Medicare Advantage should not ‘game the system’ but prioritize patient care, honest billing

https://www.healthcaredive.com/news/medicare-advantage-should-not-game-the-system-but-prioritize-patient-care/585613/

We all agree healthcare providers should prioritize patient well-being and bill honestly. Most do. But, if not, my office, the Office of Inspector General for the HHS, and other government agencies, are watching. 

We are especially monitoring an area of concern: abuse of risk adjustment in Medicare Advantage, the managed care program serving 23 million beneficiaries, 37% of the Medicare population, at a cost of about $264 billion annually. We have good reason to pay attention. Our recent report found that Medicare Advantage paid $2.6 billion a year for diagnoses unrelated to any clinical services.

Plans used a tool called “health risk assessments” to collect these diagnoses. Ideally, health risk assessments might be part of a Medicare beneficiary’s annual wellness visit and help care teams identify health issues. However, some Medicare Advantage plans use risk assessments without involving the patients’ regular care providers. 

Some plans partner with businesses whose primary livelihood entails identifying diagnoses by conducting risk assessments. Some organizations send professional risk assessors, perhaps practitioners with some medical credentials but not physicians or other clinicians involved in the person’s care, to the beneficiaries’ homes.  Our study found that 80% of that extra $2.6 billion payment resulted from in-home health risk assessments. 

Medicare’s capitated payments vary by beneficiary for good reason. If Medicare paid the same for every beneficiary, plans might favor younger and healthier enrollees. It may not hold true every month, but, on average, it will cost a plan less to serve a healthy 65-year-old than an older person with diabetes or cancer.

Risk adjustment tailors the capitated rate to each beneficiary’s expected costs, so plans should enroll any interested beneficiary and not discriminate. But the risk adjustment is just a projection. Beneficiaries need not actually incur higher costs for the plan to receive higher payments. Some beneficiaries with a seemingly low risk will incur high costs in a given year and some beneficiaries with a high risk will incur low or even no costs.

In fact, one Medicare Advantage plan received about $7 million for beneficiaries who did not appear to receive any clinical care that year — other than the risk assessment, which was the only reason for the higher Medicare payment. Finding beneficiaries with high risk scores but low care utilization can prove a profitable business strategy. 

Without gaming, on the aggregate, risk-based payments and utilization should even out over time.  But what if plans do game the system? Perhaps making their beneficiaries look sicker? Or not providing care for beneficiaries’ health conditions?

We identified two main concerns:

  • bad data — risk of incorrect diagnoses identified in the health risk assessment resulting in incorrect payments to plans.
  • suboptimal care — risk that diagnoses are correct, but patients are not getting the care they need.

The question of whether beneficiaries are experiencing quality and safety problems requires more study. For example, it is possible that beneficiaries are receiving care, but plans are not submitting this data as required. Regardless, plans that use risk assessments to gather diagnoses, but then take no further action, are clearly missing an opportunity for meaningful care coordination. We urge Medicare Advantage plans to:

  • Ensure practices drive better care and not just higher profits.  
  • Enact policies and procedures to ensure the integrity and usefulness of the data.

This could include measures like educating patients about the identified diagnoses and sharing them with caregivers. These steps are consistent with the best practices identified by CMS and provided to Medicare Advantage Plans in 2015.

It is not necessarily bad that Medicare allows risk assessments to influence payment, trusting that plans use risk assessments to identify missed diagnoses and not to fabricate nonexistent diagnoses. 

However, this practice only helps patients if there is some additional intervention to improve care. If risk assessments are performed by third parties, at minimum, the beneficiary and the beneficiary’s care team should learn the results. Risk assessments should trigger meaningful care coordination, patient engagement and help ensure the care team takes appropriate action. Risk assessments that generate diagnoses for payment purposes, but result in no follow-up care raise serious concerns.

Ensuring beneficiaries receive the care they need should be front of mind for executives as they design risk assessment programs with an eye to quality of care and better care coordination. Failing that, executives should know that government agencies will scrutinize risk adjustment for abuse. 

In response to our report, CMS promised to provide additional oversight and target plans that reap the greatest payments from in-home health risk assessments and conditions generated solely by risk assessments for which the beneficiaries appeared to receive no other clinical services. My office has identified red flags in some industry patterns and recommends plans adopt best practices. Executives should champion best practices and make sure their plans are driving correct diagnoses and quality care.

Ensuring that beneficiaries are properly diagnosed is important, not just for the integrity of taxpayer-funded federal healthcare programs, but also for the welfare of the beneficiaries served. Coordinating care and providing appropriate follow up is critical.

My office and other government agencies are targeting oversight to make sure plans do not pad risk adjustments with unsupported diagnoses. When plans find new real diagnoses, the plans deserve the extra payment, but only if patients get appropriate care.

 

 

 

 

C.D.C. Tells States How to Prepare for Covid-19 Vaccine by Early November

As President Trump pushes the possibility of a vaccine this year, the C.D.C. has outlined technical scenarios to state public health officials for an unidentified Vaccine A and Vaccine B.

The Centers for Disease Control and Prevention has notified public health officials in all 50 states and five large cities to prepare to distribute a coronavirus vaccine to health care workers and other high-risk groups as soon as late October or early November.

The new C.D.C. guidance is the latest sign of an accelerating race for a vaccine to ease a pandemic that has killed more than 184,000 Americans. The documents were sent out on the same day that President Trump told the nation in his speech to the Republican National Convention that a vaccine might arrive before the end of the year.

Over the past week, both Dr. Anthony S. Fauci, the country’s top infectious disease expert, and Dr. Stephen Hahn, who heads the Food and Drug Administration, have said in interviews with news organizations that a vaccine may be available for certain groups before clinical trials have been completed, if the data is overwhelmingly positive.

Public health experts agree that agencies at all levels of government should urgently prepare for what will eventually be a vast, complex effort to vaccinate hundreds of millions of Americans. But the possibility of a rollout in late October or early November has heightened concerns that the Trump administration is seeking to rush the distribution of a vaccine — or simply to hype that one is possible — before Election Day on Nov. 3.

For an administration that has struggled with the logistical challenges of containing the coronavirus, the distribution of millions of vaccines that must be stored in subzero temperatures and provided first to high-risk groups through America’s flawed, fragmented health care system would be a daunting challenge. Even the C.D.C.’s guidance acknowledged that its plan was hypothetical and based on the need to immediately begin organizing the gigantic effort that would be required if the F.D.A. were to allow the use of a vaccine or two this year.

The C.D.C. plans lay out technical specifications for two candidates described as Vaccine A and Vaccine B, including requirements for shipping, mixing, storage and administration. The details seem to match the products developed by Pfizer and Moderna, which are the furthest along in late-stage clinical trials. On Aug. 20, Pfizer said it was “on track” for seeking government review “as early as October 2020.”

Credit…

“This timeline of the initial deployment at the end of October is deeply worrisome for the politicization of public health and the potential safety ramifications,” said Saskia Popescu, an infection prevention epidemiologist based in Arizona. “It’s hard not to see this as a push for a pre-election vaccine.”

Three documents were sent to public health officials in all states and territories as well as officials in New York, Chicago, Philadelphia, Houston and San Antonio on Aug. 27. They outlined detailed scenarios for distributing two unidentified vaccine candidates, each requiring two doses a few weeks apart, at hospitals, mobile clinics and other facilities offering easy access to the first targeted recipients.

The guidance noted that health care professionals, including long-term care employees, would be among the first to receive the product, along with other essential workers and national security employees. People 65 or older, as well as Native Americans and those who are from “racial and ethnic minority populations” or incarcerated — all communities known to be at greater risk of contracting the virus and experiencing severe disease — were also prioritized in the documents.

That’s a positive development, “so it doesn’t just all wind up in high-income, affluent suburbs,” said Dr. Cedric Dark, an emergency medicine physician at Baylor College of Medicine in Texas.

The C.D.C. noted in its guidance that “limited Covid-19 vaccine doses may be available by early November 2020.” The documents were dispatched the same day that Dr. Robert Redfield, director of the C.D.C., sent a letter to governors asking them to prepare vaccine distribution sites by Nov. 1, as McClatchy reported.

The agency also said its plans were as yet hypothetical, noting, “The Covid-19 vaccine landscape is evolving and uncertain, and these scenarios may evolve as more information is available.” A C.D.C. spokeswoman confirmed that the documents were sent but declined to comment further.

Many of the details listed for the two vaccines — including required storage temperature, the number of days needed between doses, and the type of medical center that can accommodate the product’s storage — match what Pfizer and Moderna have said about their products, which are based on so-called mRNA technology. Neither company responded to requests for comment.

The scenarios, which assume that the two vaccines will demonstrate sufficient safety and effectiveness for an emergency authorization from the F.D.A. by the end of October, noted that Vaccine A, which seems to match Pfizer’s, would have about two million doses ready within this time frame, and that Vaccine B, whose description matches Moderna’s, would have about one million doses ready, with tens of millions of doses of each vaccine ready by the end of the year. Although it’s possible that some promising preliminary data may emerge by the end of October, experts are skeptical.

“The timeline that’s reported seems a bit ambitious to me,” Dr. Dark said. “October’s like 30 days away.”

Trials that test a vaccine’s effectiveness can take years to yield reliable results. It’s possible to draw conclusions sooner “if there is an overwhelming effect” in which vaccinated people appear to be far better protected from disease, said Padmini Pillai, a vaccine researcher and immunologist at M.I.T.

But there can be significant risks in approving a vaccine for broad use in the public before Phase 3 clinical trials involving tens of thousand of participants are completed. Rare but dangerous side effects may only surface over time, after such large numbers of people have received the vaccine.

And data gathered early in a trial might not hold true months down the line. Researchers also need time to test large numbers of people from a variety of backgrounds to determine how well the vaccine works in different populations — including the vulnerable communities identified in the guidelines.

Should any of these snags occur, Dr. Pillai said, “all of this together could diminish public trust in the vaccine.”

James S. Blumenstocksenior vice president of pandemic response and recovery at the Association of State and Territorial Health Officials, confirmed that the three C.D.C. documents were sent to all state and territorial health departments last week. “It is now the time to enhance organizational structure and involve all partners in this planning process going forward,” he said.

Lisa Stromme, a spokeswoman for the Washington State Department of Health, said that her state’s health officials were still at “a very early stage in a planning process,” but were already working toward developing infrastructure that would accommodate the assumptions laid out by the C.D.C.

The C.D.C. documents said that public health administrators should review lessons learned from the 2009 H1N1 pandemic vaccination campaign, which did not have enough doses at the beginning to meet demand.

“It’s good to have a plan out for hospitals and health care systems to prepare” for a potential rollout, said Dr. Taison Bell, a pulmonary and critical care physician at the University of Virginia. But Dr. Bell added that he was concerned that the timeline outlined in the documents “is incredibly ambitious and makes me worry that the administration will prioritize this arbitrary deadline rather than maintaining diligence with following the science.”

The technical comparison of Vaccine A and Vaccine B has some echoes of what was discussed at an Aug. 26 meeting of the Advisory Committee on Immunization Practices of the C.D.C. At the meeting, Dr. Kathleen Dooling, a C.D.C. medical officer, laid out three scenarios: Vaccine A, or the Pfizer vaccine, is approved, Vaccine B, the Moderna vaccine, is approved, or both. The requirement that Pfizer’s vaccine be stored at minus 70 degrees Celsius would mean that it couldn’t be administered at most small sites, she said. The C.D.C. documents noted that orders of Vaccine A would go “to large administration sites only.” The Moderna vaccine requires storage at minus 20 degrees Celsius.

The C.D.C. documents said the vaccine would be free to patients, but that providers might not be reimbursed for administrative costs if the vaccine was given an emergency authorization, rather than a standard approval.

Experts worry that the process is unlikely to go off without a hitch, given the last-minute scramble and the mixed messaging so far. “I think distribution is going to be very tricky for the vaccine, particularly if there is a cold storage requirement,” Dr. Bell said.

There are also likely to be challenges administering both doses of the proposed vaccines, which must be given weeks apart, Dr. Dark said. “How are you going to make sure people get both?”

 

 

 

 

What makes a Bad Vaccine?

A Covid-19 vaccine, amazingly, is close. Why am I so worried?

A mere six months after identifying the SARS-CoV-2 virus as the cause of Covid-19, scientists are on the precipice of a having a vaccine to fight it. Moderna and the National Institutes of Health recently announced the start of a Phase 3 clinical trial, joining several others in a constructive rivalry that could save millions of lives.

It’s a truly impressive a feat and a testament to the power of basic and applied medical sciences. Under normal circumstances, vaccine approvals are measured in decades. Milestones that once took months or years have been achieved in days or weeks. If these efforts are successful, the Covid-19 vaccine could take a place alongside the Apollo missions as one of history’s greatest scientific achievements.

I’m optimistic. And yet, as someone who studies drug development, I want to temper expectations with a dose of realism and perhaps a bit of angst. Behind the proud declarations, many science and medical professionals have been whispering concerns. These whispers have escalated into a murmur. It’s time to cry them loudly:

Hey, Food and Drug Administration: Don’t be rash! Premature approval of a sub-standard Covid-19 vaccine could have dire implications, and not just for this pandemic. It could harm public health for years, if not generations, to come.

Unfortunately, elements now in place make such a disastrous outcome not only possible but in fact quite likely. Specifically, the FDA and its staff of chronically overworked and underappreciated regulators will face enormous public and political pressure to approve a vaccine. Whether or not one worries about an “October surprise” aimed at the upcoming election, regulators will be pressed hard. Some will stand firm. Some may resign in protest. But others could break and allow a bad vaccine to be released.

What makes a “bad vaccine”? Insufficient protection against the disease it is designed for, unwanted side effects, or some combination of the two. If an approved Covid-19 vaccine turns out to be ineffective, this could unintentionally promote wider spread of the disease by individuals who presume they were protected from it. Likewise, a negative experience with one vaccine might discourage the use of other vaccines that are far more safe and effective, whether they are for Covid-19 or other vaccine-preventable diseases.

Some things take time. Under normal circumstances, ensuring that a vaccine’s effects are safe and durable requires years of study and monitoring. And there is some evidence that natural immune responses to SARS-CoV-2 infection could be transient, making sustained investigation all the more necessary. A merely short-term effect could encourage vaccinated individuals to resume risky behaviors, which would all but guarantee that the epidemic endures. And if unintended side effects turn out to include, for instance, chronic inflammatory or autoimmune disease, a bad vaccine could impart lifelong damage.

But wait, there’s worse! A bad Covid-19 vaccine could further undermine confidence in the many safe, reliable vaccines already in our public health arsenal. Vaccine skepticism and anti-science bias, propagated by B-list celebrities and Russian troll farms, have been gaining strength all year. Combined with disappointing Covid-19 outcomes, such malign forces could facilitate the reemergence of once-vanquished foes — polio, measles, mumps, rubella, diphtheria, whooping cough, and tetanus — that once killed multitudes of children each year.

These are enormous risks. Placing all of our bets on a small set of untried vaccine technologies would be gobsmackingly foolish. Yet this is exactly what we are now doing. Most of the high-profile names capturing headlines are pursuing comparatively minor variations on a theme of genetic vaccines (those delivered via DNA or RNA). If one approach happens to work, the odds are higher the others will work as well. Disappointing results from one candidate, though, might presage failure across the board.

Rather than investing in a balanced portfolio of vaccines with different approaches — not to mention different therapies, devices, and diagnostics for treating Covid-19 — too many observers, too many companies, and too many governmental officials seem to be narrowly focused on hopes for a “savior” vaccine. Were that savior to fail, our national morale, already low, could plummet even further.

Don’t get me wrong. I, along with millions of Americans, want a Covid-19 vaccine. But we deserve one that’s been proven to be safe and effective.

It’s not too late to take a deep breath and devise a strategy to balance short- and long-term goals, including vaccination, improved diagnostics, and existing and novel treatments. We must support the FDA and hope that its scientists and physicians retain the strength and conviction to resist approving a substandard vaccine.

For encouragement, we should look to Frances Oldham Kelsey, a veritable patron saint of the FDA. In 1960, during her first month working for the agency, Kelsey was asked to approve a sedative called Kevadon, which had the potential to generate billions in revenue. Despite enormous pressure, Kelsey spotted a risk for toxicity and dug in her heels. She refused to rubber stamp the approval. Her actions saved the lives of countless babies. Kevadon, better known as thalidomide, proved to be one of the most dangerous and disfiguring drugs in history.

Kelsey passed away in 2015 at the age of 101. We must pray that her spirit inspires a new generation of FDA leaders with the courage to say, “No.”

 

 

 

 

 

COVID-19 Event Risk Assessment Planning Tool

https://covid19risk.biosci.gatech.edu/?fbclid=IwAR2w_OgIVr9Er81yZJaktKEz_ot6mz6HrdtRIzOYZPuigvIT4V2LuG59qm0

Georgia Tech map calculates COVID risk at events in each county ...

This map shows the risk level of attending an event, given the event size and location.

The risk level is the estimated chance (0-100%) that at least 1 COVID-19 positive individual will be present at an event in a county, given the size of the event.

Based on seroprevalence data, we assume there are ten times more cases than are being reported (10:1 ascertainment bias). In places with more testing availability, that rate may be lower.

Choose an event size and ascertainment bias below:

 

 

 

 

Healthcare’s number one financial issue is cybersecurity

https://www.healthcarefinancenews.com/node/139027?mkt_tok=eyJpIjoiTURRMk1tVTFaVE15TkRjMiIsInQiOiJPNUYydDU5cFVodjB4bnlnb2M0eVhDNjg2YU53NDl6MWFRQlVpUEpmTzV5cEcrVVZMWldhd1AzbHNlckIwUWJHczlhOVRMZUxxSngyWk02VVhXTktXRjN1OE9mbkQ2V2FhQlBqVFIzOWpMS0pNUEdCYWh0SUQyZWZHRmpBQjRFWiJ9

Image result for hospital cybersecurity

The cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity and reputation.

Cyber attacks affect the finances of every hospital and insurer like no other.

“I’ve seen estimates of over $5 billion in costs to the healthcare industry annually,” said Lisa Rivera, a partner at Bass, Berry and Sims who focuses on healthcare security. “That’s enormous and is not going away.”

Beyond the cost to find a solution to fix breaches and to settle any civil complaints are fines from the Department of Health and Human Services Office of Civil Rights. In 2018, OCR issued 10 resolutions that totalled $28 million.

The HHS Office of Civil Rights is stepping up breach enforcement of private health information, according to Rivera, who is a former assistant U.S. Attorney and federal prosecutor handling civil and criminal investigations for the Department of Justice.

What officials want to see is that the hospital or insurer has taken reasonable efforts to avoid a breach.

“There is no perfect cybersecurity,” Rivera said. “They say it’s not perfection, it’s reasonable efforts. That’s going to require an investment up-front to see where data is located, and educating the workforce on phishing incidents.”

Also, hospital finance professionals who are relying more on contractors for revenue cycle management and analytics should take note on the security issues involved in sharing this information.

“Every sector of business has attacks, but healthcare is experiencing the largest growth of cyber attacks because of the nature of its information,” Rivera said. “It’s more valuable on the dark web.”

It’s also not easily fixed.

If an individual’s credit card is stolen, the consumer can cancel his or her credit card. But in health records, the damage is permanent.

THE IMPACT

Despite the number of breaches, healthcare has been behind other sectors in taking security measures. Four to seven percent of a health system’s IT budget is in cybersecurity, compared to about 15% for other sectors such as the financial industry, according to Rivera.

Hospitals are behind because first, it’s a challenge to keep up with the move to more information being in electronic form.

“There’s no hospital that doesn’t have mobile EHR information,” Rivera said. “Then there was this transition with incentives from the government to go to electronic medical records. There were vast routes to doing that without a lot of experience involved in doing it. The push to become electronic began happening with this enormous uptick in cyber attacks.”

Also, the focus of healthcare has always been patient care. The population health explosion also involves the sharing of information.

And consolidation across the healthcare industry can potentially make covered entities more vulnerable to lapses in security during the transition and integration phases.

RECOMMENDATIONS

The number one way to cut costs is to prevent a breach. Once one has happened, hospitals must be able to identify it as soon as possible and then be able to respond to it.

Hospitals should be able to determine where certain data goes off the rail, Rivera said. For instance, large systems doing research have outcome information that may not be within the system of protection.

“You don’t want to learn about a data breach because the FBI saw it on the dark web,” Rivera said. And some hospitals have.

It’s a constant battle of software updates and checks. Criminals are pinging systems thousands of times a day. It’s like locking down doors and windows.

The first thing that’s needed for systems large and small is a risk assessment. This is the first thing the OCR wants to see, she said. Many hospitals use an outside vendor to do the job.

Prices for other cybersecurity measures vary from a software purchase that could be in the millions, to having vendor monitoring.

But the cost of a healthcare breach is about $408 per patient record and that doesn’t include the loss of business, productivity, reputation and the service disruption.

Hospitals can also purchase cyber insurance, which varies in cost and coverage. Some obtain it for purposes of class action lawsuits.

THE LARGER TREND

OCR enforcement activity during 2018 demonstrates the agency’s continued emphasis on enforcing violations of the security risk assessment and risk management requirements, Rivera said.

Covered entities and business associates are required to: conduct a thorough assessment of the threats and vulnerabilities across the enterprise;    implement measures to reduce known threats and vulnerabilities to a reasonable and appropriate level; and ensure that any vendor or other organization accessing or storing private health information is security compliant.
The OCR concluded 2018 with an all-time record year for HIPAA enforcement  activity. The OCR settled 10 cases and secured one judgment, together totaling $28.7 million. This surpassed the previous record of $23.5 million from 2016.

In addition, OCR also achieved the single largest individual HIPAA settlement  of $16 million with Anthem, representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016. Anthem was held responsible for cyber attacks that stole the protected health information of close to 79 million people.