Comment 1

November 20, 2006

Cynthia Tudor, Ph.D.

Medicare Drug Benefits Group

Department of Health and Human Services

Centers for Medicare and Medicaid Services

7500 Security Boulevard, Mail Stop 53-16-16

Baltimore, Maryland 21244-1850

Via e-mail: PARTDappcomments@cms.hhs.gov

Re: Comments on Draft 2008 Solicitation for Applications for New Prescription Drug Plan (PDP) Sponsors

Dear Dr. Tudor:

SilverScript Insurance Company, a national Part D Sponsor, and SilverScript, Inc., a Part D pharmacy benefit management company (PBM), both affiliates of Caremark Rx, Inc., a leading PBM company, appreciates the opportunity to provide comments on CMS’ Draft 2008 Solicitation for Applications for new PDP Sponsors.

SilverScript Insurance Company (SSIC) is one of only 10 national PDPs servicing the Part D market. We have united with distribution partners, including health plans and Medicare Supplement providers, in the sales of our products nationwide. We bring substantial prescription drug benefit management experience through operating our own PDP (SSIC) as well as through our affiliate SilverScript, Inc. (SSI), a PBM offering prescription drug management services to Part D plans. SSI supports over 30 of our health plan clients, which have a combined membership of 2 million lives in Medicare Advantage and PDP programs.

We have are pleased to submit the following comments on the Draft 2008 Solicitation for Applications for New PDP Sponsors:

1. Section 2.4 and Section 4

CMS has added reference to the “forthcoming” call letter in the Instructions in Section 2.4 and in the Certification in Section 4. Specifically, the certification requires PDP sponsors to certify that they are “aware that there is operational policy guidance, including the forthcoming 2008 Call Letter…posted on the CMS website” and to acknowledge that they “will comply with such guidance should they be approved for a Part D contract.”

While we recognize and accept that a PDP that enters a contract with CMS to offer a Part D plan would be expected to agree to comply with the requirements of the Call Letter as part of that contract, we believe that it is premature to include this in the PDP Application, and that the appropriate vehicle for this commitment is the contract with CMS. The application is intended to provide information to evaluate the qualifications of an applying entity, whereas the contract is the vehicle for specifying the terms on which a qualifying entity will provide the benefit. It is neither meaningful nor appropriate for an entity to have to commit to program requirements before those requirements are known, and it should not be necessary for it to do so. This can and should be covered in the contract the PDP executes with CMS, at which time the Call Letter requirements will be known.

Recommendation: Delete the requirement to certify compliance with any “forthcoming” CMS Guidance, such as the “forthcoming Call Letter”.

2. Section 3.7

The third requirement in this section states that “ Applicant agrees that errors or omissions identified by CMS during analyses of the data will also result in the suppression of the Applicant’s pricing data from the website.” As written, this means that a single error or omission could result in suppression of the Sponsor’s pricing data. In many cases, the “errors or omissions” are simply a result of differences between the First DataBank and MediSpan files and the CMS Reference NDC File, which often contains obsolete and repackager NDCs.

We have recently discussed this issue in a conference call with Vikki Oates at CMS, and followed up with an email detailing our concerns and recommendations for addressing the problems associated with the Plan Finder. Specifically, we recommended that CMS utilize the previously implemented default for missing drug prices that was based on AWP minus 10% for retail and AWP minus 30% for mail to establish consistency across all plans and eliminate the need for manual file manipulation with each submission. Additionally, we recommended that all repackager and obsolete NDCs be removed from the CMS Reference NDC file. To date, these recommendations have been neither accepted nor rejected by CMS, but CMS has recognized this mis-information as an issue. In light of this, we believe a more reasonable and less punitive approach is reflected in the second requirement in Section 3.7, which would base suppression of pricing data on a lack of quality checks, rather than a single wrong item. We would therefore suggest that the third requirement be revised to require at least some determination of a pattern or practice of submitting wrong data before the pricing data is suppressed, rather than allowing suppression of pricing data to be based on a single event.

Recommendations: (i) CMS should utilize the previously implemented default for missing drug prices that was based on AWP minus 10% for retail and AWP minus 30% for mail to establish consistency across all plans and eliminate the need for manual file manipulation with each submission; (ii) all repackager and obsolete NDCs should be removed from the CMS Reference NDC file; and (iii) revise the third requirement in Section 3.7 to state that the Applicant agrees that “a pattern or practice of submitting data that contains errors or omissions will result in the suppression of the Applicant’s data from the website.”

3. Section 3.19

Requirements 6, 7 and 8 are all new requirements, and all go well beyond the requirements of HIPAA. As we are sure CMS appreciates, Part D sponsors are unlike other Medicare contractors in the Medicare fee-for-service (FFS) program which are business associates of CMS and so not directly subject to any of the HIPAA requirements. In contrast, Part D sponsors are, like CMS, themselves covered entities subject to all the HIPAA regulations and requirements. Neither Congress nor the Secretary has determined that it is necessary to impose additional obligations on other covered entities, including government providers and plans such as the VA, TRICARE or plans in the FEHB program. Absent a showing of myriad problems with protection of PHI by Part D sponsors, it is not clear why CMS has determined it necessary to invoke these more stringent requirements.

That said, we realize there is increasing concern about public disclosures of personal health information and the ability to enforce privacy and security obligations on offshore contractors. Therefore, we are not opposed to additional measures over and above the HIPAA requirements to address these concerns, but would ask that these measures take into account the burden and cost of compliance against the potential benefit. Specifically, we would suggest that the requirement to notify CMS of unauthorized public disclosures be revised to:

(i) increase the time frame for reporting from 48 hours to 30 days, as is currently the case for contractors in the Medicare FFS program. It should be noted that this will not in anyway postpone the Part D sponsor’s obligation to take action to mitigate the unauthorized disclosure, and simply allows the Part D sponsor the necessary time to investigate the incident, gather the necessary factual information surrounding it and determine an appropriate plan of action. In many, if not most cases, an entity will not have reliable or complete information to provide notification within 48 hours, especially in a national organization where it may take that long for all the relevant internal parties to be fully informed, especially if it occurs on a weekend or holiday.

(ii) limit this notification obligation to (a) electronic PHI records that include social security numbers or other identification or account numbers together with an individual’s name (so that this would exclude, for example, information that is the equivalent of telephone directory information), and (b) material public disclosures where there is a reasonable expectation that the disclosure could result in identity theft or other serious harm to the individuals involved, as is the case with most state security breach notification laws. For this purpose, a material public disclosure would involve disclosure in some public forum and of at least a material number of records. Again, these limitations would not in anyway limit the Part D sponsor’s obligations to take mitigation action immediately, but they would avoid constant notifications of low-risk disclosures, which would be a burden to CMS and Part D sponsors, and would instead require notifications to those situations where there is likely to be public concern, and therefore those in which CMS may be contacted by beneficiaries and others.

(iii) delete the requirement to obtain privacy and security certifications from an unrelated organization. This was considered at the time HIPAA was implemented, and was rejected by HHS as imposing a costly administrative burden on covered entities, while providing little benefit in return. While such certifications may give comfort to external parties, there is no evidence that they result in better systems, processes, policies or procedures, or better protections of beneficiary information. As is the case with certifications under Sarbanes-Oxley, there is no doubt that these certifications will impose tremendous costs on the Part D sponsor, not only to choose, engage, and pay the outside entity, but to assist it in understanding the Part D sponsor’s operations and structure and provide staff to support its efforts. The Part D sponsor is not only capable, but far better equipped to perform such a review itself, and indeed, many covered entities periodically conduct such internal reviews as they deem appropriate in light of internal or external changes affecting the organization.

Recommendations: (i) change the time period for notifying CMS of public disclosures from 48 hours to 30 days; (ii) limit disclosures to (a) electronic PHI records that include name and social security or other identification or account numbers, and (b) material public disclosures where there is a reasonable expectation of harm, with a disclosure being viewed as “material” and “public” only if it occurs in a public forum and involves a material number of records, and (iii) delete the requirement for certification by an unrelated organization.

4. Section 3.22

The last requirement in this section requires PDP sponsors to “implement within 90 days any new messaging approved by the NCPDP Workgroup to adjudicate a Part D claim and appropriately coordinate benefits in real time.” While we appreciate CMS revising the time period for implementation to depend on the date the messaging is approved by NCPDP, we are still concerned that a 90 day time frame may not be sufficient in all cases. The implementation time frame will vary with the complexity of the changes required, and it is difficult to commit to 90 days without knowing the nature of the changes required. Therefore, we would suggest revising this requirement to be more flexible, by either not specifying a time frame for implementing changes, or allowing NCPDP to recommend a time frame based on its assessment of the changes that will be required, and then requiring Part D sponsors to implement within that NCPDP- recommended time frame.

Recommendation: Revise the last requirement to delete the reference to implementation within 90 days of approval by NCPDP, or otherwise to require implementation within the time frame recommended by NCPDP.

We appreciate the opportunity to provide these comments. If you have any questions or would like discuss our comments, please do not hesitate to contact me at 202-772-3501.

Sincerely,

Russell C. Ring

SVP, Government Relations