Health Update

Let’s Get to Work: OIG Releases 2015 Work Plan, Focusing on Long-Term Care and Health Reform

Author: Michelle McGovern, Associate, Healthcare Industry

The U.S. Department of Health and Human Services (HHS)--Office of Inspector General (OIG) released its 2015 Work Plan (Work Plan) on October 31, 2014, and included a broad range of focus areas featuring, among other things, adverse events and other quality issues at long-term care providers and significant oversight of Affordable Care Act (ACA) initiatives.

OIG Work Plans, released annually, summarize new and ongoing areas of regulatory review, and indicate areas of focus for the OIG in the coming year. In general, Work Plans provide healthcare stakeholders with a road map of regulatory focus, and signal areas where government audits, investigations and evaluations may be likely.

Providers whose policies, procedures and operations have not met the regulatory requirements that underpin the areas of review outlined in the Work Plan (in addition to failing to meet any other necessary requirements, whether or not named in the Work Plan) can be subject to assessments, civil monetary penalties and administrative sanctions, where appropriate.

In the Work Plan, areas of focus are divided by topic, and new issues are highlighted. In keeping with past years’ Work Plans, oversight relating to ACA initiatives includes the greatest number of new focus areas. Although OIG focus areas are generally on state and federal implementation of ACA initiatives, as many such initiatives are moving from their inception to early operational stages, it will be especially important for stakeholders to ensure that they are tracking and complying with any new regulatory guidance relating to the ACA.

For non-ACA areas of focus, the Work Plan includes a number of new issues, outlined below, and discusses focus areas that have been featured in past Work Plans that will remain priorities in 2015. While stakeholders should familiarize themselves with areas where regulators will be newly focusing their attention—the focus of this article—it is equally important to ensure compliance in areas that have consistently been considered key targets for regulator attention.

Key takeaways from the 2015 Work Plan are as follows:

1. Hospital-Related Policies and Practices

This year, the Work Plan added two new areas of focus in hospital-related policies and practices. The first is a review of hospital wage data used to calculate Medicaid payments, with a specific focus on how hospitals control wage data reporting, which is used to calculate Medicare payments. The Work Plan said incorrectly reported wage data totaled in the hundreds of millions, resulting in a change in policy on how hospitals report deferred compensation costs by the Centers for Medicare & Medicaid Services (CMS).

In addition, OIG added adverse and temporary harm events in post-acute care for Medicare beneficiaries receiving care in long-term care hospitals (LTCHs) to the Work Plan for 2015. The Work Plan provided that LTCHs are the third most common type of post-acute facility, accounting for around 11 percent of Medicare costs for post-acute care.

Adding adverse events in LTCHs to the Work Plan–which already provides for monitoring of such events in inpatient rehabilitation facilities–is in line with the sharp focus that has been placed on long-term care facilities in general in recent years. OIG, CMS and regional and local regulators have worked to root out fraud, bolster quality and control costs at these providers, which care for some of the most clinically complex (and costly) federal program beneficiaries.

In addition to the new areas of OIG inquiry, the Work Plan included areas of past inquiry that made headlines in 2014. For instance, the Work Plan noted that OIG will begin determining the impact of the controversial “two-midnight” rule, which provides that physicians should admit as inpatients only individuals who are expected to need at least two nights of hospital care. The Work Plan states that “previous OIG work identified millions of dollars in overpayments to hospitals for short inpatient stays that should have been billed as outpatient stays.” It also notes that the rule should impact hospital billing, Medicare payments and the calculation of co-payments.

Currently, the two-midnight rule’s enforcement mechanism is limited to the Probe and Educate process. In April, its enforcement date was extended through March 31, 2015. For providers hoping that enforcement would remain limited, the rule’s mention in the Work Plan may well signal the start of widespread enforcement of the unpopular legislation.

Another highly publicized area of inquiry relates to compounded drugs, which drew national attention after a contaminated compounded product caused a spinal meningitis outbreak in 2012. The Work Plan notes that OIG will evaluate whether Medicare’s oversight of acute care hospitals that compound products on-site addresses recommended practices for compounding oversight. While this focus area is currently on Medicare oversight of acute facilities that prepare compounded products, provider audits may not be far behind.

2. Nonhospital Providers

The Work Plan also identified as a new focus area independent clinical laboratory billing, noting that the aim of the inquiries would be to root out clinical laboratories that routinely submit improper claims to Medicare and request return of overpayments. The addition of this area to the Work Plan is in response to past audits and investigations, which have singled out clinical laboratories as high risk for noncompliance with Medicare billing requirements.

3. Part A and B Program Management

The Work Plan calls for scrutiny of the Pioneer Accountable Care Organization (ACO) Model, established as part of the ACA effort to coordinate care for—and reduce program costs related to—Medicare fee-for-service beneficiaries. OIG states that it will conduct risk assessments of internal controls over administration of the model. As discussed in greater detail below, this area of review focuses on program administration, rather than participating providers themselves.

4. Medicare Part D

With respect to Medicare prescription drug coverage under Part D, the Work Plan recommends that CMS improve its oversight of Medicare Part D plan sponsors’ Pharmacy and Therapeutics (P&T) committee conflict-of-interest procedures, in order to ensure that P&T committee members are not improperly influencing the prescription of certain drugs. The Work Plan cited an OIG report which found that CMS’s oversight of plan sponsors’ P&T committee compliance was lacking.

5. Medicaid Compliance

Of the four new areas of OIG focus relating to fee-for-service Medicaid, three were related to reforms under the ACA. In 2015, OIG plans to review whether states are collecting prescription drug rebates from pharmaceutical manufacturers for Medicaid MCOs. Prior to the enactment of the ACA, drugs dispensed to Medicaid MCO enrollees were excluded from this requirement.

OIG also will be reviewing payments made to states under the Community First Choice (CFC) state plan option, which was added by the ACA and permitted states to provide home- and community-based services and supports to individuals who would otherwise have required institutional care. Review in this area will focus on whether payments are proper and allowable.

In addition, OIG will be reviewing the expenditures states claimed under the Balancing Incentive Program (BIP), a program introduced in the ACA, which provided enhanced federal matching funds for eligible expenditures on long-term services and supports. In general, funds provided under the BIP were contingent on eligible states agreeing to make certain structural changes designed to increase access to long-term services and supports, and they were required to use funds to provide new or expanded offerings of such services.

In an area unrelated to the ACA, the OIG indicated that it would focus on transfers of Medicaid beneficiaries from group homes and nursing facilities to hospital emergency rooms, noting that high transfer incidents can correlate to poor quality of care.

With respect to Medicaid managed care, the Work Plan stated that OIG would seek to identify Medicaid managed care payments made on behalf of deceased beneficiaries and on behalf of beneficiaries ineligible for Medicaid.

6. ACA-Related Reviews

The Work Plan provides for broad oversight of ACA programs across HHS, in an effort to ensure that such programs meet the aims of providing access to health insurance, improving quality of and access to healthcare, and lowering healthcare costs. The Work Plan states that OIG is prioritizing its 2015 work in three main areas: the health insurance marketplaces (including financial assistance payments), federal program reforms and public program grant expenditures. In general, areas of OIG inquiry focus on reforms at the program management, rather than provider-specific, level.

The Work Plan indicates that areas of focus relating to health insurance marketplaces, financial assistance payments and market stabilization payments will be whether taxpayer funds are being used for intended purposes. This includes a range of review areas encompassing, but not limited to:

  • The accuracy of advance premium tax credits (APTCs) and cost-sharing reduction payments made to individual enrollees in the exchange marketplace;
  • Review of ACA establishment grants for state insurance marketplaces to ensure that the marketplaces were implemented in accordance with the terms and conditions of federal agreement; and
  • Whether CMS internal controls over APTCs are sufficient.

The Work Plan provides that OIG will review the effectiveness and efficiency of marketplace eligibility and enrollment systems. Inquiries will be made relating to premium tax credits, eligibility determinations and inconsistencies in data reported by applicants versus data received from federal sources.

Inquiries will also be made regarding the management and administration of insurance exchange marketplaces and of system controls to ensure that consumer data is kept safe.

In addition to the specific areas of focus set forth in the Work Plan, and summarized above, the Work Plan states that OIG will initiate “at least 5-10” additional reviews addressing ACA programs. According to the Work Plan, the reviews could focus on a range of topics, including emerging marketplace issues, Medicaid expansion, Medicare payment and delivery models or new grant programs.

7. No New Updates, Effective Date

There were no new areas of focus in the Work Plan in the following subject matter areas:

  1. Nursing homes
  2. Hospices
  3. Home health services (Medicare)
  4. Medical equipment and supplies
  5. Prescription drugs
  6. Part A and B contractors
  7. Information technology security, protected health information and data accuracy
  8. Medicare Advantage
  9. Home health services and community-based care (Medicaid)
  10. State management of Medicaid
  11. Medicaid information system controls and security

The Work Plan, which is effective as of October 2014, also lists CMS-related legal and investigative actions, and addresses areas of compliance focus in more than 100 HHS-administered programs, including Administration for Children and Families, Centers for Disease Control and Prevention, Food and Drug Administration, and National Institutes of Health.

For further information on all aspects of the Work Plan, a full copy is available at

back to top

Mental Health Parity: Trends Emerging in New York Signal State Action Following Federal Regulations

Authors: Ashley Antler, Associate, Healthcare Industry | Ron Blum, Partner, Litigation, Corporate Investigations and White Collar Defense

Editor’s Note: A recent surge of activity in New York indicates that mental health parity is on the radar of state legislators, officials and regulators. In November 2013, the federal government released final regulations clarifying requirements to ensure parity between mental health and substance use disorder benefits and medical/surgical benefits. Beginning in 2014, federal parity requirements were extended to the individual and small group insurance markets, significantly broadening their reach.

On the heels of this federal activity, New York legislators have expanded state law protections, while state officials and regulators have taken steps to enforce federal and state parity laws more vigorously. Legal developments in New York are notable for their breadth, the diversity of stakeholders involved and their occurrence following the issuance of the final federal regulations, signaling a renewed state focus on this area of the law.1

In a new article published in the New York State Bar Association Health Law Journal, Manatt discusses the confluence of legal developments in New York State following the issuance of federal parity requirements and highlights emerging trends. Key points are summarized below. Click here to download the full article.


The Mental Health Parity and Addiction Equity Act of 2008

The Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA)2 is intended to ensure equality between mental health and substance use disorder benefits and medical/surgical benefits offered by health plans. MHPAEA augmented prior federal parity protections by:

  • Mandating that financial requirements (such as co-payments, deductibles and coinsurance) and treatment limitations applicable to mental health and substance use disorder benefits be no more restrictive than predominant limits applicable to medical/surgical benefits.
  • Prohibiting separate cost-sharing or treatment limitations.
  • Requiring plans to provide benefits for out-of-network mental health and substance use disorder treatment if they do so for medical/surgical treatment.
  • Requiring plans to make available the criteria for medical necessity determinations and reasons for denial of mental health and substance use disorder benefits, if requested.3

MHPAEA applies to large group health plans and issuers of large group health insurance. The Affordable Care Act (ACA)4 and its implementing regulations extend MHPAEA’s requirements to the individual and small group insurance markets, with limited exceptions.5

Federal Regulations

In February 2010, the Departments of the Treasury, Labor and Health and Human Services published interim final regulations outlining requirements under MHPAEA, which applied to group health plans and group health insurance issuers for plan years beginning on or after July 1, 2010.6

In November 2013, these Departments issued final regulations clarifying protections under MHPAEA and the interim rules, which became effective for plan years beginning on or after July 1, 2014.7 The final regulations generally track the interim rules but clarify requirements in several areas, including:

  • Intermediate levels of care, such as residential treatment.
  • Nonquantitative treatment limitations, such as medical management standards limiting or excluding benefits based on medical necessity or appropriateness.

New York State Mental Health Parity Law

New York’s mental health parity law, known as Timothy’s Law, was passed in 2006.8 It requires “broad-based coverage for the diagnosis and treatment of mental, nervous or emotional disorders or ailments…at least equal to coverage provided for other health conditions.”9 Unlike the federal parity law, it requires coverage of the diagnosis and treatment of mental health and substance use disorders.10 Because Timothy’s Law requires large group health plans that provide medical/surgical benefits also to include mental health and substance use disorder benefits, it triggers the federal parity law requirement that mental health and substance use disorder benefits be on par with medical/surgical benefits.

New York State Legislative Developments

In June 2014, New York State enacted legislation related to insurance coverage for patients suffering from substance use disorders.11 This statute:

  • Strengthens existing substance use disorder coverage mandates and aligns such coverage with federal mental health parity requirements.
  • Enhances utilization review (UR) requirements, concerning qualifications of clinical reviewers, clinical review criteria and the speed of decisions, as well as coverage while decisions are pending.
  • Clarifies regulatory enforcement obligations with respect to those reforms.
  • Creates a substance use disorders work group to study and make recommendations.

New York State Attorney General Enforcement

The New York State Office of the Attorney General has also assumed an active role in the state’s mental health parity enforcement.12 In the first half of 2014, the Attorney General’s Office entered into agreements with three insurance companies concerning compliance with the mental health parity laws.13

Two of these investigations focused on insurance coverage of mental health and substance use disorder treatment at residential treatment facilities. In particular, the Attorney General has required insurance companies to cover medically necessary treatment at residential treatment facilities and provide reimbursement in the event an individual incurred costs for, but was denied coverage of, such services.

The enforcement actions also demonstrate the Attorney General’s scrutiny of the processes employed to determine the medical necessity of mental health and substance use disorder benefits. The Attorney General has compared insurers’ denial rates of mental health and substance use disorder services to medical/surgical services. The recent Attorney General agreements establish detailed requirements for UR procedures and allow for potential reimbursement of expenses incurred as a result of claims denied on medical necessity grounds.

The recent enforcement actions:

  • Make it clear that insurers in New York State should closely scrutinize compliance with parity requirements.
  • Highlight regulators’ increasing interest in intermediate levels of care, including residential treatment.
  • Signal that plans should review their benefits in this area.

New York State Regulatory Guidance

In the same month that the new substance use disorder legislation was enacted, New York State’s Department of Financial Services (DFS), the state agency with oversight of insurance companies doing business in New York, issued a Circular Letter on the impact of MHPAEA, the MHPAEA final regulations and the ACA on mental health and substance use disorder benefits in New York’s health insurance market.14 The Circular Letter replaces agency guidance from 2009 and 2010.

Notably, the Circular Letter highlights federal guidance regarding intermediate levels of care, including residential treatment. It also explains the application of federal rules to this benefit.

Federal guidance issued in connection with the final regulations clarifies treatment of “intermediate levels of care,” such as residential treatment, within the six benefit classifications laid out in the federal rules. The preamble to the final rule makes it clear that plans and issuers may not exclude intermediate levels of care from parity requirements by claiming that these benefits do not fall within one of the six benefit classifications. They must assign intermediate mental health and substance use disorder benefits to the six classifications in the same way they assign intermediate medical/surgical benefits.

Emerging Mental Health Parity Trends

We see two key trends emerging from these mental health parity developments:

  1. Focus on residential treatment. The final federal rules, the New York Attorney General’s enforcement actions and the state regulatory guidance highlight coverage of intermediate levels of care—particularly residential treatment—as a parity issue. Regulators in other states may also turn their attention to residential treatment. With the ACA’s mandate that mental health and substance use disorder benefits be included as one of ten essential health benefits, intermediate levels of care are poised to garner more attention.
  2. Increased scrutiny of utilization review. The procedures underlying medical necessity determinations are another recent focus of federal regulations, state legislation and the New York Attorney General. The final parity regulations clarify requirements concerning a plan’s disclosure of information relevant to an individual’s claim for benefits.15 In addition, state substance use disorder legislation mandates detailed UR requirements unique to the inpatient substance use disorder setting. Closer inspection of UR procedures to determine medical necessity is also reflected in the Attorney General’s recent parity enforcement actions.

Looking Ahead

It remains to be seen whether mental health parity activity in other states will reflect the efforts of multiple legal actors—legislators, regulators and state Attorneys General—as has been the case in New York. Given the expansion of federal parity requirements to the individual and small group populations, however, it is reasonable to expect further developments around mental health parity in New York and around the country.

1 New York is not alone in focusing on this issue. For example, in April 2013, the Connecticut Insurance Department entered into an agreement with Anthem Health Plans, Inc., to readjust claims submitted by behavioral health providers that were impacted by changes in billing codes applicable to behavioral health services. Press Release, State of Conn. Ins. Dep’t, “Insurance Commissioner: Anthem to Readjust Claims for Behavioral Health Providers” (Apr. 14, 2013). See also Accusation, In the Matter of Kaiser Found. Health Plan, Enforcement Matter No. 11-543 (Dep’t of Managed Health Care in the State of Cal., June 24, 2013) (Doc. No. 124055).
2 29 U.S.C. § 1185a.
4 Pub. L. No. 111-148.
5 Under the ACA, as of January 1, 2014, all new “non-grandfathered” small groups and individual market plans are required to cover ten “essential health benefit” categories, which include mental health and substance use disorder benefits, and are required to do so at parity with medical/surgical benefits. The Department of Health and Human Services has estimated that the ACA’s reforms extending MHPAEA requirements to the individual and small group markets and providing previously uninsured Americans with access to health insurance coverage will extend the federal parity protections to an estimated 62 million Americans. Kirsten Beronio et al., Dep’t of Health & Hum. Serv., Office of the Assistant Sec’y for Planning and Evaluation, ASPE Research Brief, “Affordable Care Act Expands Mental Health and Substance Use Disorder Benefits and Federal Parity Protections for 62 Million Americans” (Feb. 20, 2013), available at
6 Interim Final Rules Under the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008, 75 Fed. Reg. 5410 (Feb. 2, 2010).
7 Final Rules Under the Paul Wellstone and Pete Domenici Mental Health Parity and Addiction Equity Act of 2008 (hereinafter, “Final Rules Under MHPAEA”), 78 Fed. Reg. 68240, 68240 (Nov. 13, 2013).
8Laws of New York, 2006, ch. 748; N.Y. Ins. Law §§ 3221 (1)(5), 4303(g) & (h).
9 N.Y. Ins. Law §§ 3112(1)(5)(A) & 4303(g)(1). Timothy’s Law sets forth minimum benefits coverage requirements for mental, nervous and emotional disorders and also requires heightened coverage for adults and children with “biologically based mental illness” (which includes schizophrenia/psychotic disorders, major depression, bipolar disorder, delusional disorders, panic disorder, obsessive-compulsive disorder, bulimia and anorexia) and children with “serious mental disturbances.” Id. §§ 3112(1)(5)(B)-(C) and 4303(g)(2)(A)-(B). However, under federal parity law, plans must go beyond these minimum requirements to the extent that such benefits are less generous than comparable medical/surgical benefits.
10 Id. §§ 3221(1)(6) and 4303(k).
11 Assembly Bill No. 10164/Senate Bill No. 7912, codified as Chapter 41, Laws of New York, 2014.
12 Other states’ Attorneys General have also focused their attention on access to mental health services. For example, the Massachusetts Attorney General has entered into agreements with several insurance carriers for failure to cover mental health services and has written to America’s Health Insurance Plans (AHIP), the trade association for health insurance carriers, urging compliance with mental health coverage requirements under Massachusetts law. Letter from Martha Coakley, Attn’y Gen. of Mass., to Karen Ignagni, President and CEO, AHIP (May 2, 2013).
13See Press Release, N.Y.S. Office of the Attn’y Gen., “A.G. Schneiderman Announces Settlement with Health Care Insurer for Wrongfully Denying Mental Health Treatment Claims” (Jan. 15, 2014); Press Release, N.Y.S. Office of the Attn’y Gen., “A.G. Schneiderman Announces Settlement with Health Insurer That Wrongly Denied Mental Health Benefits to Thousands of New Yorkers” (March 20, 2014); Press Release, N.Y.S. Office of the Attn’y Gen., “A.G. Schneiderman Announces Settlement with Emblem Health for Wrongly Denying Mental Health and Substance Abuse Treatment for Thousands of New York Members” (Jul. 9, 2014).
14 N.Y.S. Dep’t of Fin. Serv., Ins. Circular Letter No. 5, “Impact of Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA), Affordable Care Act (ACA) and the MHPAEA Final Rule on Mental Health and Substance Use Disorder Benefits in New York’s Health Insurance Market” (hereinafter, “Ins. Circular Letter No. 5”) (June 4, 2014).
15See, e.g., 45 C.F.R. § 146.136(d). In issuing final regulations, the federal government expressed an interest in “transparency” regarding application of nonquantitative treatment limitations, and ensuring that individuals have necessary information to compare nonquantitative treatment limitations of medical/surgical benefits and mental health/substance abuse benefits and to ensure that parity protections are provided. See Final Rules Under MHPAEA, supra note 7, at 68247-48.

back to top

Risk-Based Regulation of Clinical Health Data Analytics

Author: Deven McGraw, Partner, Healthcare Industry

Editor’s Note: The percentage of physicians using an advanced electronic medical record (EMR) system has almost tripled in the last five years, with hospital use skyrocketing from about 9% in 2008 to more than 80% in 2013.1 The benefits of this increase in EMR adoption are already being realized. In recent studies, 88% of providers report that their EMR produces clinical benefits and 75% say that their EMR has improved care quality.2

Patients are also increasingly using the Internet and mobile tools to collect and share health information. It is estimated that there are more than 40,000 mobile health applications and 247 million people have downloaded a health app.3

The integration of the traditional health information ecosystem with the patient-facing ecosystem is well under way. Beginning in 2014, providers participating in the federal EMR incentive program are required to provide patients with digital access to downloadable and sharable clinical data relevant to their health.4 The Department of Health and Human Services (HHS) is considering rewarding providers for accepting digital data from patients, and many healthcare organizations already are implementing care models that integrate patient-submitted health information.5

Supporters of initiatives to digitize medical information hope to leverage clinical patient data to glean better, faster insights into which types of treatments and prevention strategies work best in which subpopulations. To gain full value from EMRs, providers need to apply health data from medical records for learning purposes. A new article, published in the Colorado Technology Law Journal, explores the potential harms from misuse of medical information, the current ways federal regulations address such harms, and why current rules governing the reuse of medical information for analytic purposes are not sufficiently targeted to minimize risks. It also shares the characteristics of a reimagined legal framework that more effectively balances protections and risks. Key points are summarized below. Click here to download the full paper.


What Is Unique About Health Data?

Health information—particularly the type collected in clinical care settings—is among the most sensitive categories of personal information. From a medical record, one could learn a range of intimate information about a person’s life, extending to inferences about the health of family members. Research shows that people consistently express concerns about the privacy of their health information beyond those they have about their non-health information.6

Privacy legal regimes typically include special protections for health or medical information. In the Health Insurance Portability and Accountability Act (HIPAA), Congress tasked HHS with developing privacy and security regulations governing identifiable health information used and disclosed by healthcare providers, plans and clearinghouses. States also have laws governing the use and disclosure of health information.

Another factor distinguishing health information from other types of personal data is the potential to contribute to the social good, particularly when used collectively. In general, laws governing personal health information allow uses of health data for public health, health improvement initiatives and other public policy needs. Consequently, laws intended to protect the confidentiality of health data also need to accommodate uses of that data that contribute to the common good.

Potential Health Privacy Harms

According to privacy scholar Ryan Calo, harms from a breach of privacy can be both:

  • Subjective, referring to the perception of unwanted observations, resulting in unwelcome mental states; or
  • Objective, referring to the unanticipated or coerced use of information concerning a person against that person.7

Examples of subjective privacy harms include discrimination in any area of life; damage to reputation, whether real or perceived; or any form of embarrassment. Objective harms include financial harm, physical harm or identity theft.8

Harm to individuals’ trust in the healthcare system also can be a consequence of failure to protect health privacy. In a recent survey, one out of eight responders admitted that he or she had withheld health information from a provider because of security concerns.9

This lack of trust in the healthcare system has implications for both individual and population health. Individuals who do not seek treatment or lie about their conditions are far less likely to obtain appropriate care. In addition, a health system in which some portion of data is inaccurate or incomplete is less likely to generate valuable analytics for population health improvements.10

Federal Regulation of Risks to Health Information

When it comes to the collection, use and reuse of health information, the most relevant federal law is HIPAA—but it does not apply to all health information. The details of HIPAA’s privacy and security protections are found in its regulations. For the most part, the rules are designed to minimize privacy risks. For example, the Privacy Rule applies only to individually identifiable health information. De-identified data that raises low risk is not subject to regulation as long as the de-identification is done through an approach the Privacy Rule recognizes.11 The Privacy Rule also allows data that has been stripped of some common identifiers to be used for research, public health and administrative operations without the need for prior specific patient authorization.12

Another way HIPAA regulates risk is by allowing most routine uses of identifiable patient information without the need to obtain prior consent from the data subject. The law requires fairly specific authorization, however, for activities that arguably are not routine. “Treatment, payment and healthcare operations” are considered routine. Research is not, however. Therefore, it requires authorization from the individual data subject or a waiver after a review by an Institutional Review Board (IRB) or Privacy Board (committees designated to review and monitor biomedical research involving human subjects).13

Other federal rules apply to specific types of health information or to health information in particular circumstances. For example:

  • The rules governing federally-funded substance abuse programs require specific patient authorization before information identifying the patient as a substance abuser may be disclosed to third parties.14
  • The Common Rule regulates research using identifiable health information that is conducted using federal funding from certain government agencies. Consistent with HIPAA, it requires the approval of an IRB and prior authorization of the data subject for research uses of health information.15

Why Isn’t the Current Regulatory Framework for the Reuse of Health Data Sufficiently Risk-Based?

HIPAA currently creates disincentives for using the results of health data analytics for learning purposes. The HIPAA Privacy Rule presumes that the risk of harm to patients is greater from research uses of data than operational uses. Under current law, healthcare operations include:

  • “Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; and
  • “Population-based activities relating to improving health or reducing healthcare costs, [and] protocol development.16

Research is defined as a “systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”17 The Common Rule uses the same definition.

The paradox is that two studies analyzing the same data for quality improvement purposes, exposing the same data points, to address the same questions and done by the same institution, will be treated as operations if the results are only shared internally and as research if the intent is to share them externally.

Rethinking the Regulatory Framework

Ideally, the regulation of the collection and use of health information for learning purposes should be based on risk of harm, including potential damage to patient trust. HIPAA and the Common Rule both presume that the publication of study results renders any reuse of information for learning purposes more risky. But any risks that derive from publication can be accommodated—for example, by requiring that results be published in de-identified form.18

What Raises the Risk of Privacy Harm?

1. Internal vs. external

A more reasonable regulatory framework would treat the use of clinical data to evaluate safety, quality and efficacy the same way operations are treated, as long as the provider maintains sufficient oversight and control over data use decisions. HIPAA’s more relaxed regulatory treatment of healthcare operations presumes that “internal” uses of health information for analytic purposes do not heighten privacy risks.

Should this “internal use” designation be limited to circumstances where the raw, patient-level data does not leave the physical confines of the organization—or is it possible to consider a use “internal” if the organization has sufficient contractual or other controls over the uses of the information? The Privacy Rule permits providers to share patient data with other entities covered by HIPAA for operations purposes (including quality analytics) for patients they have in common. In addition, current rules favor a definition of “internal” that allows for some external sharing under contractual controls.19 For example, the Privacy Rule permits providers to hire contractors or “business associates” to perform contractually specified services on their behalf.

Further consideration of “internal vs. external” issues should include:

  • Patients’ reasonable expectations regarding uses and disclosures of their health information;
  • Whether the entities receiving the data are subject to HIPAA or some other form of public accountability; and
  • Incentives for data sharing structures that minimize risks, such as “federated” or “decentralized” research networks.

2. Level of data sensitivity

A more risk-based regulatory framework could require heightened protections for studies involving identifiable patient information. The Privacy Rule provides uniform safeguards for all types of health information, except psychotherapy notes, which are afforded enhanced protections.20 Other privacy laws, however, provide certain types of data with greater protections. As noted, identifiable health data from federally funded substance abuse treatment programs are subject to heightened protections.21 In addition, federal law protects against genetic information being used to discriminate in employment and health insurance.22

Many states also protect sensitive data more stringently than non-sensitive data.23 In addition, they provide minors with privacy rights for certain types of health data.24

More risk-based policies for analytics should consider whether heightened protections are needed for vulnerable populations, such as minority and low-income communities that tend to be the least trusting of research uses of their data.25 Very ill people also are vulnerable, because they tend to ascribe low value to privacy.26 Yet these populations have the greatest need for the value outcomes of data sharing for learning purposes. Therefore, the rules established to protect them also should encourage more robust analysis.

Failure to Establish and Adhere to FIPPs-Based Policies

The principles of fair information practices (FIPPs) are the foundation of most privacy laws. Consequently, failure to adhere to FIPPs with respect to reusing health information for learning purposes arguably increases the risks of privacy harms. Areas that may raise high risks for health data include:

1. Openness and transparency

The HIPAA Privacy Rule requires that providers give patients a Notice of Privacy Practices.27 The notice must include the permitted uses and disclosures of a patient’s healthcare information that do and do not need authorization, as well as the rights of patients to access their health information and request corrections. While this information is important, transparency to patients also should include insights into the actual uses and disclosures of health information, such as the types of learning activities to which their data can contribute.

2. Data minimization

The HIPAA Privacy Rule requires healthcare providers to use the minimum amount of health information necessary for the purpose for which the data is accessed.28 Although the “minimum necessary” standard has been part of the Privacy Rule since its inception, no guidance has been released on how to apply it. Failure to establish controls on how much data is utilized potentially increases the risk of harm.

3. Collection, use and disclosure limitations

How much information is collected for analytic purposes and to how many people it is exposed also can be factors in calculating risk of harm.29 If there are sufficient controls on the amount of information collected and the persons to whom it is exposed, the risk of harm is reduced.

4. Security safeguards

HIPAA-covered entities—including providers and their business associates—are required to implement reasonable security safeguards for data in paper format and abide by the HIPAA Security Rule for electronic identifiable health information. Failure to maintain such safeguards—or to release information into environments where safeguards are weak or uncertain—raises the risk of harm.

5. Accountability and oversight

Analytic uses of health information that qualify as research under the Privacy Rule trigger specific provisions with respect to accountability, including Privacy Board or IRB review. In contrast to the accountability and oversight requirements governing research, analytic activities that qualify as healthcare operations under HIPAA are not subject to particular oversight requirements beyond those that apply to other routine uses of health information. Use of health information for analytic purposes should be subject to some oversight mechanism, with the degree of rigor dependent on the risks of harm.

Characteristics of a Reimagined Framework

A risk-based framework of protections for analytic uses of clinical health information could include a sliding scale of protections, accountability and oversight requirements that is based on risks of harm, rather than solely on whether or not the results of the analysis will be shared for “generalizable knowledge.” The framework would reduce specific requirements on research reusing clinical data that:

  • Is performed internally or under tight contractual controls;
  • Minimizes (both with respect to content and exposure to others) the information used for analysis;
  • Involves health data not posing additional risk due to the vulnerability of subjects;
  • Is transparent to the public (or at least the community of likely data subjects); and
  • Reports results in a way that does not raise additional privacy risks.

Additional safeguards would be applied to analytics that do not meet the characteristics of lower risk.


Patients are harmed by the failure to learn from clinical data, as well as by the failure to protect it adequately. An effective health data analytics policy framework should effectively address both harms.

1Press Release, U.S. Department of Health & Human Services, Doctors’ and Hospitals’ Use of Health IT More Than Doubles Since 2012 (May 22, 2013), available at
2Office of the Nat’l Coordinator for Health IT, Improved Diagnostics and Patient Outcomes. HEALTHIT.Gov. http://www/ (last visited Feb. 17, 2014).  
3Darrell West, How Mobile Devices Are Transforming Healthcare, ISSUES IN TECHNOLOGY INNOVATION (May 2012), available at mobile health west/22 mobile health west.pdf 
445 C.F.R. § 170.314 (e) (1) (2014).
5See CENTER FOR CONNECTED HEALTH, (last visited Mar. 27, 2014).
7Ryan Calo, The Boundaries of Privacy Harm, 86 INDIANA L.J. 1131, 1142 (2010).
8Id. at 1143.
9Israel T. Agaku, Akinyele O. Adisa, Olalekan A. Ayo-Yusef, & Gregory N. Connolly, Concern about Security and Privacy, and Perceived Control over Collection and Use of Health Information Are Related to Withholding Health Information from Healthcare Providers, 21 J. AM. MED. INFORM. ASSOC. 374 (2014).
10Michael V. Larie, Dennis A. Pitta & Lea Prevel Katsanis, Consumer Concerns for Healthcare Information Privacy: A Comparison of U.S. and Canadian Perspectives., 12 RES. IN HEALTHCARE FIN. MGMT. 93 (2009).
11There are two acceptable methods under HIPAA to de-identify health data. One approach is the “Safe Harbor” method that removes 18 categories of identifiers. The other approach is the statistical method that uses expert statistical analysis to achieve “very small” chance of re-identifying the data. 45 C.F.R. § 164.514 (2013).
1245 C.F.R. § 164.514 (2014).
13See 45 C.F.R. § 512(i) (2014). The authorization requirement can be waived if the IRB or Privacy Board finds that the following criteria have been met: (1) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals; (2) the research could not practicably be conducted without the waiver or alteration; and (3) the research could not practicably be conducted without access to and use of the protected health information.
1442 U.S.C. §§ 290dd-2(a)-(b) (1998).
15Under the Common Rule, informed consent can be waived if the IRB finds and documents that the research involves no more than minimal risk to the subject(s), that a waiver will not adversely affect the rights and welfare of the subject(s), that the research could not be practicably carried out without a waiver, and that the subjects will be provided with additional pertinent information after participation. 45 C.F.R. § 46.116(d) (2001).
16 45 C.F.R. § 164.501 (2014).
18 De-identified data is not regulated by either HIPAA or the Common Rule. Nevertheless, de-identification does not result in zero risk of re-identification. Deven McGraw, Building Public Trust in Uses of Health Insurance Portability and Accountability Act De-identified Data, 20 J. AM. MED. INFO. ASS’N. 29, 30 (2012). Consequently, risk-based regimes for regulating health data analytics may need to include additional safeguards to address even the residual risk of re-identification.
19 This approach is one that has been recommended by the federal Health IT Policy Committee. Office of the Nat’l Coordinator for Health IT, Recommendations to the National Coordinator for Health IT. HEALTHIT.GOV, (last visited Oct. 7, 2014).
20 45 C.F.R. § 164.501 (2013); 45 C.F.R. § 164.508(a)(2) (2013).
21 42 U.S.C. §§ 290dd-2(a)-(b) (1998).
22 Genetic Information Nondiscrimination Act of 2008, 42 U.S.C. §§ 2000ff(-1)-(-11_ (2008).
23See, e.g., with respect to HIV-related information: MO. REV. STAT. § 191.656 (2012); HAW. REV. STAT. § 325-101 (2013); N.Y. PUB. HEALTH LAW ARTICLE 27-F; ARIZ. REV. STAT. ANN. § 36-664 (2013).
24See, e.g., with respect to obtaining outpatient substance abuse treatment. WASH. REV. CODE ANN. § 70.96A.096 (2013).
25See, e.g., Donald Musa et al., Trust in the Health Care System and the Use of Preventive Health Services by Older Black and White Adults, 99 AM. J. PUB. HEALTH 1293 (2009): Vanessa B. Sheppard et al., Providing Health Care to Low-Income Women: A Matter of Trust, 21 FAM. PRAC. 484 (2004); Lorenzo Moreno et al., Personal Health Records: What Do Underserved Consumers Want? MATHEMATICA ISSUE BRIEF, May 2007, available at 
26 A recent survey of 2,125 members of the online social network PatientsLikeMe, made of adults with health conditions, showed that an overwhelming majority would be willing to share health data if it could help others in some way: 94% would be willing to share to help doctors improve care; 94% would be willing to help other patients like them; and 92% would be willing to share to help researchers learn more about their disease. Four out of five respondents (84%) would be willing to share their health information with drug companies to help them make safer products, and 78% would do so to let drug companies learn more about their disease. 94% believe their health data should be used to improve the care of future patients who may have the same or similar condition. PatientsLikeMe Survey Shows Vast Majority of People With Health Conditions Are Willing To Share Their Health Data, PATIENTSLIKEME (Jan. 23, 2014, 10:00 AM).
27 45 C.F.R. § 164.520 (2013).
28 49 C.F.R. §§ 164.502(b), 164.514(d) (2013).
29 Indeed, the mere collection of consumer data, due to possibilities of breach, misuse or unauthorized access can implicate privacy interests. JUSTIN BROOKMAN & G.S. HANS, WHY COLLECTION MATTERS: SURVEILLANCE AS A DE FACTO PRIVACY HARM (Future of Privacy Forum Bog Data & Privacy Workshop Paper Collection 2013), available at

back to top

Now You Have a Second Chance to Benefit from Manatt’s New Webinar, “HIPAA and the Learning Health System: Balancing the Risks and Benefits of the Digital Healthcare Revolution”

Click Here to View the Program Free on Demand—and Earn CLE. Click Here to Download the Presentation Free.

The United States is undergoing a digital healthcare revolution. The percentage of physicians using an advanced electronic medical record (EMR) system almost tripled in the last five years. Hospital use skyrocketed from about 9% in 2008 to more than 80% in 2013. We already are seeing the benefits, with 88% of providers reporting EMRs produce clinical benefits and 75% reporting quality improvements.

But there is a hurdle to realizing big data’s full value. While the Health Insurance Portability and Accountability Act (HIPAA) allows EMR data to be used easily for internal quality improvements, applications that support building a “learning health system” trigger more stringent regulation. HIPAA actually may present a barrier to leveraging EMRs and other digital data to fuel medical learning and treatment advances.

How should HIPAA evolve to fit the digital healthcare environment? How can we upgrade our regulatory framework to support a true learning health system? How can we use digital data to glean better, faster insights for improving patient care? We shared the answers to these critical questions at a recent Manatt webinar, “HIPAA and the Learning Health System.” If you weren’t able to attend the original airing, we want to be sure you don’t miss out on this important information. Click here to view the program free, on demand. For a free PDF of the presentation, click here.

During the session, you’ll hear Deven McGraw--Partner, Healthcare Industry at Manatt, Phelps & Phillips, LLP, and the chair of the Privacy and Security Workgroup of the federal Health Information Technology (HIT) Policy Committee—lead a panel of senior leaders from key providers in sharing:

  • The potential health information privacy harms—and why health information is unique.
  • The current federal regulation of health information risks—and why today’s framework for reusing health data is not sufficiently risk-based.
  • The explanation of the HIPAA paradox—and the limits it places on creating a learning health system.
  • The characteristics of a reimagined framework—and how regulatory change can be achieved.
  • The route to establishing analytic practices that lower risks while driving learning.

Don’t miss this chance to discover how to resolve the HIPAA paradox—and create a system that both protects privacy and advances learning. NOTE: The program has been approved for 1.0 general/professional practice credit in NY and CA.

Presenters: Deven McGraw, Partner, Healthcare Industry, Manatt, Phelps & Phillips, LLP | Rachel Nosowsky, Deputy General Counsel, University of California | John P. Houston, Esq., Vice President, Privacy and Information Security & Associate General Counsel, Information Security Group, UPMC

back to top

How Consumers Might Game the 90-Day Grace Period and What Can Be Done About It

Authors: Michael Kolber, Associate, Healthcare Industry | Hans Leida, Principal and Consulting Actuary, Milliman

Editor’s Note: Under the Affordable Care Act (ACA), individuals receiving a federal subsidy are entitled to a three-month premium nonpayment grace period. As long as an individual has paid at least the first month’s premium of the year, in any subsequent month the individual has three months to make the premium payment before coverage is terminated. The grace period has obvious benefits for consumers, yet has created significant apprehension among providers who worry they will go unpaid when coverage is retroactively terminated. Unfortunately, this provision could have even broader adverse implications for the healthcare system.

The grace period law could encourage subsidized individuals to regularly pay only nine months of premiums and receive, in effect, 12 months of coverage. Should this gaming become widespread, it could increase premiums for everyone who purchases coverage in the individual exchanges. In a new Health Affairs Blog post, summarized below, Manatt Health and Milliman team to examine the grace period’s potential impact—and some possible solutions. Click here to read the full post.


On September 12, the federal Centers for Medicare and Medicaid Services (CMS) announced that it has changed the way it administers the federal exchange. Under the new policy, individuals in a grace period renewing into the same product (with the same insurer) would generally have to pay past-due premiums to effectuate coverage for the following year. Although this change may make it less likely for individuals to game the system inadvertently, gaming will still be possible by simply purchasing a different product. State-based exchanges would be well-advised to adopt a policy similar to the one CMS is implementing, as well as explore other options to mitigate the potential for gaming.

Grace Period Overview

Many states have existing laws that require insurers to provide a grace period for premium nonpayment before coverage is terminated. For example, New York law establishes a 30-day grace period. If an individual misses a payment, the individual has 30 days to pay or coverage is terminated retroactively to the last payment date.

The ACA grace period operates quite differently. First, it lasts three full months. Second, it is limited to individuals who are receiving federal subsidies and have already paid at least one full month’s premium for the calendar year. Third, insurers are required to pay claims for the first month of the grace period and notify healthcare providers that they may not be paid for the second and third months of the grace period. If the patient does not pay all premiums for the three-month period, coverage is terminated only to the end of the first month of the grace period. Therefore, the insurer can reject claims for only the second and third months of the grace period, despite not being paid premium for the first month either, other than the premium subsidy it receives from the government for that month.

Gaming the Grace Period

Critics of the ACA grace period argue that it creates an incentive to get four months of coverage for the price of one. But there are two very good reasons individuals are unlikely to embrace this strategy during the first nine months of the year:

  • Enrollees are only allowed to purchase health insurance coverage during the annual open enrollment period or if a qualifying life event triggers a special enrollment period. Therefore, an individual who lets his or her coverage lapse in February and exhausts the grace period would not be able to purchase coverage again until the next open enrollment period. Any medical claims incurred would be entirely the patient’s responsibility in the interim. Such an individual may be able to purchase a short-term insurance policy outside an open enrollment period, but short-term policies are not subject to the consumer protections afforded under the ACA.
  • An individual who lets coverage lapse in February and is not exempt from the ACA’s individual mandate to maintain health coverage will have to pay a tax penalty. A short-term insurance policy does not count as minimum essential coverage under the law, so would not exempt an individual from the tax penalty.

But the calculus is considerably different in the last three months of the year. The individual mandate has an exemption for short coverage gaps. If an individual has a gap in coverage of less than three months, he or she does not need to pay the penalty for those months. (Individuals are allowed only one short coverage gap per calendar year.) An individual who stops paying premiums October 1 will still have coverage for all of October and will lose only November and December coverage so will not have to pay a tax penalty.

Furthermore, the open enrollment period will occur concurrently with the individual’s grace period, so the individual can select a plan for the following year and will have coverage January 1, as long as that individual pays the January 1 premium. Significantly, failure to have paid a premium in the past is not an exception to the ACA’s guaranteed availability rule. Until CMS’s recent guidance, this appeared to mean that an individual who chose not to pay his or her October, November, and December 2014 premiums could go to the exchange during open enrollment and select the very same plan the individual was enrolled in for 2014, and the insurer would be required to accept that enrollment, as long as the individual paid the 2015 premiums.

New Rules for Federal Exchanges

Under CMS’s new interpretation, individuals who are in a grace period that began in October, November, or December and remain in the same health insurance product would need to pay all premiums due in the grace period (including months in 2014) to ensure they remain enrolled in coverage in 2015. This new approach will mitigate some of the gaming, but there are still less convenient opportunities to game.

For example, an individual who switches products, such as from a preferred provider organization (PPO) to a health maintenance organization (HMO), but stays with the same insurer, would not need to repay the 2014 premiums to receive 2015 coverage. Similarly, an individual who switches insurers would not need to pay 2014 premium amounts to receive 2015 coverage.

CMS does not explain how its new rule is consistent with the federal guaranteed availability law, which, in general, entitles anyone to purchase any health insurance coverage on the market, without respect to health status—or whether the applicant has paid all premiums that were due in the past. Nevertheless, it does appear to be possible to interpret the guaranteed availability requirement to permit this approach.

A separate provision of the ACA, guaranteed renewability, entitles individuals to renew coverage at their option, but has an exception that permits insurers to terminate coverage if premiums are not paid. The logic of CMS’s new interpretation appears to be that, as long as coverage has not yet been terminated (e.g., the individual is in a grace period) and the individual wants to remain in the same product, the individual is taking advantage of the guaranteed renewability right and can have the renewal denied if he or she has not paid past premiums.

The CMS bulletin does not automatically apply in the states that are operating their own exchanges. The consequences of gaming in state exchanges could be significant.

Potential Implications for Premium Rates and Exchange Participation

It seems likely that CMS’s new approach for the federally facilitated exchanges will reduce the number of gamers in those markets somewhat. In states that do not adopt CMS’s approach (or some other method to reduce gaming), the impact will likely be greater.

It is also likely, however, that the impact will be smaller in the first years of the exchanges. Many of those newly enrolled may not yet realize the potential for gaming, may have objections to gaming or may be averse to the perceived risk of being in a grace period. On the other hand, given the significant potential cost savings for gamers, it seems plausible that—eventually—many low-income individuals will adopt this strategy to further reduce their premium costs. Some patients may even “game” inadvertently by forgetting to pay premiums until they fall ill.

Estimates indicate that approximately 60% of the ACA-compliant risk pool nationwide—85% of the exchange population—would be able to game the system. If even a relatively small fraction chooses to do so, it could have real consequences for premium rates—perhaps requiring an increase of up to several percentage points. Insurers with a greater concentration of subsidy-eligible enrollees could see larger impacts.

As more enrollees move to ACA-compliant plans from grandfathered or transitional plans, it is possible that there will be significant additional enrollment of subsidy-eligible members. There are several mitigating factors to consider:

  • In 2014, many individuals did not sign up for coverage effective January 1. In fact, much enrollment came during a “surge” later in the spring. Individuals who signed up late have generally already used their short coverage gap exemption, and cannot use it again in the fall. Furthermore, the late enrollees may be more likely to be younger and healthier than those who signed up for coverage starting January 1. That means the population most likely to game in 2014 is also most likely to have already used up their short coverage gaps. Then again, many enrollees may find that paying the individual mandate penalty for the last few months of 2014 is still cheaper than purchasing coverage.
  • More generally, enrollees who are receiving full subsidies (for example, when the subsidy is sufficient to pay the entire premium for a bronze plan) or nearly full subsidies may be less likely to game, as their net premium costs are small.
  • In general, healthy individuals will have more incentive to game than individuals with ongoing medical expenses. Because healthy individuals also tend to be younger, gamers may tend to have lower premium rates than average. This may lessen the proportional impact of gaming on the risk pool slightly.

In the long run, insurers that offer plans on exchanges will likely incur additional costs that are due to unpaid premiums. These costs are in addition to the significant fees insurers must pay to exchanges. By rule, exchange fees must be spread across an insurer’s premium rates for the entire ACA risk pool, both on and off the exchange.

It is less clear how the impact of uncollected premiums due to gaming may be included in rates. Based on guidance to date, it appears that insurers may be required to include the impact of gaming in their profit and risk loads, rather than as direct administrative costs. In either case, both administrative costs and profit margins are allowable rating variations at the plan level, so it is possible that insurers will be permitted to allocate the costs of grace period gaming solely to rates for plans offered on the exchange rather than spreading them across the entire single risk pool.

On the other hand, if insurers are required to spread the cost of gaming across the entire ACA risk pool as with exchange fees, it will put an insurer that participates in the exchange at even more of a competitive disadvantage relative to an otherwise equally situated insurer that does not. (Of course, the insurer that does not participate in the exchange will forgo a significant number of potential enrollees--i.e., the subsidy-eligible population--and, in 2015 and 2016, will forgo the risk mitigation available under the federal risk corridor program.) In this scenario, if the exchange insurer starts to lose off-exchange enrollment to competitors because of this disadvantage, it has the effect of widening the competitive gap. Nonsubsidized individuals are again likely to migrate off the exchange if similar coverage is available at lower cost there.

Over time, this dynamic could lead to a bifurcation of the market, with one set of insurers serving the subsidized population on the exchange (at higher premium rates) and a second set of insurers operating off the exchange (at lower premium rates).

The ACA introduces a risk adjustment mechanism that may help lessen the likelihood of market bifurcation (but does not address gaming). Risk adjustment aims to transfer a portion of premiums from insurers with low-risk populations to those with higher-risk populations using a “risk score” and a complex transfer formula. Assuming gamers will be individuals with low risk scores, and given that risk scores are weighted based on months of enrollment, it seems likely that insurers with gamers will tend to have higher average risk scores than those with a population that does not game and is comparable in demographics and health status, all else being equal. However, in practice “all else” will not be equal. Given the complexity of the transfer formulas and the unproven nature of the model, it is unclear to what degree risk adjustment may mitigate the impact of gaming for insurers on the exchange.

Given the mitigating considerations for 2014, regulators have a window of opportunity to address the situation. Because CMS has interpreted the guaranteed availability and guaranteed renewability rules to permit insurers to reject renewals unless an individual pays all premiums due in a grace period, states have the flexibility to apply the federal law in the same way. Other state policy options appear to be less effective at preventing gaming or may be impermissible under federal law. For example:

  • Some states have considered a “lockout” period in which individuals who did not pay premiums in the previous year would not be permitted to buy insurance for at least part of the next year. But these lockout periods likely violate the ACA guaranteed availability provision.
  • States might also seek a waiver of the three-month grace period requirement. Beginning with coverage in 2017, CMS and the Internal Revenue Service (IRS) are permitted to grant states’ requests for waivers from provisions of the ACA. But this is a long-term solution for an issue that may have a more immediate impact.

Most insurers already prefer that consumers set up auto-debits with a bank account or credit card to pay their premiums. Gaming presents another reason to encourage auto-debits, as they make it slightly more cumbersome to stop paying premiums at the end of the year. But one study found that about a quarter of subsidy-eligible exchange enrollees may lack bank accounts, which makes traditional auto-debits challenging.

Healthcare providers are already evaluating whether they can refuse to schedule appointments with patients who are in a grace period. State law, ethical codes, and contracts with health plans may prevent a provider from not seeing a patient who is in a grace period but still technically has insurance coverage. However, if it does become difficult for patients to schedule appointments while in grace periods, this could provide some disincentive to gaming.


If states do not follow CMS’s lead, insurers may need to reevaluate product and exchange strategies. Even CMS’s new rule is unlikely to stop dedicated gamers. This concern may prompt policymakers to reconsider the three-month grace period altogether.

back to top

The Medicare Shared Savings Program Proposed Rule: Key Highlights

Authors: Kier Wallis, Manager | Jonah Frohlich, Managing Director | Annemarie Wouters, Senior Advisor | Anna Barnwell, Senior Analyst | Chris Cantrell, Senior Analyst

Editor’s Note: On December 2, 2014, the Centers for Medicare and Medicaid Services (CMS) published a proposed rule addressing changes to the Medicare Shared Savings Program (MSSP). The proposed rule recommends codifying much of the operational guidance released following the Final Rule in 2011. CMS will accept comments on the proposed rule through February 5, 2015.

Manatt Health has prepared a detailed memo, summarized below, with highlights of the proposed. Click here to download the full memo. Please refer to Manatt’s summary of the Final Rule for background on the current MSSP.


ACO Eligibility Requirements

ACO Participant Agreements and Lists. CMS proposes to codify guidance requiring ACOs to notify CMS of changes to their participant and provider/supplier lists within 30 days. The proposed rule would allow CMS to reevaluate an ACO’s eligibility for the MSSP should its participant list change by 50% or more.

Legal Entity and Governing Body. CMS clarifies that an ACO formed by two or more participants with unique Tax Identification Numbers (TINs) must be a legal entity separate from any of the ACO participants. It proposes that an ACO’s governing body must be unique to the ACO. If an ACO is composed of two or more participants, the governing body must not be the same as the governing body of any ACO participant. With these changes, CMS intends to ensure ACO decision-making authority resides with the ACO governing body and not an existing body of an ACO parent organization.

Enabling Technologies. CMS proposes to require prospective ACOs to describe how they will “encourage and promote the use of enabling technologies for improving care coordination for beneficiaries.” Examples of enabling technologies include electronic health records (EHRs) and other health information technology (IT) tools, telehealth services, and health information exchange (HIE) services.

Transition of Pioneer ACOs into the MSSP. CMS proposes a transition process for Pioneer ACOs to participate in the MSSP through completion of a condensed application form, as long as the ACO is applying for a risk-based payment Track. (There are currently two Tracks for which ACOs can choose to apply. Track 1 is shared savings only. Track 2 is shared savings and shared risk.)

Provision of Beneficiary Data

Streamlining Data Sharing Policies. CMS proposes streamlining its data sharing policies and processes to better support ACOs in Tracks 1 and 2 by:

1. Expanding the information it makes available to include name, date of birth, Health Insurance Claim Number (HICN), and sex for each beneficiary that had a primary care visit with an ACO participant in the past 12 months, as well as to make that data available monthly; and

2. Sharing data on prospectively assigned beneficiaries at the beginning of the agreement period and each performance year, on a quarterly basis, and in conjunction with annual reconciliation.

Beneficiary Assignment

Definition of Primary Care Services, and Consideration of Physician Specialties and Nonphysician Practitioners. CMS proposes expanding the definition of primary care services used as the basis of beneficiary assignment to include transitional care management (TCM) and chronic care management (CCM). CMS further proposes including primary care services furnished by nonphysician practitioners--specifically nurse practitioners (NPs), physician assistants (PAs) and clinical nurse specialists (CNSs)--in the first step of the beneficiary assignment methodology. It also proposes excluding services that certain specialties provide from the second step of the assignment process.

Any final policy changes impacting beneficiary assignment will be applicable at the beginning of the next performance year (i.e., 2016) following the release of the final rule.

Payment Track Changes

Proposed Modifications to Existing Payment Tracks. CMS outlines several changes to existing payment tracks to address concerns raised by participating ACOs and “smooth the on-ramp” for ACOs to accept increasing levels of performance-based risk. CMS proposes removing the requirement that Track 1 participants transition to Track 2 after the first agreement period ends, permitting these ACOs to remain in Track 1 for an additional three years.

In addition, CMS proposes creating a “Track 3” under which ACOs may assume increased levels of risk and be eligible for greater savings than in Tracks 1 and 2. CMS believes that providing greater opportunities for reward will incentivize ACOs to take greater responsibility for their assigned beneficiary populations.

Seeking Comment on Ways to Encourage ACO Participation in Performance-Based Risk Arrangements

To encourage ACOs to assume more risk, CMS is seeking comments from stakeholders regarding four possible waivers from payment rules, including input on the design of those waivers. CMS also is considering creating a beneficiary attestation process for Track 2 and the proposed Track 3 ACOs, similar to attestation processes being tested by Pioneer ACOs.

Considerations of Changes to Establishing, Updating and Resetting Benchmarks

CMS does not propose any changes to the benchmarking methodology. It is seeking comment, however, on whether to change how it establishes, updates and resets ACO benchmarks.

back to top