Insights

The proposed technical changes for the 2023 Medicare Advantage and Part D contract year (87 Fed. Reg. 1842 (January 12, 2022)) include revisions to the definition of the term “negotiated prices” that CMS previously contemplated but had held off implementing. The proposed change could reduce cost-sharing paid by beneficiaries at the point of service and reduce the amount of DIR that Part D plan sponsors report to CMS.

On Tuesday, December 8, the Supreme Court upheld Arkansas Act 900 (Act 900), which regulates the rates at which pharmacy benefits managers (PBMs) reimburse pharmacies for prescription drugs. The 8-0 decision (Justice Amy Coney Barrett abstained), marks a boundary on the broad scope of the Employee Retirement Income Security Act (ERISA), which preempts state laws that “relate to” employee benefit plans covered by the federal statute. 29 U.S.C. §1144(a).

Hospitals and providers across the country now have greater ability to leverage digital communications technology to provide telehealth services during the COVID-19 public health emergency. The Department of Health and Human Services (HHS) exercised emergency authorities to waive certain restrictions applicable to Medicare and Medicaid under Section 1135 of the Social Security Act. The new waivers issued over the last several days both expand telehealth benefits and allow greater flexibility in the manner telehealth is used by physicians and practitioners to address patient care needs.

On October 9, 2019, the Centers for Medicare & Medicaid Services (CMS) and the Office of the Inspector General of the Department of Health & Human Services (OIG) released their proposed rules to modernize the Physician Self-Referral Law1 (CMS NPRM), as well as the Anti-Kickback Statute2 and the Civil Monetary Penalties Law3 regulations (OIG NPRM). Both agencies’ NPRMs focus on creating flexibility for Medicare providers and suppliers to enter into value-based arrangements. The CMS and OIG NRPMs attempt to clarify how these long-standing anti-fraud regulations can be reformed to effect necessary shifts to a more efficient and patient-centered health care system. 

On January 31, 2019 the Department of Health and Human Services issued a long-awaited notice of proposed rulemaking to implement the Trump Administration’s efforts to curb drug price increases, as outlined in the American Patients First Blueprint. The proposed rule attempts to address the issue by eliminating discount safe harbor protection for reductions in price to prescription pharmaceutical products (or rebates) provided by manufacturers to plan sponsors under Medicare Part D and Medicaid managed care organizations (MCOs), whether negotiated by the plan or by pharmacy benefit managers (PBM) or paid through a PBM to the plan or Medicaid MCO. The proposed rules also would increase regulatory risk associated with rebates provided by manufacturers to commercial health plans (if the commercial health plan sponsor also provides Medicare Part D or Medicaid prescription drug coverage), which would result in the rules having an impact across a wider spectrum of the prescription drug coverage market than just federal health care programs. 

In its recent notice of proposed rulemaking setting policy for Medicare Advantage (MA) and the Prescription Drug Program (PDP) for calendar year 2020, CMS announced that it would establish extrapolation as a method to be used in risk adjustment validation (RADV) audits, and further, that it would not make any adjustments to account for errors in Medicare fee for service data in determining recovery amounts.

On November 28, 2017, CMS issued a notice of a proposed rulemaking for contract year 2019 policy and technical changes for the Medicare Advantage and Medicare Prescription Drug Programs. The major provisions of the Proposed Rule address implementation of the Comprehensive Addiction and Recovery Act of 2016 to combat the opioid epidemic, updating Part D E-prescribing standards, revisions to disclosure requirements, and the development of a preclusion list for providers. Additionally, the Proposed Rule modifies the medical loss ratio (MLR) requirement to allow Medicare Advantage organizations (MAOs) and Part D Plan (PDP) sponsors to include the full value of fraud reduction expenses, fraud prevention activities and medication therapy management programs as quality improvement activities in the numerator of the MLR. The Proposed Rule also simplifies the MLR reporting obligation for MAOs and PDP sponsors. CMS characterizes many of the proposed changes as implementation of President Trump’s Inauguration Day Executive Order directing agencies to alleviate regulatory burdens and costs imposed by the Affordable Care Act. Comments on the Proposed Rule, summarized below, are due January 16, 2018.

In February, the Centers for Medicare & Medicaid Services issued a final rule governing the reporting and return of overpayments for items and services reimbursed under Medicare Parts A and B. A new alert discusses how the final rule clarifies when an overpayment has been identified and how efforts precedent to identifying such overpayments will be important to future enforcement efforts under the FCA.

Earlier this month, the Center for Medicare and Medicaid Services (CMS) finalized its long-awaited rules governing overpayments to providers and suppliers by Medicare Parts A and B. 

The "what will Congress do" news leads can now stop. The Supreme Court issued its decision in King v. Burwell and Congress does not need to fix anything because, by a vote of 6-3 in an opinion written by Chief Justice John Roberts, the Supreme Court held that the subsidy provisions of the ACA are not broken, and that individuals who purchase insurance through the Federal Exchange are eligible for ACA subsidies. In a nutshell, the Court held that the most reasonable reading of the ACA provision making credits available to individuals who purchased insurance on an exchange "established by the State" makes tax credits available to individuals who purchased insurance through the Federal Exchange. The decision delves deeply into health insurance policy concepts as well as the dark-art of statutory interpretation and the underlying chaotic legislative process to find, ultimately, that it was "implausible" that Congress intended to limit tax credits to individuals who purchased insurance through a State Exchange. See King, 576 U.S. __ (2015), slip op. at 17.

On April 15, 2013, the U.S. Supreme Court denied certiorari to review a Third Circuit decision that Medicare Advantage Organizations (MAOs) have a direct right of recovery against primary payors under the Medicare Secondary Payer (MSP) Act, 42 U.S.C. § 1395y(b).  The case is GlaxoSmithKline LLC v. Humana Medical Plans, Inc., case number 12-690 in the U.S. Supreme Court. 

The Health Insurance Portability and Accountability Act (HIPAA) final rule expands liability for HIPAA violations and clarifies how the U.S. Department of Health and Human Services (HHS) will calculate the penalties for such violations. The final rule subjects an expanded population of entities (e.g., covered entities, business associates, and subcontractors) to larger monetary fines for violating an increased number of regulations. Fortunately, this increased liability is accompanied by more detailed guidance on the methodology HHS will use to assess monetary penalties. Together, these changes have significant implications for covered entities and business associates and highlight the importance of implementing sufficient security and privacy protocols.

In a February 19, 2013 unanimous decision in Federal Trade Commission v. Phoebe Putney Health System, Inc., the Supreme Court overturned the 11th Circuit Court of Appeals, holding that an acquisition of a competing hospital by a Hospital Authority created by the State of Georgia was not immune from antitrust scrutiny under the "state-action" doctrine.

The HIPAA omnibus rule contains important changes concerning business associate and downstream contractor liability. These changes implement provisions of the HITECH Act, which sought to make business associates more accountable for the use, disclosure and security of PHI. Under the HIPAA Final Rule, business associates and their subcontractors now face HIPAA enforcement actions and are directly liable for violating the HIPAA Security Rule as well as certain provisions of the Privacy and Breach Notification Rules.

On January 25, 2013, the Department of Health and Human Services issued the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules ("Final Rule"). The Final Rule addresses the status of data management organizations by amending the definition of a Business Associate and clarifying the definition of Health Information Organizations (HIO). The Final Rule designates as business associates: (1) a Health Information Organizations (HIO)*, E-prescribing Gateways, or other persons that provide data transmission services involving PHI to a covered entity and that requires routine access to such PHI; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity (i.e., a personal health record vendor or PHV). 

On January 17, 2013, the Department of Health and Human Services (HHS) issued a long-awaited final rule addressing modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules.  The regulations contain fundamental changes to the Interim Final Rule (IFR), the most notable of which is the  elimination of the previous "risk of harm" standard and the implementation of a more objective risk assessment standard for security breach notification.  Covered Entities (CE) and Business Associates (BA) must comply with these new provisions by September 2013.

The Third Circuit has held that Medicare Advantage organizations (MAOs) have a direct right of recovery against primary payers under the Medicare Secondary Payer (MSP) Act. The Third Circuit decision arises out of a lawsuit brought by Humana, Inc., as an MAO, to recover for medical expenses paid by Humana on behalf of Medicare beneficiaries related to the use of Avandia, a drug marketed by GlaxoSmithKline (GSK). The decision is In re: Avandia Marketing, Sales Practices and Products Liability Litigation, GlaxoSmithKline, LLC, No. 11-2664 (3rd Cir. June 28, 2012). The court held specifically that the MSP provision in 42 U.S.C. § 1395y(b)(3)(A), provides MAOs with a private cause of action against primary payers. The court's decision is based on the plain text of Section 1395y(b)(3)(A), which establishes "a private cause of action for damages (which shall be in an amount double the amount otherwise provided) in the case of a primary plan which fails to provide for primary payment (or appropriate reimbursement) in accordance with [the requirements of the MSP Act]."

Late last week, the Centers for Medicare and Medicaid Services ("CMS"), the agency within the Department of Health and Human and Services that oversees the Medicare program, announced that it will delay, from January 1, 2011 to January 1, 2012, the start date for electronic filing of settlements, judgments, awards, or other payments made to Medicare beneficiaries, whether such payments are made by liability insurers, no-fault insurers, workers' compensation, or businesses that self insure their liability risks. In its announcement, CMS provided no explanation for the one-year extension.

On October 1, 2009, the US House Ways and Means Committee and the House Energy and Commerce Committee sent a joint letter to the Secretary of Health and Human Service urging her to "revise or repeal" the recent guidance offered by HHS in its interim final rule which included a harm standard for breach notification. If the guidance stands, Covered Entities and their Business Associates will not be required to notify affected individuals of a breach involving their PHI unless there is a "significant risk of financial, reputational or other harm to the individual." According to HHS, the risk of harm standard would allow CE's and BA's to forego notification in circumstances such as an inadvertent disclosure to another CE, or a disclosure that was immediately remedied. In the October letter, the Committee members explain that they specifically considered including a harm standard in the breach notification statute and rejected it (as have many states and other House and Senate committees considering a general breach notification law).

The Federal Trade Commission ("FTC" or the "Commission") sued a Roanoke, Virginia-based health system on July 23, 2009, claiming that its acquisition of an imaging center and an outpatient surgery center will lessen competition. The complaint alleges that Carilion Clinic's acquisition of the two outpatient provider entities -- the Center for Advanced Imaging ("CAI") and the Center for Surgical Excellence ("CSE") will eliminate the only non-hospital based competitor from each market, leaving only HCA as a competitor to Carilion. Specifically, the administrative complaint alleges that CAI and CSE "offered high-quality services at prices substantially lower than Carilion's" prior to the acquisitions. The FTC alleges that these acquisitions will decrease competition in the area while driving up prices for health plans and consumers.