In This Issue:
HIPAA and Emerging Technologies
Protecting Privacy in the Digital Age: Key Questions Answered
Suit Over Hospitals’ Alleged Anticompetitive Marketing Sent to Trial
Few Medicare Part D Plans Offer Vaccines Without Cost-Sharing
HIPAA and Emerging Technologies
By Jill DeGraff, Partner, Manatt Health | Helen Pfister, Partner, Manatt Health | Randi Seigel, Counsel, Manatt Health
Editor’s Note: According to a HIMSS Mobile Technology Survey of healthcare provider employees, about 90% say they are using mobile devices to engage patients in their healthcare—and 36% believe app-enabled patient portals are the most effective patient engagement tool. A Spyglass Consulting Report reveals that an astounding 96% of physicians use text messaging for patient care coordination—and 30% say they’ve received protected health information (PHI) via text.
Clearly new technologies are transforming healthcare. In a recent webinar, Manatt Health examined how to benefit from these powerful new tools while analyzing the risks under the Health Insurance Portability and Accountability Act (HIPAA). In the first of a two-part series, Manatt summarizes below key insights shared on the enforcement landscape, HIPAA rules and best practices around six technologies—portals, email, bring your own device (BYOD), texting, mobile apps and the Internet of Things (IoT). Click here to view the full webinar free on demand—and here to download a free copy of the presentation.
The Enforcement Landscape and the Trump Administration
Cybersecurity is a high priority across the Trump administration. In April, the Department of Health and Human Services (HHS) announced that it will establish a cyberthreat nerve center, modeled after Homeland Security’s National Cybersecurity and Communications Integration Center, to assess cyberthreats and share best practices. This move reflects the acknowledgment that healthcare is a critical part of our infrastructure with national security implications.
The new director for the HHS Office of Civil Rights (OCR), Roger Severino, has declared that his office’s enforcement actions will adapt to new data security threats, including those raised by ransomware, interoperability and mobile apps. The OCR audit program, whose Phase 1 began in 2011, positions OCR for stricter enforcement. Phase 1 uncovered a number of weaknesses threatening HIPAA compliance across key areas, including risk analysis and management, content and timeliness of breach notifications, notices of privacy practices, individual access, privacy standards, device/media controls, training and transmission security.
The OCR has now begun Phase 2 audits. Added focus areas include an inventory of devices and other information system (IS) assets; evidence of IS audit logs, access reports and security incident tracking; and an inventory of business associates.
The OCR’s enforcement tools include civil monetary penalties and the requirement to establish a corrective action plan. Penalties can range from a minimum of $100 (when there is no knowledge of the violation) up to a maximum of $50,000 per violation, capped at $1.5 million annually for each identical violation.
The OCR can use statistical sampling to establish a prima facie case for the number of violations. It also can consider several aggravating or mitigating factors in its calculations, including the number of people affected, the length of time during which the violation occurred, the nature of the harm, the history of prior compliance, and the size of the covered entity or business associate.
Why Is Health the Target of Cyberattacks?
The nature of PHI makes health a prime target for cyberattacks. PHI contains immutable identifiers—such as birth dates and Social Security numbers. Consequently, PHI has higher value on the black market than, for example, credit card information.
To compound the problem, the healthcare industry has invested less in cybersecurity than other sectors have, making it a prime target. In 2015, records of about 100,000 patients were compromised by cyberattacks against healthcare organizations. In May 2017, a ransomware attack infected tens of thousands of computers in 100 countries. The threat to patient safety makes providers particularly vulnerable to ransomware attacks.
Defining the Terms
In discussing HIPAA compliance in relation to new technologies, it’s important to understand the terms:
PHI is defined under HIPAA as any individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity. PHI includes limited data sets (a set of information that includes certain identifiers). It does not include de-identified information (information from which identifying information has been removed and which cannot be re-identified).
Covered entities include healthcare providers, health plans and healthcare clearinghouses.
Business associates are individuals or entities that create, receive, maintain or transmit PHI on behalf of a covered entity for functions under the HIPAA Rule or that provide certain types of services to a covered entity.
Tech vendors generally are considered business associates. There is, however, an exception for tech vendors that serve solely as conduits for PHI and only have transient access to the protected information, such as broadband providers or cellular carriers.
Whether mobile app developers are business associates depends on the services they provide. If they are creating, receiving, maintaining or transmitting PHI, they would be considered business associates. If there is uncertainty, it’s better to err on the side of caution and assume a mobile app developer that touches PHI is a business associate.
Understanding the Security Rule
The HIPAA Privacy Rule contains requirements regarding paper and electronic PHI (ePHI), while the Security Rule addresses only ePHI. The Security Rule requires covered entities to establish three types of safeguards to protect ePHI:
Administrative safeguards are administrative actions, policies and procedures that are designed to manage a covered entity’s implementation of security measures. For example, one standard under the administrative safeguard category requires covered entities to establish security management processes to prevent, detect and correct security violations.
Physical safeguards are physical measures to protect covered entities’ ePHI, such as restricting workstation access to authorized individuals and controlling the introduction or removal of hardware and software to ensure there are no breaches.
Technical safeguards address the technology processes that covered entities must implement to protect ePHI. Technical safeguards include access control, such as establishing a unique ID for each user. They also cover integrity provisions that are designed to ensure that ePHI is protected from improper alteration or destruction.
Implementation specifications can be required or addressable. A covered entity must implement required specifications. In contrast, the covered entity can determine what is reasonable in the context of its operations to implement an addressable standard. If a covered entity determines not to implement an addressable specification, it must document the reasons for its decision and, if appropriate, implement an equivalent alternative measure.
In addition to requiring the three categories of safeguards, the Security Rule also imposes certain organizational requirements. Covered entities must (1) have reasonable and appropriate policies and procedures in place to comply with the Security Rule; (2) maintain a written record of any actions, activities or assessments required by the Security Rule; (3) have business associate agreements in place; and (4) retain all documentation for at least six years.
HIPAA’s Breach Notification Rule
A breach is defined as the acquisition, access, use or disclosure of PHI in a way that is not permitted by the Privacy Rule and that compromises the PHI’s privacy or security. The OCR, which oversees HIPAA, presumes that any loss of unencrypted data is a reportable breach. Therefore, all covered entities must have breach identification policies in place that require reporting any breach within a reasonable time frame—certainly within 60 days of discovery. A breach is deemed to be “discovered” on the first day that it is known to the covered entity or would have been known by exercising reasonable diligence.
Any unauthorized use or disclosure of PHI is presumed to be a breach. The burden is on the covered entity to evaluate a potential breach and determine whether or not an actual breach has occurred.
Communication Technology Trade-offs
There are trade-offs between making it easy for providers and patients to use familiar channels to communicate, such as email and texting, and protecting ePHI from improper disclosure. Below are the advantages, disadvantages and risks six technologies present, with tips on how organizations can protect themselves.
Patient Portals
Patient portals generally present the fewest HIPAA security concerns because most were built to comply with HIPAA and meaningful use requirements. They meet patient and physician demands, because they provide 24/7 access—although that access can be clunky. Through portals, providers can control the content that is shared with patients, as well as determine what is accessed and by whom in order to create full audit and access logs.
Portals also offer clear terms of service and privacy notices, as well as transparency around how providers will use the data. In addition, patients have to affirmatively consent to sign up and use the portal. Finally, portals factor in strong HIPAA safeguards through user authentication, including unique usernames and passwords.
Portals also have some disadvantages, however. Because the authentication process requires patients to remember yet another login and password, patients have been slow to adopt portals. In addition, portals can be costly and complex to implement, discouraging innovation. To ensure optimal use, it’s important to have clear policies in place around use of the portal.
Email
Email offers major advantages. It is easy to adopt, can be uploaded to electronic health records (EHRs) and can be encrypted. Patients also can consent to receive unencrypted information. The OCR’s HIPAA “frequently asked questions” page clearly indicates that the Privacy Rule allows covered entities to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards.
Email also presents some disadvantages and risks. It’s impossible to authenticate the user through a unique name or password or to verify that the email’s recipient is the person for whom it was intended. In addition, there are issues around transmission security. If encrypted email is utilized to address transmission security, then patients need to install a program to view encrypted emails, presenting a barrier to communication. Other risks include integrity control, given that email content (including the sender information) can be easily changed; servers residing outside the United States, where there may be limited information about HIPAA and other controls; and the potential for PHI-sensitive emails to appear on the Internet.
There are many steps organizations can take to protect themselves when using email to communicate with patients, including:
Obtaining patient consent to communicate with them via email
Developing a “light warning” disclosure of possible security risks as part of the patient consent
Creating protocols and practices for communicating PHI via email
Restricting the use of personal email by the care team
Removing the patient’s name, initials or medical record number from the subject line
Ensuring highly sensitive information, such as Social Security numbers, is never included in any part of an email
Bring Your Own Device (BYOD)
Employees are increasingly using their own devices at work. There are many advantages to this approach, including a high adoption rate, as people always have their phones with them; cost and time savings, since there is no need to educate people on how to use their own devices; and native technologies already on the phones that can be used for patient and provider communications.
There are several disadvantages, as well. Obviously, the less secure personal devices are, the greater an organization’s risk for PHI breaches. In addition, unless a mobile device management tool is installed on each phone, there is limited ability to enforce passwords or authentication, protect the devices, wipe the devices, or disable phones if they are lost.
In considering implementing a BYOD approach, the first step is to evaluate and document the risks and benefits. Even if an organization decides to implement a BYOD policy, it may not make sense for all employees to participate. For example, organizations may want to require individuals with access to particularly sensitive and/or highly regulated information to use company-controlled devices for professional and patient communications. Other best practices include creating a detailed policy; incorporating the employer’s right to access, monitor and audit devices; ensuring staff is trained on the policy and documenting their signed agreement to comply with its terms; enforcing the use of strong passwords; installing mobile device management tools; and creating an off-boarding process to ensure the removal of any ePHI.
Texting
Texting is commonplace in many organizations—and drafting an official texting policy, permitting or not permitting it, is an essential part of a HIPAA compliance program. Texting offers many advantages, including increased patient engagement, easy adoption and faster response than email. It also provides greater access control, since people control access to their phones—and typically don’t text from any other devices. In addition, cyberthreats are difficult to execute with SMS texting.
As with all approaches, however, there are risks as well as benefits. Secure messaging apps require web-accessible devices or smartphones and may require usernames and passwords. There are also added HIPAA compliance responsibilities for tech vendors and downstream business associates. In addition, traditional SMS is not encrypted, and while cyberthreats are difficult to execute, when they do occur they’re hard to detect. Finally, full texts appear even on locked screens, opening up the potential for inadvertent disclosure.
When communicating through text, it is critical to obtain patient consent. In addition, it is important to document the information that was communicated via text in the patient’s medical record. Other best practices include evaluating the use of public messaging platforms; properly wiping mobile devices after they have been discontinued for work; and taking an inventory of all mobile devices used for texting PHI, whether provider or employee-owned.
Does the Office of the National Coordinator for Health Information Technology (ONC) say that organizations can use texting to communicate health information? The answer is that it depends. Text messages are generally not secure, and the sender does not know for certain that the intended recipient received the message. However, the ONC confirmed that organizations may approve texting after performing a risk analysis or implementing a third-party solution that incorporates measures to establish a secure communication platform.
Despite the risks, the ONC recognizes the value in texting. There’s a growing body of evidence that texting is an effective way to promote health, drive behavioral change, manage chronic diseases, encourage medication adherence, support prenatal care, and motivate weight loss and physical activity. Participants in text pilots report high user satisfaction and positive self-reported behavioral changes. Program managers find increased enrollment rates when participants are able to “opt in” immediately to a texting program.
In contrast, pilots show significantly lower rates of adoption when potential enrollees provided their contact information and consent in writing through a third party, who then entered the enrollment information and set up the texting capabilities. The time lag between setup and confirmation, the provision of incorrect or incomplete information by potential participants, and the lack of direct engagement in the enrollment process all led to the lower adoption rates.
When implementing texting, it is important to consider whether encrypted texting is reasonable for a given context and will increase patient engagement. If encryption won’t bring added benefits, unencrypted texting may be most appropriate.
Texting: Not Just a HIPAA Concern
There is overlapping jurisdiction with the Federal Communications Commission (FCC) when HIPAA-covered entities use SMS text messaging. A text message is treated like any other call made to a residential line or a cellular phone and brings an additional consumer protection into play—the Telephone Consumer Protection Act (TCPA). Even if a text’s content is permissible under HIPAA, the TCPA restricts the use of an automatic telephone dialing system to call a cellular phone number without the recipient’s prior express consent.
If a message is informational and noncommercial, individuals “who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instruction to the contrary.” According to Hudson v. Sharp Healthcare (9th Circuit), the call need not be made “for the exact purpose for which the number was provided,” as long as the call bears some relation to the product or service for which the number was given. It is important to be cautious, however, because there is a wide range of court decisions and findings.
Developing a Policy for Texting
Organizations that permit SMS texting must develop policies and procedures, both for texting with patients and for texting among professionals. Policies should include workforce training on the appropriate use of work-related texting, at a minimum, as part of compliance training programs to ensure there are annual reminders to clinicians. In addition, organizations should maintain device and media controls for mobile devices of professionals who create, receive or maintain text messages. Policies also should delineate permitted use cases, detailing when texting is permitted and placing limits on the types of PHI that can be shared via text.
All policies and procedures should encourage more secure alternatives for communicating highly sensitive information. If organizations have patient advisory councils, they should be part of the discussions around risks and benefits and participate in the policymaking process.
When developing a policy specific to patients, it’s important to include procedures for verifying phone numbers and authenticating identity; to decide on the scope and form of consent (i.e., opt-in requirements); and to disclose to patients that they will be receiving unsecured messages, as well as inform them about opt-out procedures. When designing policies for texting between professionals, consider using a HIPAA-secured platform to support care team collaboration; securing devices so that native features are allowed but photo storage is prevented; implementing device controls; prohibiting the texting of medical orders; and reinforcing the need to document texts in medical charts.
Mobile Apps
Mobile apps offer a wealth of advantages. They provide user-centric solutions and optimize the use of native device technologies, such as cameras. In addition, cloud-based platforms provide access to state-of-the-art security and robust computing power. They also bring cost efficiencies through flexibility that allows covered entities to start with small pilots and scale up, as needed.
Apps also come with some disadvantages. As more technologies are introduced, there is a multiplier effect in the challenges of compliance management that also can affect downstream business associates. In addition, there is no one-size-fits-all approach to implementing security safeguards.
There are best practices to protect organizations communicating through mobile apps. It is critical to evaluate the technology environment in which the app is providing a service and perform an appropriate risk analysis. It also is essential to develop app-specific policies and procedures within the context of the risk framework, as well as within an organization’s broader governance framework. This process includes actively engaging the stakeholders who will be using the app, both to gather input and to provide training.
The Internet of Things (IoT)
The IoT offers significant benefits. Generally speaking, these are medical-grade devices subject to Food and Drug Administration (FDA) cybersecurity standards. They very often will be tied to making a clinically relevant decision, so it is crucial that they are secure and that there are appropriate policies and procedures in place. Organizations should be diligent in ensuring providers and vendors are adhering to all the safeguards in the Security Rule.
The IoT also presents undetected vulnerabilities and risks, particularly around device inventory and management, firmware patches and updates, and transmission security. In addition, there are challenges around the need to wipe ePHI between deployments.
As with all the new technologies, the best protection for an organization is to clearly define device management procedures. There should be satisfactory assurances that there is full compliance with the FDA’s Quality System Regulation.
Coming Next Month…
In next month’s “Health Update,” we will feature part 2 of our “HIPAA and Emerging Technologies” summary, focused on evaluating and contracting with vendors, as well as reviewing compliance strategies.
Protecting Privacy in the Digital Age: Key Questions Answered
By Jill DeGraff, Partner, Manatt Health | Helen Pfister, Partner, Manatt Health | Randi Seigel, Counsel, Manatt Health
Editor’s Note: During our recent webinar on “HIPAA and Emerging Technologies,” we received so many compelling questions from our more than 600 registrants that there was not enough time to cover them all. Below we respond to some of the most commonly asked questions that we didn’t get the chance to address during the program. (See the article above for part 1 in our series summarizing the webinar’s content.)
Question 1: What should a consent contain that authorizes a covered entity to communicate with a patient over email?
Answer 1: Neither the Health Insurance Portability and Accountability Act nor the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS)—the agency that interprets and enforces HIPAA—requires a patient to provide consent prior to a covered entity communicating with that patient via email. However, HIPAA does require the application of reasonable safeguards when communicating with patients via email to ensure they are aware of the risks involved. Therefore, as a best practice, covered entities should obtain affirmative consent from patients before initiating email communications.
On its HIPAA Frequently Asked Questions (FAQ) page, the OCR says:
“Patients may initiate communications with a provider using e-mail. If this situation occurs, the healthcare provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.” [1]
The FAQ provides clear guidance on the specific information that covered entities should include when obtaining patient consent:
The risks associated with using unencrypted email. (A third party may be able to access and read the information, since it is transmitted over the Internet.)
The risks of having treatment information included in emails. (Someone other than the intended recipient may be able to access the email account and read the message.)
The patient’s right to revoke consent.
The avoidance of using email to address urgent medical matters.
In the HIPAA FAQ, the OCR also states that if a patient specifically requests that a covered entity communicate with him or her via email, the covered entity should acquiesce:
“…an individual has the right under the Privacy Rule to request and have a covered healthcare provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a healthcare provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.”
In short, the OCR guides covered entities to follow the communication preferences of their patients. If the patient prefers email communication, the provider should accommodate that request, as long as it is reasonable. Conversely, if the patient is not comfortable with unencrypted email, the provider should offer a more secure alternative. As a practice tip, we recommend that very sensitive information, such as Social Security numbers, diagnosis information and substance abuse treatment information, not be communicated over email given the heightened risks associated with inadvertent disclosures of this information.
Question 2: What are the risks of maintaining PHI on servers outside of the United States (offshore)?
Answer 2: While HIPAA itself does not prohibit maintaining protected health information (PHI) outside of the United States, there are state laws or contractual requirements between covered entities and federal or state agencies that may impact a covered entity’s ability to do so.
Section 1902(a)(80) of the Social Security Act prohibits a state from providing any “payments for items or services provided under the State plan or under a waiver to any financial institution or entity located outside of the United States.” The Centers for Medicare and Medicaid Services (CMS), however, has issued guidance in accordance with the Affordable Care Act (ACA) stating that Medicaid agencies are permitted to provide payments to contractors operating offshore for tasks—including administrative functions—that support the administration of the Medicaid program. [2]
Despite the permissibility of offshoring under federal law, four states’ Medicaid agencies have executive orders and contract requirements in place that prohibit any of their contractors (such as Medicaid managed care plans) from using offshoring services. [3] Some states, such as New York, do not prohibit offshoring in law or regulation but have banned it through contract requirements and internal policy. New York, for example, prohibits Medicaid managed care plans from offshoring any administrative or management functions of those plans. Other states, such as New Jersey and Missouri, do permit offshoring but only under limited circumstances.
In addition, CMS requires Medicare Advantage and Part D sponsors that contract with offshore vendors to perform Medicare-related work that uses beneficiary PHI to provide CMS with specific offshore subcontractor information and complete an attestation regarding protection of beneficiary PHI. Medicare Advantage and Part D sponsors must provide that information to CMS within 30 calendar days of signing an offshore contract. [4] They also must advise CMS any time there are changes to the functions that the current offshore contractor provides. [5]
Question 3: Should sanctioned attempts by digital security specialists to break into protected systems and networks be part of HIPAA-compliant risk assessment and risk management programs?
Answer 3: The HIPAA Security Rule does not specifically require covered entities and business associates to hire digital security specialists to test system vulnerabilities through sanctioned attempts to break into protected systems and networks. Instead, within the flexible framework of the Security Rule, a covered entity or business associate must determine whether implementing this security measure is reasonable and appropriate, based on the following factors:
The size, complexity and capabilities of the covered entity;
The covered entity’s technical infrastructure, hardware and software security capabilities;
The costs of security measures; and
The probability and criticality of potential risks to electronic PHI.
The best practice is to have a governance structure in place to support a formal process for addressing policy questions, such as the length of time between periodic reviews and thresholds that might trigger re-evaluation.
Question 4: How has the healthcare industry’s growing acceptance of commercial cloud services affected the regulatory standards for determining compliance with the HIPAA Security Rule?
Answer 4: HIPAA’s administrative safeguards include the requirement to reassess security measures in response to environmental and operational changes. One major change is the rising number of cyberattacks waged against healthcare organizations, as illustrated by the World Privacy Forum’s interactive map of reported medical data breaches in the United States. Another is the increased risk that malicious actors targeting smaller covered entities and business associates can gain access to the systems and networks of a broader clinical network.
Concurrent with the rise in cyberattacks is the healthcare industry’s growing acceptance of commercial cloud services. This rising acceptance of cloud services represents another environmental and operational change that warrants examination by covered entities and business associates.
The OCR’s release of guidance on HIPAA and cloud computing demonstrates the recognition of the increasing prominence of cloud services. Among other things, the guidance encourages covered entities and business associates to consult a resource offered by the National Institute of Standards and Technology (NIST)—the NIST Definition of Cloud Computing. The rise in cyberattacks, coupled with the availability of HIPAA-enabled cloud service platforms, may change the calculus for some covered entities in how they assess the factors that go into determining what are reasonable and appropriate measures to implement.
Another point well worth noting: In April 2017, the U.S. Department of Health and Human Services (HHS) announced that it is establishing a cybersecurity “nerve” center that is modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. The nerve center’s primary purpose will be to assess cyberthreats, such as the WannaCry ransomware attack, and quickly disseminate best practices for countering them. The new center is a positive step toward ensuring a more coordinated response to cyberattacks. As the center becomes firmly established, more changes can be anticipated that will influence the determination of reasonable and appropriate security measures.
[2] ACA, P.L. No. 111-148, § 6505; although Medicaid agencies cannot pay for healthcare benefits or services to any entity located offshore or provided by offshore providers, payments for administrative functions are permitted. CMS, State Medicaid Directors Letter #10-026, December 2010.
[3] Department of Health and Human Services, Office of Inspector General, OEI-09-12-00530, Offshore Outsourcing of Administrative Functions by State Medicaid Agencies (2014) (OIG Report), available at http://oig.hhs.gov/oei/reports/oei-09-12-00530.pdf.
[4] See Nov. 9, 2015, 2016 Readiness Checklist for Medicare Advantage Organizations, Prescription Drug Plans, and Cost Plans, p. 8.
[5] See HPMS Memo Sept. 20, 2007.
Suit Over Hospitals’ Alleged Anticompetitive Marketing Sent to Trial
By Lisl J. Dunlop, Partner, Antitrust and Competition | Shoshana S. Speiser, Associate, Litigation
Conspiracies between competitors can be hard to prove, even when other parties to the alleged conspiracy have settled. On May 31, 2017, a federal judge denied summary judgment and ruled that the Department of Justice (DOJ) and Michigan Attorney General’s suit against W.A. Foote Memorial Hospital, d/b/a Allegiance Health (Allegiance), for anticompetitive marketing practices will proceed to trial. United States v. W.A. Foote Memorial Hospital, No. 5:15-cv-12311 (E.D. Mich. May 31, 2017).
As we reported in a previous article, in June 2015, the DOJ and Michigan Attorney General sued four Michigan hospital systems—Hillsdale Community Health Center of Branch County (Hillsdale); Allegiance; Community Health Center of Branch County; and ProMedica Health System Inc.—for unlawfully agreeing to allocate territories for the marketing of competing healthcare services.
Since then, all of the defendants other than Allegiance have settled with the DOJ. The settlements prohibit the three health systems from entering into any future agreements to divide marketing territories and require them to institute compliance measures designed to prevent similar violations. The remaining issue is whether Allegiance agreed with Hillsdale that Allegiance would not market its competing services in Hillsdale’s territory.
According to the DOJ, the agreement between Allegiance and Hillsdale constitutes a per se violation of the antitrust laws and is illegal under an abbreviated or “quick look” rule of reason analysis. The “quick look” analysis is reserved for conduct that appears obviously anticompetitive. Further, the DOJ alleged that as a result of this agreement, patients, physicians and employers were deprived of information regarding healthcare choices and of free health screenings and educational materials.
Summary Judgment Motion
On Jan. 12, 2017, Allegiance filed a motion for partial summary judgment, arguing that a full rule of reason analysis should be applied to the case because the alleged conduct (1) will not clearly result in adverse effects on competition and (2) has a plausible procompetitive justification. Allegiance also argued that no agreement exists, and that its conduct was the result of a unilateral business decision to obtain referrals for services on which the hospitals do not compete.
A week later, the DOJ filed a motion for summary judgment arguing that there was an agreement for per se unlawful allocation of marketing territory, and that the agreement is illegal under a “quick look” rule of reason analysis.
According to Judge Judith Levy, the DOJ provided a compelling argument that there was an agreement. The DOJ’s case relied heavily on emails and discussions between senior executives at Allegiance and Hillsdale that referred to the hospital systems’ relationship as a “gentlemen’s agreement.” In particular, the court highlighted an email from Allegiance’s CEO, Georgia Fojtasek, sent after she learned of a marketing mailing sent to Hillsdale County and in which she stated that she told Hillsdale’s CEO that Allegiance “specifically agreed to screen out Hillsdale zip codes” and that they “would find out what happened and be sure the appropriate apologies are send [sic].”
This evidence, however, was contradicted by other evidence, including Fojtasek’s deposition testimony insisting that there was no agreement and that Allegiance’s actions reflected a unilateral business strategy. Judge Levy held that the inconsistencies between the parties’ arguments must be resolved by determining witness credibility, which can only be accomplished at trial. Because the court was unable to determine whether an agreement exists or how it was structured, the court was also unable to determine which method of analysis should apply to the agreement, if it exists.
The case is scheduled for a bench trial in October.
This case reinforces that antitrust regulators closely scrutinize business agreements—both formal and informal—between competitors and vigorously prosecute those that they perceive as restricting competition. The courts, in turn, carefully consider the regulators’ accusations and will not dismiss them quickly or lightly, and also carefully consider the credibility of the reasons underlying potentially anticompetitive interactions with competitors. Participants in the healthcare market must proceed with caution when interacting with competitors and be mindful of not only their actions, but also the reasons underlying those actions and how they may be documented.
Few Medicare Part D Plans Offer Vaccines Without Cost-Sharing
By Annemarie V. Wouters, Senior Advisor, Manatt Health | Katie Manthe, Manager, Manatt Health | Devin A. Stone, Manager, Manatt Health
Vaccination coverage among U.S. adults is low and well below the Healthy People 2020 Targets, despite the widespread availability of safe and effective vaccines and the long-standing recommendations of the Centers for Disease Control (CDC) and the Advisory Committee on Immunization Practices (ACIP) [1, 2]. The 2010 Affordable Care Act (ACA) eliminated some coverage and financial barriers to adult vaccinations offered by private health insurance and Medicaid, but did not substantially change vaccine coverage or cost-sharing for Medicare beneficiaries enrolled in Medicare Part D [3, 4].
Medicare Part D plans are required to cover all commercially available vaccines not covered under Medicare Part B that are reasonable and necessary to prevent illness, but cost-sharing is permitted [5, 6]. Despite encouragement from the Centers for Medicare and Medicaid Services (CMS) to provide vaccines without cost-sharing, few Part D plans provided vaccines without out-of-pocket spending requirements in 2017 [7].
Medicare Part D plans include stand-alone prescription drug plans (PDPs) for beneficiaries in Original Medicare and Medicare Advantage Part D (MA-PD) plans. A subset of MA-PD plans, starting in 2017, also participate in the CMS Center for Medicare and Medicaid Innovation value-based insurance design model initiative (MA-PD VBID), which targets value-based insurance design for seven conditions (diabetes, chronic obstructive pulmonary disease, congestive heart failure, past stroke, hypertension, coronary artery disease and mood disorders) [8].
Manatt Health Study Reveals Whether Part D Plans Were Encouraging Vaccinations
In 2017, Part D enrollment across all types of Part D plans was approximately 44 million (including employer-sponsored plans), with about 40% in PDPs [9, 10]. This study focuses on 34.2 million Part D enrollees across MA-PD plans (including MA-PD VBID) and PDPs. It excludes enrollees from demonstrations, national programs for all-inclusive care for the elderly (PACE) plans, employer group waiver plans (EGWPs) and employer direct contract plans, which are excluded from the Part D data file [11].
Manatt Health analyzed whether, during calendar year 2017, Part D plans were encouraging beneficiary vaccinations by placing vaccines within one of several possible zero-dollar cost-sharing tier designs or formulary structures. Beginning in 2012, CMS permitted Part D plans to create a “Vaccine Tier” with zero-dollar cost-share to promote vaccine utilization [12]. Offering a dedicated Vaccine Tier or, alternatively, a Select Care/Select Diabetes tier that contains vaccine products as part of a multiple-tier formulary structure is not a requirement, but sponsors who choose to offer one of these formulary structures must set the cost-sharing at zero dollars [13]. Plans may also offer other tiers with zero-dollar cost-share, such as preferred drug tiers.
Manatt examined ten vaccines recommended by ACIP and the CDC for adults older than 65 years or for adults with certain risk factors: Boostrix®, Zostavax®, Varivax®, Menomune®, Havrix®, Vaqta®, Engerix-B®, Recombivax HB®, Twinrix® and Tenivac [14]. These vaccines prevent diseases such as tetanus, diphtheria and pertussis, herpes zoster (shingles), hepatitis A and B, chicken pox, and meningococcal disease. Our findings show that:
In CY 2017, few Part D plans of any type (MA-PD, MA-PD VBID, PDP) designate a dedicated Vaccine Tier with zero-dollar cost-share. No MA-PD VBID or PDP plans have a dedicated Vaccine Tier. In MA-PD plans (including MA-PD VBID), only 6%–7% of enrollees have access to a zero-dollar cost-share dedicated Vaccine Tier. (See Figure 1.)
Slightly more but still few Part D plans of any type (MA-PD, MA-PD VBID, PDP) offer zero-dollar cost-sharing for vaccines regardless of tier label (e.g., Vaccine Tier, Select Care Tier, preferred brand tier). No MA-PD VBID or PDP plans offer zero-dollar cost-sharing regardless of tier label. In MA-PD plans (including MA-PD VBID), about 9%–10% of enrollees have access to zero-dollar cost-share regardless of the tier label. (See Figure 1.)
In the first year of implementation, MA-PD VBID plans do not apply value-based insurance design to vaccines. No MA-PD VBID plans place vaccines in a zero-dollar cost-share tier.
Copayments were the primary cost-sharing vehicle for those Part D plans (MA-PD, MA-PD VBID, PDP) that require cost-sharing for vaccines. Depending on the vaccine, 53%–80% of enrollees in either MA-PD plans or PDPs were responsible for vaccine copayments, while 20%–47% of enrollees were responsible for coinsurance. Enrollee coinsurance responsibility was more frequent for Zostavax® than for the other vaccines surveyed. (See Figure 2.)
Figure 1. MA-PD Plan Enrollment With a Dedicated Vaccine Tier or a Zero-Dollar Cost-Share Tier (CY 2017)
Sources: National Drug Classification (NDC) codes for adult vaccines taken from the Medi-Span database (September 2016); Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly public use files (PUFs) for CY 2017 (first quarter of 2017); 2017 Part D Plan Benefit Package (PBP) files; Medicare Advantage (MA)/Part D Contract and Enrollment Data files for January 2017. The Medi-Span database was used to identify all NDC codes associated with the ACIP adult vaccines chosen for this study [15] as of September 2016. Formulary coverage for vaccines is based on the Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly PUFs [16] for CY 2017 (first quarter of 2017), in addition to the 2017 Part D PBP files [17, 18]. Enrollment for each plan was obtained from the MA/Part D Contract and Enrollment Data files for January 2017 [19].
Notes: Analysis of all MA-PD plan enrollees, including MA-PD VBID plans. No PDP plans had a Dedicated Vaccine Tier. Excludes enrollees from demonstrations, national programs for all-inclusive care for the elderly (PACE) plans, employer group waiver plans (EGWPs) and employer direct contract plans.
Figure 2. MA-PD and PDP Enrollment by Vaccine Cost-Sharing Type Among Plans Requiring Vaccine Cost-Sharing (CY 2017)
Sources: National Drug Classification (NDC) codes for adult vaccines taken from the Medi-Span database (September 2016); Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly public use files (PUFs) for CY 2017 (first quarter of 2017); 2017 Part D Plan Benefit Package (PBP) files; Medicare Advantage (MA)/Part D Contract and Enrollment Data files for January 2017. The Medi-Span database was used to identify all NDC codes associated with the ACIP adult vaccines chosen for this study [20] as of September 2016. Formulary coverage for vaccines is based on the Medicare Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information quarterly PUFs [21] for CY 2017 (first quarter of 2017), in addition to the 2017 Part D PBP files [22, 23]. Enrollment for each plan was obtained from the MA/Part D Contract and Enrollment Data files for January 2017 [24].
Notes: Analysis of all MA-PD, MA-PD VBID and PDP enrollees in plans that required cost-sharing. Excludes enrollees from demonstrations, national PACE plans, EGWPs and employer direct contract plans.
Most Part D Plans Continue to Require Out-of-Pocket Costs
Although CMS recommends that Part D plans encourage adult vaccination through zero-dollar cost-sharing, most Part D plans continue to require patients to pay out-of-pocket costs. Notably, plans currently participating in the CMS MA-PD VBID model initiative are also not applying zero-dollar vaccine cost-sharing as a value-based benefit design principle at this time. For more information about this or other Medicare Part D analyses, please contact Annemarie Wouters at email@example.com.
[1] U.S. Department of Health and Human Services. “Healthy People 2020.” Washington, D.C. 2011. https://www.healthypeople.gov/2020/topics-objectives/topic/immunization-and-infectious-diseases/objectives.
[2] U.S. Department of Health and Human Services. The National Vaccine Program Office. “National Adult Immunization Plan.” February 2016. https://www.hhs.gov/sites/default/files/nvpo/national-adult-immunization-plan/naip.pdf, accessed 5/23/2017.
[3] Affordable Care Act. Sections 2001 and 1302.
[4] CMS. Memo to State Medicaid Directors. November 20, 2012. “Essential Health Benefits in the Medicaid Program.” https://www.medicaid.gov/Federal-Policy-Guidance/Downloads/SMD-12-003.pdf, accessed 5/23/2017.
[5] CMS. Medicare Prescription Drug Benefit Manual. Chapter 6, Sections 20.4 and 30.2.7. https://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Part-D-Benefits-Manual-Chapter-6.pdf, accessed 5/23/2017.
[6] CMS. Medicare Prescription Drug Benefit Manual. Chapter 6, Section 30.2.7. https://www.cms.gov/Medicare/Prescription-Drug-Coverage/PrescriptionDrugCovContra/Downloads/Part-D-Benefits-Manual-Chapter-6.pdf, accessed 5/23/2017.
[7] CMS. “Announcement of Calendar Year (CY) 2016 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter.” April 2015. https://www.cms.gov/medicare/health-plans/medicareadvtgspecratestats/downloads/announcement2016.pdf, accessed 5/23/2017.
[8] CMS. “Fact Sheet: Medicare Advantage Value-Based Insurance Design Model.” October 3, 2016. https://www.cms.gov/Newsroom/MediaReleaseDatabase/Fact-sheets/2016-Fact-sheets-items/2016-10-03-2.html, accessed 5/23/2017.
[9] Medicare Advantage, Cost, PACE, Demo, and Prescription Drug Plan Contract Report - Monthly Summary Report (Data as of April 2017). https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Monthly-Enrollment-by-Plan.html.
[10] Medicare Advantage, Cost, PACE, Demo, and Prescription Drug Plan Organizations - Monthly Report by Plan - April 2017. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Monthly-Enrollment-by-Plan-Items/Monthly-Enrollment-by-Plan-2017-04.html?DLPage=1&DLEntries=10&DLSort=1&DLSortDir=descending.
[11] Part D Record Layout for 2016 and 2017 Quarterly File Update. https://www.cms.gov/Research-Statistics-Data-and-Systems/Files-for-Order/NonIdentifiableDataFiles/Downloads/PDPLayoutMonthly2016Update.pdf, last accessed 4/11/2017.
[12] CMS. “Announcement of Calendar Year (CY) 2016 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter.” April 2015. https://www.cms.gov/medicare/health-plans/medicareadvtgspecratestats/downloads/announcement2016.pdf, accessed 5/23/2017.
[13] CMS. “Announcement of Calendar Year (CY) 2017 Medicare Advantage Capitation Rates and Medicare Advantage and Part D Payment Policies and Final Call Letter.” April 4, 2016. p. 198. https://www.cms.gov/Medicare/Health-Plans/MedicareAdvtgSpecRateStats/Downloads/Announcement2017.pdf, accessed 5/23/2017.
[14] Centers for Disease Control and Advisory Committee on Immunization Practices (ACIP). “Recommended Immunization Schedules for Adults,” CY 2016. https://www.cdc.gov/vaccines/schedules/hcp/adult.html, last accessed 4/11/2017.
[15] Wolters Kluwer. MEDI SPAN ELECTRONIC DRUG FILE (MED-FILE) V2; published 09/2016, accessed March 2017.
[16] Centers for Medicare & Medicaid Services. Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information Files. https://www.cms.gov/research-statistics-data-and-systems/files-for-order/nonidentifiabledatafiles/prescriptiondrugplanformularypharmacynetworkandpricinginformationfiles.html.
[17] Centers for Medicare & Medicaid Services. Benefits Data for MA and Part D. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Benefits-Data.html?DLSort=0&DLEntries=10&DLPage=2&DLSortDir=ascending [PBP CY 2016 and 2017 files accessed March 2017].
[18] CMS. “Medicare Advantage Value-Based Insurance Design Model.” https://innovation.cms.gov/initiatives/vbid/, accessed May 11, 2017.
[19] Centers for Medicare & Medicaid Services. Medicare Advantage / Part D Contract and Enrollment Data. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/index.html?redirect=/mcradvpartdenroldata/.
[20] Wolters Kluwer. MEDI SPAN ELECTRONIC DRUG FILE (MED-FILE) V2; published 09/2016, accessed March 2017.
[21] Centers for Medicare & Medicaid Services. Prescription Drug Plan Formulary, Pharmacy Network, and Pricing Information Files. https://www.cms.gov/research-statistics-data-and-systems/files-for-order/nonidentifiabledatafiles/prescriptiondrugplanformularypharmacynetworkandpricinginformationfiles.html.
[22] Centers for Medicare & Medicaid Services. Benefits Data for MA and Part D. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/Benefits-Data.html?DLSort=0&DLEntries=10&DLPage=2&DLSortDir=ascending [PBP CY 2016 and 2017 files accessed March 2017].
[23] CMS. “Medicare Advantage Value-Based Insurance Design Model.” https://innovation.cms.gov/initiatives/vbid/, accessed May 11, 2017.
[24] Centers for Medicare & Medicaid Services. Medicare Advantage / Part D Contract and Enrollment Data. https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/MCRAdvPartDEnrolData/index.html?redirect=/mcradvpartdenroldata/.