News & Insights

Newsletter

December 11, 2023

Health Headlines – December 11, 2023


Medicare Advantage Payors Have Not Redressed 340B Underpayments

CMS recently published its remedy in response to the Supreme Court’s decision that CMS’s 340B outpatient drug payment policy violated the Medicare statute. Many hospitals that are 340B covered entities will now receive tens of millions of dollars in lump sum payments as reimbursement for what Medicare was required to pay 340B hospitals for outpatient drugs between January 1, 2018, and September 28, 2022. But unlike CMS, Medicare Advantage plans are refusing to compensate hospitals for 340B underpayments, leaving covered entities with millions of dollars of uncollected reimbursement for outpatient drugs provided to Medicare Advantage enrollees.

In September 2022, the United States Supreme Court unanimously held that CMS violated the Medicare statute when it reduced reimbursement rates for outpatient drugs for 340B hospitals. That Court, and the U.S. District Court for the District of Columbia on remand, left the issue of remedying past underpayments to CMS.

This November, CMS issued its long-awaited final rule (the Final Rule) outlining the remedy for underpaid 340B drugs for dates of service from January 1, 2018 to September 28, 2022. The Final Rule provides affected covered entities with a lump sum payment intended to pay the difference between what the hospital should have been paid and what the hospital was paid based on claims data submitted between 2018 and 2022.

Since the Supreme Court’s 2022 decision, Medicare Advantage payors have delayed taking action to remedy their underpayments dating back to 2018, saying they were awaiting instructions from CMS. As of now, many Medicare Advantage payors have not voluntarily corrected their underpayment of outpatient drugs purchased on a discounted basis through the 340B program.

King & Spalding has formed a response team to assist 340B hospitals with recovering these 340B underpayments. Our response team has evaluated the language in various Medicare Advantage contracts to determine providers' contractual rights considering the Supreme Court’s ruling and the Final Rule. To date, we have either worked out a contractual resolution or are pursuing reimbursement of underpayments in binding arbitration where payors have refused to honor their contractual obligations.

We invite you to attend our upcoming Roundtable, “Managed Care Update: The Latest in Medicare Advantage Reimbursement Issues and How to Stay Ahead,” to learn more about the Final Rule and its impact on how Medicare Advantage plans reimburse for 340B drugs. We will also discuss several other Medicare Advantage topics as well as contractual and litigation strategies to address arguments from Medicare Advantage plans that attempt to decrease hospital revenue. The link to register is available here.

Reporters, Jim Boswell, Atlanta, + 1 404 572 3534, jboswell@kslaw.com, and Elizabeth Key, Sacramento, +1 916 321 4821, ekey@kslaw.com.

First Settlement by OCR in a Phishing Cyber-Attack Investigation

On December 7, 2023, OCR released a statement that it was settling a phishing cyber-attack investigation into Lafourche Medical Group (the Medical Group) which specializes in emergency medicine, occupational medicine, and laboratory testing. The Medical Group, based in Louisiana, was the target of a phishing attack in March of 2021 which compromised the protected health information (PHI) of over 35,000 individuals. The settlement terms include payment to OCR of $480,000 and a corrective action plan that OCR will monitor for two years. This is the first settlement involving a phishing attack under the Health Insurance Portability and Accountability Act (HIPAA) rules.

The Medical Group self-disclosed the attack and the compromise of patient PHI in May 2021. According to OCR, its investigation revealed that the Medical Group “failed to conduct a risk analysis to identify potential threats or vulnerabilities to electronic [PHI] across the organization as required by HIPAA.” In addition, OCR “discovered that Lafourche Medical Group had no policies or procedures in place to regularly review information system activity to safeguard [PHI] against cyberattacks.” 

The corrective action plan, which is part of the settlement, includes the following terms:

  • Establishing and implementing security measures to reduce security risks and vulnerabilities to electronic PHI in order to keep patients’ PHI secure;
  • Developing, maintaining, and revising written policies and procedures as necessary to comply with the HIPAA rules; and
  • Providing training to all staff members who have access to patients’ PHI on HIPAA policies and procedures.

A copy of OCR’s press release can be found here.

Reporter, Amy L. O’Neill, Sacramento, +1 916 321 4812, aoneill@kslaw.com.

CMS Issues Interim Final Rule for CMS Enforcement of State Compliance with Reporting and Federal Medicaid Renewal Requirements

On December 4, 2023, CMS issued an interim final rule (the Interim Rule) (RIN 0938-AV26) to implement new enforcement authorities that CMS may use if states fail to comply with new reporting requirements or with federal Medicaid eligibility redetermination requirements following the end of the Medicaid continuous enrollment condition under the Families First Coronavirus Response Act (FFCRA). The new enforcement authorities include a .25 percentage point drop in federal matching funds each quarter reporting is not in compliance, required submissions of corrective active plans, suspending disenrollments from Medicaid for procedural reasons, and imposition of civil money penalties. The rule was effective December 6, 2023, and CMS is receiving comments through February 2.

Background on Medicaid Continuous Enrollment Condition

Under the FFCRA, the fifty states, the District of Columbia, and all 5 territories (the States) were able to claim a temporary 6.2% increase in their Federal Medical Assistance Percentage (FMAP) provided that they met several conditions, including that the states not disenroll persons enrolled in Medicaid as of or after March 18, 2020, until the end of the month in which the COVID-19 Public Health Emergency (PHE) ended. This condition is known as the Medicaid continuous enrollment condition.

All States claimed the increased FFCRA FMAP percentage, so the Medicaid continuous enrollment condition applied to all states until April 1, 2023, when the Consolidated Appropriations Act, 2023 (CAA 2023) amended the FFRCA to end the continuous Medicaid enrollment condition. Resultingly, States must conduct a full renewal of eligibility for each beneficiary (a process referred to as “unwinding”). CMS has previously provided guidance for States for unwinding from the continuous enrollment condition.

New Reporting Requirements

The CAA 2023 modified the Social Security Act (the Act) to include new reporting requirements that took effect after the continuous enrollment condition expired. The reporting requirements generally overlap with the States’ unwinding periods and pertain to the activities of the States relating to eligibility redeterminations during such period. However, CMS is interpreting certain reporting requirements to apply beyond information about a Medicaid or CHIP redetermination–for example, data on total call center volume, average wait times, and average abandonment rate–as it is impractical to limit the measures only to data related to eligibility determinations. The new reporting requirements are not wholly limited to the unwinding of the continuous enrollment condition.

Additional Enforcement Authorities

In addition to the new reporting requirements, the CAA 2023 included new enforcement authorities for CMS’s use if CMS determined a State to not be in compliance with the (1) new reporting requirements, (2) federal eligibility redetermination requirements, or (3) both. The Interim Rule provides CMS may take the following enforcement actions upon notice to the States:

  • Reduce the FMAP determined for the State by .25% for each fiscal quarter the State failed to satisfy reporting requirements.
  • Require a State to submit and implement a corrective action plan, or to revise and resubmit an already existing corrective action plan to address newly identified violations.
  • Require a State to suspend disenrollments from Medicaid that are for procedural reasons until the State takes appropriate corrective action.
  • Impose civil monetary penalties up to $100,000 for each day a State is not in compliance.

The Interim Rule provides that CMS interpret the additional enforcement authorities as giving CMS discretion to take into consideration certain mitigation circumstances related to States’ noncompliance when determining whether to utilize the aforementioned enforcement authorities. The mitigating circumstances include:

  • No harm or substantial risk of harm occurred by the noncompliance with the reporting and redetermination requirements; and
  • Extraordinary circumstances prevented the State's compliance, for example, systems outages or disasters.

The Interim Final Rule is available here.

 

Reporter, Christopher C. Jew, Los Angeles, + 1 213 443 4336, cjew@kslaw.com.

HHS Releases Cybersecurity Strategy for the Healthcare Sector

On December 6, 2023, HHS released a concept paper that outlines the Department’s cybersecurity strategy for the healthcare sector titled, “Healthcare Sector Cybersecurity Strategy.” HHS reports that cyber incidents in healthcare are on the rise with a 93% increase in large data breaches reported from 2018 to 2022 (rising from 369 to 712) and a 278% increase in large breaches involving ransomware. Cyber incidents affecting healthcare providers can cause significant care disruptions that put patients’ safety at risk. The strategy paper identified four new steps that HHS will take to build on its existing cybersecurity activities in the healthcare sector: 1) establishing voluntary cybersecurity performance goals for the healthcare sector; 2) providing resources to incentivize and implement these cybersecurity practices; 3) implementing an HHS-wide strategy to support greater enforcement and accountability; and 4) expanding and maturing the one-stop shop within HHS for healthcare sector cybersecurity. 

This year HHS conducted the 2023 Hospital Cyber Resiliency Landscape Analysis to examine hospitals’ current state of cyber security performance and needs. As a result of that analysis, HHS took action to update its voluntary healthcare-specific cybersecurity guidance and released free healthcare-specific cybersecurity trainings geared toward providing help with basic cybersecurity practices to small and medium-sized healthcare facilities. Currently, the HHS cyber security strategy includes the following activities:

  • Sharing cyber threat information and intelligence with the sector to mitigate risk from prominent and emerging threats;
  • Providing the sector with technical assistance, guidance, and resources to comply with data security and privacy laws;
  • Issuing cybersecurity guidance and threat alerts for medical devices; and
  • Publishing healthcare-specific cybersecurity best practices, resources, and guidance.

The recent HHS strategy paper identified four new concurrent steps that HHS will take to build on its existing cybersecurity activities in the healthcare sector. First, HHS will establish voluntary cybersecurity performance goals for the healthcare sector. These performance goals are designed to help healthcare institutions prioritize implementation of high-impact cybersecurity practices and will include both “essential” goals to outline minimum foundational practices for cybersecurity performance as well as “enhanced” goals to encourage healthcare providers to adopt more advanced practices.

Second, HHS will seek new authority and resources to incentivize and implement these cybersecurity practices as well as enforce new requirements through financial consequences. HHS wants to create two new programs—the first, an investments program, to help high-need healthcare providers cover the upfront costs associated with implementing “essential” cybersecurity performance goals, and the second, an incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement the “enhanced” cybersecurity performance goals.

Third, HHS will seek to implement an HHS-wide strategy to support greater enforcement and accountability so that all hospitals meet cybersecurity performance goals. HHS will propose incorporating these goals into existing regulations and programs. HHS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and the HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements. HHS will seek authority and funding from Congress to investigate potential HIPAA violations, conduct proactive audits, and increase civil monetary penalties for HIPAA violations.

Fourth, HHS plans to expand and mature the one-stop shop within HHS for healthcare sector cybersecurity through its Administration of Strategic Preparedness and Response (ASPR). HHS hopes to have ASPR promote a greater uptake of government services and resources such as technical assistance and vulnerability scanning.

The full text of the Healthcare Sector Cybersecurity Strategy paper is available here.

Reporter, Kasey Ashford, Washington D.C., +1 202 626 2906, kashford@kslaw.com.

Also in the News

OIG Publishes the Fall 2023 Semiannual Report to Congress

On December 1, 2023, OIG issued the Fall 2023 Semiannual Report to Congress (the Report), which summarizes the agency’s activities from April 1, 2023 through September 30, 2023. The Report highlights over $3.44 billion in expected recoveries resulting from HHS-OIG audits and investigations. During the reporting period, OIG reported 707 criminal enforcement actions against individuals and/or entities that engaged in crimes impacting HHS programs, and 746 civil actions, which include false claims and unjust-enrichment lawsuits, civil monetary penalty settlements, and administrative recoveries related to provider self-disclosure matters. The report is available here.