Capitol Insights Newsletter

Authors: Luke Schwartz, Caroline Oliver, and Matt Reiter

What happened in Congress this week?

The House Energy and Commerce Committee’s Oversight and Investigation Subcommittee convened on Tuesday this week for a hearing examining improper payments in Medicare and Medicaid. Lawmakers expressed concern about financial mismanagement and the threat of improper payments to the programs’ abilities to accomplish their goals. The discussion focused mostly on Medicare Advantage and managed care organizations for Medicaid. Witnesses advocated for more timely audits and improved data accuracy, collection, and use to address program integrity.

HHS Secretary Xavier Becerra testified before the House Energy & Commerce’s Health Subcommittee this week on the FY 2025 HHS budget. Overall, Democrats applauded the budget while Republicans criticized the budget for not doing enough to reduce healthcare spending.

House Energy and Commerce Health Subcommittee Holds Hearing on Impacts of Change Healthcare Cyberattack

The devastating cyberattack on Change Healthcare has garnered the attention of Congressional leaders. On Tuesday, April 16th, the House Energy & Commerce Committee’s Health Subcommittee held a hearing titled “Examining Health Sector Cybersecurity in the Wake of the Change Healthcare Attack.”

Despite widespread disappointment from Congressional leaders that the UnitedHealth Group (UHG) CEO was not in attendance, the hearing featured witness testimony from cybersecurity leaders, public policy directors, a health IT professional, an American Hospital Association representative, and an orthopedic surgeon. The three-hour hearing allowed the witnesses to describe the disruptions caused by the cyberattack on Change Healthcare and the urgent need for Congressional action to minimize the chances of cyber incidents in the future.

The Need for Financial Assistance to Improve Cybersecurity

There is bipartisan agreement that there needs to be heightened cybersecurity risk management and standards in the health sector. The Committee and witnesses agreed that protocols and risk management should be spread across the many players across healthcare. However, many expressed concern that medical practices (especially small and rural practices) would face problems implementing any cybersecurity requirements without assistance from the federal government. Witnesses advocated for federal funding to assist entities that must implement new cybersecurity requirements.

Witnesses also articulated the importance of focusing new cybersecurity requirements on the “highest value” targets. In many cases, vendors that hold large amounts of Protected Health Information (PHI) are higher value targets than medical practices.

The hearing also discussed the importance of easing access to financial support following a cyberattack. Committee members and witnesses agreed that federally supported financial assistance programs took too long to take effect- this is largely because a cyberattack usually does not constitute a Federal Emergency Management Agency (FEMA) National State of Emergency. To remedy this problem, witnesses proposed creating a lower-level state of emergency for cyberattacks that would allow funds to be distributed to providers in a timely manner to ensure that patients are treated and medical practices can pay their bills.

Concerns with Consolidation/Vertical Integration in the Health Sector

Another area that received major hearing coverage was the harms of healthcare consolidation/vertical integration. There was widespread concern among members of Congress and witnesses that healthcare consolidation and vertical integration posed major consequences for cybersecurity. Ironically, the prime example is UHG, the world’s biggest privately owned healthcare conglomerate. UHG acquired Change Healthcare in late 2022. The Department of Justice (DOJ) unsuccessfully challenged the acquisition. Large healthcare companies have access to abundant amounts of sensitive PHI which makes them especially high-value targets for cybercriminals. When probed about whether vertical integration in the health sector could lead to higher national security risks, the witnesses unanimously agreed this was the case as healthcare is considered critical infrastructure.

Notably, it was highlighted that Optum (the subsidiary of UHG that owns Change Healthcare) is capitalizing on the issues it has caused by acquiring vulnerable clinics financially struggling due to the cyberattack. The hearing called attention to Corvallis Clinic in Oregon, which in March, requested emergency acquisition by Optum due to a major cash flow disruption. According to the witnesses, this is just one of many such instances.

Looking Ahead

More hearings on the cyberattack are expected soon. The Senate Finance Committee is expected to announce a hearing with UHG CEO Andrew Witty in the coming days. The Senate Committee on Health, Education, Labor and Pensions (HELP) is holding private meetings with UHG. It is unclear if these meetings will lead to a HELP Committee hearing.

Top Stories in Healthcare Policy

A survey by the Kaiser Family Foundation determined that 23% of Medicaid enrollees who were disenrolled during 2023 remain uninsured. Additionally, 47% of individuals who were disenrolled regained coverage in Medicaid, while 28% now have a different form of coverage.

Coloradans for Protecting Reproductive Freedom announced last Friday that advocates have collected enough signatures to have a proposed amendment that protects access to abortion on the state’s ballot in November. Measures on abortion will also be on the ballot in New York, Florida, and Maryland, as advocates seek to add other states to the list.

Researchers at Harvard studying private equity ownership of hospitals found that patients in hospitals owned by private equity experienced 25.4% more hospital-acquired conditions, such as central-line bloodstream infections. The study, published in the Journal of the American Medical Association, analyzed almost 4.8 million Medicare claims between 2009 and 2019.

A Medscape report on physician compensation found that, on average, total compensation for physicians grew by 3% in 2023. The report, which surveyed 7,000 physicians, also found that 61% of doctors believe the profession is underpaid and highlighted differences in payment between different specialties.

The Biden Administration is facing a tight deadline to finalize regulations across policy areas, including health care. The Congressional Review Act allows a new Congress to review rules proposed in the last 60 legislative days of the previous Congress, meaning the Biden Administration has until around the end of May to finalize regulations to avoid review under this act.

A Government Accountability Office report released this week found that broad regulatory authority is effective for states that regulate pharmacy benefit managers (PBMs). States reviewed for the report include Arkansas, California, Louisiana, Maine, and New York.

A report released by the Congressional Budget Office examined factors that lead to savings in Medicare accountable care organizations (ACOs). CBO determined that ACOs run by independent physician groups or with more primary care providers have greater savings.

The Federal Trade Commission (FTC) issued a proposed order that prohibits Cerebral, an online mental health service company, from using consumers’ personal health information for advertising purposes. The order will also require Cerebral to pay $7 million in fines for failure to protect consumer health data if approved by the court.

The Biden Administration announced a new United States Global Health Security Strategy aimed at addressing the prevention of and response to the spread of infectious disease. The strategy involves expanding global health strategy partnerships from 19 countries to 50 countries.

UnitedHealth Group reported $99.8 billion in revenue in the first quarter of 2024, compared to $91.9 billion in the same quarter last year. The company estimated that the fallout from the cyberattack in February impacted each share by 74 cents.

This week, the White House Office of Management and Budget finished reviewing a proposal by the HHS Office for Civil Rights that would expand HIPAA protections for patient health information regarding reproductive health care services, like abortion.