazon can disrupt the pharmacy industry.

From the Medicare front, the Centers for Medicare and Medicaid Services released

the Calendar Year (CY) 2024 Advance Notice of Methodological Changes for Medicare Advantage (MA) Capitation Rates and Part C and Part D Payment Policies (the Advance Notice). CMS will accept comments on the CY 2024 Advance Notice through Friday, March 3, 2023. CMS will carefully consider timely comments received before publishing the final Rate Announcement by April 3, 2023.

Tuesday’s Tidbits

David ErmerCMS, Congress, COVID treatment, COVID-19, HSA, Mental health care, NIH, No Surprises Act, Patient safety, Rx coverage, U.S. Healthcare
Photo by Patrick Fore on Unsplash

From Capitol Hill, Roll Call reports

The Biden administration will send its budget for the next fiscal year up to Capitol Hill on March 9, according to a memo from top White House aides.

That’s about a month later than the statutory deadline, which is the first Monday in February, though that target is often missed and there’s no penalty for doing so.

National Econonic Council Director Brian Deese and Office of Management and Budget Director Shalanda Young laid out the timing in a memo to “interested parties” that also discussed agenda topics for Wednesday’s scheduled meeting between President Joe Biden and Speaker Kevin McCarthy, R-Calif.

The memo, first reported by ABC News, said Biden will ask McCarthy to “commit to the bedrock principle that the United States will never default on its financial obligations,” a reference to the upcoming fight over the statutory debt ceiling. Treasury Secretary Janet L. Yellen has warned that the U.S. could be in danger of missed payments by early June if Congress doesn’t act to raise or suspend the $31.4 trillion debt limit.

The memo also says Biden will urge McCarthy and House Republicans to release their own fiscal 2024 budget blueprint that spells out the spending cuts they want to attach to any debt limit deal and how their budget will balance if they plan to extend expiring tax cuts.

Senator Tina Smith (D MN) and a bipartisan group of colleagues sent several large health insurers a letter requesting answers to questions about ghost networks. It turns out the ghost networks are online provider directories with errors. The FEHBlog thinks that the Senators should be pressuring the No Surprises Act regulators to implement the provider directory accuracy provision in that law.

From the Omicron and siblings front, the New York Times explores why Paxlovid, a reliable treatment, is underprescribed by doctors.

Doctors prescribed it in about 45 percent of recorded Covid cases nationwide during the first two weeks of January, according to White House data. In some states, Paxlovid is given in less than 25 or even 20 percent of recorded cases. (Those are likely overestimates because cases are underreported.)

Why is Paxlovid still relatively untapped? Part of the answer lies in a lack of public awareness. Some Covid patients also may decide that they don’t need Paxlovid because they are already vaccinated, have had Covid before or are younger. (My colleagues explained why even mild cases often still warrant a dose of Paxlovid.) * * *

Experts have increasingly pointed to another explanation for Paxlovid’s underuse: Doctors still resist prescribing it. Today’s newsletter will focus on that cause.

Some doctors have concerns that are rooted in real issues with Paxlovid and inform their reluctance to prescribe it. But experts are unconvinced that those fears are enough to avoid prescribing Paxlovid altogether, especially to older and higher-risk patients.

“What I’m doing for a living is weighing the benefits and the risks for everything,” said Dr. Robert Wachter, the chair of the medicine department at the University of California, San Francisco. In deciding whether to prescribe Paxlovid, he said, the benefits significantly outweigh the risks.

This isn’t very encouraging.

From the U.S. healthcare business front —

Beckers Hospital Review reports

Six years after regulators approved Amjevita, a biosimilar to the nation’s most lucrative drug, Humira, Amgen’s drug jumped on the U.S. market Jan. 31 with two list prices.

The biosimilar to AbbVie’s most profitable drug will either cost 5 percent or 55 percent less than Humira’s price, according to Amgen. Humira costs $6,922 for a month’s supply, meaning Amjevita’s price — depending on the buyer — will be $6,576 or $3,115. The higher price is designed to entice pharmacy benefit managers, and the lower one is for payers, according to Bloomberg

As Humira’s 20-year, $114 billion, 247-patent-strong monopoly ends with the first biosimilar, more copycat versions are set to premiere in the next few months.

STAT News dives deeper into the implications of Amgen’s pricing approach.

AHIP responded yesterday to CMS’s final Medicare Advantage plan audit rule.

“Our view remains unchanged: This rule is unlawful and fatally flawed, and it should have been withdrawn instead of finalized. The rule will hurt seniors, reduce health equity, and discriminate against those who need care the most. Further, the rule would raise prices for seniors and taxpayers, reduce benefits for those who choose MA, and yield fewer plan options in the future. 

“We encourage CMS to work with us, continuing our shared public-private partnership for the health and financial stability of the American people. Together, we can identify solutions that are fair, are legally sound, and ensure uninterrupted access to care and benefits for MA enrollees.” 

Is the next step the courthouse?

Money Magazine offers a list of hospitals that provide bariatric surgery with Leapfrog safety grades.

From the mental healthcare front, Fierce Healthcare tells us

Parents can now be added alongside providers, health insurers and employers to the list of stakeholders with growing concerns about mental health, according to a study by the Pew Research Center.

The study found that 40% of parents call the fact that their children might be struggling with anxiety and depression their No. 1 concern—something they’re extremely or very worried about—followed by 35% of parents who put the fear that their children are being bullied into that category.

From the tidbits department —

  • The NY Times lists ten nutrition myths that experts wish would be forgotten.
  • The NIH Directors blog explains why a “New 3D Atlas of Colorectal Cancer Promises Improved Diagnosis, Treatment.”
  • The National Association of Plan Advisors points out that “Despite a rebound in out-of-pocket health care spending in 2021, health savings account (HSA) balances increased on average over the course of the year, the Employee Benefit Research Institute (EBRI) recently found. Its analysis of HSA balances, contributions, and distributions also found, “patients sought health care services more frequently in 2021—and spent more out of pocket, as well—than they did in 2020, yet the average end-of-year balance was higher than the average beginning-of-year balance.”

Monday Roundup

David ErmerACA, CMS, COVID-19, Electronic health records, Medicare, OPM, Patient safety, U.S. Healthcare
    Photo by Sven Read on Unsplash

    Today was another busy day.

    The biggest surprise is that OPM begun refreshing its website and has revealed its logo.

    U.S. Office of Personnel Management logo
    New OPM Logo

      From the public health front —

      • The Hill reports that the President plans to end the national and public health emergencies for the Covid pandemic on May 11, 2023. Congress took steps to arrange for a soft landing in the Consolidated Appropriations Act 2023, which likely is a factor in reaching this executive decision.
      • Health IT Analytics tells us, “Researchers from New York University (NYU) Grossman School of Medicine and the Robert Wood Johnson Foundation (RWJF) unveiled the Congressional District Health Dashboard (CDHD), an online data tool that provides health data for all 435 US congressional districts and the District of Columbia.” Interesting.
      • The New York Times informs us, “A new report [on maternal health in the U.S.] highlighted the dangers faced by Native American women, who face the greatest risks during and after pregnancy. Native American women were 3.5 times as likely to die during this critical period, compared with white women, the study found.” This rang a bell with the FEHBlog because the FEHB Program included Native American employers who have contracted with OPM for FEHB coverage for their employees. “During and after pregnancy, Black women also faced heightened odds of death that were almost double those of white women, along with a risk of dying specifically from pregnancy complications that was 2.8 times that of white women.” No child should be deprived of a mother due to inadequate healthcare.
      • Yale New Haven Hospital offers insights on heart disease for lay people/patients.
      • Medpage Today discusses recently extended and updated Body Mass Indices (BMIs0 for children and adolescents.
      • LifeSciences Intelligence reports that “In a recent news release, the Emergency Care Research Institute (ECRI) highlighted gaps in communication regarding medical device recalls, noting that these gaps could be a significant threat to patient safety. This commentary was a part of the organization’s Top 10 Health Technology Hazards report.”

      From the Affordable Care Act front, the ACA regulators today promulgated a proposed rule that would create

      a new independent pathway through which individuals enrolled in plans or coverage sponsored or arranged by objecting entities that have not opted for the existing accommodation (including those enrolled in individual health insurance coverage issued by such an objecting entity) could access contraceptive services at no cost. Specifically, these proposed rules would create a mechanism, independent from the employer, group health plan, plan sponsor, institution of higher education, or issuer, through which individuals could obtain contraceptive services at no cost from a willing provider of contraceptive services. This individual contraceptive arrangement would be available to the participant, beneficiary, or enrollee without the objecting entity having to take any action facilitating the coverage to which it objects. Simply put, the action is undertaken by the individual, on behalf of the individual. * * *

      These proposed rules, if finalized, would rescind the moral exemption to covering contraceptive services without cost sharing, while keeping intact the religious exemption and without narrowing its scope or the types of entities or individuals that may claim the religious exemption. These proposed rules would also maintain the optional accommodation for sponsors of group health plans and institutions of higher education arranging student health insurance coverage that qualify for the religious exemption. 

      Here’s a link to the regulator’s fact sheet. This strikes the FEHBlog has a wise solution to this knotty problem.

      From the healthcare business front —

      The American Hospital Association relates

      Last year was the worst financial year for U.S. hospitals and health systems since the start of the COVID-19 pandemic, as growth in expenses outpaced growth in revenues and volumes, according to the latest report on hospital finances from Kaufman Hall. 

      “The increases were driven in part by a competitive labor market, as well as hospitals needing to rely on more expensive contract labor to meet staffing demands,” the report notes. “Increased lengths of stay due to a decline in discharges also negatively affected hospital margins.” 

      Hospitals experienced negative operating margins for most of the year, with approximately half of the nation’s hospitals ending the year in the red. According to the report, hospitals’ expense pressures “are unlikely to recede in 2023.”

      STAT News discusses business focused on improving human longevity.

      Health Payer Intelligence reports

      The US Department of Health and Human Services (HHS) has released a final rule that aims to introduce more oversight into the Medicare Advantage risk adjustment data validation and payment process. * * * Under the finalized rule, CMS will not extrapolate audit findings for payment years 2011 through 2017, the CMS fact sheet stated. CMS will collect non-extrapolated overpayments for plan years 2011 through 2017. Extrapolation will begin with the plan year 2018 risk adjustment data validation audit using any extrapolation technique that is statistically valid. The audits will center on high-risk plans.

      The Wall Street Journal adds “A Centers for Medicare and Medicaid Services official, Deputy Administrator and Center for Program Integrity Director Dara Corrigan, said the estimated recoveries for 2018 would be around $479 million, and the agency projected a total of about $4.7 billion over a decade. The large recoveries wouldn’t actually occur until 2025 and after, however.”

      Will this regulation drive companies out of Medicare Advantage? Time will tell. In the meantime here is a link to HHS’s fact sheet.

      Weekend Update

      David ErmerCongress, COVID-19, Mental health care, No Surprises Act
      Photo by JOSHUA COLEMAN on Unsplash

      Congress will be in session this week for Committee and floor business.

      The No Surprises Act’s RxDC reporting deadline is this Tuesday, January 31, for the 2020 and 2021 reporting years. RxBenefits informs us, “Optum, Caremark, and Express Scripts have finalized their submission files and confirmed that all submissions would be completed before January 31, 2023, if not already filed.”

      From the public health front —

      • NPR Shots explains why your kids are germ vectors, albeit adorable ones.
      • Fortune Wells reports that “Researchers at the Institute of Psychiatry, Psychology & Neuroscience at King’s College London have developed a blood-based test that can detect Alzheimer’s disease up to 3.5 years before a clinical diagnosis.” This test would help people decide whether they need the new Biogen/Eisai drug assuming Medicare approves it.
      • Fortune Well also points out how employers can reduce workplace stress.
      • Kaiser Family Foundation provides us with recent upbeat data on long Covid.

      Cybersecurity Saturday

      David ErmerCybersecurity

      From the cybersecurity policy front, Cybersecurity Dive tells us

      The public-private cybersecurity supergroup, the Joint Cyber Defense Collaborative, is turning its attention to a 2023 agenda that will address risks to vulnerable industries and sensitive elements of civil society.

      JCDC will assess risk in energy and water infrastructure sectors alongside the use of open-source software in industrial control systems, the group revealed Thursday. 

      It also wants to increase cybersecurity and reduce risk for small- and medium-sized critical infrastructure providers. JCDC will collaborate with managed service providers, managed security service providers and remote monitoring and management as part of the effort.

      FedScoop reports

      The National Institutes of Standards and Technology intends to release version 2.0 of its Cybersecurity Framework in the coming years, and this week, the agency teased some of the “potential significant updates” that may land in that new framework.

      On Thursday [January 24, 2023], NIST published a concept paper outlining significant changes to the Cybersecurity Framework and opening them to public feedback over the next several weeks. 

      The framework is a voluntary guide to help organizations in all sectors to better understand, manage, reduce, and communicate cybersecurity risks. It is used widely, along with NIST’s Risk Management Framework, by federal agencies to plan their own cybersecurity approaches.

      Of the proposed changes in the concept paper, the most notable are broadening the scope of the framework beyond critical infrastructure use cases to better include other organizations like small businesses and higher education institutions; including more guidance for implementation; and emphasizing the importance of cybersecurity governance and cybersecurity supply chain risk management, among others.

      and

      The National Institutes of Standards and Technology has issued the first version of its Artificial Intelligence Risk Management Framework that federal agency leaders and lawmakers hope will govern use of the technology.

      The Department of Commerce agency Thursday released the initial document, which it emphasized will continue to evolve as the department receives further input from industry and the scientific research community.

      Publication of the document comes as the use of AI technology receives increased public attention with the launch of new mainstream tools including Chat-GPT.

      In the framework documentNIST sets out four key functions that it says are key to building responsible AI systems: govern, map, measure and manage.

      Nextgov informs us

      The Office of Personnel Management plans to launch a federal cyber workforce dashboard to provide agencies with a better tool to address workforce needs, according to a demo of the proposed dashboard held during a National Institute of Standards and Technology webinar on Tuesday [January 24, 2023].

      An OPM spokesperson told Nextgov the cyber workforce data dashboard is a new tool that will have two versions: a public version looking at governmentwide data and an agency-specific version—where each agency will have a more granular view—to help support their workforce needs. The spokesperson added that OPM has been showing the dashboard to cyber workforce community stakeholders, such as the Office of the National Cyber Director and the Office of Management and Budget.

      This past week has been Data Privacy Week. Spiceworks explains how to convert Data Privacy Week to Data Privacy Year. Security provides thoughts and advice from data security leaders. For example

      Corey Nachreiner, Chief Security Officer at WatchGuard Technologies:

      “Data Privacy Day provides a yearly reminder that data privacy and data security are inextricably linked. Even as laws around the world increasingly recognize the rights of individuals to control how information about them is collected, used and stored, they are also putting greater responsibility on companies for being good stewards of that data and holding them accountable when they aren’t. But protecting data from malicious actors is everyone’s responsibility.”

      From the cyber vulnerabilities front —

      Cybersecurity Dive reports

      Malicious actors are using remote management and monitoring software to launch phishing attacks against federal employees, authorities warned Wednesday

      The Cybersecurity and Infrastructure Security Agency, National Security Agency and Multi-State Information Sharing and Analysis Center said since June 2022 cybercriminals have sent help desk themed phishing emails to civilian executive branch agency staff using their personal and government email addresses. 

      The lure aims to get the targeted workers to link to malicious domains in order to steal money from the targeted victims. However, authorities warn the same tactics could be used by APT actors in order to gain persistence within a network. 

      Health IT Security also offers an article on this topic.

      Fortune Magazine alerts us,

      As tech transformations—for example a business unit built around A.I. or a new app geared toward personalized customer experience—have picked up steam in recent years, so have cyber risks and data privacy concerns.

      But when organizations look internally for risk mitigation and compliance with data privacy laws, there’s a lack of qualified people to do so, according to a new report by ISACA, a professional IT governance association. Both technical privacy and legal/compliance teams are understaffed, enterprise privacy budgets are underfunded, and there are skills gaps. The findings are based on a global survey of 1,890 data privacy professionals who hold positions in IT, audit, compliance, and risk management, for example.

      Health IT Security reports that “UCHealth and UCLA Health Report Healthcare Data Breaches
      The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.”

      The Cybersecurity and Infrastructure Security Agency added known exploited vulnerabilities to its catalog — here and here.

      Health IT Security adds

      Ransomware remained a primary healthcare cyberattack tactic in Q4 2022, BlackBerry noted in its new Global Threat Intelligence Report. BlackBerry’s Threat Research and Intelligence team leveraged data collected by its own security solutions between September 1 and November 30, 2022, along with information from public and private intelligence sources.  

      Throughout the 90-day period, researchers observed threat actors using a variety of tactics, from downloaders to ransomware, infostealers, and remote access Trojans (RATs). For the healthcare sector in particular, ransomware “still poses the biggest threat,” the report indicated.

      From the ransomware front, The Wall Street Journal reports

      U.S. authorities seized the servers of the notorious Hive ransomware group after entering its networks and capturing keys to decrypt its software, the Justice Department said Thursday, calling its effort a “21st-century cyber stakeout.”

      The group linked to Hive ransomware is widely seen by authorities and cybersecurity experts as one of the most prolific and dangerous cybercriminal actors in recent years. It has been linked to attacks on more than 1,500 victims including hospitals and schools—and has extorted more than $100 million in ransom payments, the Justice Department said.

      Bravo. Bleeping Computer’s The Week in Ransomware focuses on this important development.

      Yesterday [January 26, 2023], an international law enforcement operation seized the Tor websites for the Hive ransomware operation and disclosed that they had secretly hacked the organization’s servers in July 2022.

      For the past six months, the police have monitored their communications, intercepted decryption keys, and helped victims with free decryptors.

      While no arrests were made, this was a massive blow to a prominent player in this cybercrime space while preventing $100 million in ransom payments.

      Here’s the Justice Department’s press release.

      Furthermore, an ISACA expert writes about common misconceptions about ransomware.

      From the cyber defense front, the Wall Street Journal provides advice on assessing the likelihood of a ‘Catastrophic” cyber attack, and Security Week explains how to end to password dependency.