Health Care Current: March 18, 2014

Steps for managing cyber threats

This weekly series explores breaking news and developments in the U.S. health care industry, examines key issues facing life sciences and health care companies and provides updates and insights on policy, regulatory and legislative changes.

Is compliance enough? Five steps for managing cyber threats in an ever-evolving risk landscape

Almost daily, it seems we are hearing of new technologies that can make our lives easier or more enjoyable. Our cellphones can lock our doors and change channels on our TV sets. We can now plug devices into our car to track driving habits in exchange for lower insurance rates. But, with these new technologies come greater risks to our security and privacy. Stronger protections need to be deployed, so we lock our cellphone screens with passcodes and set our car alarms when we run into the store.

Our personal lives aren’t the only ones affected: new information technologies and innovative business models are transforming the health care industry in exciting ways. The industry is beginning to focus on creating seamless interoperability among organizations, greater efficiencies in the delivery of care and increased consumer engagement through access to electronic health records and use of mobile health devices and apps. While creating forward movement and excitement in the industry, the very innovations that are driving growth and system improvement may also expose organizations to potentially more threats to security and privacy.

Huge amounts of data are moving back and forth beyond organizational walls between health plans, providers, non-traditional business partners and consumers. The frequency of cyber attacks is steadily increasing, and likewise, regulators are moving to increase the level of security and privacy of health information. Health care organizations and their business associates are expected to comply with protections that were strengthened last year in the Omnibus Final Rule for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and providers participating in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program must have completed a security risk analysis as part of Meaningful Use requirements for Stages 1 and 2.

But, will compliance with these safeguards be enough to manage cyber risk in this quickly evolving landscape? Possibly not — and the stakes are rising:

  • Breaches of security and privacy can cause real harm:misuse or theft of confidential personal information may have serious consequences for individuals, including miscommunication of diagnostic and treatment details, inappropriate or undesired sharing of health information with employers and others, and identity theft. For businesses, a breach may cause immediate damage to critical infrastructure, disrupt business operations, expose core business strategies and open the door for theft and fraud — all of which may diminish consumer trust and damage brand reputation. And, health care executives cite potential breaches as one of the top hindrances to investments in mobile health (see story below).
  • Financial penalties are increasing: organizations must come into compliance with provisions of the HIPAA Omnibus Final Rule that went into effect on September 23, 2013, or could face penalties up to $1.5 million per violation.

Comprehensive checklists, like the audit protocol established by the U.S. Department of Health and Human Services (HHS), can be useful to assess whether an organization has processes, controls, and policies in place related to privacy, security, and breach notifications. But checking off requirements might not be enough to prepare for potential breaches and attacks. Health care organizations — including all of their employees, contractors, suppliers and other business associates — should recognize that they could still be at risk even if they meet compliance requirements. All possible sources of risk should be considered across the full spectrum of a company’s relationships, systems, processes, and products (including mobile medical devices), as risk can occur at each point that protected health information exchanges hands.

To move beyond compliance and become strategic about risk, companies should become securevigilant and resilient. Many companies are already focusing on becoming secure by working to establish protections around critical assets and information. Companies should also become vigilant by raising threat awareness throughout the organization and developing the capability to identify patterns of behavior that may detect a compromised position or even predict threats. To becomeresilient, companies should strengthen their capacity to recover quickly when breaches occur (or a disaster happens), which means mobilizing the diverse resources that may be needed to minimize business disruption, costs and impact on brand reputation.

What might it take to become strategic about cyber risk? Here are five steps to consider:

  1. Hold senior management accountable: appoint one respected senior executive to lead and embed cyber risk management goals into the evaluation process of top executives
  2. Establish purpose and direction: clearly articulate your cyber risk strategy and support it by requisite action through funding and resourcing
  3. Break down silos: cyber risk is an enterprise level issue, and lack of information-sharing is a top inhibitor for effective risk management
  4. Trust but verify: conduct monthly or quarterly reviews about key risks and risk metrics and address roadblocks
  5. Be creative about cyber risk awareness: consider the human factor in your organization and try war-gaming, tablet applications, or other creative ways to raise awareness across the enterprise

Preparing for potential cyber threats isn’t as easy as locking a cellphone with a passcode or setting a car alarm with the push of a button. But companies that manage cyber risk more strategically – in a securevigilant and resilient way – could be in a better position to significantly limit damage by quickly detecting and dealing with any compromise.

Email | LinkedIn

PS – for information on Cyber Risk Services, contact Mark Fordand Pete Micca.

                                                                                                                                                                                                Back to top

My Take

By Russ Rudish, Global Health Care Leader, Deloitte Touche Tohmatsu Limited 



Subscribe to receive the Health Care Current via email

Implementation & Adoption

HIX enrollment reaches 5 million as of March 17; Avalere predicts 5.4 million total enrollees

This week, HHS released updated health insurance marketplace (HIX) enrollment numbers. As of Monday, March 17, the agency claims that more than 5 million individuals have signed up for a HIX plan. However, the update did not include more specific information about enrollment beyond numbers that were included in the previous report on March 11. This more detailed report outlines that, as of March 1, more than 4.2 million people have enrolled and selected a plan. During the month of February alone, nearly 943,000 people chose qualified health plans (QHPs) through the federally-facilitated and state-run HIXs. Additional report findings include:

  • 25 percent of enrollees are between the ages of 18 and 34
  • 83 percent of enrollees are eligible for financial assistance (federal subsidies)
  • 63 percent selected silver-level plans, and 18 percent selected bronze-level plans
  • 60 percent enrolled through the federally-facilitated HIX

HHS officials said they expect the figures to continue increasing until the March 31 open enrollment deadline and will continue to advertise and market the HIXs, especially to the young adult population. Individuals who are not enrolled in a health insurance plan by March 31 will face a fine of $95 or 1 percent of their annual income, whichever is greater. The Congressional Budget Office (CBO) predicted that approximately 6 million people would enroll in QHPs by March 31 (1 million less than they originally estimated).

Related: shortly after HHS released the February enrollment numbers, Avalere Health projected that 5.4 million would enroll in the HIXs by the end of open enrollment. Avalere developed this projection by examining monthly enrollment numbers from individuals who enrolled in Medicare stand-alone prescription drug plans during the initial open enrollment period in 2006 along with figures from the HHS HIX enrollment report and publically available state resources. During the initial Part D enrollment period, 22 percent of the final enrollees signed up for plans during the last month.

State breakdown of HIX enrollment as of March 1:

Click here for a larger view of the map.

Source: HHS, “Health Insurance Marketplace: March Enrollment Report,” March 11, 2014,

                                                                                                                                                                                                  Back to top

CMS issues proposed changes to HIX, insurance market standards

Late last Friday, CMS issued a proposed rule which includes several updates to policies affecting applicable insurers, HIXs, navigators and non-navigators, and other entities. Specifically, CMS proposes the following:

  • Modifications to requirements around benefits and limits adjustments: under the Affordable Care Act (ACA), insurers must guarantee availability and renewability of coverage unless an exception applies. CMS proposes that modifications made by insurers to products in order to be in compliance with federal or state laws would be considered a modification of coverage, rather than a product withdrawal. In addition, CMS proposes that changes not made pursuant to federal or state law would still be considered a modification of coverage and not a product withdrawal if the product is offered by the same insurer, is offered as the same product type (e.g., preferred provider organization [PPO]), covers the majority of the same counties in its service area, has the same cost sharing structure with a few exceptions and provides the same covered benefits.
  • Modifications to risk corridors formula: CMS proposes changes to the ceiling on allowable administrative expenses in the calculation of risk corridors. Citing ongoing uncertainty and changes in the market in 2015, CMS proposes to adjust the limit on allowable administrative costs from 20 to 22 percent and the limit on profits from 3 to 5 percent in the risk corridors calculation.
  • State navigator restrictions: CMS proposes several modifications applicable to navigators, non-navigator assistance personnel, certified application counselors (CAP) and CAP-designated organizations in the federally-facilitated HIX to allow HHS to impose civil monetary penalties on individuals and organizations if they provide false or fraudulent information to consumers, encourage applicants to submit false or fraudulent information or encourage consumers to apply for certain QHPs over others. CMS also proposes to prohibit states from imposing certification requirements in several areas onto navigators, non-navigator assistance personnel, CAPs and CAP-designated organizations. For example, states would not be permitted to impose finger-printing or background checks if meeting the requirement makes it impossible for navigators to comply on a timely basis; such requirements could be preempted.

CMS announced other changes in the proposal that apply to fixed-dollar indemnity plans in the individual market, SHOP exchanges and the quality rating system for HIX plans. CMS will accept comments on the proposed changes until 30 days after publication in the federal register.

                                                                                                                                                                                                  Back to top

Survey: U.S. uninsured rate declines to 15.9 percent

Last week, the Gallup-Healthways Well-Being Index released survey results indicating that the U.S. uninsurance rate is dropping. According to the survey, 15.9 percent of the U.S. population is uninsured compared with 17.1 percent in the fourth quarter of 2013. The results equate to approximately 3 to 4 million newly insured individuals. Certain characteristics were associated with greater decreases in uninsurance:

  • Income level: rates of uninsurance among individuals earning less than $36,000 per year dropped 2.8 percent since the fourth quarter of 2013
  • Ethnicity: Black Americans saw the largest decrease in uninsurance, dropping 2.6 percent since last quarter
  • Age: individuals age 26-34 and 35-64 experienced decreased uninsured rates, dropping 1.6 and 1.7 percent, respectively
  • Source: the number of individuals who have employer-sponsored health insurance dropped more than 2 percent from last quarter, while most other sources of insurance increased

According to Gallup and Healthways, if the trend of lower uninsurance rates continues, it could reach the lowest quarterly level since the survey began in 2008.

                                                                                                                                                                                                  Back to top

Survey: data breaches present the greatest barrier to mHealth adoption

A survey performed by Axway recently found that nearly half (45 percent) of health care information technology and business professionals view data breaches as the most significant barrier to adoption of mobile health (mHealth). The survey, conducted during the Healthcare Information and Management Systems Society (HIMSS) 2014 conference, revealed that concerns in being able to meet privacy and security regulatory and compliance requirements follow as a close second to breaches. Respondents believe that widespread mHealth adoption is not too far away: 39 percent believe it will occur in the next one to three years, while 90 percent believe mHealth adoption will be widespread within five years.

Note: while the sample in this survey was small (n = 39), it reflects a growing trend in concern over privacy and security issues in the health care industry. On September 23, 2013, the HIPAA Omnibus Final Rule went into effect, which holds covered entities liable for actions committed by business associates and strengthens the limitations on use and disclosure of protected health information. Organizations found out of compliance with the new regulations could face up to $1.5 million per violation. For more information, see “Update: Privacy and security of protected health information.”

                                                                                                                                                                                            Back to top

Report: EHR program incentive payments to eligible hospitals and physicians increase, but many dropped out after the first year

According to a General Accountability Office (GAO) review of the Meaningful Use EHR Incentive Programs, the number of hospitals and physicians that received incentive payments increased from 2011 to 2012. However, a substantial number of those who participated and received payments in 2011 dropped out of the program in 2012. Specifically, participation in the Medicaid EHR Incentive Program decreased over that period in the 36 states that completed determinations: 60.8 percent of eligible professionals and 35.7 percent of eligible hospitals did not continue into 2012. The Medicare program had a higher retention rate: only 9.5 percent of eligible hospitals and 16.3 percent of eligible physicians dropped out during the same period. While there are substantial differences in participation between the two programs, GAO notes that eligible providers are not required to participate in consecutive years to maximize incentive payments through the Medicaid EHR program, and the program does not penalize providers who do not participate. As of January, CMS has paid a total of $20.9 billion to 4,400 providers and 342,000 physicians and eligible professionals through the Meaningful Use EHR Incentive Programs.

Related: last week, the RAND Corporation released an analysis of physician satisfaction along a number of measures. According to the results obtained from interviews with 28 practices, many physicians believe that EHR technologies “significantly worsen professional satisfaction in multiple ways. Poor EHR usability, time-consuming data entry, interference with face-to-face patient care, inefficient and less fulfilling work content, inability to exchange health information between EHR products, and degradation of clinical documentation were prominent sources of professional dissatisfaction.” Physicians did indicate that EHRs give them better access to patient data, improve quality of care and enhance communication with patients and among providers. In an attempt to address some of these concerns, the American Medical Association has created a multi-stakeholder effort that will work with EHR vendor and user communities to improve EHR usability and to help physicians “become better purchasers and users.”

Analysis: incentive programs can often be only as effective as their incentives: although the Medicaid and Medicare programs have different rules, both have decreasing incentives for each year of participation. The complexity of future stages and overhead of Meaningful Use reporting/attestation increases while the incentives are reduced or eliminated; this could cause some additional drop out. However, in the end, well-executed EHR initiatives might be able to avoid the problems of poor physician satisfaction and leverage the potential for better care management.

                                                                                                                                                                                              Back to top

NCQA previews 2014 PCMH standards required to receive recognition

Last Monday, the National Committee for Quality Assurance (NCQA) released a preview of the 2014 patient-centered medical home (PCMH) standards required to receive NCQA PCMH recognition. The new PCMH standards, which will be finalized later this month, have a greater focus on the following:

  • Team-based care: outline specific roles and responsibilities for care team members and include the patient as part of the team (NCQA considers team-based care a “must pass” for all recognition levels)
  • Care management, especially for high-need populations: take socioeconomic and personal factors into account to target individuals with high utilization or cost; consider behavioral health needs and seek to better manage poorly controlled conditions
  • Alignment of quality improvement activities with the “triple aim:” factor in cost, quality, and patient experience
  • Integration of behavioral health: relay scope of behavioral health services information to patients and establish referral agreements with providers of behavioral health services
  • Sustained transformation: sustain PCMH standards over long periods of time

To date, 35,677 clinicians have earned NCQA PCMH recognition, and 37 states and the District of Columbia have initiatives that use NCQA PCMH standards in care improvement. A total of 27 elements under six standards will be included in the PCMH 2014 guidelines, under which NCQA rates practices and assigns a score of 35-100 (encompassing three levels).

Related: recently, the Journal of the American Medical Association (JAMA) published results from a study conducted on PCMH practices with NCQA recognition in Southeast Pennsylvania. For more about study, see the March 4, 2014 Health Care Current.

                                                                                                                                                                                                 Back to top

Hospital employment drops while overall health care jobs increase in February

Based on the latest Bureau of Labor Statistics employment report, hospital employment declined an estimated 1,200 jobs in February. Meanwhile, overall health care hiring grew, as the industry added 9,500 jobs last month. This marks the third month in a row that hospital employment has decreased, for a total decrease of at least 10,000 jobs since December. Other preliminary findings suggest that ambulatory-care, physician office and outpatient care center office employment increased over the previous month, while home health care and nursing and residential care facility employment decreased. As of February, nationally, hospitals employed nearly 4.8 million people, and the health care industry employed 14.6 million workers.

Related: last week, the American College of Healthcare Executives released a study finding that hospital CEO turnover increased over the last year. According to the analysis, turnover among hospital CEOs reached 20 percent in 2013, up from 17 percent in 2012 and 16 percent in 2011. States experienced different levels of turnover: Alaska, Oklahoma, and Arkansas had the highest turnover rate, while Vermont and Rhode Island experienced no turnover in hospital CEOs. The study cites increasing retirement among Baby Boomers, health care consolidation, and complexity of the evolving health care environment as potential causes behind this trend.

                                                                                                                                                                                               Back to top

On the Hill & In the Courts

CMS releases Meaningful Use hardship exemption guidelines for Stage 2

Last week, CMS and Office of the National Coordinator for Health IT (ONC) released guidance on the Meaningful Use hardship exemption. According to the guidance, CMS is only accepting 2015 payment adjustment applications, and providers who successfully attested to Meaningful Use in 2013 will not be subject to the 2015 payment adjustment. Eligible professionals and hospitals have until July 1 and April 1, 2014, respectively, to submit hardship exceptions to CMS to avoid payment adjustments in 2015. Notably, providers may apply for a one-year delay of payment adjustments in the event of “2014 Vendor Issues.” These include the inability of an EHR vendor to obtain certification in 2014 or to implement Meaningful Use due to 2014 EHR certification delays.

Related: federal officials have faced pressure from health care stakeholders recently. Leaders from 48 national provider organizations sent a letter to HHS Secretary Kathleen Sebelius expressing concern over the upcoming Meaningful Use deadlines and requesting timeline extensions for Stage 1 and 2 requirements. One of the 48 groups included the College of Healthcare Information Management Executives (CHIME), whose senior director of federal affairs, Jeff Smith, stated last week, “What was released is absolutely going to be helpful to a certain cross section of providers facing challenges relating to availability and implementation of 2014 EHRs. While they didn't take our exact policy prescription, it is clear they have heard us.” Meanwhile, six senators recently sent a letter requesting additional information regarding guidance from CMS on Meaningful Use hardship exemptions for 2014 after CMS Administrator Tavenner announced the agency would be more flexible in providing exemptions for the incentive program.

                                                                                                                                                                                                Back to top

CBO budget review: growth in Medicare spending per person will slow compared to prior years

Last week, CBO released its monthly budget review and projected that health care spending growth per Medicare beneficiary will slow in comparison to previous decades, while the number of Medicare beneficiaries is projected to increase by more than one-third over the next decade. CBO projects Medicare spending will grow at an average annual rate of 1.5 percent; spending in the federal program grew annually at an average of 4 percent between 1985 and 2007. According to CBO, this projection is due to three factors:

  • Constraints on payment rates: the sustainable growth rate will account for some of the effect, but the slowing rate will mostly be due to constraints put in place by the ACA
  • Quantity and intensity of beneficiary services provided: recent years have seen a substantial slowing in utilization of services among beneficiaries; CBO expects this to continue for a number of years
  • Younger beneficiary population: the Baby Boomer population is creating an influx of younger Medicare beneficiaries who spend less on health care than their older counterparts

CBO also projects that net federal spending for major health care programs (Medicare, Medicaid and the Children’s Health Insurance Program [CHIP]) will increase from 4.5 percent to 6 percent of gross domestic product between 2013 and 2024. In addition, a majority (three-fifths) of federal spending in 2024 will go to support individuals age 65 and older; the remaining two-fifths will be spent on care for individuals who are blind or have a disability and able-bodied, non-elderly individuals.

                                                                                                                                                                                          Back to top


Around the Country

CCIIO releases blueprint for states seeking new HIX approval

Last Thursday, the Center for Consumer Information and Insurance Oversight (CCIIO) released its blueprint for the approval process states must follow to alter their HIXs for plan year 2015. As noted in the blueprint, states have four options for models: state-based, state-based Small Business Health Options Program (SHOP), federal partnership, and federally-facilitated HIX. The blueprint outlined procedures for all states that wish to change their operation status and confirmed that technical assistance and establishment grant funding is available to states through 2014. States seeking to operate a state-based HIX, state-based SHOP or federal partnership HIX must submit a declaration letter by May 1, 2014, and complete a blueprint by no later than June 1, 2014. HHS will assume a state is maintaining its current operations if the agency does not receive a declaration letter detailing otherwise on or before May 1, 2014.

Note: for the 2014 plan year, 16 states and the District of Columbia have operated state-based HIXs, seven states opted to run partnership HIXs, and the remainder opted to operate through the federally-facilitated HIX, which enrolls individuals using

                                                                                                                                                                                                 Back to top

Study: churning to vary substantially from state-to-state

Last week, Health Affairs published study results that suggest eligibility changes for enrollees in government-financed health programs will be a challenge for all states. According to the researchers, churning—“loss of coverage and frequent transitions in the source of coverage”—could vary substantially depending on the states in which individuals live: District of Columbia is projected to have the most churning, while Mississippi is likely to have the least. In addition, the results suggest that richer states with lower poverty rates and higher per capita incomes would be more likely to experience churning between Medicaid and HIX plans.

While individuals who live in states that have expanded Medicaid would fare better than those living in non-expansion states, the researchers found that, even if all 50 states expanded Medicaid, churning would still occur. This is due to the estimate that about half of adults eligible for Medicaid or subsidized marketplace coverage encounter income fluctuations on an annual basis. Results would be worse in states that have not expanded Medicaid because childless adults often are not eligible for Medicaid through traditional eligibility paths if their income drops below the federal poverty level (FPL). The researchers suggest a series of policy recommendations for states that could allow consumers to continue their coverage even if their income fluctuates. These include adopting a 12-month continuous Medicaid eligibility period in states, assessing eligibility for Medicaid using forecasted annual incomes instead of monthly incomes, using Medicaid funds to buy coverage through HIX plans for people with incomes below 138 percent of the FPL and/or creating a Basic Health Program.

Note: several states (Arkansas, Iowa and Michigan) have implemented programs that could help reduce churning by using federal Medicaid dollars to purchase plans for certain individuals on the state’s HIX. On March 7, CMS released the final rule for states who wish to establish a Basic Health Program. For more information, see the March 11, 2014, Health Care Current.

                                                                                                                                                                                              Back to top

Breaking Boundaries

Study: engaged use of telemedicine reduces nursing home hospitalizations, generates savings

Health Affairs published results from a study of 11 nursing homes and found that those who switched from on-call physician coverage to physician coverage via telemedicine saw better results, especially when staff was fully engaged in its use. Nursing homes who were more engaged in the use of telemedicine technology after-hours reduced hospitalization rates by 11.3 percent compared to 5.2 percent in the facilities with less engagement. Additionally, the study that found the more engaged facilities generated cost savings of approximately $151,000 per year for Medicare as a result of fewer hospitalizations. Researchers conducted the study in a Massachusetts for-profit nursing home chain that had a telemedicine provider contract to cover urgent or emergent calls on weeknights and weekends. The pre-intervention period ran from October 2009 through October 2010, and the intervention period began when six of the facilities received the telemedicine technology in November 2010. While the results of the study may not be generalizable, they suggest that engagement in telemedicine use during off-hours is critical to help generate cost savings for Medicare. In addition, the researchers note that payment and financing models need to be adopted to strengthen the business case for nursing home adoption of such technologies.

                                                                                                                                                                                       Back to top

Study: robotic-assisted prostate surgery yields better results than traditional surgery

An observational study conducted by the University of California, Los Angeles (UCLA) Jonsson Comprehensive Cancer Center found that prostate cancer patients who underwent robotic-assisted surgery had 5 percent fewer instances of positive surgical margins than the control group (patients who had traditional “open” surgery). The surgical margin status measures the amount of cancer cells found at the edge of the removed specimen, and a positive margin in prostate cancer has been shown to lead to greater risk for recurrence and death. Researchers reviewed the margin status of 5,556 patients who received robotic surgery compared to 7,878 that had open surgery from 2004 to 2009. In addition to fewer cancer cells (13.6 percent vs. 18.3 percent), robot-assisted prostate surgery also led to a one-third reduction in the likelihood that a patient would need additional therapy within 24 months of surgery. While the upfront cost of robotic-assisted prostate surgery is high, the long-term cost could be lower, and patients could see fewer side effects from radiation and hormone treatment.

Related: meanwhile, another study found that complications in robotic-assisted laparoscopic surgeries could be underreported. Since 2000, approximately 1 million patients have undergone robotic surgical procedures and of those, 245 reported complications and 71 resulted in death. Further investigation through media scans and court records found more than a dozen cases that were never filed and two that were only filed after media reports. In their conclusion, the researchers called for a more comprehensive review of the true incidence of complications with these surgeries to help ensure the safety of patients.

Analysis: recently, hospitals have been engaged in an “arms race” and are adopting robotics capabilities to attract both surgeons and patients. But, researchers argue there is little data showing benefits of the technology. There have been several studies that have suggested there is a higher cost associated with their use due to the technology acquisition, maintenance and longer operating times. This study indicates a superior outcome when used in prostate surgeries; while the difference is not large, it is clinically significant. However, since this was not a randomized trial, selection bias may have played a role. Additional studies on both the clinical and financial impact of this advanced technology are needed to shed more light on whether there is true benefit.

                                                                                                                                                                                       Back to top

Did you find this useful?