The Medicare Trustees Report Is Still Bad News

The Medicare Hospital Insurance (HI) Trust Fund will become insolvent in 2028, according to the latest report by the Medicare Board of Trustees in June 2022.  Last year’s report projected the HI Trust Fund’s insolvency date to 2026, which means the fund now has just two additional years of breathing room. 

In brief, the HI Trust Fund funds Medicare Part A, which reimburses providers for inpatient hospital services, hospice care, and skilled nursing facility and home health care services and is funded primarily through payroll taxes.  In contrast, a separate account known as the Supplementary Medical Insurance (SMI) Trust Fund funds physicians and other outpatient services under Part B and prescription drugs under Part D and is funded through general tax revenue and the premiums enrollees pay.

Better-than-expected recovery in economic growth, pay, and employment convinced the Medicare trustees to push out the HI Trust Fund’s insolvency date by two years.  The trustees also noted in their report that the COVID-19 pandemic isn’t expected to have a serious impact on Medicare’s finances

New projections that the HI Trust Fund will become insolvent two years later than initially expected isn’t the good news it seems to be.  In fact, the HI Trust Fund is in a world of trouble.  As the trustees noted in their report, there is much uncertainty on the economy, population demographics, and access to health care that indicate serious problems with the HI Trust Fund’s estimates on future expenditures, and there may be cause for concern regarding the report’s projected insolvency date. 

For example, the trustees made the economic projections that were included in the report back in February 2022 – right before COVID-19 cases started to shoot up again and inflation began to climb.  An analysis from the Committee for a Responsible Federal Budget says the trustees’ estimates appear to “understate inflation and overstate real economic growth.”  If inflation and poor economic growth is persistent into next year, the report might estimate a sooner insolvency date in their 2023 report.

Furthermore, the HI Trust Fund still faces a massive shortfall to the tune of a $350 billion deficit over the next 10 years.  The trustees project there will be a shortfall of 0.7% of payroll, or 0.3% of Gross Domestic Product (GDP).  This means either a 24% payroll tax or a 15% spending cut is required to prevent the fund from becoming insolvent.

Additionally, Medicare spending is expected to quickly increase.  According to the report, Medicare spending is projected to grow from 3.9% of GDP to 6% by 2040 before hitting 6.5% around 2070.  Medicare Advantage (MA) is cited as a primary driver of rising spending, as MA plans are argued to be more expensive than traditional Medicare.  On top of this, an aging population is driving overall health care spending higher, which includes the kind of inpatient services that Part A pays for. High spending means addressing the HI Trust Fund’s finances – whether by upping payroll taxes or cutting spending – is only going to get harder down the road.

There is some disagreement on how dire the situation is for the HI Trust Fund’s finances.  Even if the HI Trust Fund were to be depleted in the next few years, it would still pay roughly 90% of its current level.   However, this is far from an ideal scenario.  Insolvency essentially means Medicare Part A payments to providers would be reduced to levels that could only be covered by incoming tax revenues.  By only being able to pay nine-tenths of current program expenditures, an insolvent HI Trust Fund would affect providers by either delaying payments for all providers or having Medicare reimburse at a decreased rate for Part A careEither scenario could result in many seniors potentially losing access to care.    

Thus, the HI Trust Fund going insolvent is a big deal, and lawmakers will have to get their act together at some point to shore up Medicare’s finances.  It is important that lawmakers act sooner rather than later to bolster the trust fund by reducing spending, increasing revenues, or some combination of both.  Acting sooner would also boost the public’s trust in Medicare and stabilize the fund, heading off scenarios where providers face declining reimbursement and beneficiaries could lose access to care.

Are US Hospitals At Risk of Russian Cyberattacks?

The alarm is sounding for cybersecurity attacks.  In late February, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare warning that the Russian government could launch cyberattacks against the US economy – including the health care sector.  One month later, President Joe Biden publicly warned that Russian cyberattacks are “coming.”  Given these warnings, how worried should hospitals be?

The threat explained: Russia is no stranger to deploying cyberattacks.  In the days leading up to  Russia’s invasion of Ukraine on February 24, 2022, a series of Russian cyberattacks temporarily shut down websites for some Ukrainian banks and deleted data at multiple Ukrainian government agencies.  Since then, US government officials have expressed concern that Russia is preparing to launch cyberattacks against the US in retaliation for heavy sanctions levied against the Kremlin in response to the invasion of Ukraine.  However, the federal government has yet to offer any evidence of an anticipated specific cyberattack.   

Cyberattacks aren’t new to the health care industry.  In 2017, Russian-backed hackers launched a destructive malware called “NotPetya” initially targeted at Ukrainian interests that went on to infect several US-based health care stakeholders like Merck Pharmaceuticals and Heritage Valley Health System.  During the COVID-19 pandemic, the number of cyberattacks against US hospitals surged, with an estimated 50 million people in the US  had their sensitive health data breached in 2021.  According to a survey of information technology professionals, in 2020 more than a third of health care organizations reported that they were  hit by ransomware attacks, which is when hackers use encryption to hold a victim’s information at ransom.

Unfortunately, the health care sector is attractive target for cyberattackers.  Hospitals dealing with ransomware attacks are often pressured to pay hackers because they otherwise wouldn’t be able to operate.  And while some hospitals have invested in security-monitoring capabilities and new software over the past few years, most health care organizations have meager cybersecurity budgets and remain vulnerable to attacks.  Compounding these vulnerabilities is the COVID-19 pandemic, which has overwhelmed hospitals with patients and strained hospitals’ budget, leaving fewer resources available for cybersecurity. 

Congress and the Biden administration has proposed some steps to shore up the nation’s cybersecurity.  The Build Back Better Act (BBBA) included more than $500 million in cybersecurity funding, and President Biden’s Fiscal Year (FY) 2023 budget request calls for $11 billion in new cybersecurity spending.  Most recently, Sens. Jacky Rosen (D-NV) and Bill Cassidy (R-LA) introduced a bill to improve the health care industry’s cyber-defenses by requiring CISA to partner with the Department of Health and Human Services (HHS).  However, next steps for these proposals aren’t exactly promising – the BBBA is stalled in its current format, the president’s budget request is generally considered a wish list, and the cybersecurity bill has yet to add any cosponsors since its introduction on March 23.

Absent action from the federal government, there are steps hospitals can take to boost their defense against cyberattacks, as outlined in an American Hospital Association (AHA) advisory notice on the CISA warning.

  • Increase network monitoring for unusual activity.
  • Flag all inbound and outbound traffic from Ukraine and the surrounding area.
  • Implement four-to-six-week business continuing plans, with an emphasis on all internal and third-party mission-critical clinical and operational services and technology.
  • Check networks for redundancy, resilience, and security and create multiple data back-ups.

There is a chance that Russian hackers will leave the US health care system alone.  While Russia has certainly become more belligerent in cyberspace over the last decade, cyberattacks against Ukraine have been more limited than intelligence and defense experts have anticipated.  In fact, some experts say Russia’s cyber-forces may actually be overhyped and in a state of disarray – similar to Russia’s armed forces. 

But hospitals can’t rely on hope to stay safe from hackers.  If the experience of the last few years says anything, it’s that the health care system isn’t immune to cyberattacks, and that stakeholders would do best to prepare for the worst.

Hospitals Face Looming Deadline on Advance Medicare Payments

Hospitals face a fast-approaching deadline to pay back loans from the Medicare Accelerated and Advance Payment (AAP) programs towards the end of March. However, lawmakers who provided little assistance for hospitals in the way of additional relief funding in the most recent COVID-19 relief bill seem just as unlikely to adjust the loan repayment date.

The Medicare AAP programs, which predates the COVID-19 public health emergency, were designed to help hospitals and other providers withstand cash flow disruptions during emergencies.   The programs provide loans paid out of the Medicare Hospital Insurance (Part A) and the Supplementary Medical Insurance (Part B) trust funds and include timelines and terms for repayment.  Enacted on March 27, 2020, the CARES Act (P.L. 116-136) greatly expanded the Medicare AAP programs to include a broader swath of health care providers.  Of the $100 billion in Medicare advance payments loaned to providers in 2020, nearly 80% went to hospitals, while the remainder went to skilled nursing facilities, critical access hospitals, home health providers, and other types of providers and suppliers. 

While repayment for the AAP loans was originally set to begin in August 2020, Congress delayed the repayment start date to March 27, 2021 under the Continuing Appropriations Act, 2021 (P.L. 116-159).  Signed into law on October 1, 2020, the Continuing Appropriations Act also revised the repayment terms for AAP loans to allow Medicare to begin automatically recouping 25% of Medicare payments to the outstanding loan balance in the first 11 months following the March 27, 2021 repayment deadline and 50% of Medicare payments in the subsequent six-month period.

Hospitals are again requesting a delay in the repayment schedule and other changes to AAP programs due to concerns over continued revenue losses associated with the pandemic.  According to an analysis commissioned by the American Hospital Association (AHA), hospitals could stand to lose between $53-122 billion in revenue in 2021 due to costs related to COVID-19 vaccine distribution and the potential for future surges in case numbers to cause elective procedures to drop.  As such, America’s Essential Hospitals has urged congressional leadership to delay the AAP loan deadline and lower interest rates in a February 17 letter.  The AHA has gone a step further in asking the federal government to outright forgive the loans per a November 2020 fact sheet.

However, Congress has yet to deliver further.  In the American Rescue Plan Act of 2021, the latest COVID-19 relief bill that could be signed into law within days, lawmakers did not make any changes to the AAP program.  Congress also notably came up short on hospitals’ request to provide $35 billion in additional funding for the Provider Relief Fund.  Instead of more fully replenishing relief funds, the American Rescue Act only provides $8.5 billion in assistance, and specifically designates the monies for rural hospitals.

One reason lawmakers may be hesitant to make significant changes to AAP loans is the implications for the Medicare trust funds.  The Congressional Budget Office projects the Part A trust fund and Part B trust fund will become insolvent by 2026 and 2024 respectively.  Further changes to AAP programs that would protract repayment or forgive the loans outright would ramp up the timeline for the trust funds to run dry.

At the moment, Congress is carefully monitoring whether to legislate any additional financial help for hospitals, whether it be in the form of a delayed loan repayment date or grants from the Provider Relief Fund, taking a pass for now in the American Rescue Plan.