RISE summarizes recent regulatory-related headlines.
OCR proposes rule to improve cybersecurity in health care
The Office for Civil Rights (OCR) last week issued a proposed rule to improve cybersecurity and modify the current Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule to require health plans, health care clearinghouse, and most health care providers, and their business associates, to strengthen cybersecurity protections for individuals’ protected health information. The proposed rule, which is scheduled to be published in the Federal Register on January 6, 2025, aims to address frequent cyberattacks targeting the U.S. health care system.
“The increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety,” said Deputy Secretary Andrea Palm in an announcement. “These attacks endanger patients by exposing vulnerabilities in our health care system, degrading patient trust, disrupting patient care, diverting patients, and delaying medical procedures. This proposed rule is a vital step to ensuring that health care providers, patients, and communities are not only better prepared to face a cyberattack but are also more secure and resilient.”
OCR said the proposed changes are due to the significant number of large breach reports in the last five years. Indeed, from 2018-2023, reports of large breaches increased by 102 percent, and the number of individuals affected by such breaches increased by 1002 percent, primarily because of the rise in hacking and ransomware attacks. In 2023, over 167 million individuals were affected by large breaches—a new record. Since 2019, large breaches caused by hacking and ransomware have increased 89 percent and 102 percent.
The proposed rule would modify the HIPAA Security Rule to require health plans, health care clearinghouses, and most health care providers, and their business associates to better protect individuals’ electronic protected health information against both external and internal threats. It would clarify and provide more specific instruction about what covered entities and their business associates must do to protect the security of electronic protected health information. The proposed rule would also require policies and procedures to be in writing, reviewed, tested, and updated on a regular basis.
The proposals would better align the Security Rule, which will remain in effect during the rulemaking process, with modern best practices in cybersecurity and address:
- Changes in the environment in which health care is provided.
- Significant increases in breaches and cyberattacks.
- Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
- Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
- Court decisions that affect enforcement of the Security Rule.
CMS: Record number of consumers enroll in ACA coverage for 2025
A record 16.6 million consumers signed up for health care coverage for 2025 during the Marketplace Open Enrollment and will receive a full year of coverage beginning January 1, according to the Centers for Medicare & Medicaid Services (CMS). Of those consumers, two million are new to the marketplace this year.
CMS also said that nearly 7.2 million existing consumers have already returned to the marketplace to actively keep their current plan or select a new plan for 2025. Building on the success of last year, the agency said are on track for a record high number of plan selections for this year’s Open Enrollment.
“The record-breaking enrollment in Marketplace coverage speaks volumes about the critical need for health care coverage,” said CMS Administrator Chiquita Brooks-LaSure in the announcement. “To consumers still exploring options: Act now to secure coverage beginning February 1, and to take advantage of the enhanced tax credits that are still available for 2025 to make coverage more affordable.”
Marketplace Open Enrollment on HealthCare.gov runs from November 1 to January 15. Most consumers who enroll between now and January 15 will get coverage starting February 1, 2025.
HHS announces cost savings for 64 prescription drugs under Medicare Prescription Drug Inflation Rebate Program
The U.S. Department of Health and Human Services (HHS), through CMS, has announced that some Medicare enrollees will pay less for 64 drugs available through Medicare Part B. The drugs will have a lowered Part B coinsurance rate from January 1, 2025–March 31, 2025, since drug companies raised prices for each of these 64 drugs faster than the rate of inflation. Over 853,000 people with Medicare use these drugs annually to treat conditions such as cancer, osteoporosis, and substance use disorder.
Since April 1, 2023, people with Medicare have seen savings on over 120 drugs due to Inflation Reduction Act’s establishment of the Medicare Prescription Drug Inflation Rebate Program.
“The Inflation Reduction Act is working to lower prescription drug costs for millions of people,” said HHS Secretary Xavier Becerra in the announcement.. “By discouraging drug companies from raising their prices faster than inflation, we are keeping prices affordable for the people with Medicare who rely on these drugs to live healthier lives.The law has also capped out-of-pocket costs and finally allows Medicare the right to negotiate lower prices. It is a success story for the American people.”
In addition to the Medicare Prescription Drug Inflation Rebate, people with Medicare Part D will benefit from a $2,000 cap on annual out-of-pocket prescription drug costs in 2025. They may also choose to spread out their out-of-pocket prescription drug costs throughout the calendar year, allowing for more predictable, lower monthly costs instead of paying all at once at the pharmacy.
The Inflation Reduction Act also requires drug companies to pay rebates to Medicare when prices increase faster than the rate of inflation for certain drugs. CMS intends to begin invoicing prescription drug companies for Part B inflation rebates owed to Medicare no later than September 30, 2025, and Part D inflation rebates no later than December 31, 2025. The rebate amounts paid by drug companies will be deposited in the Federal Supplementary Medical Insurance Trust Fund, which will help ensure the long-term sustainability of the Medicare program for future generations.