Government News
of the Week:
Medicare Compliance, Medicare Advantage and Part D, and Other Federal and State Developments

1. In good news for hospitals, CMS announced on June 19 that it won't require treating physicians to supervise "incident-to" therapeutic services at hospital outpatient departments with provider-based status. In a July update (Transmittal 1536) to the outpatient prospective payment system (OPPS), CMS says it is revising the Medicare Benefit Policy Manual "to remove language stating that services furnished in provider-based departments of hospitals must be rendered under the direct supervision of a physician 'who is treating the patient.'"

This will put an end to the controversy sparked by Medicare Transmittal 82, dated Feb. 8. It required provider-based clinics to furnish therapeutic services under the direct supervision of a physician who is treating the patient. Hospitals will breathe a collective sigh of relief because they felt Transmittal 82 had put them between a rock and a hard place: either pay a treating physician to play a more hands-on role at the clinics, or shutter the clinics.

CMS said in the new OPPS update (Change Request 6094) that recent revisions in Transmittal 82 have caused confusion. However, CMS added, the transmittal's language on teaching physicians has been part of the Medicare manual for years. But lawyers and hospitals maintain it was a significant departure from current practice and Medicare regulations.

That's all moot now because hospitals can return to a pre-Transmittal 82 world in which treating physicians refer patients to provider-based clinics, whose supervising physicians generally oversee the care and are immediately available in case of emergency, but generally don't have a treatment relationship with the patient.

"It's gratifying that CMS listened to the hospital industry and rescinded a policy that could potentially harm patient care by creating additional regulatory requirements that could not be met in some circumstances, which could result in closure of certain clinics, such as infusion therapy clinics, thereby creating access problems," says Washington, D.C., attorney Andy Ruskin, who is with the law firm of Morgan, Lewis & Bockius. "This is also fiscally sound policy, as it would have been potentially wasteful for the medical director of these clinics to have to see each of the clinic's patients with some frequency, provide care, and presumably bill for the services, even though the patient is already under the care of a specialist."

Until Transmittal 82 muddied the waters, incident-to services furnished at a hospital outpatient department with provider-based status needed to have only some physician — not necessarily the treating physician — furnish the supervisory services required in regulation 42 C.F.R. § 410.27(f). The goal: to make sure that there is a physician available if something goes wrong. It appears now that hospitals can return to this policy.

Visit AIS's Government Resources; click on "CMS Program Transmittals/Change Requests."

Reprinted from the June 23, 2008, issue of REPORT ON MEDICARE COMPLIANCE.

2. Thousands of providers that received Medicare payments during calendar year 2006 had federal tax debts totaling about $2 billion, the Government Accountability Office (GAO) said in a report (GAO-08-618) released June 20. And even though some facilities' owners are accumulating "substantial wealth and assets," such as multimillion-dollar homes, there is little that CMS and the IRS can do about the situation right now, GAO says. CMS responded that it will start levying certain Medicare payments in October, among other activities.

As the investigative arm of Congress, GAO was asked to probe federal contractors, grant recipients and exempt organizations to see if they are paying their taxes. Results of those investigations led lawmakers to ask if providers receiving Medicare and Medicaid payments also are abusing the federal tax system, the report explains. For this audit, GAO determined (1) the magnitude of the debts, (2) examples of abusive or criminal activities, and (3) whether CMS can prevent providers with tax problems from enrolling in Medicare or can levy their Medicare payments.

GAO looked at IRS tax records and CMS data and found that more than 27,000 providers had unpaid federal taxes (mostly individual income and payroll taxes) during 2006. But GAO admits that the $2 billion total is "substantially understated" because the IRS data did not include entities that never filed tax returns or that underreported their incomes, among other things.

The report singled out 25 providers "using primarily the amount of tax debt and number of delinquent tax periods as selection factors." The facilities included hospitals, hospices and skilled nursing facilities. "Many were established businesses (such as corporations) that owed payroll taxes withheld for their employees," GAO says. "Rather than fulfill their role as 'trustees' of this money and forward it to IRS as required by law, these Medicare providers diverted the money for other purposes. In one case, a home health company received over $15 million in Medicare payments but did not pay $7 million in federal taxes," the report says.

Employers and their corporate officers are subject to civil and criminal penalties if they don't submit payroll taxes to the government, GAO points out. The IRS records showed that some of the facilities had been delinquent on their taxes for several years. "Our review of the 25 Medicare providers found that IRS attempted to work with the businesses and individuals to achieve voluntary compliance, pursuing enforcement actions later rather than earlier in the collection process," the report says. "Our review of IRS records with respect to the 25 cases showed that IRS did not issue paper levies to the Medicare contractors to levy the payments of Medicare providers for 10 of the 25 cases. As a result, many of the Medicare providers in our case studies continued to receive Medicare payments while failing to pay their federal taxes."

GAO explains that the Taxpayer Relief Act of 1997 lets IRS continuously levy certain federal payments that are made to delinquent taxpayers, but says CMS has not been fully incorporated into the program. Also, CMS doesn't have regulations or policies to (1) make its contractors get consent from providers to let IRS disclose their federal tax debts, and (2) require screenings of providers to show unpaid taxes. "As a consequence, CMS has no mechanism to prevent providers with substantial unpaid federal taxes from becoming Medicare providers or receiving payments from Medicare," GAO says.

In response, CMS said it will have incorporated fee-for-service payments made through its central accounting system into the levy program by October 2008. CMS also pointed out that prospective durable medical equipment suppliers will be required to be free of tax debt since it issued a proposed rule in January. CMS added that it is considering applying this to other provider types.

Read the report at www.gao.gov/cgi-bin/getrpt?GAO-08-618.

Reprinted from the June 30, 2008, issue of REPORT ON MEDICARE COMPLIANCE.

3. The University of Utah Hospital and Health Clinics is undergoing the daunting task of informing about 2.2 million of its patients that data tapes containing their billing records were stolen on June 2.

A metal box containing the tapes was stolen from the personal vehicle belonging to an employee of an independent storage company under contract with the health system, it said in a June 10 prepared statement. "The driver violated the protocols his company had established to ensure secure data transportation," namely using his own car instead of a secure company van and leaving the tapes in his car overnight.

University Health Care says it contacted the Salt Lake County Sheriff's Department, the FBI and the U.S. Postal Service about the theft, but that the incident is probably a random car burglary. There is no indication that the information has been accessed, it adds. The system is offering a $1,000 reward for the return of the tapes.

The records included patient names, birth dates, physician names, insurance information, driver's license numbers and diagnosis codes, but no credit card information. For about 1.3 million patients, the records contained Social Security numbers (SSNs).

The contractor told the university that this is the first incident of this kind in the 40 years the company has been in business. And the driver has been with the company for 18 years. But University Health Care has suspended deliveries of backup tapes to the contractor, pending a review of its transportation procedures.

The health system held a news conference, set up a Web site and established an information line for patients. It is also providing free credit monitoring and restoration services to patients whose records included SSNs.

University privacy officials did not respond to requests for comment made by AIS.

Go to http://healthcare.utah.edu/billingrecordstheft.

Reprinted from the July 2008 issue of REPORT ON PATIENT PRIVACY

4. Maryland Gov. Martin O'Malley (D) unveiled on June 23 the Maryland Health Insurance Partnership, a health insurance premium subsidy program to help small businesses purchase coverage. Under the program, small businesses will apply for the subsidies through the Maryland Health Care Commission (MHCC). After being deemed eligible, they will be able to purchase certain health insurance products offered by CareFirst Blue Cross Blue Shield, Coventry Health Care, Inc. UnitedHealth Group or Aetna Inc., according to O'Malley's office.

Participating plans will offer products that encourage member wellness through health risk assessment tools and "incentivized" preventive care, wellness activities, or disease management. The governor's office says it expects more than 1,500 businesses will apply for the partnership subsidy this year. The commission, the office added, will begin accepting applications in September, and coverage under the program will begin Oct. 1.

Small businesses with between two and nine full-time employees that have not offered health insurance to their employees during the past 12 months are eligible to receive a subsidy of up to 50% of the health plan's premium, according to O'Malley's office. To be eligible, the employees must have an average annual salary below $50,000. In addition, the subsidy is divided between the employer and the employee, based on their contribution to the coverage costs.

The state estimates that roughly 10,000 employees are eligible for subsidized premiums under the program, Bill Casey, vice president of government affairs at CareFirst, tells AIS. He explains that "once the MHCC qualifies them, they can buy those products through the carrier" or through a broker.

Aetna spokesperson Walt Cherniak adds that the total subsidy to the employer and its employees could be as high as $2,000 a year per individual and up to $5,000 a year per family. Cherniak says he is not aware of any other state that has this kind of program.

CareFirst will continue to offer all of its current line of small-business products, but only three will be eligible to those employers that qualify for the subsidy, Casey says. Each carries a $1,200 annual deductible for individuals, he states. The products that will be offered are BlueChoice HMO, a health savings account-compatible plan; BlueChoice Opt-Out Plus, a point-of-service product; and BluePreferred PPO, which also is HSA-compatible, according to Casey. He adds that the plans have no deductible for preventive care services.

"We don't know what our competitors are offering at this point, so it's kind of difficult to judge this particular marketplace" in terms of how many members the plan will pick up through the subsidized offering, Casey says. But he adds, "We would certainly hope that a substantial number of those would come to [CareFirst]."

"The plans we're going to offer are current HMO and point-of-service plans that are consumer-directed," Cherniak tells AIS. The subsidized members will have access to "Aetna's Simple Steps to a Healthier Life program, which includes a health risk assessment and online health and wellness tools," he says. Cherniak explains, "We selected these [products] as part of the partnership because they have lower premiums and are likely to be more attractive to first-time buyers of employer-based insurance." He says it represents a "subset of the broader portfolio of plans offered to small employers across the state."

5. Despite many precautions and security procedures already in place, there were two "data breaches" of genetic information from studies housed in the National Institutes of Health's fledgling database, NIH officials told members of the agency's highest-level advisory committee at its meeting on June 6. The breaches occurred in November and December 2007.

All investigators who receive federal funding to conduct research known as genomewide association studies (GWAS) are required as of January to submit information to the database of genotypes and phenotypes (dbGaP). Because the point of the database is to share the information, investigators are also allowed to access studies after going through a kind of internal NIH vetting process.

In the first breach case, an investigator who had approval for one set of data was able to access a second set, for which he did not have authorization. The second incident could be seen as more troubling. An investigator who applied for access to data was denied, but that decision was mistakenly recorded as an approval, and she was able to download the information she had sought.

Officials say the computer software "glitches" that led to these unauthorized releases of data have been corrected, and they are not aware of any subsequent similar incidents. To prevent a repeat, they have also installed an ongoing auditing system and made other changes to beef up security. Still, the breaches do show the vulnerabilities of computer software, they admitted.

"We…recognize, and I think all of us are well aware of this in our own practices, in a research environment, that software problems happen, and that is particularly true when you are using a newly developed software system and increasingly one that is extraordinarily complicated," Christine Seidman, a member of the advisory committee and of the committee's working group overseeing the database, said at the meeting.

"So while we [in reviewing the incidents] have emphasized the importance for ongoing monitoring of the system and assessment of the database, overall we think that it remains safe and secure and appropriate for the use for which it is intended."

Creation of the database marked a seminal moment for research, a recognition of the value and efficiency of collaboration to further medical discoveries. Recognizing the sensitivity of genetic data, NIH took great care — and several years — to develop complex submission and access policies, convening public meetings and issuing proposed policies to solicit input.

It also imposed a multi-layer oversight structure for the database, with the Advisory Committee to the Director (ACD) of NIH as the top layer (before NIH Director Elias Zerhouni himself). It was at the ACD meeting earlier in June that officials first publicly discussed the data breaches.

The NIH policy calls for investigators with NIH funding to submit de-identified genetic data to dbGaP and, in doing so, "submit documentation that describes how the investigators will protect privacy and confidentiality of research participants," according to the policy.

The dbGaP itself has been in place for the voluntary deposit of appropriate studies since December 2006, but mandatory submission did not begin until January of this year. Access to the data once it is deposited must first be approved by an internal NIH data access committee; 12 DACs serve the 27 NIH institutes and centers, processing dbGaP access requests and handling other related matters.

According to NIH reports at the meeting and minutes of the working group's meeting in January, the first data breach occurred with an investigator who was trying to access information in the "GAIN" dataset (i.e., the Genetic Association Information Network), which is a partnership involving NIH, universities and pharmaceutical companies.

Although the investigator had been granted access to data from one "consent group," the system allowed him to also access a second set of data. The National Center for Biotechnology Information (NCBI), which runs the database, "caught" this error after the user, who thought he had appropriately accessed the data, contacted the database help desk in mid-December to complain that the files were "incomplete." He had accessed the information in November. Officials determined that this ability to access non-approved datasets existed for about a week.

The second incident involved data from the landmark Framingham Heart Study, ongoing since 1948. It consists of data on more than 9,300 participants and 900 families, who, according to NIH, "had their DNA tested for 550,000 genetic variations. In addition, the participants' clinical data gathered during the study, such as test results or weight, are included."

The data access committee for the National Heart, Lung, and Blood Institute turned down an investigator's request to access the Framingham data, but the system recorded the decision as an approval, and she downloaded data. This error was detected when the DAC chair was entering a decision on another request and realized he wasn't able to select a box to indicate disapproval.

In both instances, the chairmen of the relevant DACs personally contacted the two investigators, told them their access was not approved, and asked that the data be destroyed. Subsequently, each investigator reapplied for access to the verboten data, and it was granted.

Al Graeff, who is NCBI's deputy director, said at the meeting that these incidents were "taken very seriously," and a number of meetings were held to discuss them. He said that new automated and manual procedures were added to the system. In addition, "we did a total rewrite of the software code" to prevent these errors in the future, Gray said.

ACD member David Botstein called the incidents "unfortunate" but "not serious." "The response was prompt and appropriate," said Botstein, director of the Lewis-Sigler Institute for Integrative Genomics at Princeton University, who added that the breaches should be kept in perspective.

"The harm that could have been done is modest in comparison to the possible harm from clinical trials" in other instances when results are compromised due to investigator conflicts, he said.

Visit http://grants.nih.gov/grants/gwas.

Reprinted from the July 2008 issue of REPORT ON PATIENT PRIVACY

6. Amid ongoing litigation, Hawaii has quietly delayed implementation of its new Medicaid managed care contract to care for 37,000 aged, blind and disabled (ABD) members until Feb. 1, 2009, backing off from the original Nov. 1 start date. After competitive bidding, the state awarded the $1.5 billion contract Feb. 1 to subsidiaries of UnitedHealth Group and WellCare Health Plans, Inc.

Not-for-profit AlohaCare, an incumbent locally based Medicaid plan, continues to protest its loss of the QUEST Expanded Access (QExA) procurement to the two for-profit competitors, arguing that the state's bidding process was flawed. Ed Kemper, AlohaCare's outside counsel, told AIS June 30 he expects a written opinion soon from the federal judge who at a June 18 hearing denied AlohaCare's request for a temporary restraining order and injunction to prevent UnitedHealth and WellCare from moving forward on the contract.

"There is no appeal yet because there's been no written decision by the judge," Kemper explained. "Once there's a final judgment, we can appeal it to the Ninth Circuit." In oral statements, the federal judge threw out most of AlohaCare's case for lack of standing to bring a lawsuit. "Unless there's a dramatic change in her written opinion, we're appealing," he said.

Separately, a disability rights group called the Hawaii Coalition for Health filed a federal lawsuit June 10 seeking protection of patients' rights, which the group alleges have been placed at significant risk in the Medicaid contract because of potentially limited access to care and other issues. A hearing on the group's motion for a preliminary injunction is scheduled for July 21.

At the federal level, Rep. Neil Abercrombie (D-Hawaii), wrote to CMS May 1, citing his worry over the speed of Hawaii's procurement process and questioning whether it met the due-diligence requirement. He said the terms of the contract appear to allow awardees to raise bid amounts to include the payment of Hawaii state premium taxes required of for-profit plans. Abercrombie also raised concerns about adequate access and provider networks.

CMS responded May 21 that states may consider Medicaid's portion of a permissible health care-related tax as an allowable cost for the purposes of developing Medicaid reimbursement rates. CMS said states must follow "a free and open" procurement process, and said it has extensive rules that states must follow to ensure access and adequate provider networks.

Currently, CMS is not involved in the Hawaii matter, agency spokeswoman Mary Kahn told AIS June 30. "There is no role for CMS at this point. The state is going to delay implementation of the contracts awarded to United and WellCare until Feb. 1, and that delay does not require our approval."

AlohaCare asserts that the Hawaii Dept. of Human Services favored for-profit, out-of-state plans in the QExA procurement process by asking for bids on a pretax basis even though for-profit health insurers must pay a 4.265% premium tax in Hawaii.

More than 160,000 people now covered by Temporary Aid to Needy Families (TANF) are enrolled in QUEST, Hawaii's statewide mandatory Medicaid managed care program, the state reports. AlohaCare, which has been in QUEST since its inception, has about 59,000 members; Hawaii Medical Services Association, about 82,000; Kaiser Permanente's Hawaii Region, about 19,000; and Summerlin Life & Health Insurance Co., the program's only for-profit plan, has approximately 1,700 members.

Hawaii last year got a federal waiver to shift the ABD population from fee-for-service Medicaid into managed care plans, issued the request for proposals (RFP) last October, got submissions from five bidders in December and awarded contracts Feb. 1 to United's Evercare Hawaii subsidiary and WellCare's Ohana Health Plan. Evercare Hawaii said it expects about 16,000 ABD members in the first year of operation.

United did not return a call for comment about its preparations for the pact.

Reprinted from the July 3, 2008, issue of MEDICARE ADVANTAGE NEWS.

7. Illinois did not contribute approximately $2.1 million to CMS on behalf of the state's Medicare-Medicaid dual-eligible individuals from January through October 2006, HHS Office of Inspector General (OIG) said in an audit of the state's Medicare Part D subsidies. Under federal rules, states must make contributions to the subsidies provided to full-benefit dual eligibles under the Part D benefit. After sampling 30 months, OIG found that Illinois did not make any contributions for 22 of the months. Although the state's Medicare Prescription Drug, Improvement, and Modernization Act (MMA) monthly file included full-dual information for 18 of the 22 months, CMS did not include the information in the MMA return file that identifies the amount billed to the state. For the remaining four beneficiary-months, the state did not include full-dual information in its MMA file, nor did CMS in its MMA return file. OIG recommended that the state (1) work with CMS to develop a process for reconciling the MMA file to the MMA return file to ensure that required contributions are identified and made for all full-benefit dual eligibles; and (2) identify and accurately report all full-benefit dual eligibles to CMS in the MMA file. Illinois agreed with OIG's recommendations. Go to www.oig.hhs.gov/oas/reports/region5/50700009.htm.

Reprinted from the July 2008 issue of MEDICARE PART D COMPLIANCE NEWS

8. Walter Reed Army Medical Center officials are investigating the possible disclosure of about 1,000 Military Health System beneficiaries' medical information, the facility said on June 2. Officials were notified of the breach on May 21 and have been working to notify all of those involved. "Preliminary results of an ongoing investigation have identified a computer from which the data [were] apparently compromised," a prepared statement says. "Data security personnel from Walter Reed and the Department of the Army continue to investigate the source and causes for the information compromise."

Reprinted from the July 2008 issue of REPORT ON PATIENT PRIVACY

9. Wisconsin law enforcement officials are frustrated because they say the are having trouble getting timely information about suspects who have been hospitalized, according to a June 15 article in the Green Bay Press-Gazette. In one example, a prosecutor told the newspaper that it was charging a woman with homicide by intoxicated use of a motor vehicle after she was in a car accident that killed two young women. But she also was injured and was being treated in a hospital. Prosecutors filed the charges and wanted set up an initial appearance for her less than a week after the crash, but had problems getting answers from the hospital about when she was to be released, according to the Press-Gazette. "It makes your job very difficult," one official said. A spokesperson for the hospital told the newspaper that Wisconsin law may prevent hospital staff from releasing information on patient discharges if that information is contained in his or her health record. But if one person is verbally telling another the discharge date, it is less certain whether the state law covers that, the spokesperson said.

Reprinted from the July 2008 issue of REPORT ON PATIENT PRIVACY

10. Sens. Mel Martinez (R-Fla.) and John Cornyn (R-Texas) say they will introduce a bill intended to detect and prevent Medicare fraud and identity theft. The Senior and Taxpayers Obligation Protection Act (STOP Act) "will help stop Medicare fraud before it starts" by giving CMS and HHS the tools to detect and prevent rather than pay and chase, the lawmakers said in a June 19 prepared statement. The bill also would require HHS to change the current procedure of using Social Security numbers as Medicare Beneficiary Identifiers to stop identity theft among seniors.

Reprinted from the July 2008 issue of REPORT ON PATIENT PRIVACY

Additional government news appears in
AIS's HEALTH BUSINESS DAILY

Hot Products

New • 2008 Managed Medicare & Medicaid Factbook • 2008 Directory of Health Plans • Pharmacy Benefit Survey Results Best Sellers • 2000-2007 Pharmacy Benefit Trends & Data • HCCA-AIS Medicaid Compliance News • Health Plan Facts Trends and Data 2007-2008 • Medicare Part D: Analysis of CMS Rules • PBM Contracting & Transparency Issues and Models See full listing of products at AIS Marketplace

Hot Products

New • 2008 Managed Medicare & Medicaid Factbook • 2008 Directory of Health Plans • Pharmacy Benefit Survey Results Best Sellers • 2000-2007 Pharmacy Benefit Trends & Data • HCCA-AIS Medicaid Compliance News • Health Plan Facts Trends and Data 2007-2008 • Medicare Part D: Analysis of CMS Rules • PBM Contracting & Transparency Issues and Models See full listing of products at AIS Marketplace