Welcome to this week's edition of the Health Law Update. In this Issue:

  • Making Sense of MACRA
  • Former Tuomey CEO Settles with DOJ for $1 Million
  • FTC Issues Compliance Guidance for Organizations that Share and Collect PHI
  • GAO Report Criticizes HHS’ HIPAA Cybersecurity Guidance and Program
  • Post-Election Webinar by the BakerHostetler Federal Policy Team
  • Events Calendar

Making Sense of MACRA

Bracing for the Medicare Part B Overhaul: Pick a Path, Pick a Pace

By Kristen McDermott Woodrum and Kaitlyn Appleby

The countdown has begun for the momentous Part B payment reforms created by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). On October 14, 2016, CMS released a final rule explaining, in nearly 2,400 pages, how its new Quality Payment Program, established under MACRA, will work when the first performance period goes live on January 1, 2017.

Through MACRA, Congress finally compromised and repealed the much-maligned sustainable growth rate (SGR) formula for Part B payments. While this aspect of the “doc fix” bill was widely publicized and easily understood, the other details of MACRA still remain a mystery to many. Recent surveys reveal that as of September, almost 30 percent of physicians had not even heard of MACRA, down from 50 percent in July.

The complexities of MACRA’s massive overhaul of Part B pose challenges to clinicians seeking to understand and prepare for its implementation. This concern was a common theme in the more than 4,000 comments CMS received on its proposed rule. CMS responded by outlining a staged approach to implementing MACRA reform in its final rule, calling CY 2017 (and perhaps CY 2018) a “transition year.” But the agency’s ultimate vision is ambitious and accelerates its transition to value-based accountable care.

Immediate Impacts: Out with the Old

The SGR is out, replaced by modest annual inflationary increases of 0.5 percent until 2019 and 0.25 percent starting in 2026. MACRA also sunsets three legacy quality reporting and performance programs: (1) the Physician Quality Reporting System (PQRS), (2) the Value-based Payment Modifier (VM) and (3) the Medicare EHR Incentive Program (commonly known as the “Meaningful Use” program). The legacy programs will officially end with their final payment adjustments in 2018 based on pre-sunset reporting periods.

In With the New: What is the Medicare Quality Payment Program?

The Medicare Quality Payment Program is not just a payment rule; it is a bold “milestone” effort to transform how care is delivered and to encourage Part B clinicians to transition from fee-for-service reimbursement to alternative payment models (APMs). The Quality Payment Program offers two paths: (1) the Merit-based Incentive Payment System (MIPS) and (2) Advanced Alternative Payment Models (Advanced APMs).

Through the Quality Payment Program, CMS is encouraging clinicians to accept risk for a defined episode of care or population through participation in the Advanced APMs with a 5 percent annual incentive payment. MIPS is the default pathway for clinicians who do not qualify to participate in an Advanced APM. Failure to participate in either an Advanced APM or the MIPS results in negative payment adjustments.

Who Must Participate?

Eligible clinicians include physicians, physician assistants, nurse practitioners, clinical nurse specialists, certified registered nurse anesthetists and groups that bill under Medicare Part B. Clinicians may elect to participate individually or as a group with a common tax identification number.

There are certain limited exclusions for:

  • Low Volume Clinicians: Clinicians with less than $30,000 in Medicare Part B allowed charges or 100 or fewer Medicare patients. CMS anticipates approximately 32.5 percent of eligible clinicians billing Part B services will qualify as low-volume clinicians in CY 2017.
  • New Medicare Enrolled Eligible Clinicians: New Medicare enrolled practitioners in their first year.

Picking a Path

Option 1: Advanced APMs

To participate in the Advanced APM pathway, clinicians must have a certain percentage of their patients or payments through an Advanced APM. The final rule describes the criteria for an APM to qualify as an Advanced APM.

  • As a threshold matter, the APM must be: an incentive model under Section 1115A of the Social Security Act (SSA), excluding a healthcare innovation award; the Shared Savings Program under Section 1899 of the SSA; or a demonstration under Section 1866 of the SSA, or a demonstration required by federal law.
  • Additionally, the APM must: (1) require participants to use certified electronic health record technology (CEHRT), (2) provide for payment for covered professional services based on quality measures comparable to those in the quality performance category under MIPS, and (3) either require that participating entities bear risk for monetary losses of more than a nominal amount under the APM, or be a Medical Home Model expanded under Section 1115A(c) of the SSA.

CMS is finalizing an initial set of Advanced APM determinations that will be released no later than January 1, 2017. CMS has already indicated the following APMs will qualify as Advanced APMs for CY 2017.

  • Comprehensive ESRD Care Model (Large Dialysis Organization (LDO) arrangement)
  • Comprehensive ESRD Care Model (non-LDO arrangement)
  • Comprehensive Primary Care Plus (CPC+)
  • Medicare Shared Savings Program ACOs - Track 2
  • Medicare Shared Savings Program ACOs - Track 3
  • Next Generation ACO Model
  • Oncology Care Model (two-sided risk arrangement)

CMS intends to change and grow this list as more APMs are proposed and developed in partnership with the clinician community and the Physician-Focused Payment Model Technical Advisory Committee. The agency anticipates (but has not formally confirmed) that the following APMs will qualify as Advanced APMs in CY 2018:

  • ACO Track 1+
  • New voluntary bundled payment model
  • Advancing Care Coordination through Episode Payment Models Track 1 (CEHRT track)

The final rule sets thresholds for the level of participation in Advanced APMs required for a Qualifying APM Participant (QP) for a year. Notably, the rule gives clinicians some credit for participation in non-Medicare APMs. CMS estimates that 5 to 8 percent of eligible clinicians will qualify for participation in Advanced APMs in CY 2017.

Option 2: MIPS

MIPS is the default pathway for eligible clinicians. CMS estimates that between 592,000 and 642,000 eligible clinicians will be required to participate in MIPS in CY 2017. But the agency anticipates that over time, an increasing number of clinicians will transition from MIPS into the Advanced APM pathway. Under MIPS, clinicians will receive payment adjustments based on data submitted in four categories: quality, improvement activities, advancing care information and cost. While the improvement activities category is new, the other categories contain elements of the legacy PQRS, VM and Meaningful Use programs.

While CY 2017 marks the first MIPS performance year, payments will not be impacted until CY 2019.

CMS intends that MIPS negative and positive payment adjustments will be equally distributed to ensure budget neutrality and estimates each of the adjustments will be $199 million when payments are first made in 2019. Additionally, CMS will pay $500 million for exceptional performance payments to eligible clinicians whose MIPS score is at least 70.

Picking a Pace

Recognizing the complexity of the Quality Payment Program and the tight implementation timeline, CMS introduced a “Pick Your Pace” option for eligible clinicians under the MIPS that decreases the reporting timeframe and scope of data.

  • Minimum Reporting. To avoid the negative 4 percent payment adjustment, in CY 2017 clinicians can report one measure in the quality performance category; one activity in the improvement activities performance category; or report the required measures of the advancing care coordination performance category.
  • Medium Reporting for Part of CY. Clinicians can report for less than the full CY but at least a full 90-day period on more than one quality measure, improvement activity or required measure in the advancing care information performance category to both avoid the negative 4 percent payment adjustment and possibly receive a positive MIPS payment adjustment.
  • Full Reporting for Partial or Entire CY. Clinicians can fully report to MIPS for a 90-day performance period or the entire CY to avoid the negative 4 percent payment adjustment and enhance the possibility for positive MIPS payment adjustments.

Preparing for the Long Haul

Success under the Quality Payment Program will involve changes to technology, infrastructure, physician support systems and clinical practices. CMS is providing $100 million over the next five years in technical assistance to MIPS-eligible clinicians in small practices, rural areas and practices located in geographic health professional shortage areas (HPSAs) and is evaluating the impact of MACRA on solo and small physician practices.

Eligible clinicians, even those familiar with the legacy reporting programs, must adapt to a whole new system of reporting and scoring. The MACRA rule further incentivizes these clinicians to examine their readiness to participate in APMs and weigh potential incentives against possible downside risk.

To prepare for the impending Part B reform, hospitals and physician groups should evaluate their current employment and professional services arrangements to ensure incentives and practice patterns are aligned with rewards under the Quality Payment Program. And as eligible clinicians adapt to these changes, an examination of reimbursement under fee-for-service commercial contracts (that may reward volume) will be warranted to ensure clinicians are rewarded for achievements in delivering quality accountable care.

Former Tuomey CEO Settles with DOJ for $1 Million

The U.S. Department of Justice (DOJ) recently reached a $1 million settlement with Ralph J. Cox III, the former CEO for Tuomey Health System, Inc. (Tuomey), in connection with his involvement in the notable Stark Law case. After protracted litigation, Tuomey agreed to pay $72.4 million in October 2015 to settle allegations that the system had violated the Stark Law. The government alleged that Cox, in hopes of addressing local competition from a new freestanding surgery center, caused Tuomey to enter into illegal compensation agreements with 19 physician specialists. Emphasizing that “the Justice Department and its law enforcement partners will hold individual decision makers accountable for their involvement in causing the companies and facilities they run to engage in unlawful activities,” the Cox settlement is significant given the high-level positions Cox held as both CEO and board member.

Under the terms of the settlement agreement, which include a four-year exclusion from participation in federal healthcare programs, Cox will personally pay $1 million to resolve his involvement in the Tuomey case. To that end, the former CEO agreed to release Tuomey from any indemnification claims or reimbursement of the settlement payment amount. In reaching the settlement agreement, it appears the DOJ utilized sworn financial statements provided by Cox to verify his ability to pay the settlement amount. If the DOJ learns that Cox failed to disclose more than $150,000 of assets, it may rescind the settlement agreement or collect the full settlement payment amount plus 100 percent of the value of Cox’s undisclosed net worth.

Signifying that additional settlements with individuals may be forthcoming, Cox has agreed to cooperate fully with the DOJ’s ongoing investigation of other individuals and entities associated with the Tuomey case.

FTC Issues Compliance Guidance for Organizations that Share and Collect PHI

By Paulette M. Thomas

The Federal Trade Commission (FTC) recently issued Guidance to remind HIPAA-compliant organizations that share and collect protected health information (PHI) for commercial activities that they must also comply with FTC Act disclosure requirements. The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce. The Guidance cautions that organizations should consider all disclosure statements made to consumers to ensure that, when taken together, they don’t create a deceptive or misleading impression.

HIPAA Compliance

HIPAA regulations require that covered entities and business associates obtain an authorization to use and disclose an individual’s PHI for “commercial activities besides treatment, payment, health care operations, or other uses and disclosures permitted or required by the Privacy Rule.” As a result, “the consumer must first give you written permission through a valid HIPAA authorization,” according to the Guidance. The authorization must be in plain language so the individual can understand it and include specific terms and a description of how the individual’s information will be used.

FTC Act Compliance

The FTC cautions that while an organization’s authorization and disclosure practices may be compliant with HIPAA, they must also comply with the FTC Act. Section 5(a) of the FTC Act, codified at 15 U.S.C. § 45(a), prohibits unfair or deceptive acts or practices in or affecting commerce and applies to all persons engaged in commerce. Under the FTC Act, the legal standards for unfairness and deception are independent of each other. An act or practice may be found to be unfair where it causes, or is likely to cause, substantial injury to consumers that is not reasonably avoidable by the consumers themselves and not outweighed by countervailing benefits to consumers or to competition.

In order to determine whether a representation, omission, or practice is deceptive, the FTC uses a three-part test:

  1. The representation, omission, or practice misleads or is likely to mislead the consumer;
  2. The consumer’s interpretation of the representation, omission, or practice must be reasonable under the circumstances; and
  3. The misleading representation, omission, or practice must be material.

Action Items for Evaluating Organizational Compliance

Organizations should evaluate their promotional practices and requests to use an individual’s PHI for marketing or commercial purposes. To that end, the Guidance sets out the following considerations for assessing organizational compliance and strategies to avoid or reduce noncompliance risks:

  • Review user interface, privacy policy, terms of use, and notice of privacy practices for consistency of statements, and evaluate whether the information would be considered deceptive.
  • Evaluate the communication’s content for promises or assurances made to protect the privacy and security of the information, and determine if these are reasonable compared to the practices in place.
  • Review and evaluate the website content and navigational processes, and review for fine print or inconspicuous disclosures that may be relevant to headlines or conspicuous postings.
  • Be aware of targeted or vulnerable audiences such as the elderly when preparing communications.
  • Review alternative forms of communication such as texting or using mobile apps, and paper documents.
  • Coordinate with the organization’s marketing department and other stakeholders to implement a process to review communications prior to implementation or posting to the website.

GAO Report Criticizes HHS’ HIPAA Cybersecurity Guidance and Program

Recently, the Government Accountability Office (GAO) reviewed the U.S. Department of Health and Human Services’ (HHS) security and privacy oversight and identified significant gaps in the cybersecurity guidance provided by HHS to entities regulated by HIPAA. The report’s primary criticism was that, although HHS prepared a crosswalk with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the crosswalk included only 19 cybersecurity factors identified by NIST in the framework. This leaves 98 subcategories of NIST’s framework unaddressed and, according to the GAO, unnecessarily exposes EHRs (and therefore protected health information) to security threats.

The GAO recommended that HHS:

  • Update HHS guidance for protecting electronic health information to address the remainder of the controls that HHS’ current guidance does not address from the NIST Cybersecurity Framework.
  • Improve technical assistance it provides to covered entities to ensure that it is pertinent to the identified problems.
  • Follow up on its corrective action recommendations after an investigation is concluded.
  • Establish benchmarks to assess the effectiveness of the audit program.

HHS’s response generally concurred with the GAO recommendations, although it also clarified that the NIST Cybersecurity Crosswalk is not meant to be a comprehensive guide for all entities seeking to protect electronic protected health information, but rather one guide among many others HHS has made available for risk management purposes.

The remainder of the recommendations did not take into account that HHS is in the process of the Phase 2 audits or that the structure of corrective action plans requires long-term monitoring (two years or more), which HHS pointed out in its response to the GAO report.

The GAO emphasized that the NIST Cybersecurity Framework crosswalk lacked detailed guidance for risk assessments and corresponding risk management plans. For healthcare providers, both OCR’s 2016 resolution agreements, which have repeatedly emphasized the need for enterprise-wide risk assessments, and the GAO report findings regarding risk assessments and risk management guidance reflect the importance of undertaking a comprehensive risk assessment and appropriately managing those risks to prevent security threats to protected health information. Healthcare providers should at the least implement safeguards that meet the bare minimum requirements from HHS and utilize NIST guidance to fully secure protected health information.

Post-Election Webinar by the BakerHostetler Federal Policy Team

BakerHostetler’s Federal Policy team is working to analyze the impact of the 2016 election on federal policy issues. After all the votes are counted, please join the team, led by former Congressman Mike Ferguson, for a “morning-after briefing” during which we will analyze the election results and discuss how changes in the White House and on Capitol Hill may impact your company's or your organization’s bottom line.

We will be joined by special guests: Senator Sherrod Brown (D-OH), who is the top Democrat on the Senate Banking, Housing, & Urban Affairs Committee, and Congressman Patrick McHenry (R-NC), who is the House Chief Deputy Whip. Both lawmakers will share their reactions to the election and forecast legislative activity for 2017.

This 60-minute webinar takes place on Wednesday, Nov. 9, from 11 a.m. – noon EST. We will provide a high-level briefing of key issues, including:

  • How and when might the next administration and the new Congress tackle tax reform, inversions and repatriation?
  • What can we expect regarding possible changes to the Affordable Care Act, Medicaid reform and CHIP?
  • Will Dodd-Frank survive?
  • What is in store for the nation’s energy policy?
  • What is the future of the sequester on defense spending?
  • Will our new president and Congress find common ground in 2017?

For questions, contact Laura Thomas at 202.861.1707.

Events Calendar

November 16, 2016

Houston Partner Lynn Sessions will present “Anatomy of an Incident” at the Independent Insurance Agents of Houston Technology Conference 2016 in Houston, TX.

Houston Partner Lynn Sessions will present “Skills-Based Volunteers: Getting the Best from the Brightest” at the 2016 Power Tools for Nonprofits Conference, hosted by CenterPoint Energy and University of Houston, in Houston, TX.

November 29, 2016

Washington, DC, Senior Advisor Michael A. Ferguson will moderate a Pharma/Healthcare panel at the FiscalNote Reinvent Influence Summit in Washington, DC.