Capitol Insights Newsletter
Authors: Luke Schwartz and Matt Reiter
What happened in Congress this week?
While much of Congress’s attention is focused on the confirmation processes for President-elect Trump’s nominees, discussions surrounding an end-of-year healthcare legislative package have gained momentum. Although much of this remains speculative, here are a few things we are hearing might be included in the package proposed by Republicans:
- “Doc Pay” Fix: One proposal is a one-time 2.5% increase to the Medicare Physician Fee Schedule Conversion Factor. If accurate, this would be less than the 2.83% cut set to take effect at the start of 2025. It also would not address a 4% reduction from failing to waive PAYGO in the American Rescue Plan Act of 2021.
- Telehealth Extension: Extending pandemic-era Medicare telehealth flexibilities set to expire at the end of this year has been a top priority on Congress’s health policy agenda in 2024. While initial bills introduced and advanced have focused on two-year extensions, we are now hearing that extensions ranging from as short as 90 days to as long as three years are now in play. We will keep a close eye on developments in the coming weeks.
- PBM Reform: Pharmacy Benefit Manager (PBM) reform has been a hot topic for years. While details are currently sparse, reforming PBMs (such as reigning in PBM spread pricing) is being considered for an end-of-year healthcare package.
However, Republicans and Democrats currently seem to be far apart in their negotiations.
Any major developments on these health policy topics or others that come to the surface before the end of the year will be covered in Capitol Insights.
OIG Releases Report Displaying Shortcomings of HIPAA Audits
The Office of Inspector General (OIG) conducted an audit of the Office of Civil Rights’ (OCR) HIPAA audit program to assess how effective the program has been in protecting electronic protected health information (ePHI). The program is designed to ensure compliance with HIPAA Security Rule across HIPAA-covered entities and business associates. OIG decided to conduct its audit in response to the increase in cyberattacks targeting healthcare provider IT systems. In 2022, OCR received 64,593 reported breaches affecting 42 million individuals. Additionally, the number of reported breaches continued to increase between 2018 and 2022. As a result, OIG has raised concerns about the adequacy of OCR’s efforts to ensure compliance with the HIPAA Security Rule.
The OIG’s audit revealed that although OCR fulfilled its requirement under the HITECH Act to conduct periodic HIPAA audits, it did not assess a majority of the required protections and was too narrowly focused on assessing ePHI protections. OCR’s audits only evaluated 8 of the 180 elements in the audit protocol. Additionally, OCR did not require audited entities to correct the identified deficiencies, failed to monitor the outcomes of its audits, and did not document the frequency of its HIPAA audits as of 2020.
The OIG has provided recommendations aimed at improving the effectiveness of OCR’s HIPAA audit program. Recommendations include expanding the scope of audits to evaluate compliance with physical and technical safeguards under the HIPAA Security Rule, documenting and implementing processes that will ensure timely correction of deficiencies, and defining metrics to monitor the effectiveness of OCR’s HIPAA audits.
Improving healthcare cybersecurity has rapidly become a priority for the federal government. An Office of Civil Rights proposed rule updating the HIPAA Security Rule is expected before the end of the year. Furthermore, a bipartisan group of Senators released the Health Care Cybersecurity and Resiliency Act of 2024 just a few weeks ago to help address the growing cybersecurity problems across the health sector.
Top Stories in Healthcare Policy
UnitedHealthcare CEO Brian Thompson was killed in a tragic, likely targeted shooting on Wednesday morning.
President-elect Donald Trump has announced additional picks for health-related cabinet nominations for the new administration:
- FDA Commissioner: Marty Makary, a Johns Hopkins surgeon, has been an advocate for increasing transparency in federal health agencies and restoring public trust in institutions like the FDA and CDC.
- CDC Director: Dave Weldon, a physician and former congressman, has been nominated to lead the CDC. For the first time, this position will require Senate confirmation as a result of new legislation passed in 2022.
- Surgeon General: Janette Nesheiwat, a Fox News medical contributor, is Trump’s pick for surgeon general. The surgeon general is responsible for educating the public on health issues, promoting disease prevention strategies, and issuing warnings on products that could pose health risks.
- NIH Director: Jay Bhattacharya, a physician and Stanford University professor, has been nominated by President-elect Trump to lead the NIH. If confirmed, he will be in charge as House Republicans consider NIH reform.
CMS issued its Medicare Advantage and Part D 2026 Proposed Rule. According to the CMS press release, the rule aims to improve transparency and hold plans accountable by requiring accurate provider directories, reforming the prior authorization process, and improving access to supplemental benefits.
Anthem Blue Cross and Blue Shield has reversed its decision to limit anesthesia coverage during surgeries, following a strong public response. The policy that was set to take effect in February sparked widespread concern.
According to a Congressional Budget Office (CBO) report released this week, if Congress does not expand Affordable Care Act subsidies set to expire at the end of 2025, 2.2 million Americans will lose health insurance in 2026. The number would later increase to 3.7 million in 2027. This will be one of the biggest health policy issues Congress will have to handle in 2025.