
INTERVIEW

Insuring the Highest Health of Minnesotans

Lucas Nesse, President and CEO Minnesota Council of Health Plans


What are some of the most unexpected things you have encountered since joining the Council?

Obviously, the COVID-19 pandemic was a headwind that no one saw coming and I gained the experience of working with the plans to quickly adapt and support their members. The Council has always worked collaboratively to make health care affordable and accessible for Minnesotans, but the exponential growth of telehealth has required particularly close coordination to support continued access to care. The pandemic has also highlighted how important the additional services that the nonprofit health plans provide are for optimal health. For example, there’s been a renewed focus on community giving and our foundations have provided significant financial assistance related to addressing social isolation, mental health, food insecurity, domestic abuse as well as supporting broad availability of personal protective equipment. Organizations receiving financial and other support from health plans include Second Harvest Heartland, Greater Twin Cities United Way, People Serving People, YMCA of the Greater Twin Cities, and many others.

What are some of the ways the Council is a resource for consumers?

The Council is a resource for consumers in a variety of ways, including helping Minnesotans gain entry into the health care system, finding the best providers for their specific situation, and ensuring coordination of care overall. Efforts can also include support for food security, housing, education, and transportation to appointments.

You have been working with issues around reinsurance – please tell us about these efforts.

Reinsurance was first considered on the federal level as a necessary tool for market stability under the Affordable Care Act. When that fell through at the federal level, the market was unstable and more costly. Minnesota stepped up with our own proposal and it has performed as advertised — bringing much needed stability and more affordable premiums, 20% lower on average, to Minnesota’s individual market. It does so by directly paying for a portion of high-cost claims. We are in year four of a five-year federal waiver and right now we are seeing bipartisan support to extend the program for a fifth year. Reinsurance has been so successful that it should be considered as part of a longer-term solution.


Please tell us about your work related to COVID-19.

The health of Minnesotans is the highest priority of the nonprofit plans we represent, and they stepped up immediately for their members. In addition to community giving efforts, health plans took voluntary actions very early on that included waiving any cost sharing for testing and in-patient treatment, broad expansion of telehealth services, relaxed out-of-network requirements, and removal of prior authorization procedures. We also work closely with state officials to continuously assess if there are additional steps that can be taken to ensure timely and barrier-free access for Minnesotans, including support for the vaccination effort.

What non-COVID legislative issues are you working on this session?

Extending reinsurance is a top priority, and so is a proper permanent expansion of telehealth. Telehealth utilization during the pandemic was a success story thanks to the close coordination that made it work for Minnesotans. The question remains about where it will level off, but the future clearly will have higher utilization of telehealth. That is a good thing because it will support better access and it has the potential to bring more efficiency to care models, as well.

What are some of the ways the Council is addressing the topic of health care equity?

There is a lot of great work going on in Minnesota right now on health equity, but obviously more needs to be done. One of the biggest challenges is driving the close coordination necessary to make real progress. Health plans recently made their senior leaders available to create a Health Equity Committee focused on coordinating a focused effort. As an example of our intentions, at only our second meeting, we were able to unite around a recommendation to update the Universal Initial Credentialing Application Form to include voluntary disclosure of race, ethnicity and language so that information is available to support health equity efforts by identifying diverse mental health providers. That quick and substantial action is just one of many impactful steps we will be advancing to improve health equity in Minnesota.

How does the public health work you are doing with community health groups around Minnesota fit in with your health care equity initiatives?

Our plans are engaging with a wide variety of public health initiatives, ranging from mental health to physical activity to environmental health initiatives. Every 5 years, our plans come together to set priority areas for community engagement after reviewing state and local health assessments and outline those goals and partnerships in a Collaboration Plan. Through these initiatives, our plans address health equity in three key ways:

• Creating and supporting a diverse workforce within our organizations.
• Increasing access to culturally and linguistically appropriate care.
• Improving quality of care.

We know we can’t make everyone healthier on our own, which is why we value our work with others in the community and invest in programs that aim to reduce health disparities.

What work are you doing around the topic of prescription drug costs?

What could be considered step one in making an impact on drug costs was our successful effort to require transparency regarding drug companies’ price increases. The law generally requires drug manufacturers to report certain information to the state if drugs costing more than $100/month increase their price more than 10% in one year or 16% over two. The information they must submit includes the factors contributing to the increase, costs associated with manufacturing, marketing, R&D, sales revenue, profit, any agreements made to delay a generic version, and the ten highest prices paid for the drug in any other country. The goal is to put pressure on their regular price increases and scrutinize the reporting to inform the best next steps in supporting affordability.

What other goals/projects do you have for 2021?

We are always working to find practical and innovative ways to ensure that all Minnesotans get access to high-quality care at the most affordable price. So, in partnership with the Minnesota Chamber of Commerce and the Minnesota Hospital Association, we are working on a High Value Care Initiative to more broadly identify services that are considered to have low or no value and develop protocols to minimize their occurrence. A 2017 Minnesota Department of Health study found that $55 million was wasted in a single year on a small subset of services known to be of low value, which is generally care that is medically unnecessary and can include things like redundant or unneeded diagnostic tests, lab tests, therapy services, radiology services and pharmaceuticals. We are excited to focus an effort here in Minnesota that has great potential to maximize efficient, effective care – and ultimately lower cost.

What would you like physicians to know about the Minnesota Council of Health Plans?

Health plans truly want to work closely with you to support optimal health. I have regular conversations with the leaders of the provider associations that are constructive and focused on working together and problem solving. There is a natural push-pull between providers and payers but it can and should be a positive conversation because we all have the same goals of supporting the well-being of Minnesotans.

Lucas Nesse, JD, is President & CEO for the Minnesota Council of Health Plans. Since 2019, Mr. Nesse has guided the Council’s members toward consensus and is the face and voice of Minnesota’s nonprofit health insurance companies. He works with all of the member health plans and stakeholders to pursue high-quality and affordable health services for Minnesotans. Prior to assuming this role at the Council, Lucas was the Health Policy and Grassroots Director for the Minnesota Business Partnership, a large employer membership organization. He served previously for nine years in various roles at the Minnesota Senate. He’s also on the board of Minnesota Community Measurement.


Ransomware in the Age of COVID-19 (from cover)

destroyed UVM Health Network’s computer infrastructure on which encrypted data resided and put both patients and staff at risk.

The effect of the attack spread like pestilence throughout the organization. According to the Vermont Digger, UVM furloughed or reassigned about 300 employees who could no longer perform their jobs, services were postponed or cancelled due to the systems being offline, and the health system experienced a loss of approximately $1.5 million per day due to disrupted revenue and the resulting expenses of repairing the organization’s infrastructure.

Due to the severity of the attack, HealthITSecurity reported that the state’s governor eventually deployed the Army National Guard’s Cyber Response Team to UVM to assist with recovery efforts.

But this pestilence is not from nature – it’s man-made.

Ransomware is a type of malware. It infects a computer or computer system and encrypts the files contained within. Then the ransomware delivers a dreaded message: pay a fee to retrieve the files or lose them forever. Some organizations agree to pay the ransom. However, there are no guarantees that this strategy will work. The cybercriminals may demand more money, launch another attack, or refuse to release the files despite payment.

As more workers become remote and health organizations continue to make the shift to be more connected technologically due to the COVID-19 pandemic, the risk of ransomware attacks, as well as other forms of cyberattacks, has grown. This can be corroborated by examining the ransomware claims experience of Coverys insureds. When isolating data from the most recent fully developed underwriting year (2018), Coverys’ ransomware claims increased over 66% relative to the average of the previous four underwriting years, which is a notable jump.

An April 2020 advisory released by the New Jersey Cybersecurity & Communications Integration Cell described a rising concern: COVID-19-related cyberattacks and phishing scams have been specifically targeting the healthcare sector, which is more open to attack due to both the preoccupation with treating COVID-19 cases and following stringent protocol, as well as the ever-expanding use of technology to keep healthcare organizations connected in the new age of telehealth.

Devastating effects

In addition to having data locked or needing to pay a ransom, business owners could also experience a data breach due to ransomware. Ransomware is a significant reason for the number of data breaches trending upward in recent years. According to HIPAA Journal, businesses have experienced more data breaches in 2020 than any other year before. As the 2020 attack on UVM demonstrates, when a healthcare organization loses its data, the outcome can be devastating. And although all industries and organizations experience a punch from a ransomware attack, such attacks can cause life-threatening injury in a healthcare setting. For example, HealthITSecurity reported that another 2020 ransomware attack on a large U.S. healthcare system resulted in rerouted ambulances, delayed radiation and treatment for cancer patients, medical records that were inaccessible and even permanently lost, and hundreds of furloughed staff.

But how can you fight an unseen, growing monster? Like the vaccine developed for COVID-19, the answer lies in developing a plan and taking action to prevent an attack before it has the chance to spread – and in having a safety net ready in the event of infection.

Preventing the spread

To protect a healthcare organization’s employees, patients, and data, a multifaceted defense system is required.

The typical initial infection is carried through a phishing email containing a link or attachment. Other infection opportunities include users inadvertently installing malware from the internet or from USB drives, and attackers exploiting remote access using stolen or hacked credentials.

To defend against the initial phishing infection, there are a few steps an organization can take:

• Provide security awareness training to educate users not to click on links or open attachments from suspicious senders, and to inspect emails carefully for signs of phishing.
• Provide for phishing and spam filtering at the mail gateway.
• Don’t install/run programs unless they’re from a reputable source.
• Restrict the ability of end-users to install software themselves or only allow installation from whitelisted sources.
• Only allow the use of trusted USB drives and don’t allow execution from USB drives.
• Implement endpoint detection and response products to stop malicious code from executing.
• Require strong, unique passwords and multifactor authentication.

If you have been attacked


Once infected, oftentimes the initial malware will reach out to a command and control (C2) server in order to download additional malware or to open a backdoor allowing the attacker access to the system. To defend your systems against this infiltration, consider:

• Domain Name System filtering/protection.
• Next-generation firewalls used to block unauthorized egress traffic.

Once past initial defenses, malware will use application vulnerabilities to execute code. The code will run under the context of the logged-in user, or the attacker will try to elevate privileges. Therefore, consider the following defense strategies:

• Reducing access privileges so users have the minimum access that they need in order to do their job.
• Regular patching of operating systems and applications, including web browsers.
• Hardening of endpoint systems and the use of endpoint detection and response products to stop malicious code from executing and to block privilege escalation.

If the malware is able to execute and encrypt data, organizations must identify what data was affected, whether it was exfiltrated from the network and whether it can be recovered. The following tactics can be used as a data defense:

• Encryption.
• Audit logs.
• Regular backups and testing of those backups.

Be Prepared

These defense strategies can be used to fortify an organization, but even the safest of healthcare organizations are at risk of a stealthy attack during day-to-day activities.

Data will be less secure at times to address the everyday aspects of sharing data with business partners, patients, employees, and others. These standard business needs create the weak points that hackers are eager to exploit.

While prevention is the smartest strategy, it is not 100% effective.

When isolating data from the most recent fully developed underwriting year (2018), Coverys’ Cyber Liability and Protection Plus incurred losses increased over 110% relative to the previous four-year average – a number which demonstrates the need for a solid contingency strategy in the event of a cyberattack.

Therefore, it is equally important to be properly insured. Just as healthcare organizations have a written plan for responding to potential natural disasters, they should also have a written plan for responding to potential data breaches. Because in the age of technology and remote work, the question isn’t if, but when an attack will occur.

In the event of a breach, both your organization and your board could face lawsuits. There may be some overlap between Directors & Officers (D&O) insurance, general liability, and cyber policies, but one should not assume that one policy type will provide all the coverage needed if an attack occurs. Check D&O and general liability policies to see whether they cover cyber events, as well as cyber policies to see whether they cover board members within the Definition of Insured. Consult with your organization’s insurance broker to assess whether your insurance coverages meet your organization’s needs.

Matthew C. Bertke, CPA, MBA, is the Product Development Manager for Coverys, a nationally recognized professional liability insurer and leader in addressing the challenges of health care delivery.

Stark Law and Anti-Kickback Statute Updates (from cover)

“unnecessary obstacles” to coordinated care. Some of the primary new changes to the Stark Law and AKS are intended to allow greater flexibility in structuring payments to physicians based on value-based care models. The level of flexibility in the payments generally depends on the degree of financial risk involved in the arrangements, with greater flexibility being granted in arrangements where the provider assumes greater financial risk. The exact framework is beyond the scope of this article, but parties structuring compensation models should know that there is greater flexibility to pay physicians who are involved in value-based care programs than there previously was.

In addition to greater flexibility in compensation arrangements, there is more flexibility surrounding patient incentives. Whereas previously many patient incentives would have been prohibited as inducements, the new laws allow incentives if they further a value-based purpose for a specified patient population. The incentives allow provision of in-kind, preventative items, goods, or services, such as health-related technology, patient health-related monitoring tools and services, or supports and services designed to identify and address a patient’s social determinants of health. For example, movie tickets as a reward for completing a therapy regimen will not be allowed, but onsite childcare services while a parent receives treatment will be allowed. Cash and cash equivalents (e.g. Visa gift cards) are prohibited; however, vouchers and gift cards for a specific purpose are allowed (e.g. voucher for a free heart rate monitor).

Looking at the Changes

The Stark Law changes are generally intended to reduce the burden on providers and also reduce technical violations and the backlog of self-disclosures that CMS has been working through since the enactment of the self-disclosure referral protocol back in 2010. For those not very familiar with the Stark Law, at a high level it prohibits referrals of certain designated health services (DHS) from physicians to providers that the physician has a financial arrangement with, unless an exception exists. The challenge with the Stark Law is that intent is irrelevant in determining whether there has been a violation, and in many cases well-meaning physicians can end up violating the law and incurring extremely high financial penalties. Here are some examples of the recent fine-tuning.

a. Group Practice Change

While many of the Stark Law changes were intended to reduce provider burden, the clarification to the rules of allocating DHS profits across multi-disciplinary provider groups may require these groups to restructure their profit distribution methodologies. Fortunately these rules will not take effect until January 1, 2022, so that gives groups some time to plan. As some context, the Stark Law generally requires that profit distribution methodology among physician groups not take into account referrals of DHS, but there is an exception that allows compensation to be structured differently among subgroups of a physician group that contain at least 5 members. Some provider groups interpreted this exception to allow these subgroups to be paid according to DHS service line (cardiology receives lab profits; radiology receives imaging; etc…). CMS clarified that this was not the intent behind the allowance of subgroups and that instead all DHS service line profits must be combined prior to the profit distribution across subgroups.

b. Commercially Reasonable Change

The Stark Law requires that compensation be commercially reasonable, and the definition of what qualifies as “commercially reasonable” has been an issue that providers have struggled with over the years. One example is that health systems often suffer losses on their primary care service lines but they still have to hire physicians to fill those roles. Is the arrangement commercially reasonable even if the clinic is projected to run at a loss? Most parties to commercial transactions will not enter into them if they know they will lose money; however, there are exceptions. Specifically, a lack of physicians in a particular specialty in a geographic area may justify higher compensation payments because of a health system’s need to have providers with that expertise. CMS recognized this situation and clarified that arrangements do not necessarily need to be profitable in order to be commercially reasonable.

c. Isolated Financial Transaction

The clarification that CMS made with respect to the isolated financial transactions exception doesn’t present new opportunities for physicians but rather clarifies the application to help prevent the continuation of overly broad interpretations. Through the self-referral disclosure protocol process, CMS noticed that providers would attempt to remedy ongoing violations by making a single payment and then claim that the payment was an “isolated financial transaction”. CMS reasoned that if this interpretation was correct, it could ultimately be used to retroactively correct any Stark Law violation and obviate the need for any other exceptions. CMS clarified that the intent of this exception is to cover one-time events (e.g. the sale of physician practices) or events occurring over a short timeframe (e.g. a weekend of call coverage).

d. Period of Disallowance

The Period of Disallowance refers to the time period that any referrals of DHS are prohibited and it is used to calculate the financial penalties for noncompliance with the Stark Law. In an attempt to draw a clear line, CMS provided guidance for the calculation of the Period of Disallowance which ultimately resulted in an overly rigid formula. CMS was seeing voluntary disclosures involving technical violations of the Stark Law that would ultimately end up with penalties of several million dollars. In an attempt to curb this, CMS provided guidance on how a Period of Disallowance can be eliminated if a Stark Law violation resulting from an administrative error is resolved within 90 days of expiration of the arrangement.

e. Limited Remuneration

The new limited remuneration exception to the Stark Law is probably going to have the most significant impact of all of the Stark Law changes as it pertains to preventing technical violations that pose little risk of fraud or abuse. This exception is intended to apply to arrangements involving less than $5,000 annually that fail to qualify for other Stark Law exceptions. Now, there are still some conditions to qualify for this exception, so providers should not think that this exception will allow DHS entities to write a $5,000 check to physicians. Notwithstanding these conditions, if an arrangement wasn’t premised on referrals and is within the $5,000 limit, there is a good chance that this exception could apply. When taking this exception into account with the guidance provided in relation to the Period of Disallowance, it is clear that CMS intends to reduce Stark Law violations resulting from technical issues that pose little risk of fraud or abuse.

Cybersecurity Safe Harbor/ Stark Exception

One of the additional opportunities for providers is the new allowance for donations of cybersecurity (generally from health systems to provider groups) that was added to the Stark Law and AKS. This allowance is similar to the EHR exception and safe harbor introduced back in August of 2006. Of course there are protections intended to prevent abuse, but on the whole this is a win for providers. It should be noted that the exception and safe harbor prohibit selection of donation recipients based upon criteria that take volume of referrals into account and that providers cannot require a donation as a condition of doing business with another provider. In other words, a hospital cannot determine donation recipients based upon the amount of referrals it receives and physician groups cannot demand a donation as a condition to supplying referrals.

AKS Personal Services Changes

AKS has broader application than the Stark Law and should be looked at in connection with any agreement involving physicians. Because AKS is an intent-based statute, the technical violations that existed under the Stark Law are less likely to occur under AKS. Still, providers that are seeking certainty that their arrangement does not violate AKS will want to structure their arrangements to fall within a safe harbor. There are more than twenty safe harbors, and one of the more significant changes we saw from OIG with respect to AKS is that the requirements of the Personal Services Safe Harbor have been changed to allow wider application. Specifically, the Personal Services Safe Harbor previously required compensation to be set in advance and this was interpreted to require that the total aggregate compensation be calculated at the time of entering into the contract. That basically requires that any contract be structured as a fixed fee, which creates problems when the arrangement is more appropriate for an hourly fee or per-unit charge. The revisions to the Personal Services Safe Harbor now change this requirement so that only the compensation methodology needs to be determined in advance. This is a significant change that will allow many more arrangements to qualify for the safe harbor.

In summary, the AKS and Stark Law changes might offer providers new opportunities. This article provides a high level summary of some of these opportunities. Physicians should consult with experienced health law counsel prior to structuring arrangements that might implicate either law.

Antonio “Tony” Fricano, JD, is a health care attorney at Lathrop GPM and has extensive experience advising physicians, health systems, and other health care organizations. Prior to starting with Lathrop GPM, Tony was an in-house attorney at the largest health system in Illinois.
