Yesterday, the FEHBlog listened to a population health management webinar presented by the National Diabetes Education Project.  The upshot of the webinar, presented by an MD and a public health researcher is that people who don’t smoke, eat sensibly, and exercise at least moderately will live a longer life and encounter a quick, low cost death. 80% of heart disease and 40% of cancers are attributable to life style. In other words, everyone should work together to prolong longevity and compress morbidity.  The speakers encouraged employers to take this tack with their employees. Each dollar spent on treating employee illnesses and injuries reportedly is tied to $2-3 lost on absenteeism and presenteeism.  The last factoid didn’t ring true to the FEHBlog because depression causes the most presenteeism problems and more spending on health care probably would reduce the ancillary cost of depression. But oh well, point taken. The speakers referred participants to Diabetes at Work, HERO Health, and a new blog by Dee Eddington (a thought leader). Tomorrow the FEHBlog plans to listen to a webinar put on by Eddington Associates.

Healthgrades.com has released its latest list of top hospitals — broken out by top 50 and top 100.  The closest top hospitals near the FEHBlog’s residence outside DC are in Baltimore and Richmond. No Washington DC metropolitan area hospitals! Here’s a link to Fierce Healthcare’s article on the top hospitals.

Finally, the Healthcare Cost Institute which is a consortium of large health insurance companies has created a website that will allow consumers to compare healthcare prices according to this Ihealthbeat article. Here’s link to the site which is called guroo.com . “The data set includes claims for more than 40 million U.S. residents. Consumers can use Guroo to query the prices for 70 services, such as diagnostic tests and office visits, in more than 300 cities, 41 states and Washington D.C.” Transparency is good.

The Affordable Care Act imposes a 40% excise tax on the cost of employer sponsored health coverage, including our beloved FEHBP, over certain dollar thresholds.  The tax is scheduled to take effect in 2018.  Like most ACA provisions this high cost plan excise tax a/k/a the Cadillac plan tax is a riddle inside an enigma. Today the IRS released 24 pages of preliminary guidance on the Cadillac tax.  The IRS is accepting public comment on this release and the Cadillac tax until May 15, 2015.

Congress returns to Washington this week. The legislature needs to resolve or at least kick down the road the Homeland Security funding issue this week.

Right after the FEHBlog hit publish on Friday’s TGIF post, the Department of Health and Human Services let loose two huge regulations — the proposed Medicare Advantage and Medicare Part D funding rule for 2016 and the final ACA notice of benefit and payment parameters also for 2016. The links are to the HHS Fact Sheets.

Here’s a link to the Hill’s article on the Medicare Advantage rule.  “The new rate proposal announced Friday would decrease payments
“modestly” by about 0.95 percent, said Sean Cavanaugh, deputy
administrator and director of the Center for Medicare and Medicaid
Services (CMS).” This reduction is bound to be controversial as Medicare Advantage is a popular program but the ACA is driving these reductions.

A hat tip to Tim Jost at the Health Affairs  blog, who has already written detailed reports on OPM’s final multi-state plan rule and the 2016 benefits and payments parameter notice.  This parameters notice continues to tighten the leash on the qualified health plans operating in the exchanges which includes OPM’s multi-state plan options. The most relevant portion of the notice for FEHB plans is its discussion of the transitional reinsurance contribution.

Here is the relevant preamble (p. 84) discussion of the transitional reinsurance contribution rate (self insured and self administered plans are exempt from this fee for 2015 and 2016)

Although we stated in the 2015 Payment Notice (79 FR 13776) that, for operationalreasons, HHS would not permit contributing entities to elect to make the entire benefit year’s reinsurance contribution by January 15, 2015, 2016, or 2017, as applicable, we have resolved those operational barriers, and now offer contributing entities the option to pay: (1) the entire 2014, 2015 or 2016 benefit year contribution in one payment no later than January 15, 2015, 2016, or 2017, as applicable (or, if such date is not a business day, the next applicable business day), reflecting the entire uniform contribution rate applicable to each benefit year (that is, $63 per covered life for 2014, $44 per covered life for 2015, and $27 per covered life for 2016); or (2) in two separate payments for the 2014, 2015, or 2016 benefit years, with the first remittance due by January 15, 2015, 2016, and 2017, as applicable (or, if such date is not a business day, the next applicable business day) reflecting the first payment of the bifurcated contribution (that is, $52.50 per covered life for 2014, $33.00 per covered life for 2015, and $21.60 per covered life for 2016); and the second remittance due by November 15, 2015, 2016, or 2017, as applicable (or, if such date is not a business day, the next applicable business day) reflecting the second payment of the bifurcated contribution (that is, $10.50 reinsurance fee per covered life for 2014,$11.00 per covered life for 2015, and $5.40 per covered life for 2016).

By operation of the ACA, the fee will sunset for 2017 for all types of plans.

Finally, the FEHBlog nearly intrigued by this Modern Healthcare article reporting that

As hospitals increasingly lose patients to medical care delivered in
clinics and home settings, hospital operators are escalating their
efforts to shrink capacity. Hospitals are operating with fewer beds or closing outright, in some cases to make way for new ambulatory-care centers.

OPM’s revised final rule on the ACA’s multi-state plan program was released today.

The Wall Street Journal and Reuters reports that the government is having a difficult time evicting hackers from the State Department’s unclassified email system.  This is another incident in which email scams have created a real mess. (Lawyers are not exempt from these “phishing” scams as illustrated by this American Bar Association Journal article.)  The FEHBlog brings up these problems because this Fortune Magazine article reports that Aetna has discovered a path to email security based on among other factors, its use of the DMARC technology pioneered by PayPal. It’s helpful to learn about best practices.

Bloomberg Business is reporting that U.S. health care spending is on the rise again. “The analysis, from the Altarum Institute research group and based on preliminary government data, shows health spending increasing by 5 percent last year, compared to 3.6 percent in 2013. If confirmed by the final tally, health-care spending during 2014 would mark the biggest jump since before the recession.” It’s not surprising that spending jumped last year as newly insured folks sought needed care.  (Here’s a link to a 2015 CBO report on Health Care and the Federal Budget). 

Year to year hospital care spending didn’t budge which is surprising because hospital prices should have moderated as the amount of uncompensated care decreased. The biggest pop (5.7%) –not surprisingly — was in prescription drugs.  Drug Channels features an interesting story about the continuing uptick in generic drug prices.

 CVS Health raised the alarm yesterday about a new class of injectable drugs called PCSK9 inhibitors that are expected to receive Food and Drug Administration approval for marketing in the middle of this year. This class of drugs which is designed to reduce levels of “bad” LDL cholesterol in the bloodstream, may cost insurers more than the Hepatitis C drugs because a lot more people are afflicted with bad cholesterol levels.

Estimates of annual pricing for PCSK9 inhibitors are in the range of $7,000-$12,000. Even if PCSK9 inhibitors are indicated for a very narrow patient population, cost estimates show that this new class of drugs will eclipse initial costs of Sovaldi seen at its launch. In addition, PCSK9 inhibitors are biologics, so there will not be a simple pathway to cheaper generics for at least a decade.

Carriers should start discussing how to manage this new class of drugs with their prescription benefit managers now.

Speaking of warnings, Kaiser Health News reports that a Palm Beach County, Florida, jury held MDVIP, the nation’s largest concierge care management firm, liable for malpractice committed by one of its contracted doctors.  The firms offers patients quick access to physician care in return for an annual fee. The $8.5 million verdict is considered to be the first such judgment against a concierge management firm. This decision, which is on appeal, should remind MDVIP and health plans should remind the importance of making crystal clear to consumers the fact that network providers are independent contractors.  

Here’s a link to an interesting Health Affairs blog post on the efforts by Lowes with 260,000 employees to engage their employees in the company’s efforts to control health care costs.  Lowes is concentrating on building employee trust in its efforts.

As part of its evolution in engaging employees, Lowe’s now pioneers a model that offers employees free access to third-party personal health assistants who are unaffiliated with a specific health care provider, insurance company, or even Lowe’s. As the company’s benefits program continues to evolve, Lowe’s is seeing a noticeable change — employees trust the independent third party and listen to its counsel. The health assistant, available to help employees with anything related to their care, has proven to be an unbiased resource and trusted partner.

99% of the 20,000 employees using such an assistant are satisfied with their health benefits, and Lowe’s sees that the program is producing significant savings. .

A belated Happy Valentine’s Day to our beloved FEHB Program!

Congress is out of session this week for the Presidents’ Day holiday. Here is a recap on last week’s activities on the Hill from This Week in Congress.  When Congress returns, its members will need to immediately resolve Department of Homeland Security funding (or kick the can down the road a little farther). In one month, the federal debt ceiling which has been suspended for about the last year will be reinstated. MarketWatch reports that the Treasury Department will be able to work its magic to avoid a default for several months thereafter. Also by the end of March Congress will need to either repeal and replace or further extend the current patch on the Medicare Part B sustainable rate of growth formula. This formula is used to calculate Part B payments to doctors. Absent some sort of fix, Medicare Part B payments to doctors will drop by 18% on April1 and that’s no April Fools Day prank.

Speaking of repeal and replace, I heard Avik Roy on the radio over the weekend speaking about the Republican alternative to the ACA. Here is a link to his Forbe’s article discussing the PATIENT Care bill. He explains that

The first version of the Patient CARE Act was co-authored [last year] by Senators Tom Coburn (Okla.), Richard Burr (N.C.), and Orrin Hatch (Utah). Coburn retired in December, and so Burr and Hatch added Rep. Fred Upton (R., Mich.), Chairman of the House Energy and Commerce Committee.  [Sen. Hatch is now Chairman of the Senate Finance Committee.]

Hacking remains in the news. Today the New York Times reports that a cybercriminal gang infiltrated the computer networks of a bunch of banks to the tune of about $1 billion in stolen cash.  According to this report both this computer crime and the computer crime perpetrated against Sony late last year kicked off with a phishing attack by which an unsuspecting employee clicked on an virus packed attachment to an email.

Herbert Lin, a cybersecurity researcher at Stanford, wrote an op-ed piece in Friday’s Wall Street Journal. He illustrated the importance of cyberliability insurance with this analogy.

Buildings today, for example, are much more resistant to fire damage because of changes driven by careful underwriting.

Health Data Management reports on the Obama Administration’s efforts to create a joint public-private defense against this scourge.

Meanwhile, Anthem announced on Friday that it is using All Clear ID as the credit monitoring and repair service for its members affected by another major computer crime.  The FEHBlog is a fan of All Clear ID‘s service. While an affected member can sign up for credit monitoring services, if an affected member decides or forgets to do so and later discovers a credit problem, he or she can call All Clear ID and the company will work to fix the problem.  More information is on the anthemfacts.com website.

And the beat goes on.

Yesterday, the Internal Revenue Service issued the final versions of the forms and instructions that FEHB plans, other health plans and insurers, and employers, including the government, will use to perform the reporting required under Internal Revenue Code Sections 6055 and 6056 of the Internal Revenue Code (as added by the ACA). The 6055 reporting (IRS Form 1095-B) is used by health plans to document plan member compliance with ACA’s individual shared responsibility mandate. The 6056 reporting (Form 1095-C) is used by large employers (50 or more full time employees) to document their compliance with the ACA’s employer shared responsibility mandate. Tim Jost on Health Affairs reviews the final forms and instructions here. OPM created a Section 6056 reporting website yesterday for the benefit of federal agencies. “Agencies need to work with shared service centers and payroll to collect and report on these requirements for the FEHB Program.”  The first reports are due early next year for the 2015 reporting year.

Today, the ACA regulators issued FAQ XXIII on excepted benefits. The regulators are now only XXVI FAQs behind the Superbowl which just hit XLIX.  The FEHBlog understands that next year will be Super Bowl 50 (not L) and thereafter the Super Bowls will revert to Roman numerals.When will the ACA regulators catch up?

The Military Times had an article on Congressional hearings held earlier this week on the recent recommendations of the Military Compensation and Retirement Modernization Commission which the FEHBlog discussed last month.

Some lawmakers zeroed in on the commission’s recommendation that the Pentagon eliminate most of Tricare’s health services and move millions of military dependents and retirees into private-sector health care policies similar to those offered to federal civilians.
Rep. Joe Heck, R-Nev., chairman of the personnel panel of the House Armed Services committee, who is also a trained physician, raised concerns about the commission’s claim that Tricare is reimbursing doctors at rates lower than government-run Medicare and fair-market value.
“As a health-care provider for over 30 years, I question that assumption,” Heck said.
That prompted a forceful response several commissioners, including former House member Steve Buyer and retired Adm. Edmund Giambastiani.
Buyer called Tricare “a broken system,” while Giambastiani said Tricare is “in a death spiral.”

Finally, thanks to the Washington Post’s Federal Eye blog, the FEHBlog found this nifty map / chart displaying the population of federal employees by Congressional District and county in 2014.

The big news today (as reported in the Wall Street Journal) is the the Nation’s third largest pharmacy chain Rite Aid has entered into an agreement to purchase a prescription benefit manager called EnvisionRx for $2 billion.  Of course this in not the first time that Rite Aid has bought a PBM. As Drug Channels discusses and the FEHBlog recalls, Rite Aid bought the Advance PCS PBM from Eli Lilly for $1.5 billion in 1998 and then sold PCS for $1 billion two years later. Advance PCS is now part of CVS Caremark.. Drug Channels explains why he thinks that this purchase will be successful for Rite Aid. Competition is good.

The Washington Post reports that the White House is creating a Cyber Threat Intelligence Integration Center modeled on the National Counterterrorism Center. The new center will be fall under the Office of the Director of National Intelligence.  The center will focus on identifying threats and acting as a crisis center when major attack like Sony and Anthem occur. The new center “is a good and important step,” [former NCTC Director Michael] Leiter said. “But it is far from a panacea.”

The Washington Post also reports on good cybersecurity work being done in South Korea — which is under cyberattack from North Korea.

Kwon Seok-chul, CEO at computer security firm Cuvepia Inc., said it has been tough to convince executives that it’s more effective to catch bad guys after they’ve infiltrated a network instead of trying to keep them out, which he believes is impossible anyway.
Kwon said his company’s latest monitoring product keeps a log of all activity, dividing it into authorized users and possible attackers. When certain conditions are met, the program sounds an alarm. A response team, he said, can sit back and watch what hackers copy and respond before damage is done. The security team can cut the hacker’s connection or trick the intruder into stealing empty files.
“Because hackers are in your palm, you can enforce any measures that you want,” said Kwon, member of an advisory board for South Korea’s cyberwarfare command.

The article explains that this software acts as a police officer to monitor server firewalls.  This is an encouraging article.

The FEHBlog has been discussing the Anthem security breach in recent posts. The Better Business Bureau offers these tips to consumers in the immediate wake of the breach.

Health Data Management reports how Anthem and other health industry stakeholders participate in a security alliance called the HiTrust Alliance which according to Health Data Management allowed the stakeholders to conclude that this particular hacking attack was limited to Anthem.

The FEHBlog noted on Friday that the Wall Street Journal, among other press sources, is reporting that the confidential data was not encrypted on Anthem’s servers. This rang a bell with the FEHBlog because as a lawyer he knows that the 2009 HITECH Act’s unsecured protected health information breach notice provisions encourages insurers and health care providers to encrypt confidential data. And insurers and health care providers do encrypt mobile devices like laptops and thumb drives. If encrypted mobile devices are lost or stolen, which can happen, encryption will protect the lost or stolen data.

The FEHBlog has puzzled over whether this new incident will push health care companies to encrypt servers holding confidential databases. Servers of course are not mobile devices.  The FEHBlog ran across this interesting blog post from a Columbia University computer science professor who explains why encrypting confidential data held on servers may not be particularly useful:

In a case like the Anthem breach, the really sensitive databases [on the servers] are always in use. This means that they’re effectively decrypted: the database management systems (DBMS) are operating on cleartext, which means that the decryption key is present in RAM somewhere. It may be in the OS, it may be in the DBMS, or it may even be in the application itself (though that’s less likely if a large relational database is in use, which it probably is). What’s to stop an attacker from obtaining that key, or perhaps from just making database queries?
The answer, in theory, is other forms of access control. Perhaps the DBMS requires authentication, or operating system permissions will prevent the attacker from getting at the keys. Unfortunately—and as these many data breaches show—these defenses are not configured properly or aren’t doing the job. If that’s the case, though, adding encryption isn’t going to help; the attacker will just go around the crypto. There’s a very simple rule of thumb here: Encryption is most useful when OS protections cannot work.
What do I mean by that? The most obvious situation is where the attacker has physical access to the device. Laptop disks should always be encrypted; ditto flash drives, backup media, etc. Using full disk encryption on your servers’ drives isn’t a bad idea, since it protects your data when you discard the media, but you then have to worry about where the key comes from if the server crashes and reboots.  

In sum, there is no simple answer to this significant problem.

The Drug Channels blog reports on what the surprisingly deep discounts on Gilead’s Hepatitis C drugs offered to PBMs after AbbVie’s competing drug hit the market portends for biosimilar drug pricing:

Biosimilars are unlikely to be fully interchangeable with their innovator products. Competition between a biologic drug and a biosimilar is much more likely to resemble brand-to-brand competition than it is to resemble the dynamics of brand-to-generic competition.
As a result, the conventional wisdom—summarized in this still relevant 2009 Federal Trade Commission (FTC) report—believes that a biosimilar’s discount will be only 10% to 30% off the innovator’s price.
However, the large hepatitis C discounts suggest that biosimilars may drive deeper discounts for formulary placement. Although the hepatitis C products are not therapeutically equivalent, we are seeing big discounts to both government and commercial payers.

That’s good news.  The Wall Street Journal’s Pharmalot blog reports that prescription drug manufacturer Pfizer has invested $16 billion to purchase one of the largest sellers of biosimilar drugs in Europe, Hospira.  The European Union has been approving biosimilars for over a decade now.

Following up on the Anthem security breach, the Wall Street Journal reports that the confidential data stolen from Anthem’s had not been encrypted. Businesses have reduced the impact of lost and stolen laptop computers by encrypting them. However, server held data usually has not been encrypted. The article explains that

Scrambling the data, which included addresses and phone numbers, could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers, that person [familiar with the matter] said.

That practice is bound to change. In an interview with Adam Meyer, chief security strategist of threat intelligence consultancy SurfWatch Labs, the Journal further reported

Based on what Anthem has shared publicly about the attack, what do you think happened?

An engineer discovered the incursion when he saw a database query being run using his credentials, which suggests the attackers probed the company’s Web server or other Web services for weaknesses, or gained access through spear phishing, in which they induced employees to click on an emailed link. Upon breaching the system, they likely hunted for administrators’ accounts, giving them access to sensitive information, such as names and Social Security numbers, which are typically hosted in the company’s enterprise resource planning application. From there, they likely queried the database behind the ERP app and began to siphon data to a cloud storage provider. Using trusted accounts to transfer data to trusted storage enabled them to remain undetected. 

The FEHBlog attended an Online Trust Alliance town hall meeting yesterday. He heard Twitter’s postmaster explain that Twitter routine send fake phishing emails to its staff. Any staff member who clicks on the message is “publicly shamed,” whatever that means.  He also head Federal Trade Commissioner Julie Brill speak. She discussed the FTC’s recent staff report called the Internet of Things which concerns the explosion of interconnected devices. Here’s a link.  

Although Anthem had cyber-liability insurance, the Financial Times reports that this massive breach will shake up the market for this insurance. A Lloyd’s representative is recommending that the government bear the risk similar to terrorism insurance.

In a spot of good news, Reuters reports that CMS has agreed to cover low dose CT scans as a means of lung cancer screening for to “Medicare beneficiaries aged 55-77 who are current smokers or who quit within the last 15 years, and who racked up at least 30 “pack years.” The latter is possible if they smoked one pack a day for 30 years, for instance, two packs a day for 15 or three packs a day for a decade.” FEHB plans which have loads of Medicare prime members became obligated to cover this service in-network with no enrollee cost sharing at the beginning of 2015. Under the U.S Preventive Services Task Force’s guidelines applicable to FEHBP plans and other group health plans:

The USPSTF recommends annual screening for lung cancer with low-dose computed tomography in adults ages 55 to 80 years who have a 30 pack-year smoking history and currently smoke or have quit within the past 15 years. Screening should be discontinued once a person has not smoked for 15 years or develops a health problem that substantially limits life expectancy or the ability or willingness to have curative lung surgery.

Absent this CMS action, FEHB plans would have been on the hook for the cost of all of these tests.

Finally, here’s an interesting tidbit from Seeking Alpha about the CVS pharmacy chain which quit selling tobacco products last year: