Cybersecurity Saturday


The Wall Street Journal reports today that

Investigators probing a massive hack of the U.S. government and businesses say they have found concrete evidence the suspected Russian espionage operation went far beyond the compromise of the small software vendor publicly linked to the attack.

Close to a third of the victims didn’t run the SolarWinds Corp. software initially considered the main avenue of attack for the hackers, according to investigators and the government agency digging into the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used daily by millions. * * *

The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”

That is chilling news. What should be done?

In that regard, Fortune seeks to untangle the U.S. cybersecurity “mess” for us. The article explains

Restructuring [the U.S. cybersecurity] system is core to the work of the Cyberspace Solarium Commission, a task force commissioned by Congress to help reform U.S. cybersecurity. “Our focus [is] on making the market more effective at driving good behavior,” says commissioner Suzanne Spaulding, a senior adviser for cybersecurity and counterterrorism at the Center for Strategic and International Studies. “If the market isn’t performing the way it should, why isn’t it?” 

The commission spent the past year drawing up a wide-ranging list of recommendations, and in January, 26 of them became law as part of the 2021 National Defense Authorization Act. The NDAA creates a White House–level Office of the National Cyber Director and grants new private-sector threat-response powers to the federal Cybersecurity and Infrastructure Security Agency—significant changes that commission members hope will prompt closer collaboration between government and industry on security standards. “A lot of the recommendations, some of us have been making for years,” says Cilluffo, who’s also a commissioner. “But the political will was not where it needed to be. Now, we don’t need any reminders.”

Solarium’s mandate has been extended for at least another year, and its next round of advocacy and recommendations will focus more squarely on the private sector. The goal: creating better incentives for building secure software and sharing intelligence about cyberthreats.

On the personnel front, GovConWire reported last week that

Sources said Biden is likely to name [Jen] Easterly to the newly created role of national cyber director at the White House to help guide the current administration’s cybersecurity strategy and oversee digital security efforts of agencies.

Easterly is head of resilience at Morgan Stanley and previously served as deputy director for counterterrorism at the National Security Agency between 2011 and 2013. She served in the National Security Council as special assistant to the president and senior director for counterterrorism during the Obama administration.

Healthcare Dive also noted that “The Biden administration hired Chris DeRusha as federal CISO, tasking him with coordinating cybersecurity policy across federal agencies. DeRusha previously served as the top cybersecurity officer for the Biden presidential campaign.”

Cyber Scoop adds with respect to the ongoing investigation that

[L]awmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.

A group of lawmakers led by Sen. Ron Wyden, D-Ore., is asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government.

Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill — and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed.

Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks. 

Tuesday Tidbits


The Wall Street Journal has performed a tremendous public service by publishing a state-by-state guide to obtaining a COVID-19 vaccination. The information is current as of yesterday and will be updated weekly.

STAT News reports that Regeneron and Eli Lilly are pleased with progress being made in their respective trials of monoclonal antibody cocktails to treat COVID-19. “George Yancopoulos, Regeneron’s chief scientific officer, said in a statement that even with vaccines available, the antibody will be able to help break the chain of infection, and may prove useful for individuals who are immunocompromised or unable to be vaccinated.”

Employee Benefits News offers an interesting story about how employers are confronting the opioid public health emergency.

Health Payer Intelligence discusses Blue Shield of California’s efforts to consolidate and simplify medical billing. What’s more,

[Blue Shield of California] aim[s] to achieve real-time claims settlement. In 2020, Blue Shield of California shortened its claim settlement timeframe from a maximum of 30 days down to six days, but in 2021 the company plans to reduce that timeframe further.

“For us, ‘real-time’ claims settlement means anywhere from three to nine seconds,” [Shayna] Schulz[, senior vice president of transformation and operations at Blue Shield of California] explained.

“We have a proof of concept that we’ve already done where we’ve been able to process one claim—but it starts with one—in nine seconds. We’re highly optimistic that we can rapidly scale this in 2022. And that’s going to be a game-changer for many hospitals.”

Indeed.

Because the FEHBlog cannot forget the SolarWinds backdoor hack, Cyber Scoop lets us know that

Email security firm Mimecast on Tuesday confirmed that the hackers behind the SolarWinds espionage campaign compromised a software certificate the firm uses to secure connections to Microsoft cloud services. The revelation underscores how deeply embedded the suspected Russian hackers have been in major technology companies as part of a campaign that has also breached multiple U.S. federal agencies. * * * Mimecast is one of many big tech firms to be implicated in the hacking campaign, which has also exploited bugged software made by SolarWinds, a Texas-based federal contractor. The attackers have viewed Microsoft’s source code and stolen the red-team tools that security firm FireEye uses to test clients’ defenses.

Finally, STAT News published today the story written by one of its star reporters Sharon Begley about lung cancer contracted by never-smokers.

Cigarette smoking is still the single greatest cause of lung cancer, which is why screening recommendations apply only to current and former smokers and why 84% of U.S. women and 90% of U.S. men with a new diagnosis of lung cancer have ever smoked, according to a study published in December in JAMA Oncology. Still, 12% of U.S. lung cancer patients are never-smokers.

Scientists disagree on whether the absolute number of such patients is increasing, but the proportion who are never-smokers clearly is. Doctors and public health experts have been slow to recognize this trend, however, and now there is growing pressure to understand how never-smokers’ disease differs from that of smokers, and to review whether screening guidelines need revision.

“Since the early 2000s, we have seen what I think is truly an epidemiological shift in lung cancer,” said surgeon Andrew Kaufman of Mount Sinai Hospital in New York, whose program for never-smokers has treated some 3,800 patients in 10 years. “If lung cancer in never-smokers were a separate entity, it would be in the top 10 cancers in the U.S.” for both incidence and mortality.

Ms. Begley was a never-smoker who succumbed to lung cancer on January 16, 2021. RIP.

Thursday Miscellany


President Biden has issued a blizzard of executive orders over the last day and a half. The Hill summarizes them in this article, and for more details you can find the text of each order on Whitehouse.gov.

STAT News reports that

The Biden administration is willing to consider almost anything to boost the nation’s dwindling supply of Covid-19 vaccines.

A new strategy document released Thursday, totaling nearly 200 pages, offers the first clear list of the options President Biden has before him, though it doesn’t specifically say he’ll actually take all of the steps. On the list are some controversial ideas, like cutting the amount of vaccine being administered to each American. He’s also made it clear he wants to utilize the Defense Production Act to ramp up production of key supplies, and some more straightforward options like buying more doses.

Governors and mayors around the country have complained in recent weeks that they do not have enough vaccines to meet current demand. Biden, too, has acknowledged that the supply of physical vaccines is not where it needs to be to vaccinate a majority of Americans. Already, the Trump administration stopped holding vials in reserve, in hopes of releasing more vaccines to the public.

As of today, the CDC reports that nearly 38 million doses of the two dose vaccines have been distributed and around 17.5 million have been administered. 2.1 million of those doses have been administered at long term care facilities.

In that regard, the AP reports that

Drugmaker Eli Lilly said Thursday its antibody drug can prevent COVID-19 illness in residents and staff of nursing homes and other long-term care locations.

It’s the first major study to show such a treatment may prevent illness in a group that has been devastated by the pandemic. 

Residents and staff who got the drug had up to a 57% lower risk of getting COVID-19 compared to others at the same facility who got a placebo, the drugmaker said. Among nursing home residents only, the risk was reduced by up to 80%.

The study involved more than 1,000 residents and staff at nursing homes and other long-term care locations like assisted living homes. The vast majority tested negative at the start of the study. Some were assigned to get the drug, called bamlanivimab and which is given through an IV, and others got placebo infusions.

Also on the prescription drug front, STAT News informs us that

The Food and Drug Administration has approved a monthly injectable medication, a regimen designed to rival pills that must be taken daily.

The newly approved medicine, which is called Cabenuva, represents a significant advance in treating what continues to be a highly infectious disease. In 2018, for instance, there were approximately 36,400 newly infected patients living with HIV in the U.S., according to the Centers for Disease Control and Prevention. About 1.7 million people worldwide became newly infected in 2019, according to UNAIDS.

Although several medicines exist for treating HIV, ViiV Healthcare is banking on the improved convenience of getting a monthly shot, even if it must be administered by a health care provider. The company, which is largely controlled by GlaxoSmithKline (GSK), gathered data showing nine of 10 patients in pivotal studies claimed to prefer the shot over taking pills each day.

The Wall Street Journal reports on a phenomenon that has attracted the FEHBlog’s attention — the low levels of flu infections this winter across the Northern Hemisphere, including the U.S.

The WHO says the measures people and governments are taking to prevent the spread of Covid-19, such as wearing masks and limiting public gatherings, have probably helped keep the flu in check. Increased flu vaccination rates may also be contributing, it says.

Another hypothesis holds that the broad spread of SARS-CoV-2, the virus that causes Covid-19, in countries like the U.S. may play a role in blocking the flu by lifting people’s immunity against other viruses. One study in the spring of 2020 in New York City found that people testing positive for SARS-CoV-2 were far less likely to be carrying other common viruses such as influenza viruses. Still, research into that hypothesis is just beginning.

What is clear is the historically low number of people with the flu.

The FEHBlog also ran across another interesting Cyberscoop article with more of the backstory on the SolarWinds backdoor hack as uncovered by Microsoft.

Attackers behind an espionage campaign that exploited software built by the federal contractor SolarWinds separated their most prized hacking tool from other malicious code on victim networks to avoid detection, Microsoft said Wednesday.

The findings make clear that, while the hackers have relied on a variety of tools in their spying, the tampered SolarWinds software functioned as the cornerstone of an operation that Microsoft described as “one of the most sophisticated and protracted” of the decade. Multiple U.S. federal agencies focused on national security have been breached in the campaign, which U.S. officials have linked to Russia. * * *

After the SolarWinds trojan was delivered to organizations, the attackers spent about a month pinpointing victims, according to Microsoft. As early as May 2020, the hackers were doing the “real hands-on-keyboard activity” of moving through victim networks for valuable data, Microsoft said.

The hackers were meticulous in covering their tracks. They prepared unique malicious code implants for each victim machine, according to Microsoft, and changed timestamps of the digital clues they left behind to complicate the recovery process for organizations. Microsoft called the former technique an “incredible effort normally not seen with other adversaries and done to prevent full identification of all compromised assets.”

Tuesday Tidbits


Surprise! The FEHBlog mentioned the other day that he considered the Trump Administration’s proposed HIPAA Privacy Rule amendments to be a dead letter because they had not been scheduled to be published in the Federal Register today, the last day of the Trump Administration’s Federal Register. Well, as it turns out, that proposed rule showed up in the Federal Register public inspection list today with a Federal Register publication date of Thursday, January 21. In any event, as the FEHBlog mentioned, the Biden Administration will decide the fate of this rulemaking, which for what it’s worth the FEHBlog considers to be a helpful improvement.

Also today, OPM released a preview of the 2020 Federal Employee Viewpoint Survey results. “A preview of the governmentwide results are heartening,” said Acting Director Michael Rigas. “Through the toughest times, employees have been resilient and motivated while supervisors and senior leaders alike have served employees well by embracing their roles to keep employees safe and informed.” Well done, OPM and federal agency employers and employees.

The FEHBlog is a fan of new health plan designs. Fierce Healthcare reports that

UnitedHealthcare is launching a new, virtual primary care option as part of an effort to expand access to local clinicians in its employer-sponsored plans.

Virtual primary care will be available to members in certain employer plans across 11 states, UnitedHealthcare said in an announcement. The insurer expects to expand the offering to additional states over the course of the year.

The goal, UnitedHealth said, is to make it easier for patients to establish and maintain an ongoing relationship with a primary care provider.

“The UnitedHealthcare Virtual Primary Care service and updated policy help expand the use of virtual care from delivering care to people who are sick, to now also focusing on preventing and detecting disease before it starts and, if needed, helping people more conveniently manage certain chronic conditions,” said Anne Docimo, M.D., chief medical officer at UnitedHealthcare, in a statement.

Creative.

In another creative move, Fierce Healthcare calls our attention to the following:

As healthcare continues to evolve, legacy players are aiming to be the first to gain access to the latest innovations.

At Anthem, that effort has meant launching its own Digital Incubator, which pairs financial backing with mentorship and opportunities for partnerships with universities and corporations.

“Essentially, we are looking to get access to cutting-edge healthcare products,” said Kate Merton, staff vice president and head of Anthem Digital Incubator, in an interview with Fierce Healthcare. “We work with our entrepreneurs early in the cycle to make sure they’re developed with the mindset of the payer, of the consumer and the provider all in one.”

ADI offers a number of pathways for innovators to take and operates in both digital and physical platforms, with its first incubation space opening in Palo Alto, California.

On the mental healthcare front —

  • IFEBP informs us that the Department of Labor’s Employees Benefit Security Administration, which enforces ERISA, “released the Fiscal Year (FY) 2020 Mental Health Parity and Addiction Equity Act (MHPAEA) fact sheet on investigations.”
  • “The U.S. Department of Health and Human Services (HHS) and the Office of the Surgeon General (OSG)—in collaboration with the National Action Alliance for Suicide Prevention (Action Alliance)—released The Surgeon General’s Call to Action to Implement the National Strategy for Suicide Prevention. This new report outlines the actions that communities and individuals can take to reduce the rates of suicide and help improve resilience.”

Midweek Update


Bloomberg reports that Johnson & Johnson now expects to receive Food and Drug Administration emergency use authorization for its single-dose COVID-19 vaccination in late February or early March 2021, which is later than initially anticipated.

J&J’s vaccine offers advantages in ease of distribution and administration [over the currently authorized Pfizer and Moderna vaccines]. Health systems have been navigating relatively complex two-shot campaigns for vaccines from Pfizer and Moderna. J&J’s shot will likely protect people with a single dose, and can be stored at refrigerator temperatures for three months; the Pfizer and Moderna vaccines must be frozen. Speaking Wednesday at a JPMorgan Healthcare Conference event, [Moncef] Slaoui said he expects the J&J shot to have 80% to 85% efficacy, surpassing the objective the company outlined in its clinical trial design.

Speaking of the virtual annual JPMorgan Healthcare Conference, the National Law Review reports on Day 1 of the conference here and Day 2 of the conference there. Take a gander at this interesting tidbit from Day 1

[Blue Shield of California CEO] Paul Markovich spoke to the need for real-time quality information that can result in real-time feedback and incentivization to physicians and other providers, rather than the costly and slow HEDIS pursuits we see today.  One health plan noted that it spends about $500 million a year going into physician offices looking at medical records for HEDIS pursuits, but the information is totally “in the rearview mirror” as it is too old when finally received and digested to allow for real-time treatment changes, improvement or planning.  Markovich suggested four initiatives (including the above, pay for value and shared decision making through better, more open data access) that he thought could save $100 billion per year for the country.  Markovich stressed that all of these four initiatives required a digital ecosystem and asked for help and partnership in creating one. He also noted that the State of California is close to creating a digital mandate and statewide health information exchange that could be the launching point for this exciting vision of data sharing and a digital ecosystem where the electronic health record is the beginning, but not the end of the healthcare data journey.

Health Payer Intelligence informs us that

The tension between payers and pharmaceutical companies over drug pricing has carried into 2021, as evidenced by a press release from America’s Health Insurance Plans (AHIP) criticizing pharmaceutical companies for January 2021 drug pricing increases.

“Americans are being hurt by out-of-control drug prices, which are set and fully controlled by Big Pharma alone,” Matt Eyles, president and chief executive officer of AHIP, said in a related blog post.

“The incoming Biden-Harris administration should focus on bipartisan, workable solutions to protect patients, taxpayers, and all Americans from higher drug prices, especially in the midst of the ongoing COVID-19 crisis.”

Meanwhile STAT News reports that

In an unexpected move, the high-profile billionaire [Mark Cuban] has launched the Mark Cuban Cost Plus Drug Company, which its website says is “dedicated to producing low-cost versions of high-cost generic drugs” and claims that everyone will get the same low price for every drug it makes.

As part of its mission, the company pledged to provide “radical transparency” about its manufacturing, distribution, and marketing costs. The plan is to add a flat 15% margin to wholesale prices to ensure profitability, but Cuban also promised there will be no hidden costs, no middlemen, and no rebates available only to insurers.

“This is our first step towards taking on the pricing of generic drugs,” Cuban tweeted in announcing the company, which will start by producing a medicine to treat parasites, but plans to introduce more than 100 other medicines by the end of 2021. There are also plans to build a factory in Dallas by next year, according to its web site.

The article reminds us that

[In 2018] several large hospital systems form[ed] Civica Rx, a nonprofit that contracts with manufacturers to ensure sufficient supplies to hospitals across the U.S. The idea is to entice companies, which make injectable and infused medicines but have a minimum amount of sales, to ramp up investment in production. The Civica network, which began with $100 million in capital and loans from three philanthropic organizations, now has more than 50 health systems that represent more than 1,200 hospitals and over 30% of all licensed U.S. hospital beds. The nonprofit is also teaming with the Blue Cross Blue Shield Association and 18 of its health plans to supply copycat medicines and combat rising prices.

Bleeping Computer provides us with an update on the SolarWinds backdoor hack, including an explanation of how the hack was implemented and the hacker’s various malware strains.

A week ago, the FBI, CISA, and the NSA also disclosed in a joint statement that a Russian-backed Advanced Persistent Threat (APT) group is likely behind the SolarWinds hack.

“The U.S. government and many private-sector experts have stated the belief that a foreign nation-state conducted this intrusive operation as part of a widespread attack against America’s cyberinfrastructure,” SolarWinds CEO Sudhakar Ramakrishna said today.

“To date, our investigations have not independently verified the identity of the perpetrators.”

Midweek Update


On Monday of this week, the FEHBlog was carefully reading through Division BB of the Consolidated Appropriations Act 2021, Pub. L. No. 116-260, and he discovered to his great surprise that the new law adds a new subsection 8902(p) to the FEHB Act. See Division BB, Section 102(d)(1), found at page 1616 of the enrolled bill version of H.R. 133.

The FEHBlog was surprised because Division BB, like virtually every federal healthcare mandate for the past 25 to 30 years, has taken the shortcut of reaching all health plans and providers by amending the Public Health Service Act (“PHSA”), ERISA, and the Internal Revenue Code. However, in two laws passed in 2020, the CARES Act and Division BB, Congress expressly has amended the FEHB Act too.

This new FEHBA Section 8902(p) applies the No Surprises Act and a patient rights provision (Public Health Service Act (“PHSA”) Section 2799A-1, -2, -7) contractually to FEHB plan carriers and statutorily to the health care providers who serve FEHB plan members. This means that several of the Division BB provisions about which the FEHBlog has expressed concern, e.g., the continuity of care provision (PHSA Section 2799A-3) and the provider directory provision (PHSA Section 2799A-5), do not apply to FEHB plans. You may recall that the FEHBlog expressed concern about the continuity of care provision because the FEHBP has offered transitional care to its members for over 20 years. Why upset the apple cart?

In any event, the No Surprises law will be a real bear to implement and administer. What’s more, Becker’s Hospital News reports that “The arbitration system implemented by New Jersey in 2018 to resolve surprise billing disputes between insurers and out-of-network providers is advantageous to hospitals and other providers, according to a study published Jan. 5 in Health Affairs.

1. The authors found that providers won 59 percent of arbitration decisions, and health plans won in 41 percent of decisions in the study period.

2. The average arbitration awards were considerably higher than typical in-network payment amounts. The average award was $7,222. This payment award is nine times higher than the median in-network price for the rendered service.”

The FEHBlog was intrigued to read this morning about Optum’s acquisition of one of the largest healthcare clearinghouses in the country, Change Healthcare. Assuming timely shareholder and regulatory approvals, the deal is expected to close in the second half of this year. Interestingly, “Neil de Crescenzo, President and CEO of Change Healthcare * * * will serve as OptumInsight’s chief executive officer, leading the combined organization.”

Becker’s Hospital Review lists fourteen health systems with strong balance sheets. Becker’s cautions that “This is not an exhaustive list. Hospital and health system names were compiled from credit rating reports and are listed in alphabetical order.” Nevertheless it’s worth a gander.

The Department of Health and Human Services announced today the launch of

the HPV VAX NOW campaign with the long-term goal of increasing human papillomavirus (HPV) vaccination rates among young adults ages 18–26. The campaign will specifically target young adults and healthcare providers in Mississippi, South Carolina, and Texas — states with some of the lowest HPV vaccination rates in the country.

Currently, fewer than half of young adults in the United States have received one or more doses of the HPV vaccine, and only 22% have completed the vaccine series. According to the Centers for Disease Control and Prevention (CDC), HPV causes nearly 36,000 cases of cancer in men and women each year in the U.S.  

HPV VAX NOW aligns with the OASH immunization “Catch-up to Get Ahead” campaign as part of HHS’ efforts to improve vaccination uptake in the United States. “With the increased awareness of vaccination opportunities that HHS has prioritized during the COVID pandemic, now is an important time for young adults to complete their HPV vaccine series,” said Dorothy Fink, M.D., Deputy Assistant Secretary for Women’s Health.

The HPV VAX NOW campaign is launching during Cervical Cancer Awareness Month, bringing attention to one of the six cancers and pre-cancerous cervical lesions that the HPV vaccine prevents.

The federal government’s Cybersecurity and Infrastructure Security Agency released a joint statement yesterday from the FBI, CISA, the Office of the National Intelligence Director and the National Security Agency about the status of their work on investigating and remediating the SolarWinds backdoor hack. The statement explains each agency’s role in this work.

Midweek update


Per the Office of Personnel Management, “The effective date of the Open Season change is the first day of the first full pay period in January. For annuitants this date will always be January 1.” It turns out that Sunday January 3, 2021, is the first day of the first full pay period in January 2021. How convenient.

The Consolidated Appropriations Act, 2021, does include the three standard FEHBP appropriations provisions — a prohibition on applying full Cost Accounting Standards coverage to FEHB contracts (Sec. 611), an abortion coverage restriction (Secs. 613, 614), and a limited contraceptive coverage mandate (Sec. 726) which the Affordable Care Act has overridden. What’s more, this new law extends the option of FEHBP and FEGLI coverage to 120 tribal grant schools, thereby filling a coverage gap erroneously created by the Affordable Care Act. This option is exercised by the tribal employers, who must make the minimum federal civil servant government contribution toward the benefit coverage.

For the past 20 years or so, the FEHBP has offered plan members transitional care protection pursuant to President Clinton’s Bill of Consumer Rights which states in pertinent part as follows:

Consumers who are undergoing a course of treatment for a chronic or disabling condition (or who are in the second or third trimester of a pregnancy) at the time they involuntarily change health plans or at a time when a provider is terminated by a plan for other than cause should be able to continue seeing their current specialty providers for up to 90 days (or through completion of postpartum care) to allow for transition of care.

FEHB plan carriers intending to terminate a network provider for cause generally could comply with this requirement by giving affected members 90 days advance notice of the change.

It turns out that Section 113 Division BB of the Consolidated Appropriations Act, 2021, includes an Affordable Care Act amendment ensuring continuity of care. The requirements of this new law bear similarities to the FEHBP’s transitional care protections. However, as always, the devil is in the details. For example, the new law’s transitional care provisions apply to any provider contract termination, including passive non-renewals, whether triggered by the provider or the payer, with the limited exception of payer termination for fraud or failure to meet applicable quality standards. FEHB plans and OPM have a year to sort out the details before the new requirements take effect on January 1, 2022.

In other news —

The Senate moved forward today on overriding the President’s veto of the FY 2021 National Defense Authorization Act but not on the $2000 COVID-19 relief direct stipend, per the Wall Street Journal:

Moving through the procedural steps for overriding Mr. Trump’s veto of the National Defense Authorization Act could take up much of the Senate’s time before Sunday. Sen. Bernie Sanders (I., Vt.), in a push for a stand-alone vote on increasing the size of the direct checks, has stopped Mr. McConnell from fast-tracking votes on the NDAA override. As a result, the final vote on the NDAA may not take place until Saturday due to a series of procedural steps.

The Senate took one of those steps late Wednesday, voting 80-12 to move forward with the bill, in another show of broad, bipartisan support for the legislation Mr. Trump vetoed.

Bleeping Computer updated us on how the federal government is addressing the SolarWinds backdoor hack.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all US federal agencies to update the SolarWinds Orion platform to the latest version by the end of business hours on December 31, 2020. CISA’s Supplemental Guidance to Emergency Directive 21-01 demands this from all agencies using Orion versions unaffected in the SolarWinds supply chain attack.

Saturday Stats and More

Based on the CDC’s Cases in the U.S. website, here is the FEHBlog’s chart of new weekly COVID-19 cases and deaths over the 14th through 51st weeks of this year (beginning April 2 and ending December 23; using Thursday as the first day of the week in order to facilitate this weekly update):

and here is the CDC’s latest overall weekly hospitalization rate chart for COVID-19:

The FEHBlog has noted that the new cases and deaths chart shows a flat line for new weekly deaths because new cases greatly exceed new deaths. Accordingly, here is a chart of new COVID-19 deaths over the period (April 2 through December 23):

The latest CDC FluView will be available on Monday December 28. Next week the FEHBlog will begin to include COVID vaccines in these charts.

The FEHBlog had planned to start reviewing the Affordable Care Act changes in the Consolidated Appropriations Act, 2021, but because the status of that bill unfortunately is in limbo, he instead will note two other Congressionally passed bills that are expected to receive the President’s signature:

H.R. 1418

The McCarran-Ferguson Act of 1945 “limited the application of [federal] antitrust laws to the business of insurance as long as and to the extent state law regulated the business of insurance. However, if states would not regulate insurance, the Sherman and Clayton Acts, as well the Federal Trade Commission Act still applied.” Needless to say, the States, with the assistance of the National Association of Insurance Commissioners, made sure that the States did not unwittingly create such a regulatory gap. In any event, the McCarran-Ferguson Act continued to apply federal anti-trust law, specifically the Sherman Act of 1896, to prohibit “any agreement to boycott, coerce, or intimidate, or act of boycott, coercion, or intimidation” (15 U.S.C. Sec. 1013).

H.R. 1418 adds to the McCarran-Ferguson Act a further exception for health insurance, dental insurance and limited scope dental benefits. In other words, health insurers and dental insurers will be subject to both federal and state laws against restraint of trade. The garden variety exceptions to extension of federal anti-trust law appear quite narrow to the FEHBlog.

“(A) to collect, compile, or disseminate historical loss data; (B) to determine a loss development factor applicable to historical loss data; (C) to perform actuarial services if such contract, combination, or conspiracy does not involve a restraint of trade; or (D) to develop or disseminate a standard insurance policy form.”

ThinkAdvisor adds

Matt Eyles, president of America’s Health Insurance Plans (AHIP), said in a statement about passage of H.R. 1418 that implementation of the bill would add layers of bureaucracy to health insurers and destabilize markets.

“Removal of this exemption adds tremendous administrative costs while delivering absolutely no value for patients and consumers,” Eyles said.

Consumer Reports put out a commentary welcoming passage of H.R. 1418.

“The antitrust exemption has essentially allowed health insurers to act as a monopoly, making demands in lockstep on the terms they will offer consumers and health care providers,” the advocacy organization said in a comment on bill passage. “The resulting squeeze puts pressure on providers to cut corners on service in order to increase the profits the health insurers can extract.”

How much can insurers extract when those profits are strictly regulated by the Affordable Care Act?

H.R. 7898

This bill, which the FEHBlog previously has mentioned, requires HHS’s Office for Civil Rights to consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place, when imposing penalties or other remedies for HIPAA Security Rule violations.

The bill defines “Recognized security practices” to mean

the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title).

The bill expressly does not create liability for HIPAA covered entities and business associates which decide not to adopt such practices. The bill is retroactive to the effective date of the 21st Century Cures Act of 2016.

In other healthcare legal news:

  • Reuters reports that on December 23, 2020, a federal district judge in Maryland “blocked a last-minute Trump administration rule aimed at lowering drug prices as of next week. The rule, scheduled to take effect on Jan. 1, would have tied reimbursements for 50 drugs by Medicare, a U.S. government insurance program, to the lowest prices paid by certain other countries. U.S. District Judge Catherine Blake in Maryland ruled that the administration had rushed the rule without giving the public a chance to comment, in violation of federal law.” Case No. 1:20-cv-03531 (D. Md). The temporary restraining order is effective for 14 days.
  • MedCity News reports that

The American Hospital Association, along with several other organizations, filed an emergency stay of enforcement motion to prevent the Department of Health and Human Services’ hospital price transparency rule from going into effect Jan. 1. The rule requires each hospital operating in the U.S. to make public pricing information, including the prices they negotiate with commercial health insurers. Last week, the Centers for Medicare and Medicaid issued a bulletin announcing its plans to audit a sample of hospitals for compliance with the rule starting in January.

The motion was filed with the U.S. Court of Appeals for the D.C. Circuit in its appeal of a lower court order affirming the legality of this rulemaking (Case No. 20-5193). In its opposition to this motion, the Justice Department observed that

This Court granted plaintiffs’ request for an expedited briefing and argument schedule to “allow the Court to hear and decide this case before” January 1, 2021. Pls. Mot. to Expedite, at 5 (July 3, 2020). The Court is likely to rule on the merits of this appeal imminently, thereby resolving plaintiffs’ legal challenge. Should the Court affirm the district court’s rejection of plaintiffs’ claims, plaintiffs would not be entitled to any relief, including a stay of the agency’s rule. Should the Court agree with plaintiffs’ legal challenge, by contrast, plaintiffs would be entitled to appropriate relief.

The FEHBlog will keep an eye out for this opinion next week.

Monday Roundup

Photo by Sven Read on Unsplash

Tonight the House is voting on the Consolidated Appropriations Act, 2021 (Amendment to H.R. 133), which includes the Fiscal Year 2021 omnibus spending bill, COVID-19 relief measures, and a whole lot more. After the House votes, the Senate will vote and send the Congressionally approved bill along to the President for his expected signature.

Late this afternoon, the FEHBlog found, thanks to the Hill, a complete version of the bill which included 400 pages of complicated amendments to the Affordable Care Act (Division BB). However, when the FEHBlog tried to find that version on the House Rules Committee website tonight in connection with this post, he couldn’t. There’s no sense delving into those healthcare provisions until a law is passed. In the words of John Godfrey Saxe (according to WikiQuotes), “Laws, like sausages, cease to inspire respect in proportion as we know how they are made.”

(P.S. This morning Bloomberg reports that Congress passed H.R. 133 by wide margins. Congress wisely also passed a seven-day extension of the current continuing resolution funding the federal government because, as Bloomberg reports:

Before the president can sign the full package, it must be enrolled on parchment paper, physically delivered to the White House and reviewed by administration lawyers — a process complicated by the pandemic and coming Christmas holiday.)

Moving on, under current law, a prescription drug manufacturer cannot sell a prescription drug at a price below the best price paid by Medicaid. Only Medicare Part D is excepted from that rule. Today, the Centers for Medicare and Medicaid Services (“CMS”) finalized a rule that creates a second exception for value-based pricing arrangements. CMS explains:

Under current regulations, prescription drug manufacturers face challenges accounting for VBP arrangements in their Medicaid best price reporting to CMS. This has the unintended consequence of hindering providers, insurers and prescription drug manufacturers in their efforts to develop innovative payment models for new drug therapies and other innovative treatments. Current regulations also discourage payers and manufacturers from designing new payment arrangements based on the value their product may provide.

With the new flexibilities under this final rule, manufacturers will be more willing to negotiate with payers, including Medicaid, with drug pricing being driven by the value of their drug to the individual patient. This is significant, especially in the era of new genetic-based treatments which may initially be expensive, yet in the long run offer significant value to the patient and payer. Payers will be able to negotiate prices with manufacturers for these genetic-based treatments based upon outcomes and evidence-based measures such as reduced hospitalizations, lab visits, and physician office visits, ensuring that if such measures fail to support the value of a drug, the payer is not held accountable for the full price. 

Today’s final rule codifies a broad definition of VBP, which can better align pricing and payment to observed or expected evidence and/or outcomes-based measures in a targeted population. The final rule also allows manufacturers to report multiple best prices instead of a single best price when offering their VBP arrangements to all states. By making these changes, effective in January 2022, CMS hopes to encourage VBP arrangements and negotiations to help make new, innovative therapies more available to all patients. As a result, it is estimated that these new VBP approaches could save up to $228 million in Federal and state dollars through the year 2025.  

Bravo. This action will support FEHB plan efforts to control drug costs.

On the SolarWinds backdoor hack front, Federal News Network discusses its impact on federal government cybersecurity efforts.

Weekend update

Snow trees on trail by Ian Schneider on Unsplash.com

The Wall Street Journal reports that

Lawmakers raced to put finishing touches on a roughly $900 billion coronavirus aid package, pushing up against a midnight deadline to complete the agreement and pass it through Congress. 

With a disagreement on the Federal Reserve’s emergency lending powers settled earlier in the weekend, negotiators on Sunday were finalizing details for the rest of the bill. Senate Majority Leader Mitch McConnell (R., Ky.) said Sunday afternoon that negotiators were hours away from completing the deal. * * *

The emerging agreement is expected to provide $300 a week in enhanced federal unemployment benefits, a $600 direct check to many Americans, as well as aid for schools, vaccine distribution and small businesses. Final votes in the House and Senate could occur as early as Sunday.

The House is expected to vote on a 24-hour extension of government funding Sunday evening, setting up votes on the relief agreement and broader spending bill for Monday. The aid package is tied to a roughly $1.4 trillion annual spending package and Congress has passed a series of temporary spending bills in recent days to keep the government funded while it finished the negotiations.

Significantly, Politico reports that “Congress is set to include a long-elusive ban on “surprise” medical bills as part of a major spending deal lawmakers were working to finalize Sunday evening.”

(P.S. Govexec.com confirms that Congress passed a one-day extension of the continuing resolution Sunday night.)

On the COVID-19 front —

The Centers for Disease Control now has a COVID-19 vaccines website which indicates that as of 1 pm today 2,838,225 doses of vaccine have been distributed and 556,208 doses have been administered in the first week.

In accordance with CDC Advisory Committee on Immunization Practices recommendations, the current phase 1A of distribution is directed at healthcare personnel and nursing home residents. The Wall Street Journal reports that ACIP today approved phases 1B and 1C as follows:

The next group would include people ages 75 and older, whose hospitalization and death rates are the highest of all age groups. It would also include teachers, factory workers, police and firefighters, grocery store workers and others who are considered essential to the functioning of the economy and at high risk of exposure to Covid-19.

Another group would follow them, comprised of people between the ages of 65 and 74, anyone age 16 or over with a medical condition that puts them at high risk of complications from Covid-19, and other essential workers. They include people who work in transportation and logistics, food service, water and wastewater, and energy sectors.

The ACIP vote was 13-1. State governors are the ultimate decision makers in their states, but the FEHBlog understands the governors generally defer to ACIP. As the FEHBlog has noted, the vaccines are being directly distributed to federal agencies too.

On the COVID-19 treatment front, the Wall Street Journal reports that

Doctors are treating a new flood of critically ill coronavirus patients with treatments from before the pandemic, to keep more patients alive and send them home sooner.

Last spring, with less known about the disease, doctors often pre-emptively put patients on ventilators or gave powerful sedatives largely abandoned in recent years. The aim was to save the seriously ill and protect hospital staff from Covid-19.

Now hospital treatment for the most critically ill looks more like it did before the pandemic. Doctors hold off longer before placing patients on ventilators. Patients get less powerful sedatives, with doctors checking more frequently to see if they can halt the drugs entirely and dialing back how much air ventilators push into patients’ lungs with each breath.

“Let us go back to basics,” said Dr. Eduardo Oliveira, executive medical director for critical-care services for AdventHealth Central Florida, which recommends its doctors stick with pre-pandemic guidelines for ventilator use. “The less you deviate from it, the better.”

Advances also include new drugs, most notably steroids, for severely ill patients.

In other healthcare news, Health Payer Intelligence informs us that

Payers may consider promoting ambulatory surgery centers as the ideal site of care for joint replacement surgeries, UnitedHealth Group’s recent research findings suggested.

“Findings from new UnitedHealth Group research underscore the importance of optimizing sites of care to improve patient safety and reduce costs,” the report summarized.

The study analyzed data from 2018 and 2019 procedures conducted at Optum’s ambulatory surgery centers. The researchers used low- and medium-severity surgeries to form the baseline and gauge shifts in costs and savings. They used the Ambulatory Surgery Centers Quality Collaboration’s recommended outcome measures to assess quality of care.

On the SolarWinds backdoor hack front, check out this ArsTechnica article:

Of the 18,000 organizations that downloaded a backdoored version of software from SolarWinds, the tiniest of slivers—possibly as small as 0.2 percent—received a follow-on hack that used the backdoor to install a second-stage payload. The largest populations receiving stage two were, in order, tech companies, government agencies, and think tanks/NGOs. The vast majority—80 percent—of these 40 chosen ones were located in the US.

These figures were provided in an update from Microsoft President Brad Smith. Smith also shared some insightful and sobering commentary on the significance of this almost unprecedented attack. His numbers are incomplete, since Microsoft sees only what its Windows Defender app detects. Still, Microsoft sees a lot, so any difference with actual numbers is likely a rounding error.

The FEHBlog had been wondering why not all of the victims of the backdoor hack were breached. It was a conscious decision by the hackers.