Issue 20, Spring/Summer 2023

After an extensive evaluation process the Todd Strategy Group (TSG) has been selected to represent the OrthoForum in its advocacy efforts beginning May 1, 2023. TSG is a leading strategic consulting firm focused on legislative and regulatory guidance and advocacy for stakeholders impacted by Federal law. It has served as the sole D.C. representative for many smaller companies in the finance, health care and technology spaces and has consistently been featured as one of the top Federal lobbying firms in Bloomberg Government’s “Top-Performing Lobbying Firms”

null

Dan Todd

Principal at TSG

Prior to founding TSG, Dan Todd was a Senior Health Care Counsel for the Republican staff of the Senate Finance Committee, the Committee of jurisdiction for the Medicare and Medicaid programs.  Dan was centrally involved in the development of the physician payment reforms included in The Medicare Access and CHIP Reauthorization Act of 2015 referred to as “MACRA”. Before joining the Finance Committee, Dan spent several years in the biotechnology industry, where he led policy development and government affairs strategy.   Dan also represented his companies’ interests with major trade associations and  before federal and state representatives, as well as with key stakeholders such as physician and patient advocacy organizations. Dan also served as a Special Assistant in the Office of the Administrator at the Centers for Medicare & Medicaid Services (CMS), where he  worked on Medicare Part B and Part D issues during the implementation of the Medicare Modernization Act from 2003-2005.

Employing a comprehensive team-based approach, TSG clients benefit from multiple representatives providing relevant, timely and actionable information for business planning and execution. TSG has hit the ground running having already met with our Advocacy Committee. A TSG advisor has been assigned as the primary liaison with each of our subcommittees. 

All of us involved with the OrthoForum’s advocacy efforts are excited about the energy, knowledge and strategic approach that TSG has already demonstrated. More than ever the expertise, guidance and the influence of an effective advocacy partner is crucial to meeting our mission. We look forward to working with TSG for many years as the healthcare legislative and policy issues related to private physician practices are only going to intensify.

General OrthoForum Policy Issues

End of COVID-19 Public Health Emergency
The COVID-19 PHE concluded on May 11, 2023, ending three plus years of emergency authorities enacted by the government to respond to the pandemic. Many policies have been maintained on the state and federal level, including telehealth flexibilities and access to therapeutics authorized under EUAs. Additionally, with the conclusion of the PHE and other external factors, it will be more difficult for Congress to gain consensus on COVID-related spending. Many stakeholders have committed to maintaining asks to Congress for additional help navigating workforce challenges, cost increases for equipment and drugs, sicker patients, and disrupted supply chains.

Notably, States will begin and execute the disenrollment Medicaid process and the conclusion of several provider flexibilities. A provision in the CAA of 2023 allows states to begin redetermining beneficiary eligibility without penalty. The continuous coverage requirement for State Medicaid plans ended on March 31, 2023, and states are required to complete redetermination by the end of May 2024. In response to the difficulties associated with Medicaid enrollment, the Biden Administration issued state guidance on ways to limit increases in the uninsured rate as states try to educate residents about other options like marketplace coverage if their income would now disqualify them for Medicaid.

A brief overview of flexibilities expiring, being maintained, and those with special sunset periods can be found below. Of note, further explanation of telehealth flexibilities can be found in the Therapy Services section:

Notable Policies Impacted by PHE Conclusion

  • Access to FDA Emergency Use Authorization (EUA) COVID-19 products
  • Most major telehealth flexibilities will not be affected and will remain in place through December 2024
  • Certain Medicare and Medicaid waivers (State 1315) and broad flexibilities for health care providers
    (Of note, it will be important to verify and reference state Medicaid and Medicare flexibilities for providers including add-on payments as extensions and conclusions vary by state and jurisdiction)
  • Cost sharing for COVID-19 diagnostics will resume in the private/commercial market—No cost sharing will be maintained in Traditional Medicare and Medicaid while Medicare Advantage may see changes in cost sharing levels

Medicare Prior Authorization Issues

Congressional Action: As mentioned in previous newsletters, Congress did not address prior authorization issues in its end-of-session legislation package (the Consolidated Appropriations Act, 2023). Many advocates hoped the bill that passed the House in September 2022 by a voice vote (H.R. 3173) would be included in the package, but the costs of the legislation (CBO Score increasing deficit by $16 billion) may have prevented final inclusion. There have been rumors that the bill will be re-introduced in the 118th Congress but we have not seen written legislation as of Mid-May 2023.

On Wednesday, May 17, the Senate Homeland Security investigative subcommittee launched a bipartisan investigation into how frequently Medicare Advantage insurers deny care with prior authorization and the usage of artificial intelligence software to do so. The investigation included a letter sent to three large insurers (Humana, United Healthcare and CVS) insisting on records outlining the role of software algorithms play in denying physician prior authorization requests. The letters call for insurers to release records surrounding the number of prior authorization requests and denials from 2019 onward. Chairman Richard Blumenthal (D-CT) and Ranking Member Ron Johnson (R-WI), also seek to learn more about who is most likely to have a request denied and what is the most likely service to be turned down.

This effort follows numerous letters from House of Representative members including an effort led by Reps Pramila Jayapal (D-WA), Rosa DeLauro (D-CT), and Jan Schakowsky (D-IL) with over 70 lawmakers urging CMS to finalize the December 2022 Prior Authorization proposed rule and a May letter from House Energy and Commerce leadership to Cigna on use of automation and AI to deny claims. 

State Action: Of note, over 90 prior-authorization reform bills are being considered in legislative sessions across 30 states, with over a dozen rated for potential passage. Key states include (Arkansas, California, New Jersey, North Carolina, Washington, DC, and Washington state. Provisions include provisions to:

  • 24–48-hour response time requirements
  • Allow adverse determinations only by a physician licensed in the state and of the same specialty that typically manages the patient’s condition
  • Prohibit retroactive denials if care is preauthorized
  • Make authorization valid for at least one year, regardless of dose changes; and for those with chronic conditions, the prior authorization should be valid for the length of treatment
  • Require public release of insurers’ prior authorization data by drug and service as it relates to approvals, denials, appeals, wait times and more
  • Require a new health plan to honor the patient’s prior authorization for at least 90 days.
  • Reduce volume through the use of solutions such as prior authorization exemptions or gold-carding programs

CMS Final Rule: In April 2023, CMS issued the Medicare Advantage and Part D final rule including provisions relating to preauthorization restrictions such as use “to confirm the presence of diagnoses or other medical criteria and/or ensure that an item or service is medically necessary.” The rule announcement included several paragraphs including “Removing Barriers to Care Created by Complex Prior Authorization and Utilization Management,” and “Promoting More Equitable Care,” relating to provider difficulties with prior authorization. According to reports, over 93% of physicians reported that patients face delays in accessing necessary care while waiting for health plans to authorize treatment or services.

CMS officials noted, “CMS has received numerous inquiries regarding the use of prior authorization by Medicare Advantage plans and the effect on beneficiary access to care.” In the rule, CMS finalizes impactful changes to address these concerns and to advance timely access to medically necessary care for enrollees including:

  • Requires prior authorization approvals to be valid as long as medically necessary and states that coverage denials based on medical necessity must be reviewed by healthcare professionals with relevant expertise before issuing a denial
  • Requires Medicare Advantage plans to annually review utilization management policies
  • Directs coordinated care plans to provide a 90-day transition period when a beneficiary undergoing treatment switches to a new Medicare Advantage plan. During this time, the new plan cannot require prior authorization for the active treatment
  • Requiring Medicare Advantage plans to comply with national coverage determinations, local coverage determinations, and general coverage and benefit conditions included in traditional Medicare regulations
  • Requires that prior authorization approvals for a course of treatment remain valid for as long as medically necessary to avoid care disruptions in accordance with applicable coverage criteria, the patient’s medical history, and the provider’s recommendation
  •  MA plans can apply internal coverage criteria in scenarios where no Medicare FFS guidelines are available, but they must publicly post a summary of the evidence that went into the decision

 

As written about in prior newsletters, CMS issued a proposed rule in December 2022 that would establish time frames for payer responses to prior authorization requests in MA, Medicaid managed care and the Affordable Care Act insurance marketplaces starting in 2026. Deadlines would be 72 hours for expedited requests and seven days for standard requests. However, CMS said it would consider shortening those durations based on stakeholder feedback to the proposals (the comment period closed in March). Additionally, the rule would require an “application programming interface” (API) to support and streamline the prior authorization process. For more details, see the January 2023 newsletter. Of note, the proposed rule does not apply to the Medicare FFS program. However, CMS has stated if the proposed rule is finalized, Medicare FFS “would align its efforts for implementation of the requirements as feasible.”

No Surprises Act Update

IDR Process Litigation
The final CMS regulation rule implementing the No Surprises Act, issued in August 2022, was enacted on October 25, 2022. However, the Texas Medical Association, the same association that challenged the prior version of the Independent Dispute Resolution (IDR) rule, filed an additional lawsuit arguing that the Final Rule continues to impermissibly require the IDR process to favor the Qualifying Payment Amount (QPA). The QPA is a statutorily defined payment rate representing the median contracted rates recognized by an insurer for the same or similar items or services in the same geographic area.

On February 6, 2023, the United States District Court for the Eastern District of Texas ruled in favor of the Texas Medical Association and vacated portions of the final rule adopted in August 2022 that applied to IDR process. This is the second time portions of final rules for the IDR decision-making methods have been vacated by this Court because of litigation brought by impacted providers. On April 11, 2023, the Department of Health and Human Services led an appeal of the most recent Texas Medical Association decision. That decision is still pending.

TMA argued that because the August Rule required an arbitrator to first consider the QPA and then consider the other information presented, the agencies were promoting the QPA to a higher status than other factors required to be considered by statute. Ultimately, U.S. District Judge Jeremy Kernodle ruled that the revised arbitration process “continues to place a thumb on the scale” in favor of insurers and “that the challenged portions of the final rule are unlawful and must be set aside.”

In response, CMS issued statements on February 24, 2023, and March 17, 2023, providing instructions to IDR entities on how to process claims for services provided before and after October 25, 2022 (the effective date of the Final Rule). Claims for services provided prior to Oct. 25, 2022, should be processed according to the independent final rule as amended by the prior Texas Medical Association lawsuit, and claims for services provided after Oct. 25, 2022, should be processed according to the Final Rule as amended by the newer Texas Medical Association lawsuit against the Final Rule.

SurpriseBilling

Fourth Lawsuit Filed—Relating to Fees
On January 30, 2023 TMA filed a fourth lawsuit over the No Surprises Act, focusing on increased fees to both parties involved in the IDR process. Fees increased for both parties regarding the independent arbitration process to solve billing disputes between providers and payers. At the start of 2023, CMS increased the administrative fee for arbitration, or IDR, processes — from $50 to $350. The increase of almost 600% was an unexpected surprise to providers and insurers relying on the IDR process. TMA writes in filings, “the change will not only make the process significantly more expensive for all IDR participants but will make it cost-prohibitive for many providers to access IDR at all.” Additionally, the suit lists challenges to the laws’ restrictions on batching claims, which allows arbitration processes only on claims with the same service code, requiring providers to go through a separate dispute process for each claim related to a care episode.

Fee increases are largely related to a significant backlog in IDR claims. A report from January 4, 2023 released by HHS found that between April 15 and Sept. 30, 2022, more than 90,000 disputes were initiated between health-care providers and payers such as health insurers and employer health plans. Agencies report the number to be “significantly more” than envisioned and predicted during implementation planning.

Implementation Efforts
In April 2023, HHS Secretary Xavier Becerra testified before multiple congressional committees including Senate Finance, and House Appropriations: Labor HHS (LHHS), Ways and Means, and Energy and Commerce. Throughout these sessions, Secretary Becerra was repeatedly asked about the implementation of the No Surprises Act. For example, during testimony with Senate Finance, Senator Michael Bennet (D-CO) referred to implementation as “a big mess” and noted that even when medical practices prevail in arbitration, insurance companies are not consistently paying providers as required. Additionally, reports and concerns surrounding the over 90,000 backlogged claims, with over six-month waiting periods to receive complete payments, were also mentioned.

In response, Secretary Becerra explained that most of the disputes being submitted for arbitration appear to be “frivolous,” due to zero cost associated with filing and that “everyone is just filing all sorts of claims…That’s what is bogging down the system.” The claims directly contradict HHS reporting that the main cause of the delays is difficulty determining claim eligibility for the federal arbitration process. Relevant agencies have not required insurers to indicate this eligibility initially, despite repeated stakeholder engagement that requirements would help address the problem and improve efficiency.

OrthoForum Advocacy Committee

For more information on any of the topics discussed in this section, please contact the chair of the OrthoForum Advocacy Committee, Dr. Richard Bruch, at rich.bruch@gmail.com.

Therapy Services Update

Telehealth Services

As noted in previous newsletters, The 2023 PFS final rule (published on November 18, 2022) continues through the end of 2023. Many of the Medicare telehealth flexibilities allowed during the COVID-19 public health emergency (PHE) for physical therapists (PTs) and occupational therapists (OTs), including CPT codes 97161-97164 for PTs, codes 97165-97168 for OTs, and therapy codes 97110, 97112, 97116, 97150, 97530, and 97542 (Congress extended these provisions until December 31, 2024 through the CAA of 2023).

Telehealth in Hospital Settings: During initial guidance on the end of the COVID-19 PHE, CMS was questioning the ability of occupational therapy, physical therapy, and speech-language pathology practitioners to provide telehealth services in outpatient hospital and SNF settings (under Medicare Part B) after the end of the PHE on May 11, 2023. Following an early May update, CMS has confirmed that following the end of the PHE, hospitals may bill for outpatient physical therapy (PT), occupational therapy (OT), speech-language pathology (SLP) services provided to beneficiaries in their homes through telecommunication technology by hospital-employed staff (Question 21).

Direct Supervision Requirement: During the PHE CMS allowed “direct supervision” of PT or OT to be provided virtually though real-time audio/video technology. CMS has clarified that the provision will expire on December 31, 2023 and has not expressed intentions to extend the provision into 2024.

Legislation Regarding PTs, OTs and Provider Reimbursement

In early spring three pieces of legislation were introduced to ease provider and therapy workforce challenges including H.R. 1310, the SHARE Act, H.R. 1617, the Prevent Interruptions in Physical Therapy Act of 2023 and H.R. 2474, the Strengthening Medicare for Patients and Providers Act, which aim to expand interstate licensure compacts and stabilize inflationary update to physician, OT and PT reimbursement under the Physician Fee Schedule.

The SHARE Act: H.R.1310 was introduced by Reps. Tracey Mann (R-KS), Joe Neguse (D-CO) and 11 other bipartisan members of congress aimed at increasing participation and creations of interstate licensure compacts for healthcare and other services. To date there are 25 states participating in the OT state licensure compact with 11 states introducing or enacting legislation to become member states. The SHARE Act aims to increase ease and federal regulatory barriers to compact uptake, improve the provider workforce shortage and reduce provider burden. Specifically, the bill would improve the current licensing process for health care providers and increase the number of licensed providers able to serve communities across state lines through:

  • Removing regulatory red tape and administrative burden by authorizing the FBI to share criminal history record information between states for licensure purposes
  •  Maintaining states’ rights to determine provider eligibility while allows cooperation and interstate licensure between states
  •  Leverages the use of Telehealth and telehealth flexibilities of “virtual direct supervision”

Strengthening Medicare for Patients and Providers Act: In April 2023 members of the Congressional Doctors Caucus including Reps. Raul Ruiz (D-CA), Larry Bucshon (R-IN), Ami Bera (D-CA) and Marianette Miller-Meeks (R-IA) introduced the Strengthening Medicare for Patients and Providers Act that would address payment uncertainty affecting Medicare-participating physicians and avoid a possible physician shortage for Medicare beneficiaries. H.R. 2474 would change the physician payment rate above the current law by providing an annual Medicare physician payment update tied to inflation, as measured by the Medicare Economic Index (MEI). Current law provides for separate conversion factors for physicians that are qualifying participants in advanced alternative payment models (also known as qualifying APM participants) and for other physicians beginning in 2026, with an annual update of 0.75% and 0.25%, respectively.

The bill replaces the separate conversion factors for qualifying APM participants and other physicians with a single conversion factor and provides for an update that is equal to the annual percentage increase in the Medicare Economic Index, beginning in 2024.

In a Press Release, the Caucus explicitly referred to MedPAC calls for legislative action to address the Medicare physician payment system by providing physicians with an annual inflation-based update tied to the MEI. Additionally, a March 2023 report from the Medicare Trustees states that the trustees “expect access to Medicare-participating physicians to become a significant issue in the long term” unless Congress takes steps to bolster the payment system. 

Prevent Interruptions in Physical Therapy Act of 2023: The bill builds on previous legislation passed into law in the 21st Century Cures Act that enables physical therapists in rural, medically underserved, and health professional shortage areas to ensure their patients continue to receive quality care during a temporary absence. This bill would extend the same flexibility to all physical therapists and patients nationwide. The effort is being led by Sens. Ben Ray Lujan (D-MN) and John Thune (R-SD) in the Senate and Reps. Gus Bilirakis (R-FL) and Paul Tonko (D-NY) in the house.

Specifically, the legislation extends provisions that allow physical therapists in rural, medically underserved, and health professional shortage areas to the ability to use locum tenens arrangements to ensure their patients continue to receive quality care during a temporary provider absence (e.g. illness, family leave, or continued professional education to all physical therapists in the outpatient setting participating in the Medicare program. This bill was endorsed by the American Physical Therapy Association

Due to political movements in the House and Senate with small majority margins for both sides, it’s unclear if any of the bills will pass into law this year despite bipartisan backing.

Therapy Services Advocacy

For more information on any of the topics discussed in this section, please contact the chair of the Therapy Services Subcommittee of the OrthoForum Advocacy Committee, Renee Duncan, at renee.duncan@orthotennessee.com.

CMS & CMMI Update

MedPAC Issues Site Neutral Payment Proposals
During the third session of MedPAC’s April 2023 public meeting, Commissioners focused on site neutral payments across ambulatory settings. Specifically, MedPAC’s recommendation asked Congress to align rates more closely across physician offices, ambulatory surgical centers, and hospital outpatient departments for 66 specific payment classifications outlined in Medicare’s outpatient payment system but only when doing so does not pose a risk to patient access. The proposals are not expected to have any direct effect on program spending, but MedPAC did note site-neutral payment could discourage provider consolidation and lower spending indirectly. Additionally, Beneficiaries may see lower cost sharing for some services, and higher cost sharing for others as a result of site neutrality.

MedPAC’s analysis identified 66 ambulatory payment classifications (APCs) to align payment rates, including 57 outpatient PPS (OPPS) and ASC rates to align with the physician fee schedule and nine OPPS rates to align with the ASC rates. While MedPAC also incorporated a budget neutrality adjustment to increase the payment rate for APCs that were not aligned, resulting in no change to aggregate spending, the proposal would move $7.75 billion from aligned APCs to non-aligned APCs.

The recommendation was unanimously adopted despite concern from Commissioner Lynn Barr about negative impacts for rural patient access and providers. Commissioner Robert Cherry abstained in a first round of vote, but eventually agreed to the policy after a small wording change eliminating “safe and appropriate to provide in all settings.” Commissioner Cherry explained, “The issue with site neutrality as is currently constructed in the chapter is that it may lead to unintended consequences… [for] individual patients who may benefit from a more resource-intense setting such as a hospital outpatient department.” Despite the recommendation being sent to Congress, MedPAC has a turbulent history in convincing lawmakers to institute recommended policies.

MedPAC Proposals on Physician Reimbursement
During the April 2023 meeting MedPAC commissioners expressed concern that the current Medicare wage index system fails to accurately reflect differences in labor costs across geographic areas and creates inequities across providers. To address this, MedPAC voted to recommend that Congress repeal the existing Medicare wage index statutes, including current exceptions (reclassifications), and require the HHS Secretary to phase in a new Medicare wage index system for hospitals and other types of providers. The new wage index system would:

  • Use all-employer and occupation-level wage data with weights for each provider type and different occupation
  • Reflect local area-level differences in wages between and within metropolitan statistical areas and statewide rural areas
  • Smooth wage index differences across adjacent local areas
  • Funds would be redistributed from high-wage-index hospitals (particularly those benefiting from wage-index exceptions) to low-wage-index hospitals, and recommended a transition period to mitigate negative impacts

CMS & CMMI Advocacy

For more information on any of the topics discussed in this section, please contact the chair of the CMMI Subcommittee of the OrthoForum Advocacy Committee, Dr. Wilford Gibson, at gibsonw@atlanticortho.com.

Ambulatory Surgery Center Update

Congress Debates Site Neutral Payment Legislation
During recent hearings in the Energy and Commerce Committee, multiple legislative opportunities for implementation of site-neutral payment were discussed including in a five-and-a-half hour long hearing on lowering the cost of healthcare. Chairwoman Cathy McMorris Rodgers (R-WA) referred to potential savings of $94 billion over 10 years from more extensively implementing site-neutral payment, as calculated by the Committee for a Responsible Federal Budget. While not all site-neutral policies were advanced to the Full Committee, smaller policies with effects to OrthoForum interests were advanced and more site-neutral policies are likely to be pursued this term. Of note, the site neutral payment policies being considered by the committee have not yet been introduced as bills but rather discussion drafts.

Two of the drafts would build on site-neutral payment clauses in the Bipartisan Budget Act of 2015 by largely eliminating available exceptions. The bill established site-neutral payment for off-campus provider-based departments but exempted any such facility that was operating or under construction as of November 2015, resulting in the provisions covering less than 1% of outpatient services. The bills would nullify the exception starting in 2025 and would build on regulations requiring payments at the lower rate for all clinic visits. An additional draft would apply site-neutral payment to a wider array of ASC payment classifications starting in 2026. Exceptions would be available for services deemed by the HHS secretary to be most appropriately furnished in hospital outpatient departments and for services provided most frequently in outpatient departments compared with ASCs and physician officers over a four-year period. Lastly, a draft would require a separate national provider identifier for each outpatient department of a provider starting in 2026, with mandatory attestation by the parent hospital or health system every two years.

Ranking Member Anna Eshoo (D-CA) spoke to statistics indicating that after a hospital acquires a physician practice, prices for services at the practice increase by 14%. After statements suggesting lack of site neutral payment has led to provider consolidation and increased costs, Chairwoman Rodgers (D-WA) offered the site-neutral provisions as an amendment that was ultimately withdrawn. Despite not forwarding the discussion drafts to the full committee, some site neutral provisions such as requiring mandatory reporting with respect to certain health-related ownership information, site neutral payment for dispensing certain Part B medications. More E&C debate on full site neutrality proposals is expected in the current congressional term and has broad bipartisan support despite not being advanced with the 17-bill package.

Our efforts to address site neutral payments have been enhanced through being introduced to the Alliance for Site Neutral Payment Reform (https://www.siteneutral.org/). The OrthoForum has joined this coalition of like-minded provider, employer and patient advocate groups, This organization is committed to educating its members and advocating for legislative changes to level the playing field regarding CMS payments for all outpatient services regardless of site of service.

ASC Advocacy

For more information on any of the topics discussed in this section, please contact the chair of the ASC Subcommittee of the OrthoForum Advocacy Committee, Teresa Copeland, at teresa.copeland@orthotennessee.com.

Cyber Security Update

HHS Releases Voluntary Cyber Security Guidance
In March 2023, HHS in partnership with the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released voluntary “Health Care and Public Health Sector Cybersecurity Framework Implementation” guidance to bolster healthcare cybersecurity. The guide aims to help the public and private healthcare sectors align their cybersecurity programs with the National Institute for Standards and Technology (NIST) Cybersecurity Framework (CSF) and enable healthcare organizations to assess their current cybersecurity practices and risks and identify gaps for remediation.

Overall, the guidance leverages the NIST CSF and gives a voluntary avenue to aid implementation. The NIST CSF was originally released in 2014 and updated in 2018, designed to assist organizations with developing, aligning, and prioritizing cybersecurity activities with business requirements, risk tolerances, and resources. The Guide also notes that, pursuant to 2021 amendments to the HI-TECH Act, HHS must “consider a health care entity’s adoption of recognized security practices, as defined by PL 116-321, when determining the length and outcome of audits or the number of fines or extent of penalties.” In February 2013, healthcare was identified as a critical infrastructure sector under Presidential Policy Directive 21 and the guide follows a push from the Comments on the guide ended on March 31, 2023, and has yet to be released to the public.

HHS Releases New Health Industry Cybersecurity Practices (HICP) 2023 Edition
On April 17, 2023, the HHS Cybersecurity Task Force led by the HHS 405(d) Program and the Health Sector Coordinating Council Cybersecurity Working Group released new resources to address cybersecurity concerns in the Healthcare and Public Health (HPH) sector. The three resources including the following: a publication entitled “Health Industry Cyber Security Practices (HCIP) 2023 Edition” aimed to raise awareness of cybersecurity risks and provide best practices, a report entitled “Hospital Cyber Resiliency Initiative Landscape Analysis” outlining domestic hospitals’ current state of cybersecurity preparedness, and “Knowledge on Demand” which is a new online education platform that offers free cybersecurity trainings. The new resources are in part of the Biden Administration’s broader work to bolster cybersecurity in “all of our Nation’s critical infrastructure.” Resources can be found at 405d.hhs.gov   

The updated HICP 2023 Edition is based on the program’s 2018 publication and has been updated by over 150 industry and federal government professionals with a focus on patient safety and mitigating current healthcare cybersecurity threats. HICP serves as a collection of best practices and recommendations for a range of audiences such as physicians, managers, technicians, among others to better prepare and combat cybersecurity threats that may impact patient safety.

The new HICP edition identifies five cybersecurity threats including social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network connected medical devices. HICP also outlines the “10 Cybersecurity Practices” including: email protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, security operation centers and incident response, network connected medical devices, and cybersecurity oversight and governance.

Additionally, the “Hospital Cyber Resiliency Initiative Landscape Analysis” included a review of participating hospitals benchmarks against standard cybersecurity guidelines and how hospitals are or are not protected against common cybersecurity threats. The analysis stated that based on the 2023 Censinet/AHA/KLAS survey, on average, hospitals claim to cover 72.05% of HICP practices, with email protection having the highest coverage and medical equipment security being the lowest. The same study showed 59.4% of medical technology used in hospitals encounter varying levels of anti-virus solution or other compensating control and 52.41% of hospitals indicate they separate medical technology from general access networks. HHS Deputy Secretary Andrea Palm stated that the analysis was in “anticipation of forthcoming policy discussions and to better understand the current state of sector cybersecurity.” Deputy Secretary Palm conveyed the agency’s ability to successfully collaborate with private industry by establishing and implementing new materials and tools to ensure enhanced cybersecurity preparedness, resiliency, and patient protection and safety.

To increase learning and understanding on these topics, the Task Force released the “Knowledge on Demand” website that features free cybersecurity trainings for the HPH sector workforce including overviews of the five identified cybersecurity threats, videos, and slide decks.

Of note, the HHS 405(d) Program started as a congressional mandate under the Cybersecurity Act of 2015, Section 405(d), to strengthen cybersecurity of the HPH sector and establish industry regulatory guidelines. 

Update on Senator Mark Warner (D-VA) Health Cyber Security Legislation
In November 2023, Sen. Warner released an op-ed and policy options paper outlining current cybersecurity threats facing health care providers and systems and offering for discussion a series of policy solutions to improve cybersecurity across the industry. As of May 2023, the Senator has received over 60 responses from industry groups and individuals. Originally, Sen. Warner aimed to release legislation by the end of Q1 but has yet to release it. For more details on Senator Warner’s plans refer to previous Advocacy Insights newsletters.

Additional Congressional Action on Health Cyber Security
On March 16, 2023 the Senate Committee on Homeland Security and Government Affairs held a two hour hearing on examining the cybersecurity risks to the healthcare sector with Scott Dresden of Corewell Health, Kate Pierce of Fortified Health Security, Greg Garcia of Healthcare and Public Health Sector Coordinating Council and Stirling Matin of Epic Systems. The hearing highlighted work from Senator Jackie Rosen (D-NV), that would improve the way CISA and the Department of Health and Human Services share information about cybersecurity threats with the healthcare sector, as well as provide cybersecurity training to medical professionals. Of note, in 2022 Sen. Rosen introduced the bipartisan Healthcare Cybersecurity Act, but has not reintroduced the measures in the 118th Congress.

HIPPA and Cybersecurity: Additionally, in February of 2023, the Office for Civil Rights (OCR) delivered two reports to Congress regarding Health Insurance Portability and Accountability Act (HIPAA) compliance and breaches of unsecured health information. The reports revealed from 2017—2021, HIPAA violation complaints increased 39% with large breaches reporting an increase of 58%. OCR received 609 notifications of events affecting 500 or more individuals that reached approximately 37.2 million individuals in total. Breaches affecting less than 500 individuals reported only affected a total of 319,215 individuals. Of these instances listed in the report Organizations were required to take corrective action or pay civil penalties at a rate of 83%.

Cyber Security Advocacy

For more information on any of the topics discussed in this section, please contact the chair of the Cybersecurity Subcommittee of the OrthoForum Advocacy Committee, Scott Paneitz, at spaneitz@SignatureHealth.net.

Political Update

politics

2024 Update
In November 2022, former President Donald Trump announced his 2024 Presidential campaign while in April 2023, President Joe Biden announced his re-election bid for President of the United States. According to a May 2023 CNN poll, President Biden’s approval rating is 41% and as of June 4, 2023, a polling from Real Clear Politics has Donald Trump (45.5%) ahead of President Biden (43.7%) in the general election. 

Prior to President Biden’s re-election announcement, several Republicans including Donald Trump and Governor Ron DeSantis of Florida announced their 2024 Presidential candidacy. Additional declared Republican candidates feature U.S. Senator Tim Scott (R-SC), former South Carolina Governor and United Nations Ambassador Nikki Haley, Vivek Ramaswamy founder of Roivant Sciences, Michigan businessman Perry Johnson, former Arkansas Governor Asa Hutchinson, former conservative media personality Larry Elder, and Dallas businessman Ryan Binkley. According to a May 2023 Quinnipiac University poll, Donald Trump leads with 56% support from Republican voters followed by Governor DeSantis with 25%.

Two candidates have declared their Presidential campaign of challenging President Biden for the 2024 Democratic nomination: Robert F. Kennedy Jr. and 2020 candidate Marianne Williamson. According to May 2023 CNN poll, nearly 60% of Democratic and Democratic-leaning voters indicate their support for Biden while 20% favor Robert Kennedy and 8% support Marianne Williamson. Notably, several external factors can still occur leading up to the Democrat primary.

Currently, seven states and electoral districts are considered “toss-ups” for the 2024 presidential election: Arizona (R +1.8), Georgia (R +2.5), Pennsylvania (D +4.1), Wisconsin (D +1), Maine’s 2nd District, and Nebraska’s 2nd District. In 2020, President Biden won Arizona, Georgia, Pennsylvania, and Wisconsin by one percentage point or less indicating that either the Republican or Democrat candidate will likely need to secure at least three of the four states in 2024 to win the Presidency. According to Inside Election’s Baseline Metric polling, Republicans have an advantage in Arizona and Georgia despite 2022 Democrat won Senate races for both states and Democrats show leading in Pennsylvania and Wisconsin.

 For 2024, Democrats will likely count on a Biden nomination despite disapproval ratings and limited alternative candidates. Under the Biden Administration, the United States has seen increased rates of inflation and some Americans have criticized the administration for not delivering on campaign promises such as student loan forgiveness. Notably, the recent debt limit negotiations could impact President Biden’s 2024 polling numbers. Current state standings with corresponding electoral votes include:

Toss-up (56)
Arizona (11), Georgia (16), Pennsylvania (19), Wisconsin (10)

Tilt Republican (16)
North Carolina (16)

Tilt Democratic (21)
Michigan (15), Nevada (6)

Lean Republican (31)
Florida (30), Maine’s 2nd District (1)

Lean Democratic (15)
Minnesota (10), Nebraska’s 2nd District (1), New Hampshire (4)

Despite the outcome of the 2024 Presidential election, health care and lowering costs will likely maintain a political priority.