Health Highlights

Contracting With Technology Vendors: Obligations and Compliance Strategies

By Jill DeGraff, Partner, Manatt Health | Helen R. Pfister, Partner, Manatt Health | Randi Seigel, Counsel, Manatt Health

Editor’s Note: In a recent webinar, Manatt Health examined how to protect privacy when communicating in the digital age. The session revealed how to benefit from the powerful new tools transforming healthcare communications—from portals and email to apps and the Internet of Things—while analyzing the risks under the Health Insurance Portability and Accountability Act (HIPAA). Last month, in part 1 of our program summary, we shared key insights into the enforcement landscape, HIPAA rules and best practices around six emerging technologies. In part 2, below, we discuss evaluating and contracting with technology vendors, as well as best-practice compliance strategies.

Click here to download a free copy of the presentation.


Evaluating and Contracting with Technology Vendors: The Four Key Steps of Covered Entity Obligations

Covered entities’ obligations when selecting and contracting with technology vendors require four key steps: evaluate, document, contract and monitor.

1. Evaluate

The first step in selecting a technology vendor is to evaluate the nature and scope of the arrangement with the vendor as it relates to privacy and security. It’s important to consider the type of protected health information (PHI) being shared and with whom, the technology being used to share the information, and how all these factors impact the risk profile for a particular vendor. This information not only supports an optimal vendor decision but also helps define key information that needs to be included in the contracting process if the vendor is selected.

When evaluating a vendor, it’s also critical to consider, if any of the data will be maintained offshore. Though offshore maintenance is permissible under HIPAA, there may be other state limitations that need to be taken into account, as well as the general risks of offshoring—particularly if the data is being maintained in a country where there are documented attempts at hacking or other malware attacks.

In addition, to the extent information is available, it’s important to determine if the vendor has a proven track record in effective healthcare security. (Of course, a startup certainly can have a robust security environment and often provides new, innovative ways to approach healthcare).

Always ensure that any vendor being considered provides a mechanism for conducting and completing mandatory HIPAA audits and is willing to share the security specifications. A due diligence list can be a helpful tool when assessing technology vendors. Among the important issues to include when creating a due diligence list for evaluating vendors are:

  • Access controls, including the ability to generate reports on access controls and procedures around adding and removing users.
  • Data backup processes.
  • Server redundancy and server security.
  • User authentication processes.
  • Retention policies, including their consistency both with applicable laws and the covered entity’s policies.
  • Verification that the vendor’s software has been certified as compliant by the Office of the National Coordinator for Health Information Technology (ONC).
  • Frequency of security testing and results of those tests. In addition, depending on the size and nature of the contract, it may be appropriate for a covered entity to have its own security officer do a site inspection before finalizing a vendor decision.

2. Document

Whatever level of due diligence is performed, it is crucial to document the evaluation and maintain a file of key documents. There should be written policies detailing what specifically needs to be documented, as well as who is responsible for updating the information. Maintaining documentation is not just essential for supporting an effective internal compliance process but also for ensuring compliance with the HIPAA Security Rule and defending oneself in the event of an audit.

3. Contract

Many covered entities have a standard template that they use for all their Business Associate Agreements (BAAs). When it comes to BAAs, however, one size does not fit all.

Each BAA should be written to be consistent with the master underlying contract between the two parties. BAA contracts should:

  • Confirm who owns the data,
  • Specify what can be done with the data,
  • Cover indemnification of the covered entity in the event of unauthorized use or disposal of data, and
  • Establish reasonable reporting timeframes for breach notifications.

Many vendors also will try to put liability caps into place that limit their liability, for example, to fees they were paid over the past 12 months. Covered entities need to assess their comfort level with any liability limits. They also need to make sure that the vendor has adequate cyber liability coverage in place.

It is important to track all BAAs, and if possible, in a centralized location—doing so can be challenging. Business associate relationships often originate in and are managed by business units rather than centralized legal or compliance departments. The fact that these relationships are dispersed throughout the organization makes it all the more critical to have a process in place for keeping track of them. The U.S. Department of Health and Human Services, Office for Civil Rights OCR has indicated that it requests a list of all of the BAAs when it performs random and targeted audits.

Service-Level Agreements (SLAs) are also commonly established between business associates and their customers. SLAs are often used to address more specific business expectations, particularly those that are relevant to HIPAA compliance. For example, SLAs can be used to address such HIPAA concerns as system availability and reliability, backup and data recovery, audit cycles, and the manner in which data will be returned to a customer after service termination.

4. Monitor

Covered entities need to remember that their vendors, ultimately, are their responsibility. Therefore, it is critical that they closely monitor vendor activities. Covered entities should:

  • Include vendors in their annual risk assessments,
  • Require vendors to provide copies of their own risk assessments,
  • Monitor and audit vendors’ activities, and
  • Follow up on any incident reported by a vendor that could be deemed a security breach.

Review of Compliance Strategies

Clearly, digital technologies improve communication and help organizations evolve into more inclusive, patient-centered, valued-based healthcare systems. The widespread adoption of new technologies challenges privacy professionals to move beyond serving as subject matter experts or HIPAA enforcers. They must now take on the added role of policy conveners who maintain governance frameworks for setting policies and procedures in the context of their organizations’ strategic objectives and privacy values.

In the fast-changing digital world, organizations must uniquely evaluate each new technology, analyzing its risks, advantages and disadvantages—and fully document the evaluation process and its results. They also must develop and adopt HIPAA policies that address all forms of digital technologies—and continually review and update those policies to keep pace with the ever-changing technological environment.

In addition, it is critical to train staff on the use of all technologies permitted by the covered entity and the policies governing that use. That training should be reinforced throughout the year, with emails and posters reminding staff to be mindful when using digital tools to communicate with each other and with patients.


The rise of digital tools opens up vast opportunities for improving both communication among staff and engagement with patients. Digital tools, also, however, can present serious privacy and security concerns, which can be exacerbated when needing to depend on outside vendors. Diligently adhering to the following steps can help protect organizations, even when choosing and working with external partners:

  • Evaluate every potential vendor thoroughly and thoughtfully.
  • Document all vendor evaluations.
  • Engage in a contracting process that is reflective of each vendor’s uniqueness and the electronic PHI at risk. Ensure contracts impose necessary requirements on vendors to provide adequate protections.
  • Monitor and audit covered entities’ activities, as they relate to the use of communication technologies.
  • Monitor and audit business associates.
  • Maintain an easily retrievable list of all business associates.
  • Address any risks. If there is a decision not to address a risk, document the reason for that decision.
  • Consider cyber liability insurance.

back to top

The FTC Continues to Challenge Healthcare Mergers

By Lisl J. Dunlop, Partner, Antitrust and Competition | Shoshana S. Speiser, Associate, Litigation

Confirming that hospital merger enforcement continues to be a priority under the new administration, the Federal Trade Commission (FTC) and the North Dakota Attorney General recently challenged Sanford Health’s proposed acquisition of Mid Dakota Clinic. According to the FTC, the acquisition would combine two of the largest providers across several practice areas in North Dakota’s Bismarck and Mandan metropolitan area.

On June 22, 2017, the FTC and North Dakota Attorney General filed a complaint in federal district court seeking a temporary restraining order and preliminary injunction to block Sanford Health from acquiring Mid Dakota Clinic, P.C. (MDC), its closest rival in the Bismarck-Mandan area. Sanford Health’s subsidiary, Sanford Bismarck, operates a 217-bed hospital in Bismarck, 8 primary care service clinics and a number of specialty clinics. Sanford Bismarck employs about 160 physicians, including 36 primary care physicians, 4 pediatricians, 8 obstetricians/gynecologists (OB/GYNs) and 4 general surgeons. MDC is a multispecialty medical practice in Bismarck that employs 61 physicians, including 23 primary care physicians, 6 pediatricians, 8 OB/GYNs and 6 general surgeons. MDC operates 6 clinics, a Center for Women and an ambulatory surgery center in Bismarck.

The transaction is relatively small, falling below the Hart-Scott-Rodino (HSR) notification thresholds. One overlap of concern raised by the FTC is the combination of the two providers’ OB/GYN groups, each of which consists of only 8 providers. Under the antitrust laws, however, the key issue is the impact on the market, not the size of the entities. In this case, the FTC estimates that the combined entity would have at least a 75% to 85% market share in primary care, pediatric and OB/GYN services and would be the only physician group offering general surgery physician services.

According to the complaint, the two parties currently compete for inclusion in commercial payers’ networks. The theory is that, absent both of these groups, it would be very difficult for a commercial payer to market a health plan to employers in the Bismarck-Mandan area. Elimination of the competition between Sanford Health and MDC, in turn, would increase the combined entity’s leverage and enable it to obtain higher reimbursement rates that would be passed on to employers and their employees. Once they were a combined entity, the two providers allegedly also would cease competing to improve their technology, expand their services, recruit high-quality physicians, and provide patients with convenient and accessible care.

In recent arguments before the FTC’s administrative court, the merging parties asserted that the FTC’s price-effect claims were inaccurate and that there can be no argument that stopping the merger would reduce quality. The parties believe that their merger will help the combined firm hire specialists and create synergies and efficiencies in the delivery of care.

Conclusion: Healthcare Antitrust Enforcement Is a Priority

This challenge serves as an important reminder that deals that raise FTC concerns are not limited to those that are HSR-reportable or are between large corporations or health systems. Healthcare entities should not assume that smaller transactions can slip through under the radar. The FTC has demonstrated that it keeps a close watch on seemingly small transactions and will not hesitate to bring challenges if the agency believes they are warranted.

In light of the FTC’s focus on healthcare, its strong track record of succeeding in its healthcare challenges, and the potentially high costs of unwinding even small transactions, all healthcare entities seeking to enter into mergers, affiliations or other collaborations should strongly consider consulting antitrust counsel.

back to top

Digital Health Strategies: Transforming Care Delivery and Quality

By Alice (Ali) Loveys, MD, FAAP, FHIMSS, ABP-CI, Senior Advisor, Manatt Health

Editor’s Note: Digital health is playing a significant role in driving delivery and payment model innovation in healthcare. Recognizing its importance across a wide range of critical applications—from enhancing the consumer’s decision journey to facilitating information sharing to providing remote care, access and monitoring—Manatt Health is creating a new “Health Update” series focused on digital health. The series kicks off with the article below on creating focused digital health departments that improve the patient care experience, as well as optimize research, training and communication.


Digital technologies and the Internet of Things have become woven into the fabric of our everyday lives. Consumers now expect the same level of digital integration that they experience in other areas of their lives from their healthcare providers.

Digital strategies can be particularly important—but also particularly complicated—in the healthcare arena for a number of reasons. The healthcare journey can be a stressful one for consumers. The issues are multifaceted, and the environment is unfamiliar and often daunting to patients and their families. The language and terms used can be foreign and require translation to everyday language to be understood. In addition, health systems can be large and hard to navigate, with multiple people involved in delivering, coordinating and paying for care. Faced with these complexities, patients may experience a general lack of control and fear about the outcome, if something goes wrong.

The connectivity that consumers have grown to expect may ease the challenges inherent in patient journeys. These touch points of connectivity represent important opportunities to gain consumer confidence, create loyalty, and ensure a satisfying experience.

Digital Health Departments: Aligned Yet Unique

Forward-thinking institutions are responding to patient expectations with new digital strategies. Similar to patients, the staffs at provider organizations have hopes that technology will improve their ability to deliver quality care.

To support their transition to the digital era, organizations are dedicating resources to expanding their information technology departments with special units focused on digital tools. With the multitude of available apps, portals, sensors and other rapidly developing technologies, organizations must have digital health strategies to help them prioritize and support their digital health (DH) initiatives. To be effective, DH strategies must align with the larger organizational vision and value propositions, governance and resource allocation planning, as well as include a clear roadmap for DH implementations.

While DH departments must be integrated with the larger information systems departments, they also are unique in several ways. DH departments need to remain nimble in exploring a range of possible ideas and testing them for proof of concepts. They have to be able to succeed or fail quickly. For each point along the healthcare delivery path, DH departments must research existing options—and decide whether to create vendor partnerships or support development in house. At the same time, they are responsible for convening and responding to the needs and suggestions of a broad array of stakeholders across their organizations.

In addition, DH departments may be called on to extend the reach of their organizations outside their building walls to support the virtual delivery of care. These virtual touch points may be direct-to-consumer care, provider-to-provider communications, and remote monitoring services. All of these require strong relationships with outside partners.

Of course, connectivity in and of itself is not a guarantee of improved outcomes. Therefore, DH requirements should include built-in analytics and evaluations to ensure digital services are meeting clinical and quality goals.

Beyond Patient Care

Patient care is not the only area that can benefit significantly from an effective DH strategy. In addition to improving patient care, digital tools promise innovations in training and education for the allied healthcare fields. They can support:

  • Revenue cycle management divisions with new tools for estimating costs of care and establishing new payment models.
  • Research departments with new tools for clinical trial recruitment and for rapidly disseminating research findings.
  • Caregivers with new tools for accessing information and personalized approaches for treating their loved ones.

DH Department Governance

Organizations may have started their forays into digital health prior to an official DH office being established. Therefore, as DH departments become formal structures, they need to implement enterprise portfolio management systems. This approach allows them to see all of the DH initiatives across the organization and prioritize a balanced portfolio with coordinated resources going forward.

Part of DH governance is to ensure continuity in the look, feel and navigation of digital tools for patients, staff and partners. DH leaders also must govern knowledge management, establishing and enforcing technology standards, security protocols and regulatory compliance programs.

In addition, DH leaders must effectively allocate resources and manage cross-functional teams of internal staff, vendors and partners. They must possess strong leadership and change management skills. Their success will be measured by their impact on key performance indicators, such as patient satisfaction, clinical quality metrics and efficient business models.


While facing a plethora of expectations from a wide range of invested parties, strong DH departments, with strong leadership, have the ability to transform and improve the delivery and quality of care across the entire patient experience. Organizations with proven DH strategies will lead their peers on education, research, training and outreach.

back to top

ERISA Procedural Rights Violations Can Still State Federal Claims

By John M. LeBlanc, Partner, Healthcare Litigation | Andrew H. Struve, Partner, Healthcare Litigation | Caitlin Ward, Associate, Litigation

Last year, the United States Supreme Court decided Spokeo v. Robins, holding that a procedural violation of a statute is insufficient to create a “concrete” injury and confer standing if the plaintiff suffered no real harm. Spokeo arose in the context of the Fair Credit Reporting Act, cite (FCRA), but the question remained how Spokeo would impact alleged procedural violations of the Employment Retirement Income Security Act, 29 U.S.C. §§ 1001 et. seq. (ERISA). Subsequent decisions have acknowledged Spokeo applies in ERISA cases, but also provide guidance as to how such procedural violations may still be enough to establish Article III standing under ERISA.

Spokeo, Inc. v. Robins

In Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016), as revised (May 24, 2016), the Court held that a plaintiff must show an injury in fact before pursuing a claim for violation of the FCRA, meaning “an invasion of a legally protected interest" that is "concrete and particularized" and "actual or imminent, not conjectural or hypothetical.” Spokeo, 136 S. Ct. at 1548. The Court concluded that even where a statutory scheme provided a private right of action to sue and receive damages for violations of a statutory provision, the mere procedural breach of a statute is insufficient to create a “concrete” injury sufficient to confer standing where there is no real harm. Id. at 1549. In the absence of such a concrete injury, the would-be plaintiff lacks standing to pursue her claim in federal court.

Not all violations of statutory procedural rights receive a free pass under Spokeo, however: The Supreme Court cautioned that the “violation of a procedural right granted by statute can be sufficient in some circumstances to constitute injury in fact.” (Emphasis added.) In such a case, a plaintiff need not allege any additional harm beyond that identified by Congress. Spokeo at 1549-50 (citing as examples Federal Election Comm’n v. Akins, 524 U.S. 11, 20–25 (1998) (confirming voters’ inability to obtain information that Congress had decided to make public is a sufficient injury in fact) and Public Citizen v. Department of Justice, 491 U.S. 440, 449 (1989) (holding failure to disclose information under the Federal Advisory Committee Act constitutes a sufficiently distinct injury to provide standing to sue)).

Application of Spokeo in ERISA cases

Although Spokeo arose in the context of the FCRA, it was immediately apparent that the decision had broader impact to many federal statutory schemes, including ERISA. Sure enough, courts quickly were called upon to apply Spokeo’s rule to ERISA claims, and have wrestled to determine when an alleged ERISA violation satisfies Spokeo’s injury-in-fact standard. Two cases in particular, Brooks v. Georgia Pacific LLC and Limbach v. Weil Pump Company, Inc., provide guidance on how to examine an alleged ERISA claim where the injury is a mere procedural violation (i.e. not the denial of benefits) for standing after Spokeo.

In Brooks, plaintiff sued his plan for failure to provide plan information in a timely manner, seeking $100 per day. 2017 WL 1534219 (W.D. La. Mar. 21, 2017), report and recommendation adopted, 2017 WL 1538606 (W.D. La. Apr. 26, 2017). Brooks did not allege that he suffered any specific harm beyond delayed receipt of the required information, but the trial court held he had concrete harm under the Spokeo analysis, reasoning that “in contrast to other cases where an erstwhile plaintiff seeks statutory damages for the bare transgression of a federal procedural protection divorced from any material harm, Brooks actually required a copy of the plan for purposes of understanding his benefits and rights, which he then used . . . to administratively appeal the determination.” Id. at *5.

In its analysis, the court relied on the fact that compensatory or monetary damages are not required to award a statutory penalty under ERISA. Id. at *4-5. Rather, “frustration, trouble, and expense are pertinent factors for the court to consider when deciding whether to impose a penalty against the administrator.” Id. Brooks alleged difficulty in identifying the plan administrator such that he “was frustrated by defendant’s . . . delay in providing him with a copy of the plan . . .” Id. Based on this frustration, defendant’s failure to provide information to Brooks retarded his efforts to administratively appeal his retirement benefits calculation and thus set forth a concrete injury. Id.

Similarly, in Limbach v. Weil Pump Company, Inc., plaintiff alleged her plan had failed to provide her with a summary plan description (aka SPD) in a timely way. 2017 WL 1379360 (E.D. Wis. Apr. 14, 2017). The court held that “[b]ecause the inability to obtain information is itself an injury in fact . . . the allegations of the complaint imply that the plaintiff would have found the information contained in the automatic disclosures valuable or useful, had [the plan timely] made the disclosures. The plaintiff’s not receiving the information in the prescribed times thus qualifies as a concrete informational injury.” Id. at *3-4.

Both Brooks and Limbach show the difficulty in defining Spokeo’s “injury-in-fact” requirement. Further, although Spokeo makes establishing a concrete injury for purposes of a claim for statutory injury more difficult, Brooks and Limbach demonstrate it is not impossible. At least for these two courts, what was commonly viewed as intangible (frustration) is a sufficient concrete harm.


In the wake of Spokeo, while a mere “procedural” violation of a federal statute, absent more, does not confer federal standing to sue, courts have made clear that plans will not be able to escape claims for violations of ERISA’s timely disclosure requirements and, presumably, other ERISA protections through reliance on Spokeo’s concrete injury requirement. Brooks and Limbach make it quite clear that, despite Spokeo, not all procedural ERISA violation claims will be dismissed for lack of standing.

In contemplating or assessing claims of ERISA violations, it will be critical for both plaintiffs and defendants to closely examine the alleged harm resulting from the alleged breach.

back to top

Proposed Medicare Updates: Physician Fee Schedule and MDDP

By Jill DeGraff, Partner, Manatt Health | Annemarie V. Wouters, Senior Advisor, Manatt Health


On July 13, 2017, the Centers for Medicare & Medicaid Services (CMS) released its annual proposed updates to the Medicare Physician Fee Schedule for calendar year 2018 (CY 2018 Proposed PFS).1 In this rulemaking, CMS also released proposed changes and updates to the Medicare Diabetes Prevention Program (MDPP), which is currently scheduled to begin on January 1, 2018. These proposed changes and updates, summarized below, are intended to clarify or modify:

  • The scope of MDPP services;
  • The eligibility and enrollment requirements for MDPP suppliers;
  • The eligibility and conditions of coverage for Medicare beneficiaries;
  • The structure of performance-based payments for MDPP suppliers; and
  • The program integrity standards, documentation and reporting obligations for MDPP suppliers.

CMS also proposes a three-month delay (until April 1, 2018) before Medicare beneficiaries can receive MDPP services. The proposed time lag would give MDPP suppliers more time to enroll in Medicare and implement their compliance programs before they begin to furnish and bill for MDPP services. CMS elected to defer coverage for virtual MDPP services, except for a limited number of makeup sessions.

Comments are due on September 11, 2017 by 5:00 p.m. ET.

Background on the MDPP

The MDPP consists of coaching sessions that follow an approved curriculum in clinical or community settings for prediabetic Medicare beneficiaries. The MDPP aims to prevent the onset of type 2 diabetes in MDPP participants by helping them to lose weight through sustainable long-term changes to their diets and adoption of other healthy behaviors. The MDPP is based on the National Diabetes Prevention Program, which is administered by the Centers for Disease Control and Prevention (CDC).

The MDPP model was first tested by the Center for Medicare and Medicaid Innovation (CMMI) in eight states. The current year (CY) 2017 Final PFS, which provides for the MDPP model’s expansion by January 1, 2018, implemented aspects of the MDPP expanded model. The CY 2018 Proposed PFS builds on, and in some cases modifies, these rules.

Proposed Changes

1. Extension of Time to Enroll MDPP Suppliers. To allow more time for organizations to enroll in Medicare before they begin furnishing and billing for MDPP services, CMS proposes a three-month delay in the effective date when MDPP services can first be provided to beneficiaries. If finalized, the effective date would be delayed until April 1, 2018. The effective date for MDPP supplier enrollment remains January 1, 2018. MDPP suppliers’ compliance with MDPP supplier eligibility requirements begins on January 1, 2018.

2. Structure of MDPP Services. Under the proposal, MDPP services would consist of at least 16 “core” in-person sessions held in months 1 through 6, followed by at least 6 in-person monthly “core” maintenance sessions held in months 7 through 12 and no less than monthly in-person “ongoing maintenance sessions” in months 13 through 36. The proposal increases the overall time limit for MDPP services to 36 months, up from 24 months under the CY 2017 Final PFS. Core and ongoing maintenance sessions are grouped into three-month intervals.

3. Beneficiary Eligibility. The CY 2018 Proposed PFS maintains the following eligibility criteria for beneficiaries to receive coverage for MDPP services:

  • Enrollment in Part B
  • BMI equal to or greater than 25 (or 23 for a self-identified Asian)
  • In the preceding 12 months before the first core session, an A1c test value between 5.7 and 6.4, a fasting plasma glucose of 110-125 mg/dL or a two-hour plasma glucose of 140-199 mg/dL
  • No previous type 1 or type 2 diabetes diagnosis
  • No end-stage renal disease

CMS clarifies that beneficiaries will lose eligibility if they receive an end stage renal disease (ESRD) diagnosis after starting to receive MDPP services. However, beneficiaries who receive a diabetes diagnosis after attending the first core session would remain eligible for MDPP services, subject to other limits on eligibility described below.

4. Limits on Eligibility.

  • Once-in-a-Lifetime Limits. Earlier rulemaking established a rule that restricts a beneficiary’s eligibility for core MDPP services to once in a lifetime. CY 2018 Proposed PFS applies the once-in-a-lifetime rule to ongoing maintenance services, as well. Acknowledging the difficulty that MDPP suppliers will have in verifying that a beneficiary has not already received MDPP services from another vendor, CMS intends to propose an administrative solution at a later time. In the meantime, it proposes 17 Healthcare Common Procedure Coding System (HCPCS) billing codes that sequence MDPP services and provide for payment by time interval and achievement of performance goals. The new codes are a step toward developing a system for querying whether a particular MDPP service has been previously billed for a beneficiary.
  • Attendance and Weight Loss Goals. Eligibility for core sessions is not tied to a beneficiary’s attendance or weight loss record. However, CMS proposes limits on eligibility for the ongoing maintenance sessions. For example, a beneficiary can maintain eligibility for the first ongoing maintenance interval (months 13 through 15) by:
    • Attending at least one in-person core maintenance session during the final core maintenance interval (months 10 through 12) and
    • Achieving or maintaining a minimum weight loss at one or more sessions during the final core maintenance interval
    Otherwise, a beneficiary’s eligibility for MDPP services ends after the core sessions (months 1-12) are complete. After the first ongoing maintenance interval, a beneficiary can maintain eligibility for subsequent intervals by attending all three ongoing maintenance sessions in the previous interval and maintaining a 5% weight loss from baseline at one or more of these sessions.
  • Makeup Sessions. Under the proposed rule, an MDPP supplier can offer an in-person or virtual makeup session to a beneficiary who misses a scheduled session.
  • Virtual Sessions. CMS acknowledges the emerging evidence that virtual delivery of MDPP services can deliver comparable benefits to in-person services and that the CDC’s Diabetes Prevention Recognition Program (DPRP) standards permit virtual makeup sessions. Accordingly, CMS proposes that virtual makeup sessions be permitted if they conform with DPRP standards, are offered based on a beneficiary’s request, and are not offered because the supplier cancels an in-person session. In addition, CMS proposes an upper limit of four virtual makeup sessions during the core intervals and three virtual makeup sessions during any rolling 12-month time period during the ongoing maintenance intervals.

    With the exception of virtual makeup sessions, CMS elects to defer coverage for virtual sessions. It explains that the original MDPP model tested only in-person sessions, implying a concern that CMS lacks authority under Section 1115A to include virtual modalities in the model’s expansion. To address this concern, CMS states in the CY 2018 Proposed PFS that it is developing a test for a virtual MDPP model through the Center for Medicare & Medicaid Innovation (CMMI).

5. Performance-Based Payment.

CMS proposes a performance-based payment methodology to replace the conceptual framework included in the CY 2017 Final PFS. Under the proposal, MDPP suppliers are paid in increments based on achievement of attendance and weight loss thresholds, with a maximum payout of $810 over the maximum 36-month service period. The table below summarizes the payment methodology. CMS declined to adopt a geographic or social risk adjustment with this methodology, but proposes an annual inflation adjustment tied to the Consumer Price Index for All Urban Consumers (CPI-U).



Source: Proposed Rule, Table 32
HCPCS codes that are marked in red are to be used when the minimum weight loss goal is not achieved.
* The minimum 5% weight loss from baseline must be achieved or maintained during the core maintenance session three-month interval.
**For coverage of services to continue in the next interval of ongoing maintenance sessions, minimum weight loss must be maintained during the preceding maintenance interval. A beneficiary must achieve or maintain the required minimum weight loss at 1+ in-person sessions during the preceding maintenance session interval. Otherwise, coverage for MDPP services ends.

6. Interim Preliminary Recognition for MDPP Suppliers. Under the CY 2017 Final PFS, an eligible MDPP supplier must be fully recognized for meeting CDC-approved performance standards. In an effort to build capacity for MDPP services, CMS proposes an interim standard that will grant “interim preliminary recognition” to DPP organizations with pending CDC applications. They must also meet the following requirements to enroll as an MDPP supplier:

  • Continued adherence to current 2015 CDC DPRP Standards for data submission, and submission of at least 12 months of performance data to CDC on at least one completed cohort (n = 5+), of whom 60% or more attended at least 9 sessions in months 1 through 6 and 60% or more attended at least 3 sessions in months 7 through 12.
  • The 12-month data submission to CDC includes at least 5 participants who attended at least 3 sessions in the first 6 months, and received MDPP services for at least 9 months.

CMS proposes to coordinate with the CDC to streamline submissions of cohort data. It also proposes to accept any interim preliminary recognition standard that the CDC advances in the future, which may occur in 2018.

7. MDPP Supplier Enrollment Application. CMS reports that the enrollment application for MDPP suppliers is still under development. While the enrollment application is being developed, CMS anticipates that the following information will be requested:

  • Identifying information for all coaches, including national provider identifiers (NPIs), first names, middle initials, last names, Social Security numbers and dates of birth in order for CMS to perform background checks (e.g., bars from federal program; felony convictions) and to distinguish between individuals who are entered in the Provider Enrollment, Chain and Ownership System.
  • Identification of all administrative locations—that is, physical locations associated with the supplier’s operations, from which coaches are dispatched or based and where MDPP may be serviced (but excluding community settings). CMS gives notice in the proposed rules that these sites may be subject to site visits before approval of an MDPP supplier’s enrollment application.
  • Updates, including coach roster changes or reportable adverse action history, to be reported within 90 days of a reportable event. Termination of a supplier’s Medicaid billing privileges are grounds for denial of an enrollment application or revocation.

8. Program Integrity. Given that MDPP is a new benefit and an expanded model, CMS acknowledges that many DPP suppliers will be new to the Medicare program. Accordingly, CMS has assigned MDPP suppliers to its “high risk” screening category and establishes detailed standards aimed at safeguarding the Medicare program from fraud, waste and abuse and protecting Medicare beneficiaries. CMS observes that these detailed compliance standards will increase the likelihood that MDPP suppliers will successfully operationalize their MDPP program integrity strategies. The enrollment and eligibility requirements for MDPP suppliers described above are representative of these detailed standards. Other examples include the following:

  • CMS will conduct independent background checks of proposed coaches to verify eligibility.
  • Coaches cannot begin to furnish MDPP services until CMS completes its background check.
  • Suppliers are required to maintain up-to-date information in the enrollment application at all times.
  • CMS can revoke an MDPP supplier’s eligibility if it knowingly permits an ineligible coach to bill for MDPP services or another individual or entity to bill the program under its billing number.
  • To help ensure that MDPP suppliers are operational and have the resources necessary to furnish MDPP services, they are required to maintain at least one administrative location and signage posted on the exterior of the building at a publicly accessible site. A private residence cannot be an administrative location.
  • An MDPP supplier must permit scheduled or unscheduled on-site inspections and access to books and records.
  • An MDPP supplier must adhere to specified documentation, data submission and recordkeeping requirements, including a 10-year minimum record retention requirement. Among other things, MDPP suppliers are required to maintain and submit a crosswalk file that documents beneficiary identifiers in claims and encounter data to permit auditing of performance data.
  • As safeguards against discriminatory access to MDPP services, MDPP suppliers can only deny services to beneficiaries based on the supplier’s published capacity limits. MDPP suppliers cannot condition access to MDPP services on the basis of a beneficiary’s weight or health status, but may deny services if a beneficiary significantly disrupts the session for other participants or becomes abusive. Denials must be documented in the beneficiary’s record.
  • MDPP suppliers must disclose information about the MDPP expanded model to beneficiaries, and answer, respond to and document their complaints and resolutions.
  • MDPP must maintain and handle any beneficiary personally identifiable information (PII) and protected health information (PHI) in compliance with HIPAA, other state and federal privacy laws, and CMS standards.

9. Beneficiary Engagement Incentives. CMS proposes parameters for allowing suppliers to provide items or services to beneficiaries as engagement incentives, including the following:

  • Timing. Incentives must be furnished during the engagement incentive period.
  • Permissible Items or Services. Incentives cannot be Medicare-covered items or services. They must be provided directly by the supplier or its agent, reasonably connected to the CDC-approved curriculum, and either a preventive care item or service or an item that advances clinical goals for the beneficiary (e.g., gym memberships, onsite child care, digital scales or pedometers).
  • Anti-Tying. The incentive may not be tied to the receipt of items or services outside the MDPP services or tied to the receipt of items or services from a particular provider, supplier or coach.
  • No Promotion. Incentives cannot be advertised or promoted as such; instead, an MDPP beneficiary may be made aware of its availability at a time when the beneficiary could reasonably benefit from it during the engagement incentive period.
  • In-Kind Technology. The retail value of engagement incentives in the form of in-kind technology cannot exceed $1,000 in aggregate. The MDPP supplier must retain ownership of any technology with a retail value greater than $100, and the technology must be retrieved from the beneficiary at the end of the engagement incentive period.
  • Cost-Shifting. The cost of incentives cannot be shifted to another federal healthcare program.
  • Documentation. Contemporaneous documents must be maintained for each item or service with a retail value greater than $25, and for each attempt to retrieve in-kind technology incentives.


While the CY 2018 Proposed PFS brings needed clarity and regulatory relief to increase capacity for MDPP beneficiaries to access the MDPP expanded model, CMS’ proposals lay bare the significant operational investments that must be made by MDPP suppliers to meet the model’s compliance standards by January 1, 2018. While the implementation of program integrity strategies is justified, it is not clear that the proposed payment structure is sufficient to compensate DPP suppliers to justify the added costs associated with becoming an MDPP supplier. CMS’ decision not to limit coverage of virtual sessions to makeup sessions raises further questions about the MDPP expanded model’s prospects for building capacity to meet the need and demand for MDPP services among Medicare beneficiaries.

1 Proposed Rule, Medicare Program: Revisions to Payment Policies under the Physician Fee Schedule and Other Revisions to Part B for CY 2018; Medicare Shared Savings Program Requirements; and Medicare Diabetes Prevention Program, accessed July 17, 2017 at The due date for comments is September 11, 2017, 5 p.m. EST.

back to top

Falling Uninsurance Rates Overshadow Continuing Subpopulation Disparities

By Kevin Casey McAvey, Senior Manager, Manatt Health

Each spring, the Center for Financing, Access, and Cost Trends at the U.S. Health & Human Services’ Agency for Healthcare Research and Quality (AHRQ) releases summary file data from its household survey conducted during the previous calendar year.1 These high-level results, derived from a sample of more than 13,000 families and 33,000 individuals, provide researchers with key insights about U.S. health insurance coverage rates and trends over time.2

AHRQ released its latest survey data in April, finding that:

  • 59% of U.S. residents were covered by private health insurance, an increase of 0.8 percentage points from the prior year;
  • 29% of U.S. residents were covered by public coverage (e.g., Medicare, Medicaid, Tricare), an increase of 0.6 percentage points from the prior year; and
  • 12% of U.S. residents remained uninsured, a decrease of 1.5 percentage points from the prior year. The decline was experienced across all surveyed age groups, genders, races/ethnicities and U.S. Census regions.3

Disparities Among Subpopulations

Amidst the declines in national uninsurance rates, prominent disparities remained among key subpopulations (Figure 1). Uninsurance rates remained significantly higher than national averages for younger adults between the ages of 19 and 34 (19-22%), Hispanics/Latinos (23%), and those classifying their marital status as “Separated” (23%) or “Never Married” (20%). Residents of the “South” U.S. Census Region, which includes several populous states that did not expand Medicaid (e.g., Texas, Florida), also had slightly higher uninsurance rates than the rest of the nation (15%).

The Importance of Public Coverage

AHRQ data reinforces how public coverage remained a main—if not primary—source of health insurance coverage for Americans young and old, under the age of 18 (43%) and over the age of 65 (57%). Those classifying themselves as Hispanic/Latino and Black also reported higher rates of public coverage (38% and 41%, respectively), as did widows and widowers (58%).

Figure 1: U.S. Health Insurance Coverage by Type of Coverage and Select Population Characteristics (Jan.-June 2016)



Data Source: Center for Financing, Access, and Cost Trends, Agency for Healthcare Research and Quality: Medical Expenditure Panel Survey Household Component, 2016, available here.

For more information on how Manatt Health uses data, modeling and analytics to support the development and implementation of data-driven policies, strategies and program actions, please contact Kevin McAvey at

1 Medical Expenditure Panel Survey—Household Component (MEPS-HC).

2 MEPS-HC monitors trends for the U.S. civilian non-institutionalized population; MEPS-HC Historical Sample Sizes.

3 AHRQ defines coverage in the following manner: “Private: Nonpublic insurance that provided coverage for hospital and physician care (including Medigap coverage)…Public only: People were considered to have public only health insurance coverage if they were not covered by private insurance and they were covered by Medicare, Medicaid, TRICARE, or other public hospital and physician coverage…Uninsured: The uninsured were defined as people not covered by Medicare, Medicaid, TRICARE, other public hospital and physician programs, or private hospital and physician insurance (including Medigap coverage) from January 1st through the…interview date.” See AHRQ Technical Notes for complete definitions.

back to top



pursuant to New York DR 2-101(f)

© 2023 Manatt, Phelps & Phillips, LLP.

All rights reserved