CMS Issues Proposed Rule Updating Payment Rates and Policies for End Stage Renal Disease and Acute Kidney Injury Dialysis Treatment - On June 27, 2024, CMS issued a proposed rule updating payment rates and policies under the End-Stage Renal Disease (ESRD) Prospective Payment System (PPS) for renal dialysis services provided to Medicare beneficiaries on or after January 1, 2025 (the Proposed Rule).
CMS’s Proposed Rule also would update the Acute Kidney Injury (AKI) dialysis payment rate and would extend Medicare payments to beneficiaries with AKI receiving dialysis in a home setting. Comments are due by August 26, 2024.
Proposed Updates to the ESRD PPS for 2025
The ESRD PPS provides a bundled, per-treatment payment to facilities rendering ESRD care that includes all renal dialysis services furnished for outpatient maintenance dialysis. The proposed 2025 PPS base rate is $273.20. The current 2024 base rate is $271.02. CMS estimates that this update will increase total payments to all ESRD facilities by 2.2% from 2024.
CMS has also proposed that starting in 2025, oral-only renal dialysis drugs and biological products will be included in the ESRD PPS.
Further, CMS proposed a new wage index that would be used to adjust ESRD PPS payment for different geographic areas. Under prior rules, hospital wage index values for each geographic area have been used to adjust regional ESRD PPS payment. In this Proposed Rule, CMS noted that prior comments have suggested that because hospitals have a different proportion of registered nurses, technicians and administrative staff compared to ESRD facilities, relying on hospital wage values may not accurately represent the relative wages paid to ESRD facilities.
Under CMS’s proposed wage index, the ESRD PPS Payment geographic adjustment will be based on data from the Bureau of Labor Statistics Occupation Employment Wage & Statistics, as well as cost reports from freestanding ESRD facilities, instead of relying on hospital wage index values. CMS has also proposed to expand outlier eligibility to all drugs and biological product that were previously considered composite rate services prior to the creation of the ESRD PPS in 2011.
Proposed Changes to ESRD Quality Incentive Program
Starting in 2027, CMS has proposed to replace the current test for determining whether to reduce payment to facilities that do not meet a minimum total performance score. The current test (the Kt/V Dialysis Adequacy Comprehensive clinical measure) is a single performance standard test for facilities. The new test will focus on separate scores for outcomes related to four different categories: (i) adult hemodialysis (HD) Kt/V, (ii) adult peritoneal dialysis (PD) Kt/V, (iii) pediatric HD Kt/V, and (iv) pediatric PD Kt/V.
Proposed Payment Changes for Dialysis Services Furnished to Individuals with AKI
Starting in 2025, CMS has proposed to allow payment for AKI renal dialysis services rendered to Medicare beneficiaries in their homes. CMS has also proposed to allow ESRD facilities to bill Medicare for add-on payment adjustments for training for home dialysis care as to Medicare beneficiaries with AKI.
The Proposed Rule also updates the AKI dialysis payment rate to $273.20, the same as the base rate proposed for the ESRD PPS.
The Proposed Rule was published in the Federal Register on July 5, 2024, and is available here.
Reporter, Will Mavity, Los Angeles, + 1 213 218 4043, wmavity@kslaw.com.
OCR Settles Alleged HIPAA Violations for $950,000 Following 2017 Ransomware Attack — On July 1, 2024, the HHS Office of Civil Rights (OCR) announced that Pennsylvania-based healthcare system, Heritage Valley Health System (Heritage Valley), has agreed to pay $950,000 to settle potential violations of the HIPAA Privacy, Security, and Breach Notification Rules. In addition, Heritage Valley agreed to a corrective action plan (CAP) to address alleged gaps in its HIPAA compliance program. The settlement with Heritage Valley is the third HIPAA enforcement action by HHS in a case involving ransomware.
The settlement stems from a global ransomware cyber-attack that occurred in 2017. HHS opened a compliance review after the media reported that Heritage Valley experienced a data security incident. HHS conducted a comprehensive investigation into Heritage Valley’s compliance with HIPAA. This investigation found several alleged potential violations of HIPAA, including:
- Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic PHI (ePHI) across the organization;
- Failure to implement a contingency plan to respond to emergencies, like a ransomware attack, that damage systems that contain ePHI; and
- Failure to implement policies and procedures to allow only authorized users access to ePHI.
In addition to agreeing to pay $950,000 for the alleged HIPAA violations, Heritage Valley agreed to implement a CAP in which OCR will monitor Heritage Valley for three years to ensure compliance with HIPAA. The agreed upon CAP will require Heritage Valley to make the following corrective measures:
- Conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Implement a risk management plan to address and mitigate security risks and vulnerabilities identified in their risk analysis;
- Review and develop, maintain, and revise, as necessary its written policies and procedures to comply with the HIPAA Rules; and
- Train its workforce on its HIPAA policies and procedures.
Ransomware breaches continue to be a top enforcement priority for OCR. According to OCR, there has been a 264% increase since 2018 in large breaches reported to OCR involving ransomware attacks.
The Resolution Agreement and Corrective Action Plan can be found here. The OCR Press Release regarding the Resolution Agreement can be found here.
Reporter, Elizabeth Key, Sacramento, +1 916 321 4821, ekey@kslaw.com.