Health Care Current: April 26, 2016

Can health care break the cycle of cyber attacks?

This weekly series explores breaking news and developments in the US health care industry, examines key issues facing life sciences and health care companies and provides updates and insights on policy, regulatory and legislative changes.


“We will not negotiate with terrorists.”

Growing up in Washington, DC, I had friends and classmates from all over the world, many the children of ambassadors. As a result, international conflicts often felt quite personal, so, even at a young age, I took a keen interest.

On October 28, 1980, just prior to Election Day, I watched President Jimmy Carter and Ronald Reagan debate questions on security, domestic, economic, and foreign policy. With American hostages held in Iran for nearly a year, the US was clearly a target, and I wanted to understand how the next president would respond. Reagan famously stated, “There will be no negotiation with terrorists of any kind,” variations of which have become part of our lexicon. Of course, we now know that these situations are far more complex to prepare for and manage. As he spoke those words, many officials were working to negotiate the hostages’ release.

In recent weeks, several health care organizations have been held hostage by ransomware; hackers have been encrypting IT systems until payment is made. The malicious software is often introduced through an email attachment or by deceiving authorized users into downloading files from a website. The immediate impact can be severe and costly. But, the ultimate magnitude can be much more devastating and longer lasting than one might expect.

The initial costs of such an attack are straightforward. With systems down, productivity plummets and patient safety can be compromised. The cost of breach notifications and mitigation, public relations campaigns, legal fees, and necessary cybersecurity upgrades can quickly add up. But, longer-term costs can quickly eclipse the early stages. Loss of contracts and intellectual property, erosion of reputation, insurance premium increases, and even higher cost to raise capital can persist long after ransom is paid and systems are back online.

Why has health care become such a frequent target of cyber attacks? It’s simple:

  • The data are valuable: Stolen personal health records can sell for up to $50 each on the black market, or about 50 times the value of a credit card number.1
  • Penalties for a breach are high: HIPAA fines are based on the level of negligence and range from $100 to $50,000 per record, with some reaching upwards of $4 million in total.2,3
  • Information is time-critical: With the adoption of electronic health records, providers now depend on systems to provide accurate, up-to-date information to make life-and-death decisions. Loss of these systems can cripple an organization’s ability to care for patients.
  • Many systems are inadequately protected: With complex IT systems, often containing outdated and, at times, orphaned applications lacking appropriate controls, health care lags other industries. Additionally, only about a third of health care employees undergo security training twice a year; and 6 percent receive no training at all.4
  • Vulnerabilities are expanding: With broader sharing of health information, more individuals from more organizations have access to systems. Third-party vendors and suppliers often utilize so-called “fourth party” vendors, creating additional opportunities for attack far from the source.

What can health care organizations do to protect their data? Heightened security, vigilance, and resilience will help health care organizations defend against and mitigate the impact of cyber attacks. Key considerations for organizations include:

  • Secure: Has your health care organization deployed anti-malware capabilities? Does your organization encrypt confidential data, including patient data? Has your organization implemented a rigorous identity and access management system with strong authentication controls like one-time passwords?
  • Vigilant: Does your organization monitor its network to enable timely detection of attacks and unusual behaviors? Does your organization have a cyber awareness program, including training on phishing attacks? Does your organization regularly perform vulnerability assessments and penetration testing?
  • Resilient: Sadly, as some of the most secure systems of other industries have demonstrated, attacks will continue. And, some will succeed despite our best efforts. In this case, resilience is key. Does your organization have the right team and skills to respond to a cyber incident? Does your organization have plans to protect mission critical operations, and do you routinely exercise them? Are leaders in your organization prepared to interface with regulators, legal counsel, and law enforcement during a cyber crisis?

Many organizations are unprepared, and hackers “free” systems upon payment. Attacks are made, ransom is paid, perpetuating an unfortunate cycle. Victims quickly try to get back to business while criminals move on to their next target, confident in their future success. But, little is keeping them from coming back, so threats continue to hang over organizations.

This cycle needs to be broken, not only because of the enormous long-term costs to organizations, but also because of the threat these attacks pose more broadly. The future of health care, including the transition from volume to value, the focus on prevention and wellness, the acceleration of research, and the ability to manage population health, depends upon the secure exchange of electronic data. For these initiatives to be successful, individuals need to trust the system.

On January 20, 1981, after 444 days in captivity, the hostages were freed as President Reagan was inaugurated (and billions in Iranian assets were released). Not long afterward, my classmates and I lined the street in front of our high school, cheering as the motorcade of former hostages drove by. I wondered then as I wonder now how quickly we will be able to respond and neutralize the evolving threat of terrorism.


1 Robert Lowes, Medscape, “Stolen EHR Charts Sell for $50 Each on Black Market,” April 28, 2014
2 HIPAA Journal, “What are the penalties for HIPAA violations?” June 24, 2015
3 Max Green, Becker’s Health IT & CIO Review, “15 of the biggest data breach settlements and HIPAA fines,” October 14, 2015
4 Maria Korolov, CSO, “Non-technical health care employees are too complacent about the possibility of a data breach,” October 13, 2015



My Take

By Harry Greenspun, MD, Director, Deloitte Center for Health Solutions, Deloitte Services LP



CMS proposes to update payments for acute care hospitals and hold off on two-midnight rule

The US Centers for Medicare and Medicaid Services (CMS) is ending the 0.2 percent cut that accompanies the two-midnight rule and will pay hospitals back for the years the cuts were in place. CMS announced this in a proposed rule on changes to the Inpatient Prospective Payment System (IPPS) for acute care hospitals. After accounting for various payment adjustments, acute care hospital payments would increase 0.7 percent on average.

Other proposed policy changes include:

  • Increased payment rates for some hospitals: Acute care hospitals that participate in the Hospital Inpatient Quality Reporting (IQR) Program and achieve meaningful use goals would see payments increase 0.9 percent in fiscal year (FY) 2017, which begins on October 1, 2016. 
  • Decreased payment rates for other hospitals: Acute care hospitals that do not participate in the Hospital IQR Program would see a one-fourth reduction in their payment update. Hospitals that have failed to achieve meaningful use would see payment reductions (three-fourths of the update that otherwise would apply). 
  • Changes to quality reporting and outcomes programs: CMS proposes five changes to the Hospital Acquired Conditions (HAC) program, including establishing requirements for newly opened hospitals and updating the scoring methodology. The HAC Program reduces payments to hospitals that are in the worst performing quartile for HACs. It also proposes to update reporting requirements for the Hospital Readmissions Reduction Program (HRRP). CMS would post hospitals’ readmissions rates on Hospital Compare as soon as feasible after the end of the reviewing period.
  • Changes to the Hospital Value-Based Purchasing (VBP) Program: CMS would include more hospital units in the reporting requirements and add outcome measures. The Hospital VBP Program adjusts payments to hospitals based on their performance on outcome measures.

Related: Last week, CMS also proposed to increase payments to skilled nursing facilities (SNF), inpatient rehabilitation facilities (IRF), and hospices. CMS would increase payments to SNFs by $800 million, which is higher than the $430 million last year. IRFs would see $125 million more than last year, but could see 2 percent reductions if they fail to satisfy requirements under the IRF Quality Reporting Program. Finally, payments to hospices would increase by 2 percent, and those organizations would have to report on two new quality measures.

Background: CMS established the two-midnight policy in 2013 to standardize how Medicare pays hospitals for patients with short stays – as inpatient or outpatient. CMS said that generally, hospital visits that do not span two midnights should be considered outpatient services and paid at the outpatient payment rate. In its initial calculations, CMS projected more stays would be billed as inpatient because hospitals receive higher payments for these services than outpatient services. CMS established the payment reduction to offset this projected increase in spending on inpatient services. Hospitals said this payment adjustment was unjustified, and the American Hospital Association subsequently sued CMS about the policy.

In September, a federal court required CMS to justify hospital payment reductions and reopen the rule to public comment (see the September 29, 2015 Health Care Current). The judge required CMS to further justify its calculations. CMS stated that analysts used 2011 claims to estimate that approximately 400,000 claims would move from outpatient to inpatient, while 360,000 would move from inpatient to outpatient status. CMS concluded that these shifts would lead to an increase in spending of $220 million in 2014.



Implementation & Adoption

Physicians who have an EHR and are in a PCMH or ACO outperform other physicians in many areas

A new study from the Office of the National Coordinator for Health Information Technology (ONC) and the US Centers for Disease Control and Prevention (CDC) found that physicians who use electronic health records (EHRs) and participate in either accountable care organization (ACO) or patient-centered medical home (PCMH) initiatives are more likely to routinely perform population management, quality measurement, patient communication, and care coordination activities. These findings are based on data from the 2012 National Ambulatory Medical Care Survey (NAMCS) Physician Workflow Survey.

EHR users are more likely than non-users to say they perform population health management activities (69 percent vs. 55 percent) and effectively communicate with their patients (89 percent vs. 50 percent). Physicians who are part of an ACO or a PCMH and used an EHR are more likely to perform all of the population health management activities than other physicians – both those with and without an EHR:

Several factors may contribute to these findings. For example, several of the population management, patient communication, and care coordination processes that had low levels of adoption in 2012 were included in Stage 2 of Meaningful Use, which was just beginning when the data was collected. Despite the timing, the findings from the study are consistent with other, more recent research that shows providers are more likely to perform these processes when they are part of a payment environment that promotes and incentivizes such strategies.

(Source: Jennifer King, Vaishali Patel, Eric Jamoom, and Catherine DesRoches, American Journal of Managed Care, “The Role of Health IT and Delivery System Reform in Facilitating Advanced Care Delivery,” April 2016)


New continuity of care requirements for HIX consumers will have a variable effect across the US

Sixteen states have more stringent continuity of care requirements than newly implemented federal requirements, according to an analysis by the Commonwealth Fund. In March, CMS released the final Notice of Benefit and Payment Parameters for 2017 (see the March 8, 2016 Health Care Current). In it, CMS finalized continuity of care protections for consumers in health plans sold through the federal exchanges.

The policy says that patients who are receiving active treatment from a provider who is then terminated from their health plan’s network must be allowed to continue that care with that provider through their treatment course. These new standards seek to ensure that patients are able to maintain relationships with their providers throughout their course of treatment.

The Commonwealth Fund found that the federal policy will affect plans and consumers differently, depending on the state they live in, as many states already have their own requirements:

Even though 11 states do not have similar protections to the federal requirements, consumers and plans will not see any changes in four of them – the ones with state exchanges.

(Source: Sabrina Corlette, Ashley Williams, and Kevin Lucia, The Commonwealth Fund, “Obama Administration Moves Forward with New Continuity of Care Protections—How Will They Affect Existing State Laws?” April 13, 2016)


E&C hearing on MACRA: Physicians are optimistic about the law and working with CMS

The House Energy and Commerce committee held its second hearing on the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA). Representatives from four physician organizations testified before the committee and lauded CMS on its efforts to engage physicians. They said they remain optimistic that collaboration with CMS will continue.

One member asked the panel to identify the most promising aspects of MACRA implementation. Their responses were in four main areas:

The hearing also focused on what provider organizations can do to prepare physicians, even before CMS provides more detail in proposed MACRA regulations. The panel said that physicians should:

  • Read materials to familiarize themselves with MACRA requirements
  • Meet CMS Meaningful Use requirements 
  • Participate in the Physician Quality Reporting System (PQRS)
  • Implement a formal quality improvement process and ensure that care adheres to accepted clinical guidelines

Many professional organizations are engaging their member physicians in planning for MACRA. For example, groups like the American Medical Association have created online materials, webinars, presentations, and continuing medical education training modules to prepare physicians and organizations. The panelists said that their organizations are working to build tools for physicians to better assess which track, the Merit-Based Incentive Payment System (MIPS) or alternative payment models (APMs), may be best for them.

Related: The April 20, 2016 Reg Pulse Blog post notes that Dr. Bailet, a panelist at the hearing, is also the chair of the Physician-Focused Payment Technical Advisory Committee (PTAC), an independent advisory body established under MACRA to help review proposals for new payment and delivery models. Dr. Bailet said the group is working to develop bylaws and rules of engagement for reviewing proposals, as well as a methodology for scoring proposals. The statute requires HHS to establish criteria for new physician-focused payment models under MACRA by November 1, 2016.



On the Hill & In the Courts

CMS will delay Hospital Compare star ratings

CMS announced last week that it would not release new star ratings data on Hospital Compare until after gathering feedback from stakeholders. CMS had planned to publish the new hospital quality star ratings on April 21, 2016, but will hold off publishing the initial preview for two weeks while it solicits feedback for the next 60 days. Hospitals will now have 30 days after May 4, 2016 to review the ratings information before CMS releases them publicly in July.

The American Hospital Association (AHA) and many members of Congress had urged CMS to delay its release of the quality ratings. AHA said that the star ratings methodology oversimplifies what it takes for hospitals to deliver high quality care. After a review of the initial data, only 87 hospitals found they would receive a five-star rating. Half of US hospitals would fall in the three-star range. A group of Congressional lawmakers sent a letter to CMS in early April saying that CMS should delay the program and consider revising its methods for calculating the ratings.



CMS to extend Bundled Payments for Care Improvement Initiative for two years

CMS will offer a two-year extension to health care providers participating in models two, three, and four of the Bundled Payments for Care Improvement Initiative (BPCI). CMS is extending the initiative to allow time for a more rigorous evaluation of whether it leads to better care at lower costs.

The BPCI program bundles payment for 48 conditions and includes all of a patient’s health care services for up to 90 days, starting with the patient’s admission. The payment covers all of the providers serving the patient, including the physicians and other clinicians, hospital, skilled nursing, home care services, rehabilitation, virtual care, and therapeutic and diagnostic services. The program is voluntary, but as of October 2015, 1,618 health care organizations – acute-care hospitals, physician group practices, home health agencies, inpatient rehabilitation facilities, long-term-care hospitals, and skilled-nursing facilities – are participating. CMS expects that most participating organizations will accept the extension.

The initiative encourages health care providers to improve care coordination during inpatient hospital stays and post-discharge.


New York ACOs improved on care quality but had modest cost savings

Many New York accountable care organizations (ACOs) outperformed other ACOs on quality measures in the second year of the Medicare Shared Savings Program (MSSP). In aggregate, these 21 ACOs saved Medicare $1.6 million.

New York has 29 MSSP ACOs, but the new report by the United Hospital Fund looked at the performance of 21 ACOs that had been in the program long enough to have generated results.

  • New York ACOs scored an average of 86.1 out of 100 on the 33 required quality measures; the national average was 83.08
  • Roughly 19 percent of all of the ACOs in New York qualified to receive shared savings, below the national average of 26 percent
  • Four ACOs generated more than $35 million in savings to Medicare; the organizations shared $15.7 million of those savings with CMS 
  • Five generated nearly $13 million in savings for Medicare, but did not exceed the minimum savings rate and therefore were not eligible to share in the savings
  • Twelve ACOs had higher spending than the target ($46 million in total); none of those organizations had to share in the higher spending

Data is only available for the first two years of the program. Length of time in the program, the number of beneficiaries, organizational and leadership models, and location can all affect performance on cost and quality. Tightly organized and managed ACOs generally perform better financially, whether physician or hospital run.

Analysis: Learning what is working and what isn’t will be important for other federal and state initiatives. Most of the ACOs were sponsored by existing provider organizations with a history of working together.

As discussed in the recent Deloitte Center for Health Solutions policy brief, Medicare accountable care organizations: Balancing risk and opportunity, providers interested in forming ACOs should consider a variety of factors before moving forward. These include how CMS tracks patients and aligns ACO performance to them, how ACOs are paid and what opportunities exist for participating organizations to share savings, and how performance will be measured.

Even organizations with advanced capabilities in care management and analytics should carefully analyze CMS rules around patient engagement, performance feedback, and provider types before selecting an ACO model.

(Source: Gregory Burke and Susan Brundage, “Performance of New York’s Accountable Care Organizations in year 2 of the Medicare Shared Savings Program,” United Hospital Fund, April 2016)


Around the Country

Report: Chronic disease could cost US $42 trillion by 2030

The Partnership for Chronic Disease projects that chronic disease could cost the US $42 trillion over the next 15 years. The estimate comes from two primary costs: $2 trillion in medical costs annually and $794 billion in lost employee productivity per year from 2016 to 2030.

More than 190 million Americans have one or more chronic diseases. The researchers estimated that with modest behavioral changes, the US could save $116 billion a year. This estimate reflects potential savings primarily from four changes in healthy behavior:

  • Reduced smoking rates
  • 5 percent body weight loss by overweight and obese individuals
  • 25 percent reduction in the number of heavy drinkers
  • 15 percent increase in treatment adherence

With healthier behavior and treatment advances that might achieve goals like delayed Alzheimer’s onset, improved cancer survival, better treatment effectiveness, and improved care delivery, the US could save $418 billion a year. Combined, these improvements could save $6.3 trillion over the next 15 years.

Existing costs due to chronic conditions and potential savings from changing behavior and treatments differ by state. For example, Texas could have $166 billion in annual medical costs from individuals with chronic diseases. Behavior changes and treatment advances could save 70,000 Texans' lives every year. Colorado could save 276,000 lives over the next 15 years with behavioral improvements and treatment advances. More than half (56 percent) of Coloradans are overweight or obese, 36 percent eat less than one fruit per day, 19 percent eat less than one vegetable per day, and 18 percent smoke cigarettes.

Related: Deloitte, in collaboration with the Massachusetts Institute of Technology Media Lab and Datawheel, recently launched Data USA, a comprehensive visualization of US public data. Users can drill down on certain data by region or topic to help them create stories, charts, and graphics. Last month, Sarah Thomas, Research Director at the Deloitte Center for Health Solutions, Deloitte Services LP, published Dangerous running mates, which delves into the relationship between obesity and diabetes.

(Source: “Partnership to Fight Chronic Disease in the States,” Partnership to Fight Chronic Disease, April 2016)


Advancing the use of incentives for health behaviors

The use of incentives to reward healthy behavior is not new, and many employers and health plans have been doing it for decades. But now, technology companies are introducing reward programs for consumers who go to lower-cost providers or get routine, recommended preventive screenings.

A few companies are expanding their core related services to develop online consumer comparison shopping tools. These tools allow consumers to earn cash incentives when they sign up through their employer or health plan and choose cost-effective care. For example, Vitals, a company most known for its physician ratings, has reported that its program helped employers save $12 million while consumers earned almost $1.5 million in rewards. Though the most expensive episodes of care are often unplanned, some services lend themselves to comparison shopping before people use the services. The key ingredient for these incentive programs to work is not only accurate price information but also information about quality to make sure people find high value care.

Another company, HealthEngine, rewards people up to $500 for getting recommended preventive services. Typically these services are covered with no cost-sharing because of a provision in the Affordable Care Act (ACA), so some employers and insurers offer incentives to consumers to encourage them to get the recommended care.

Related: A study published in Health Affairs this month highlighted a value-based insurance design (VBID) initiative in the state of Connecticut that found that relative to comparison states, during the program’s first two years, the use of targeted services and adherence to medications for chronic conditions increased while emergency room use decreased. Lipid testing among program participants increased by 15.4 percentage points in year one, and colorectal cancer screening rates increased by 5.6 percentage points. Connecticut was an early adopter of reducing cost-sharing for a variety of high-value health care services for state employees. Employers and health plans are interested in VBID as a tool that may reduce costs down the road by encouraging prevention and chronic care management early.

In March, CMS solicited public comment on use of VBID in Medicare Advantage plans. CMS will test VBID plans in Medicare Advantage in seven states beginning in January 2017 to see if structuring benefit design around certain clinical categories (typically chronic diseases) that are designed to reward the use of specific recommended therapies leads to improved quality of care and reduced costs in Medicare Advantage. Previously, Medicare Advantage plans have been prohibited from using VBID since it would mean varying benefit design for enrollees based on their health status, which had not been allowed. Under the ACA, CMS can now test innovative care delivery models like VBID. While the model will start with diabetes, chronic obstructive pulmonary disease, congestive heart failure, and patients with certain heart conditions, CMS is asking for input on what other conditions it could incorporate in the future.

(Source: Richard A. Hirth et al, Health Affairs, “Connecticut’s value-based insurance plan increased the use of targeted services and medication adherence,” April 2016)



Breaking Boundaries
