Posts

CMS Proposes Updates to Medicaid Managed Care Organizations

By Jose Lopez, Senior Consultant, The Verden Group

On May 26th, the Centers for Medicare and Medicaid Services (CMS) issued a proposed rule aimed at “improving the quality and performance of Medicaid Managed Care Organizations (MCOs).” The proposed rule is vast, with more than 650 pages of proposed reforms that attempt to align MCOs with existing regulations for other private and public payers. More than half of all Medicaid beneficiaries (at least 39 million individuals in 39 states and the District of Columbia) have coverage through MCOs.

Amongst the proposed provisions are:

  1. Application of a Minimum Loss Ratio (MLR) to Medicaid and CHIP. The most sweeping change is the application of a federal 85% minimum MLR to MCOs beginning in 2017. MLRs measure how much a managed care plan spends on the provision of covered services compared to the total revenue it receives in capitation payments from the state. Applying a common national standard for calculating MLR is intended to allow comparability across states, facilitate more accurate rate setting, and reduce the administrative burden on managed care plans that operate in multiple states or have multiple product lines.
  2. Greater transparency in how states determine plan payment rates. States will be required to give CMS enough information for the agency to understand the data and the reasoning for the rate.
  3. Apply minimum standards to screen and enroll providers.
  4. Increase Provider Network Access by decreasing time and distance limitations for beneficiaries, particularly from services for Pediatric CHIP providers, OB/GYNs, behavioral health providers, and dentists.
  5. Expanding health plans’ responsibilities in program integrity efforts through administrative and managerial procedures that prevent, monitor, identify, and respond to suspected provider fraud.
  6. Establish a Quality Rating System for Medicaid Plans, based on quality factors including clinical effectiveness, patient safety, care coordination, prevention, member experience, plan efficiency, affordability, and management.
  7. Strengthen encounter data submissions from managed care plans to states, and from states to CMS.
  8. Allow Long-Term Care Beneficiaries to change plans or cancel enrollment and move to standard Medicaid coverage if their preferred providers are out of the managed care networks.

The Verden Group applauds these much-needed reforms. The proposed rule will provide greater access for Managed Medicaid beneficiaries located in rural areas, especially for at-risk children enrolled in CHIP. With greater transparency and provider choice, patients will be able to select plans that include practices that have differentiated themselves through innovative and high quality programs.

The two trade groups representing insurers, America’s Health Insurance Plans and Medicaid Health Plans of America, are generally supportive of the regulatory modernization and the thrust of CMS’ proposals, except for the national 85% minimum MLR. However, there is little evidence to suggest it will negatively impact their profits as many states already mandate MLR requirements.

The Verden Group is concerned the MLR mandate may create difficulties for not-for-profit safety-net insurers, which usually cover large numbers of Medicaid beneficiaries with serious and chronic health issues. These plans have profit margins that vary year over year, meaning a large profit surplus one year could be needed to offset significant losses in another year. In addition, state Medicaid agencies may not have enough resources to implement the proposed regulations. As with all regulations, it is important that sufficient resources are provided to ensure the proposed rule does not become an unfunded mandate where the fiscal responsibility falls to those it is intended to help.

The Verden Group encourages our clients to share their thoughts on the proposed rule by commenting publicly at:

https://www.federalregister.gov/public-inspection before the deadline of July 27, 2015.

 

Cyber Risk Insurance – Should you consider getting it for your practice?

By Sumita Saxena, Senior Consultant, The Verden Group

The cyber-attack on Anthem, which left 80 million customers and employees vulnerable to identity theft, has quickly elevated the question of whether to purchase cyber risk insurance to the forefront of discussion among healthcare providers. The attack will certainly impact the market of cyber security insurance for healthcare providers, payers and others. Small to medium-sized healthcare organizations that have not considered such coverage may do so now while insurers will be re-evaluating underwriting standards and likely premium levels in the wake of the Anthem attack.

Most policies provide broad coverage for what constitutes a privacy breach, whether it results from a hacker, unauthorized access by an internal rogue employee or a laptop that was lost or stolen. Coverage can be divided into two categories: first-party and third-party costs.

Typically first-party costs involve those direct costs related to responding to a privacy breach or security failure. Such costs include forensic investigation of the breach, legal advice to determine notification obligations, notification costs of communicating the breach, offering credit monitoring to customers or patients as a result, and loss of profits and extra expenses during time network is down (business interruption).

Generally third-party costs include legal defense, settlements or damages or judgments related to the breach, liability to banks for re-issuing credit cards, cost of responding to regulatory inquiries and regulatory fines and penalties. Optional coverage can encompass underwriting for cyber-extortion, where hackers access a network and demand a ransom in exchange for not stealing data (many companies would rather pay the ransom and make the problem go away).

Larger organizations are more likely to purchase coverage than smaller ones given their access to risk managers and in-house IT security. Smaller companies, like physician practices and local clinics, may not have access to such resources and may forego coverage as unnecessary or too expensive. Data breaches, however, are continuing to garner significant attention and some insurance experts have commented that more and more small and mid-sized organizations are actively seeking out this coverage. Premiums for a $1 million plan are generally $5,000 to $10,000 annually though the cost can vary based on several factors, including company revenue, cyber-risk management efforts and the coverage chosen.

The cost of insurance coverage and breach response is minimal, however, when compared to the legal and regulatory costs associated with a data breach, which depending on the size of the attack, can run into the millions and substantially impair a company’s profitability if the response is not adequate.

Any large, well-publicized breach such as the one that struck Anthem will affect the market for cyber security insurance, as noted by industry experts, by influencing coverage terms, increasing coverage prices and making underwriting requirements more stringent, especially for healthcare companies as the industry sees more large-scale breaches. In light of these changes, it is prudent to re-assess network security and adequacy of breach notification, and to consider cyber risk insurance as an additional safeguard against the substantial cost associated with data breaches.