Other representative goal(s) that fit under this budget category but are not listed in the chart are:

(MB4-01)

The HIPAA goal to ensure compliance with HIPAA requirements through the use of policy form reviews is an FY 2000 goal. The goal was revised to directly measure compliance with HIPAA by insurers instead of focusing on complaints. In FY 2000, we will complete 30 percent of the reviews for compliance in direct enforcement States, where HCFA is responsible for enforcement. The end of FY 2001, we will have completed 60 percent of our reviews.

The information technology architecture goal is designed to track the

development and implementation of an IT architecture framework. By the end of FY 2000, HCFA will have completed the development of the target architecture and migration plan, and will create a portfolio of IT investments to implement the migration plan beginning with the development of core data bases.

Description: Ensure compliance with HIPAA requirements by reviewing policy forms used by issuers in the group and individual markets in the direct enforcement States. The review will determine if such contracts are representative of the protections to be provided to individuals, small employer groups and large employer groups. This review process will determine areas of deficiencies in the contracts which require corrective action by issuers.

NOTE: This goal has been completely revised from the previous submission. After having a few years of experience with HIPAA, we have realized that the prior goal, which focused on complaints, would not be a meaningful goal. Since most of the States have enacted HIPAA legislation, few complaints actually reach the Federal level and instead are the responsibility of the States. Therefore, it would not be a good measure for accountability of Federal effectiveness in implementing or enforcing HIPAA. On the other hand, this revised goal directly measures the result we really want: compliance with HIPAA by insurers, specifically in States where we have enforcement authority. This is a better measure of our enforcement efforts and serves the public better since we will be taking action to review compliance for a major segment of the markets.

Budget Linkage: This performance goal is linked to the Administrative Costs

budget category.

FY 2001 Target: Increase the level of HIPAA compliance reviews in the market to 60 percent in direct enforcement States (California, Missouri, and Rhode Island) using policy form reviews as the measuring tool. The measure will be for the individual market and group market separately, but the States will be combined to yield a national percentage for direct enforcement States.

Discussion: Title I of HIPAA contains the health insurance access, portability, and renewability standards which apply to self-funded and fully-insured group coverage, as well as to individual market coverage. HIPAA was enacted to promote access to health insurance coverage to people who had lost their insurance, often through job dislocation, or who were previously uninsurable because of their health status.

Currently three States, Missouri, Rhode Island and California, have failed to pass or substantially enforce appropriate laws regarding group and/or individual insurance. Therefore, HCFA is directly enforcing the HIPAA requirements in Missouri and Rhode Island in the individual and group markets; and directly enforcing the HIPAA requirements in the individual market in California.

Policy forms were traditionally reviewed for compliance by the State insurance department of the State in which the form was issued. The policy form is a written document that represents the binding agreement of insurance between two or more parties. State insurance departments traditionally reviewed policy forms to ensure the contracts complied with appropriate laws and did not fail to disclose required benefits and rights afforded to the consumer. Since HCFA has now assumed enforcement in three States, we must take on certain responsibilities, which were previously conducted by the State including the review of policy forms. The policy form reviews will determine if the contractual wording of the forms fails to disclose certain protections afforded by HIPAA or is worded in a manner that prevents an individual or employer the required protections. If a policy form document fails to disclose certain rights to the consumer or excludes eligibility or benefits as required by HIPAA, the HCFA regional office (RO) will advise the issuer to amend the contracts appropriately. Therefore, when the policy form is issued to an individual or employer, the insured will be informed of the benefits and rights available to them.

The HCFA ROs for Missouri, Rhode Island and California will collect total premium volume and per issuer premium volume amounts by collecting data from the State insurance department or by reviewing the Statistical Compilation and Market Share Reports for Accident and Health Insurance Companies and Health Maintenance Organizations published by the National Association of Insurance Commissioner (NAIC). The NAIC is an organization established by the insurance commissioners of the 50 States. The purpose of the NAIC is to attempt to standardize reporting forms and operating procedures among all States with respect to insurance matters.

Each HCFA RO will identify the issuers which transact insurance in the individual market in Missouri, Rhode Island and California. We will also identify the total premium volume written in the State in the individual market. HCFA will determine the market share held by each issuer in the individual market by reviewing total premium volume collected in the State on individual policies in comparison to the premium volume underwritten by each issuer.

In addition, the Boston and Kansas City ROs will identify the issuers, which transact insurance in the group markets in Rhode Island and Missouri, respectively. Each HCFA RO will identify the total premium volume written in the State in the group market. They will determine the market share held by each issuer in the group market by reviewing total premium volume collected in the State on group policies in comparison to the premium volume underwritten by each issuer.

The HCFA ROs will request issuers, which represent 30 percent (60 percent for FY 2001) of the market in both the group and individual market to submit their forms to them for review. They will review the policy forms and identify deficiencies and incorrect provisions that fail to comply with the requirements of HIPAA. The issuer will be directed to revise the forms accordingly to ensure the policy form adequately represents the protections afforded by HIPAA to the individual, small employer group and large employer group. The forms may be resubmitted several times to verify that the changed wording is acceptable. If a company does not amend the forms, we, pursuant to the enforcement regulation published on August 20, 1999, effective September 20, 1999, must follow a process before we can take action. However, we can take action, which includes imposing civil monetary penalties. Once the form has been revised appropriately, the HCFA RO will advise the issuer that the form has been found to be acceptable to be used in that State.

Coordination: This will need to be coordinated internally in HCFA as well as with the State insurance departments and the issuers. Achievement of the targets depend upon the cooperation provided by the State insurance departments to confirm premium volume in order to identify issuers that maintain a significant market share in the State. In addition, the ROs in their objective to complete the policy form reviews will depend upon the cooperation provided by each issuer. Completing a policy form review will depend, in part, upon the timeliness of the submission of forms by the issuer and the attention given by the issuer to making the required revisions as recommended by the RO.

Baseline: The Health Insurance Portability and Accountability Act of 1996, (HIPAA) was enacted on August 21, 1996. The requirements set forth in HIPAA became effective at various stages with the final requirements effective on January 1, 1998. HCFA analyzed State enforcement decisions in 1998 and initiated policy reviews in 1999. The 1998 baseline is, therefore, zero.

Data Source(s): The policy forms will be submitted by the issuers. The primary data source to identify target issuers of which to request such forms will be State insurance departments and other State insurance regulatory agencies to confirm premium volume and market share. A second data source to confirm market share will be the Statistical Compilation and Market Share Reports for Accident and Health Insurance Companies and Health Maintenance Organizations published by the National Association of Insurance Commissioners (NAIC).

The NAIC is an organization established by the insurance commissioners of the 50 States. The purpose of the NAIC is to attempt to standardize reporting forms and operating procedures among all States with respect to insurance matters. The Statistical Compilation and Market Share Reports for Accident and Health Insurance Companies and Health Maintenance Organizations provides aggregate data for all companies that write accident and health coverage and file annual Statements with the NAIC.

Description: The development and implementation of an information technology (IT) architecture framework is a key component of the successful management of information systems at HCFA. This goal tracks the development and implementation of an IT architecture framework.

Budget Linkage: This performance goal is linked to the Administrative Costs budget category.

FY 2001 Target: Review and update at least two-thirds of the policies and standards set in FY 2000.

HCFA has developed an IT vision on which the target IT architecture will be based. Key elements of this vision are:

HCFA is working with a contractor to:

HCFA has recently completed baselining the existing architecture and documenting business objectives. The target architecture and migration strategy will be completed in early CY 2000.

As HCFA begins to move forward with the implementation of the migration plan it will begin to replace current, system-specific databases with new databases that have broad applicability across many systems. It will also redesign antiquated data systems and technology to take advantage of modern, more flexible programming languages. The result will be a systems environment that is more responsive to current and future business demands, less expensive to maintain, and better able to support program operations and policy decision-making.

Coordination: HCFA will coordinate the development of its target architecture and migration strategy with the Department of Health and Human Services (HHS), which is in the process of developing an Agency-wide IT architecture. This coordination will occur through regular meetings of the HHS CIO Council and its IT Architecture Group. In addition, HCFA will consult monthly with the Department and bimonthly with OMB to discuss the progress of this effort.

Baseline: Developmental

Data Source(s): (FY 2000 goal): The approval policies or standards will be noted in the minutes of the IT Council proceedings.

Verification and Validation: To be determined when quantifiable metrics are defined.

Budget Linkage: This measure is linked to the Administrative Costs budget category.

FY 2001 Target: To achieve zero material weaknesses in CFO audits. In addition, 95 percent of HCFA employees will receive security awareness training; and HCFA will complete site security reviews of at least a third of the

Medicare Contractor facilities.

Discussion: As HCFA moves further into on-line activity, with increased business partners and technology complexity, the protection of confidential information held in trust for the citizenry becomes increasingly at risk. HCFA is sensitive to the need to effectively fulfill its stewardship responsibilities for the information contained in its data systems and transported across its data network.

Security is evaluated by the Office of Inspector General (OIG) using seven major categories of control. OIG assesses the existence of:

Recent internal and external audits of the systems security posture of HCFA have shown an apparent need for HCFA to take additional steps to improve its security policies and practices and to assure that the IT assets of the Agency are protected, and that data covered by the Privacy Act and the Computer Security Act are safe from unauthorized access, damage, or modification. The goals of this initiative are to:

• Achieve a sustainable and effective HCFA system and network security posture.
• Develop a continuing and effective HCFA system and network security program, including recurrent appropriate training and education for HCFA software development staff and users, effective configuration management, recurrent penetration testing, and an operative incident-response capability.
• Develop and implement user-transparent administrative, physical, hardware, and software controls to adequately protect systems, networks, processes, and data.

The initiative includes the following areas of concentration: policies and procedures; security administration, training, and awareness; security systems engineering; oversight and management. Further, HCFA will need to implement the security requirements under the Health Insurance Portability and Accountability Act of 1996.

Since HCFA contracts with intermediaries and carriers (including Durable Medical Equipment Regional Carriers and Common Working File Hosts) throughout the country to process and pay claims for medical services rendered to Medicare beneficiaries, the security requirements that HCFA must meet also must be fulfilled by these contractors. Under this project, HCFA will issue up-to-date security requirements and guidelines for Medicare contractors. HCFA will assure compliance through a series of security audits. The plan is for every intermediary and carrier to undergo a review at least every 3 years, with corrective actions being taken to obviate any security problems or deficiencies.

Central Office showed 1 material weakness and 31 reportable conditions; and

4 material weaknesses and 102 reportable conditions for Medicare contractor systems. In Central Office, there was a material weakness in the control of access to production data. In the contractor area, there was one material weakness in physical access and three in the control of local modifications or overrides to shared system applications and edits programs. Reportable conditions were found in all seven categories of evaluation.

Verification and Validation: Audit and review findings are always verified by systems owners. In developing other data sources for measurement, validation will be taken into consideration together with data captured.

Description: To implement statutory requirements for developing new Medicare payment systems and to improve our ability to be a beneficiary-centered purchaser by, (1) developing additional prospective payment systems (PPS) in traditional fee-for-service Medicare, and (2) refining payments to Medicare+Choice plans by adjusting payments for the relative health status of beneficiaries.

Budget Linkage: This goal is linked primarily to the Administrative Costs and Medicare Contractors budget categories, and secondarily to the Medicare Benefits and Research budget categories.

FY 2001 Target: HHA PPS implementation is scheduled for October 1, 2000. In addition, HCFA is in the early stages of regulations development in order to implement PPS for inpatient rehabilitation hospital services by the statutory effective date of October 1, 2000. The implementation of risk adjusted payments to Medicare+Choice plans based on the Principal Inpatient Diagnostic Cost PIP-DCG model and the collection of additional encounter data should be continued in FY 2001.

Discussion: The Balanced Budget Act (BBA) of 1997 requires the development of a number of PPS systems in traditional Medicare and a risk adjustment methodology for payments to Medicare+Choice plans. The categories of providers or services that are to be paid on a prospective basis include skilled nursing facilities (SNF), home health agencies (HHA), inpatient rehabilitation hospital services, and services provided in hospital outpatient departments.

Prior to enactment of the BBA, SNFs, HHAs, hospital outpatient services, and inpatient rehabilitation hospital services were paid on a cost reimbursement basis (though certain limits apply). Prospective payment for these services is expected to result in more efficient provision of care, and lower costs to the Medicare program.

With regard to payment to Medicare+Choice plans, HCFA, the Congressional Budget Office, and numerous researchers have found that, because of the relatively better health of Medicare Health Maintenance Organization (HMO) enrollees, the current payment methodology results in costs to the Medicare program that exceed the program costs that would have been incurred if the current HMO population had remained in original (fee-for-service) Medicare. The payment reforms of the BBA that were effective for 1998 did not address the cause of these overpayments because the payment methodology did not have a risk adjuster that would decrease program payments for relatively healthier beneficiaries. However, based on BBA requirements, the Secretary implemented a risk adjustment methodology, on January 1, 2000, that accounts for variations in per capita costs based on health status.

We published the method for implementing risk adjusted payments in CY 2000. The final risk adjusted payment rates were published March 1, 1999. The Report to Congress was also sent at that time and this included a report on the actuarial soundness of the risk adjustment methodology. Further, encounter data was collected for the period July 1997 - June 1998 and this data was used to provide plans with payment estimates. HCFA implemented risk adjustment for payments in 2000 as required by the BBA.

Risk adjusted payments for Medicare+Choice plans based on hospital inpatient encounter data was implemented January 1, 2000. Additional ambulatory encounter data will be collected starting with the submission of physician data October 1, 2000, and then hospital outpatient data January 1, 2001. This data will be used to implement the comprehensive risk adjustment model in 2004. During the interim, the further refinement of the comprehensive risk adjustment model will be conducted.

Coordination: Not applicable.

Baseline: Prior to the enactment of BBA of 1997, SNFs, HHAs, hospital outpatient hospital services, and inpatient rehabilitation services were all paid for on a cost reimbursement basis (although certain limits applied). Payments to managed care plans were not risk-adjusted (did not reflect variations in per capita costs based on health status of beneficiaries).

Data Source(s): Required regulations and/or notices must be published in final in time to implement each provision. Timely completion of regulations is therefore a necessary component of the data source that determines whether HCFA has been successful in meeting this performance measure. We intend to further refine and improve the payment methodologies on a continuous basis to ensure that payments are as appropriate as possible and that the payment methodologies serve the purposes for which they were intended. HCFA will use data and studies to determine whether, for example, payments to health plans appropriately adjust for health status, and the payment methodology includes appropriate incentives to prevent biased selection (i.e., preventing health plans from being able to game the system by targeting, or avoiding, enrollment of particular categories of beneficiaries).

Verification and Validation: Studies will be conducted to evaluate the appropriateness of the payment systems with a view towards continuous refinement.

Performance Goal FAC5-01

Description: Improve the exchange and flow of management information within HCFA.

Budget Linkage: This performance goal is linked to the Administrative Costs budget category.

FY 2001 Target: Developmental. During FY 2000 we will gather baseline information on the formal, informal and information communication and coordination systems in use at HCFA. Once this information is analyzed and a set of recommendations developed, a target will be set for FY 2001.

Coordination: We will coordinate this initiative internally, as well as with stakeholders and oversight organizations, such as the Assistant Secretary for Management and Budget (HHS) and the Office of Management and Budget.

Baseline: Developmental. A baseline study will be conducted during FY 2000 to include the analysis of formal communication and coordination systems currently in use at HCFA and informal organizational practices and assumptions regarding communication and coordination. The analysis will include informational tools, organizational roles, communication policies, standard operating procedures, and other mechanisms intended to facilitate the flow of information and coordination of business activities throughout the Agency. Informal organizational practices will include the assumptions and daily practices HCFA managers and staff apply to the need for coordination and communication.

Data Source(s): Detailed analysis of the nature of communications and coordination within HCFA. Interviews, review of current information management systems, surveys, and focus group discussions.

Verification and Validation: To be determined.