States Begin to Enact Workplace Violence Prevention Laws July 1, 2024

By:  Dorothy Cociu, RHU, REBC, GBA, RPA, LPRT
President, Advanced Benefit Consulting & Insurance Services, Inc.

It’s the middle of the afternoon and you’re having a really good day at work.  You turned in your report that resulted in high praise earlier, you closed a huge sale and you and your team just received a very loud, standing ovation at your staff meeting.  Everyone seems happy.  There are smiles all around; the atmosphere is positive and invigorating, and you’ve never been so happy in the workplace.  What more could you ask for?  Perhaps the answer to that question could be simply to feel safe.

Your company has grown significantly, and you can no longer have staff meetings in a training or conference room.  You are in the open in the warehouse, which is the only place large enough to gather the entire warehouse day shift, office/administration staff, sales and all other personnel.  As the applause begins to dissipate, there is a loud series of pop-pop-pop sounds followed by screams of terror, and everyone begins running, but no one knows where to run to.  Eyes are filled with horror and tears, and people are literally shoving and pushing others to get to an exit.  There are people lying on the floor being trampled, and there are large warehouse shelving units  and cabinets that are toppled over and inventory is crashing onto people before hitting the floor.

Everyone appears to be in shock, and no one knows what to do.  After a few seconds it begins to register that something really bad is happening.  Then you hear people screaming “Shooter” and then more shots are heard, closer this time.  You see people with splatters of something red on their clothing as they run by, and you realize that it must be blood.  You instinctively turn toward the direction they are running from and you see something that should only be seen in a movie, but instead, it’s right in front of you.  Four people are lying on the floor, injured or possibly worse.  Then you see the barrel of a very large gun coming from around the corner and out into the open toward you.  You watch in what appears to be slow motion and you see the gun being fired, and it’s aiming in your direction.  At that point, it all becomes a blur, as  you feel something hit your leg and your body begins to shake as the pain surges through you.  Before you black out, you see images of your family flash before your eyes….

Most of us think of our top two priorities in life as our family and our jobs.  Both should be safe and secure, and both should be filled with a healthy combination of joy, frustration and stress.  We all hope that the joy far outweighs the frustration and stress.  But what happens when somewhere we are all supposed to feel safe turns into a place of chaos and trauma, violence and disaster?

Workplace Violence & Workplace Violence Plans

What is Workplace Violence? As taken from California’s Cal-OSHA website, Per Labor Code section 6401.9, “workplace violence” is defined as any act of violence or threat of violence that occurs in a place of employment. This includes, but is not limited to, the following:

• The threat or use of physical force against an employee that results in, or has a high likelihood of resulting in, injury, psychological trauma, or stress, regardless of whether the employee sustains an injury.
• An incident involving a threat or use of a firearm or other dangerous weapon, including the use of common objects as weapons, regardless of whether the employee sustains an injury.
• The four types of workplace violence defined in Labor Code section 6401.9.

Why is all of this so important now?  As stated on the Cal-OSHA website, On September 30, 2023, California Senate Bill 553 (Cortese) was signed into law and California Labor Code section 6401.9 will be in effect and enforceable on July 1, 2024. Employers that fall within the scope of this law must establish, implement, and maintain an effective written Workplace Violence Prevention Plan that includes but is not limited to the following:

• Identifying who is responsible for implementing the plan
• Involving employees and their representatives
• Accepting and responding to reports of workplace violence and prohibit employee retaliation
• Communicating with employees regarding workplace violence matters
• Responding to actual and potential emergencies
• Developing and providing effective training
• Identifying, evaluating, and correcting workplace violence hazards
• Performing post incident response and investigations

Categories of Workplace Violence

Unfortunately, these scenarios, as well as overall violence in the workplace, have become far too common.  There are four categories of workplace violence, according to the National Institute for Occupational Safety and Health:  1) Criminal Intent; 2) Customer/Client; 3) Worker-on-Worker, and 4) Personal Relationship, which overwhelmingly targets women.

I was shocked when I read some of the statistics on workplace violence while researching for this article.  Assaults resulted in 57,610 injuries in the workplace in 2021-2022, according to the National Safety Council (NSC).  In 2022, 525 fatalities due to assault were reported, according to Injury Facts.  Every year, according to NSC, thousands of American workers report having been victims of workplace violence.  Certain industries, including health, service providers and education, are more prone to violence than others.  OSHA reports that taxi drivers, for example, are more than 20 times more likely to be murdered on the job than other workers.  The Centers for Disease Control and Prevention (CDC)’s National Institute for Occupational Safety and Health (NIOSH)  reports that in 2020, health care and social assistance workers had an incidence rate of 10.3 out of 10,000 full-time workers) for injuries resulting from assaults and violent acts by others.  The rate for nursing and personal care facility workers was 21.8.  According to the NSC, assault is the fifth leading cause of workplace deaths.

Active Shooter v Other Workplace Violence

The deadliest situations of course involve an active shorter.  The US Department of Homeland Security defines an active shooter as someone “actively engaged in killing or attempting to kill people in a confined and populated area.”

The US Bureau of Labor Statistics states that 20,050 workers in the private industry experienced trauma from nonfatal workplace violence in 2020, which required days away from work.  Of these victims who experienced trauma from workplace violence, 73% were female, 62% were aged 25 to 54, 76% worked in the healthcare and social assistance industry, and 22% required 31 or more days away from work to recover, and 22% involved 3 to 5 days away from work.  That same Bureau reports that 392 US workers were workplace homicide victims in 2020 that died from homicide.  Of those, 81% were men, 44% were aged 25 to 44, 28% were Black and 18% Hispanic.

According to The Economics Daily (TED) of the Bureau of Labor Statistics, the five occupational groups with the most workplace homicides in 2020 were sales and related (92), transportation and material moving (51), management (29), construction and extraction (20), and production (18).   Non-fatal workplace intentional injuries by another person that required at least one day away from work in 2020, included 18,690 in Service, 8,590 in Healthcare Practitioners  and Technical, 5,470 in Education instruction and libraries, 1,560 in transportation and material moving, and 1,360 in management, business or financial areas.

The statistics are overwhelming, but we care mostly about how it affects us, our workplace and our lives.

Cal-OSHA has posted this on their website:  “According to the latest data, in 2021, 57 working people died from acts of workplace violence in California. In the United States, an average of 1.3 million nonfatal violent crimes in the workplace occurred annually from 2015 to 2019. For further details see Indicators of Workplace Violence, 2019 (published 2022).”

I recently spoke with Michael Julian, CEO from ALIVE Active Shooter Survival Training Program, MPS Security and Protection and National Business Investigations, Inc. and Tony Clubb, Active Shooter Master Trainer from ALIVE Active Shooter Survival Training Program about workplace violence and active shooter situations.  Michael was a guest on my Benefits Executive Roundtable podcast this past season (S5 E16) and was very passionate about protecting workers from active shooter situations, and how common they have become, particularly when comparing to a decade ago, which mirror some of the statistics stated above.

“There are roughly 2 million victims of workplace violence annually in the United States Each year,” stated Michael. “According to Safety and Health Magazine ‘over the last six years of the study period, workplace violence-related deaths rose 11%, from 409 in 2014.’ In addition, we have seen a steady rise in the number of active shooter incidents over the last 20+ years. From 2000 through 2019, there were 333 active shooter incidents in the US. From 2020 through 2022, there have been 151.’”

Workplace violence can  happen in any city, any state, any type of workplace.  All you need is a disgruntled current or former employee or a family member of such, and extenuating circumstances which cause that person to take drastic measures.

California’s SB 553- Workplace Violence Prevention

California is leading the nation (no surprise there) with legislation (SB 553) set to go into effect on July 1, 2024, which includes massive requirements for workplace violence training, logging and other tedious requirements.  Although I’ll be discussing the upcoming California state legislation, the same circumstances may happen in whatever state you are in, regardless of whether or not you have state laws to help educate or prevent certain activities.

Workplace Violence Plans  and California’s SB 553

I asked Michael Julian how other states are responding to workplace violence in general and if they have or expect to have similar laws to CA’s SB 553 in the near future.

“There are currently no other states mandating such stringent workplace violence prevention laws as SB 553,” Michael replied, “but California is somewhat of a trend-setter in areas like this, so most states will begin to follow suit by implementing similar laws.”

So how comprehensive is SB 553?  I asked Michael about this and some of the requirements he felt employers aren’t and won’t be ready for by the July 1, 2024 deadline.  “SB 553 requires organizations to develop a Workplace Violence Prevention Plan, establish effective training, maintain a Violent Incident Log, investigate incidents, and retain records for specific lengths of time. I think the infrastructure the organization has in place will determine which component will cause an organization the most trouble. For example, a larger organization with HR resources in place may have the most trouble getting their staff the required training annually. The training must be interactive, and the employees need to be able to ask questions. On the other hand, a smaller organization may find it easier to give the training to their staff but may struggle with the more technical parts such as developing the WVPP with input from employees/bargaining units, completing the physical security audit and providing the active shooter training.”

Are most California employers ready to implement SB 553?  “I think organizations that have a fully staffed HR department or have an HR firm providing consultation, are probably moving in the right direction. However, it appears that many businesses that do not have these resources currently in place are unaware of the requirements this legislation mandates,” stated Michael. 

I also asked our Benefits Attorney, Marilyn Monahan, the same.  “I suspect many employers are not prepared. Cal-OSHA is working to get the word out, and so are many law firms, HR consultants, and other service providers. And we do know that many employers have gotten the message and are starting to work on implementation.  However, the law is sweeping in its application, and I would not be surprised if many employers—especially those who do not have a lot of resources available to them—are unaware or unprepared for implementation.”

Implementation is always the key to law enactment and enforcement.  This law is wide-reaching and will require a tremendous amount of management and Human Resources labor hours to understand and implement.

“This new law will add a massive amount of new work to many HR departments that are already overtaxed, especially if they try to create and implement what is necessary to fulfill these new requirements themselves,” stated Tony Clubb.  “They will have three choices; completely create everything from scratch themselves, obtain a package of templated documents and the training presentation to complete and deliver themselves, or hire an outside consultant to do all the work for them, which could be quite expensive.”

Marilyn Monahan was concerned about the complexities of the law and made these comments:  “Employers need a written workplace policy, and there are numerous steps involved in putting the policy together.  For example, they have to develop procedures to obtain the active involvement of employees and authorized employee representatives in developing and implementing the policy.  Once the policy is written, they have to implement it.  An important part of implementation is mandatory training.  To start the process, Cal-OSHA has issued a model policy.  While the model policy is a helpful starting point, it must be tailored to address the specific circumstances of the employer’s workplace—and for employers with multiple facilities, that means multiple policies or procedures. The law also includes detailed record-keeping requirements.”

The Cal-OSHA Model policy and related documents can be found at:  https://www.dir.ca.gov/dosh/Workplace-Violence.html.

What Employers Must Know; Even Those Who Don’t Believe it Could Happen to Them

In my recent podcast interview with Michael Julian (Benefits Executive Roundtable, S5 E16) we talked in detail about workplace violence, active shooter situations and the reality of today’s world, as well as the inability or unwillingness of some employers to actually perceive that events like active shooters could happen in their workplace.  I asked Michael in the podcast, and again recently for this article, if he thinks most employers are equipped to handle an active shooter situation.

“No,” said Michael, absolutely.  “A small percentage of employers have implemented proper physical security apparatus to harden themselves as a target or provided adequate active shooter response/survival training. Per statistics published on Zippia.com, ‘Although 62% of companies view an active shooter as a top threat, as many as 79% of businesses report feeling unprepared for an active shooter, meanwhile, 61% of these companies do not run any proactive active shooter preparedness drills or training for their employees.’” 

If the unthinkable happens, there are things an employer should know to do immediately after an Active Shooter is known to be on the premises.  I asked Tony Clubb to walk us through those first critical steps.

“Previous to any type of catastrophic violent event, all employees should be trained on the appropriate way to respond to such an event,” stated Tony. “Employers and employees should follow these steps upon learning of the presence of an active shooter:

• ASSESS the situation to determine which of the following next steps are appropriate and call 911 immediately.
• If possible, LEAVE the danger zone as quickly and safely as possible, notifying others of the danger.
• If leaving is not possible, attempt to IMPEDE the killer’s ability to get to you by creating time and space.
• If no other option is available, commit to VIOLENCE against the killer to neutralize the threat.
• When you believe the threat is over, EXPOSE your position carefully. There may still be a threat, and law enforcement will not know who the threat is so they may treat you as one.”

Can the risk of an active shooter be minimized or prevented?  Are there steps that can be taken to decrease your risk of an active shooter?  I asked Michael what he thought the five best things an employer can do to minimize the risk of an active shooter, if that’s at all possible.  Michael didn’t even hesitate or have to think about it when I asked.  “An employer must…

• Provide effective training to staff on how to prepare for and respond to an incident.
• Ensure your site is hardened by making it difficult for someone to gain unauthorized access and setting up safe rooms where staff can shelter in place.
• Ensure resources are available for staff that are struggling, ensure they know how to utilize them, and ensure they know how to refer people to them.
• Establish an effective reporting system that allows staff to remain anonymous if they choose.
• Develop a timely process to investigate reports of workplace violence or concerns for workplace violence.”

None of that sounds easy and it all sounds very time-consuming and stressful for the employer; particularly their HR Department.  Does SB 553 apply to all employers or are there employers who are exempt from the law?  Marilyn Monahan advised “Exempt employers include:  health care facilities that are in compliance with an existing mandate that they have a workplace violence policy in place; employees teleworking from a location of the employee’s choice, which is not under the control of the employer; and places of employment where there are less than 10 employees working at the place at any given time and that are not accessible to the public, if the places are in compliance with existing rules on Injury and Illness Prevention Programs.”

Michael Julian and Marilyn Monahan provided me with a list of the types of exempted employers for SB 553 requirements:

• Health care facilities, service categories, and operations covered by Section 3342 of Title 8 of the California Code of Regulations.
• Employers that comply with Section 3342 of Title 8 of the California Code of Regulations.
• Facilities operated by the Department of Corrections and Rehabilitation, if the facilities are in compliant with Section 3203 of Title 8 of the California Code of Regulations.
• Employers that are law enforcement agencies that are a “department or participating department,” as defined in Section 1001 of Title 11 of the California Code of Regulations and that have received confirmation of compliance with the Commission on Peace Officer Standards and Training (POST) Program from the POST Executive Director in accordance with Section 1010 of Title 11 of the California Code of Regulations. However, an employer shall be exempt pursuant to this subparagraph only if all facilities operated by the agency are in compliance with Section 3203 of Title 8 of the California Code of Regulations.
• Employees teleworking from a location of the employee’s choice, which is not under the control of the employer.
• Places of employment where there are less than 10 employees working at the place at any given time and that are not accessible to the public, if the places are in compliance with Section 3203 of Title 8 of the California Code of Regulations.

Workplace Violence Prevention Implementation, Training & Resources

Whether the employer is in California and must meet the SB 553 requirements or is located in another state, most of the things discussed in this article would be relevant (other than those specific requirements of SB 553) to any employer, anywhere.  Whether you’re in California or not, but want to address the possibility of workplace violence and create a plan on what to do if the unthinkable happens, human resources departments, which are already spread too thin, probably aren’t going to be able to do this on their own.  Nor would their executives want them to.  These are complex issues and preparation is exhaustive.  If you have to or want to implement a workplace violence prevention program, an easy place to start is at the Cal-OSHA website, where they have posted Fact Sheets and have created model prevention plan samples, depending on industry.  You can find these at:  https://www.dir.ca.gov/dosh/Workplace-Violence.html

However, it’s important to keep in mind, these are just models.  I asked Marilyn if she had words of caution or advice for employers when using the government-provided models.  “The guidance and the models are a good starting point, but more work will have to be done. Employers may need to work with outside counsel, an HR consultant, or a workplace safety consultant in order to put an effective and compliant policy in place.”

I also asked if Marilyn would have any recommendations for employers when determining whether to try to do the implementations themselves in-house or hire outside experts.  Marilyn recommended:  “As is the case with any service provider, compare experience, references, and cost to ensure the employer is retaining the services of a competent and effective partner in this process.”

I also asked Tony what they would recommend.  “If an employer has adequate resources in-house, they should use them,” stated Tony. “If not, for something as serious as workplace violence prevention, we recommend using consultants with the appropriate expertise and experience to address this issue.”

The Aftermath

The actual event is only the beginning for some.  Often it involves ongoing medical care and therapy, grief counseling, treatment/counseling for post traumatic stress or depression or survivor guilt syndrome, just to name a few.

… You open your eyes and realize everything is a bit blurry.  You feel groggy and heavily medicated.  Then you begin to realize that you’re in a hospital.  Why am I here, you ask yourself?  Then you begin to recall.  Work, people running, scared, gun, pain and then… nothing.  You passed out from the pain and blood loss from a gunshot wound to the leg.  You look down and are relieved to see that your limbs seem to be in tact, but your leg is heavily wrapped with something and is elevated.  You can’t quite process it yet. 

The nurse, who had been doing work on a monitor by the cabinet a few feet from you, now turns to you and speaks.  “You’re awake,” she states.  “It’s ok.  There was an incident, you were hurt, but you’re better now.  You had surgery.”  She goes on to explain that you were shot in the leg, and although you lost a lot of blood, they were able to surgically repair your leg, but you should be prepared for some long-term therapy and a somewhat long road to recovery.

“My family,” you reply in a soft and raspy voice you don’t recognize.  “Are they ok?  Do they know?  Are they afraid?  I have to talk to them!”

“It’s ok,” says the nurse calmingly.  “They are here.  That’s a big-hearted bunch out there.  You’ve got family, friends and co-workers out there, all worried about you.  I’ll go out and let them know you’re awake and talking, and soon I can let them in to see you, two at a time.”

“Wait,” you ask, “the others?  Is everyone ok?  I saw… I saw blood, and a gun, and a shooter… Did everyone make it?  Is everyone ok?  What happened?”

The nurse’s face suddenly looks sad.  “You were one of the lucky ones.  You were shot in the leg… Others weren’t so lucky.  I’m afraid there were some casualties, and a lot more injuries.  We’ll fill you in later, after you’ve been able to see some family.  Sound good?  I’ll be right back.”

As soon as the nurse leaves the room, it all begins to come back to you, and you start to feel overwhelmed, frightened, and very sad.  But you’re full of questions and simply overwhelmed.  Who died?  Who is also injured?  Who was the shooter, and why did he do this?  Just as you start to cry, the smiling faces of your wife and your daughter run into the room to greet you.  You fight back the tears, and open your arms for them…

Three months later, you still aren’t back to work, as the intense physical therapy for your leg injury continues.  You tried working remotely from home, but you just can’t seem to concentrate.  You have also been seeing a therapist about your post-traumatic stress disorder and your survivor’s guilt, which developed after you discovered nine people died that day, and three were your friends.  17 others were injured, and 11 still haven’t returned to work.  Your company offered an employee assistance program and brought in special counselors, but it just hasn’t been the same. …

The violent event may be over, but the recovery will take much more than surgery to heal.  The emotional part of workplace violence will be with you for the rest of your life, and it’s after the event, that’s where the real work begins.

Employers may want to consider, both inside California where required and out,  if they’ve done enough to prevent this type of thing from happening, and how they should prepare and train their employees.  Maybe some prevention steps could decrease the likelihood, and if it does happen, decrease the number of casualties and injuries.  We all want to feel safe at our jobs.

##

Author’s Note:  I’d like to thank Marilyn Monahan, Monahan Law Office, Michael Julian and Tony Clubb from ALIVE Active Shooter Survival Training Program, MPS Security and Protection and National Business Investigations, Inc. for their assistance with this article.  Marilyn can be reached at:  marilyn@monahanlawoffice.com.  Michael can be reached at:  mjulian@investigations-nbi.com, or Michael Julian, CPI PPS CSP, CEO, at 866-624-8050 x26, and Tony Clubb can be reached at:   tclubb@aliveactiveshooter.com.   Michael and Tony offer A.L.I.V.E. Active Shooter Survival Training Program at:  www.ActiveShooterSurvivalTraining.com

Reference Sources: 

Cal OSHA website and California Department of Industrial Relations Division of Occupational Safety & Health, Fact Sheet, Workplace Violence Prevention in General Industry (Non-Health Care Settings)- Information for Employees; California Department of Industrial Relations Division of Occupational Safety & Health, Fact Sheet, Workplace Violence Prevention in General Industry (Non-Health Care Settings)- Information for Employers; Cal-OSHA’s Workplace Prevention Model Plan, available at:  https://www.dir.ca.gov/dosh/Workplace-Violence/General-Industry.html.  Other reference Sources Mentioned in this Article:  https://www.nsc.org/workplace/safety-topics/workplace-violence#:~:text=Every%20year%2C%20thousands%20of%20American,according%20to%20Injury%20Facts%C2%AE. https://www.cdc.gov/niosh/topics/violence/fastfacts.html

TED:  The Economics Daily, US Bureau of Labor Statistics, Workplace Violence:  Homicides and nonfatal Intentional Injuries by Another Person in 2020, November 21, 2022

US Centers for Disease Control and Prevention, National Institute for Occupational Safety and Health (NIOSH) website

NSC Injury Facts, Assault at Work Federal Agencies Release Joint Study on Workplace Violence, July 21, 2022, Bureau of Justice Statistics, Department of Justice, Fast Facts 

Alternative and Holistic Medicines in Health Care and CBD…Is There a Path to Future Health Plan Coverage?

By Dorothy M. Cociu

RHU, REBC, GBA, RPA
President, Advanced Benefit Consulting

Artificial Intelligence in the Benefits & HR Space; Protecting Private Data When Moving Toward AI in the Workplace

Published by Manage HR and HR Tech Outlook

 orothy Cociu, RHU, REBC, GBA, RPA President, Advanced Benefit Consulting

Artificial Intelligence is everywhere; growing more rapidly than anyone ever anticipated. It has become a part of our daily lives; whether seeing and using predictive text on your computers or phones or chat features while looking at products or services online, and sometimes when getting those automated phone responses when you’re stuck talking to machines instead of a real person when you really need a human being to discuss something with. Whether you view it as scary or innovative, frightening or fascinating, annoying or thought-provoking, it’s here, and the possibilities of AI seem endless.

I recently sat in a Professionals in Human Resources (PIHRA) south Orange County meeting on AI with multiple speakers and a packed room.  One of the speakers, doing an actual ChatGPT demonstration, asked the audience, full of HR professionals, to respond to a multiple-choice question on whether or not they or their organization were using some sort of AI program like ChatGPT. An overwhelming majority responded with “yes, but my boss doesn’t know it!,” which really got me thinking
about how many HR Professionals and Benefits Professionals are actually using an AI program to help them with their jobs and have NOT gone through proper channels at work to verify they can be using it on company systems. Yes, on a number of functions, AI can work really well… For example, for assistance in narrowing job applicants to a manageable number or finding ways to evaluate performance without the human emotions, for streamlining claims and enrollment functions, designing health and other plans based on data analytics, and seriously reducing administrative burdens. Chatbots and virtual assistants can provide measurable real-time support to plan participants, and AI algorithms can analyze data to tailor plans to meet the specific needs and preferences of a very diverse workplace. In production facilities, there is no doubt that AI can help with many routine and automated functions, but that is not the same as using AI in the areas of the workplace that work with confidential data, such as payroll, human resources, and benefits. Two questions /always/ need to be asked up front.

1). Are those AI programs crossing privacy lines?

2). Do you need proper firewalls put in place /before/ you use AI?

We’ll examine these questions throughout this article and provide some real-world solutions to use AI effectively, but safely.

Let’s back up for a moment and start from the beginning, to assist those perhaps not as familiar with artificial intelligence and how it can help (or hurt) in the workplace.

What exactly is Artificial Intelligence? It is the intelligence of machines or software, as opposed to the intelligence of humans or animals. It is also the field of study in computer science that develops and studies intelligent machines. AI is a tool that humans can use to help workflow and improve efficiencies. One thing to keep in mind is that AI doesn’t automatically replace people…. But it was recently said by IBM that “AI won’t replace people -but people who use AI will replace people who don’t,” so that can be a concern for some.

Along the same definitional lines, Hybrid Intelligence crosses over the human intelligence (people, experiences, flexibility, creative functions, empathetic, instinctive or showing common sense) with Machine Intelligence (fast, efficient, cheap, scalable, consistent) by using data and algorithms to assist humans in improvements or efficiencies.

You may have heard of Generative AI and wondered what that means. A Generative AI system is one that can independently “create” new and unique content based on the prompts given to it from massive datasets, such as ChatGPT.

Generative AI only generates or produces, but it does not create.  Basically, it can only generate content based on information fed to it by humans. Humans are the creative ones; robots use constant machine-learning tools and computer programming to respond to querying, prompt engineering and produce human-free response generation, including programs like ChatGPT. One of the most important components of this is “Prompt Engineering.” What are you asking, or prompting, the program to do? These of course can be good or bad prompts, depending on how specific or non-specific the human prompting it has been. For example, if you ask a chatbot to write you a resume with no real job specifics, versus asking it to write you a resume after you send a job description and former resume, and asking it to optimize your resume and include bullet points for the specific job you’re applying for, and ask it to include metric-based achievements or something similar, you will see wildly different results from each. That is Prompt Engineering within Generative AI.

There are many phases of Generative AI. The input stage, which trains the AI algorithm by feeding it with good and relevant data and/or content, which can produce anything from text to images to code, and can even compose music in a specific style or genre. In the input stage, you need to be very specific, as used in the example above of writing a resume. Remember, like any software program, “garbage in” means “garbage out.”

There is also the processing stage, where the algorithm identifies and replicates patterns in the data or content that aligns with the user’s prompts, which is where the human factor comes in. This is also the area where we’ve found some highly controversial “garbage out” data generated, such as a recent legal case where the attorneys used AI for their case and the data that came out was not factual, causing the attorneys major embarrassment, when they discovered (during the trial!) that the AI tool “hallucinated” or made up things… like the precedents it provided in the AI produced research… /When it couldn’t find a supporting case that the attorney needed, it basically made one up…  /This is where it is imperative that any and all data created that is in the processing stage is reviewed and verified before being used….

Particularly if you’re relying on it for an actual situation… In this example, in a court case in front of a judge and jury! The Output stage is the result generated on the input, user prompts and processing stages, so always check what comes out and verify the facts to be true before using it! /It has been documented that AI can produce very convincing gibberish! /

Putting aside the “garbage out” for a moment, it is true that generative AI can have a tremendous impact on workflow and production. Brain-power is growing at an exponential rate; from ChatGPT generating 3,000 words per minute in 2022 to GPT4 achieving 25,000 words per minute in 2023. It is now documented that Claude’s AI is producing 75,000 words per minute, and that is a lot faster than any human could conceive of producing.

I asked Ted Flittner, Principal of Aditi Group, our technology, HIPAA Security and Cybersecurity consultant partners, how careful the user should be when using Generative AI to be sure that it is generating factual information (not hallucinating or making up things)? “This hits on a major issue with AI right now. AI in general and popular ones like ChatGPT are designed to give answers,” replied Ted. “And they can provide a detailed answer, even if there really isn’t one to give or is not true. Users need to take output not as fact, but something to consider and evaluate. We want to test answers in the real world and understand what inputs led to the answers – and consider whether the inputs are true.” There are things, of course, that can be done to improve the use of AI in your organization. “Training is a major issue,” Ted stated. “AI has a natural tendency to amplify inequities and incorrect patterns. It tends to give answers that match the training data – even if the data is NOT a fair sample of the real world.”

AI can help employees, such as HR Managers (used frequently for assistance in narrowing down job candidates, performance evaluations, etc.), and Risk Managers (used for examining trends and making better risk decisions) be better at their jobs, by allowing employees to focus on analysis rather than crunching data or performing other time-consuming tasks, and it allows employees to focus on strategic thinking and problem solving rather than mechanical tasks. However, using such tools as AI can be risky and if you use it, you need to be safe… So, I asked Ted, what are some basic safety/security protocols employers should implement when using AI?

“Clearly define who can access AI programs and output data,” Ted responded. “And define in writing, what data fields are that AI programs can use. Ideally, don’t use any private personal data. Don’t let AI results and answers get released to the public unless we’re /absolutely sure/ that private info is not exposed. A growing number of computer services are being offered to automate the process of evaluating data that AI systems can see and output. They’re akin to email security/encryption programs that try to prevent users from accidentally sending out emails with social security numbers, for example. The best approach is use all of the tools: make good policies, train people, and use software to watch for problems automatically.”

*Use of Proper Security and Approval Channels*

Going back to that PIHRA meeting I recently attended, that attendee response really concerned me, and actually prompted me to include an AI class in our September, 2023 Lunch & Learn educational series for our clients and guests, and to follow up with writing an article to assist users.

As I talked about in that Lunch & Learn in September, you shouldn’t be downloading AI programs such as ChatGPT without going through the proper security and approval channels at your office. I asked Ted if he would recommend that employers be sure there are policies in place BEFORE their employees (assume HR Department, for example) starts using AI such as ChatGPT? Ted’s response didn’t surprise me at all (and I assumed it back in September at our Lunch & Learn program). “Absolutely,” replied
Ted. “You need to set the rules before it comes back to bite you. Good policies and controls can prevent privacy breaches or AI output from being used in the wrong way. Check points on data input, data output and what people do with the ‘answers’ are a MUST. We have too many examples of groups rushing to implement AI and realizing later thatpersonal data is or was wrongly shared or wrong assumptions were made from data output from [one or more] AI programs. Too many people are feeling the ‘AI Burn.’”

*Dangers of Using ChatGPT and AI Programs*

What are the dangers of using ChatGPT or similar software without the proper firewalls in place first? Is there a danger of ChatGPT crossing over into confidential databases or other proprietary or trade secrets information? “The dangers are both human and software system ones,” stated Ted. “First, people can choose to share data that they shouldn’t with ChatGPT, for example. ChatGPT does use data to help improve the model – it uses data we enter, unless we take certain steps to block or minimize it. OpenAI does not use API data to train. So, we can choose which tools to use, depending on how secure we need to be.

“The software dangers really show up when AI results drive automated actions. For example, when facial recognition company Clearview AI software was quickly embraced by police departments, it led to many arrests of innocent people. The software marked people as suspects and police put too much trust in technology. As technology investigative journalist Kashmir Hill said ‘It wasn’t a simple matter of an algorithm making a mistake, it was a series of human beings making bad decisions, aided by fallible technology.’”

Another concern of mine, which has been a high security concern since 2020’s COVID massive move to remote work, is people continuing to workat home, without regular supervisory oversight. I asked Ted if there additional (or perhaps same as office in some circumstances) policies that should be in place for employees working from home? Ted responded “Match the privacy and security policies relating to other sensitive data for your company. Keep data private. Keep answers private. Sendinformation securely. Work on secure computer devices and networks. Keep it focused on business.”

Today organizations are realizing the vast potential of harnessing AI technology to enhance productivity, augment intelligence and gain a competitive edge with tools like data analytics. You can greatly improve productivity by automation of repetitive and time-consuming (and often hated) tasks, so humans can focus on the more strategic and creative functions on their desk, or in their workplace. You can unlock innovation by using algorithms to power your applications and business models and improve and increase your data analytics with more accurate predictions and improve data-backed decisions.

These tools, which are used commonly in the benefits and human resource space, are continually improving and helping us mere mortal humans in predicting future claims patterns, long term cost projections based on past group behavior, etc. Self-funded health plans (as well as insured health plans of course) have used data analytics to help them predict costs, and design benefits to meet the specific needs of that particular employer’s population for decades now… But now, with AI tools, the future looks even brighter when it comes to providing valuable insight into future costs and patterns, and to the benefits industry, AI seems to be a highly valuable tool that can be used to help contain costs.

*Potential Future Uses of AI in the Workplace*

Potential future uses of AI in the workplace, particularly in HR and Benefits, include (but are not limited to) advanced analytics
applications, process changes and reorganization uses, Employee Value Proposition assistance (common in HR now), ways to measure performance with AI (without the emotions). I asked Ted if he could comment on the internal data that AI may need access to in order to do these functions, and how an employer can be protected from AI technology accessingconfidential information within their systems, and why that needs more privacy/security protections in place? Ted responded: “We’re talking about the kinds of data that HR managers have access to every day, at both the individual staff member and /family member/ level. We really
want to de-identify personal info and aggregate data so that personal data is not used directly. That could be done manually or by other software systems that ‘cleanse’ data before it’s analyzed.”

*AI in Benefits Administration & Legal Implications*

I asked our Benefits Attorney, Marilyn Monahan, if there are there specific cautions or concerns she has about using AI in Benefits
Administration? Her response was: “While AI could be a great help in streamlining benefits enrollment and administration—making the process easier and more useful for both employees and employers—the human touch is still necessary. No system is turnkey, and work will have to be done—both to set it up and as part of an on-going monitoring process—to ensure the system is accurate and effective. Further, from the point of view of employee relations, employees will continue to have questions for HR on the enrollment process and benefit options, and HR needs to be available to answer those questions. From the point of view of benefit administration, the data produced by the system will need to be reviewed and analyzed to ensure benefits administration is going smoothly. ‘The computer did it’ is not a very compelling defense when a mistake is made.”

I also asked Marilyn what some potential drawbacks, limitations andlegal risks of using AI in benefits administration may be? She replied: “There are several issues that could arise. For example, an AI programused to translate an SPD might translate plan language incorrectly, or the translation might not satisfy the ERISA standard that the SPD is written calculated to be understood by the average plan participant. Or, when AI is used for enrollment, if the system has built-in biases, it might, for example, steer applicants in a protected class to benefit options that are not best for them personally.”

There are concerns about Intellectual Property and privacy and trade secrets and privacy when you use AI programs. I asked Marilyn if she could comment on her primary concerns? “These issues—and problems—could arise in various contexts,” stated Marilyn. “For example, employers using an AI system to draft written communications should be concerned about the system incorporating copyrighted material without attribution. As another example, companies should recognize that materials created by
AI will probably /not/ be protected by copyright laws.”

The legal implications of using AI continue to be a major concern, of course. States like California and cities like New York have or are considering laws on automated decision tools and AI… I asked Marilyn if she could tell us a little bit about these? “AI is the hot topic these days, not only within industry but by legislators as well. The City of New York has already passed a law regulating employer use of automated decision-making tools (the AEDT Law). It has been reported that the California legislature intends, when it returns from recess in January, to look into whether it should pass legislation to address AI in the workplace and beyond.”

Besides lawsuits and penalties, I asked Marilyn what some other potential consequences are of improperly using AI? Mairlyn replied “Do not overlook the damage to the company’s reputation, and the impact news of the misuse could have on client relationships, employee morale, and more.”

I asked Marilyn in general, what her primary privacy & security concerns of HR using AI? She stated “Any data being input into an AI system must be adequately protected to ensure it is not accessible by those who are not entitled to access it, and it is not vulnerable to a cyber-attack. Information that needs to be protected includes private employee data (such as personnel and medical data), customer data, and proprietarydata. Before utilizing an AI system, employers need to ensure that the system is secure, that access is limited, and that any necessarycontractual agreements (such as business associate agreements) are in place. In addition, employers should be concerned about employees using AI systems on their own, without the employer’s permission. Employers should put employees on notice that such actions are prohibited and will result in discipline.”

*Types of Employees/Departments Safety Precautions*

A question that is asked often today is what types of employees/departments are in general, more “safe” to use AI and what employees/departments should be more cautious overall? Once again, I asked for the opinion of Ted Flittner.

“Personally, I think everyone needs to follow the same cautions,” Ted responded. “HR, Accounting, and Finance generally have access to the sensitive staff data. Sales and Customer Service may see end-customer private info as well. All departments should understand the priority of keeping data private and follow the HIPAA ‘Minimum Necessary’ guideline of just giving access to the data that people need to get the job done.”

Certain job functions in the workplace have seen major headlines in the  news over the past several months. Replacing writers with ChatGPT-like programs is big in the news lately; particularly given the recent Hollywood writers’ strike, etc. I asked Marilyn if she would comment on possible trade secrets and copyright implications that may occur when using a Chat-GPT or other AI program in general, and if she had any warnings and suggestions for employers? “Two concerns that come to mind are accuracy and copyright. You cannot assume that the information generated by AI is true or accurate—it must be verified. Also, if the AI system copies copyrighted material without proper attribution, the employer could violate copyright laws when it uses the material.”

Should employers be worried that anything generated by a program such as Chat GPT could end up being put out on the internet for the public? Those are certainly concerns that I have, given my background in HIPAA Privacy & Security, so once again, I asked Ted for his opinion. “Yes, for sure,” Ted said in response to an employer being worried about these programs resulting in data going public on the internet. “Employers don’t want payroll, personnel reviews, or confidential company plans to be broadcast. They don’t want it to be done by computers OR people making bad decisions.”

I asked Ted what his biggest concerns related to privacy & security are when using any type of AI? “Systems that collect data, analyze it, share it, or take action on it, without our knowledge or consent,” Ted responded. “Again, facial recognition is a great example. More and more places and groups are using it – with photos from all parts of the internet and everywhere we go. We’re not asked for our OK with all of that. And so more cities and states are enacting bans on using facial recognition in public.”

I then asked Ted if there are other general comments/concerns/warnings or cautions he’d like to share with employers using or contemplating using AI for HR/Benefit functions? Ted responded, “Don’t rush to use AI just because it’s new and it’s cool. Any process or tool you use must provide real value. Ask yourself ‘How does it add value to our customers?’” I would echo those cautions provided by Ted.

As an employer, I’d want to know if AI tools are prone to cyber-attacks and if so, are they more or less than any other programs or uses in employer offices? Ted shared these thoughts. “AI is not more inherently prone to attack than other IT. The Internet is a two-way Superhighway. If a computer system can reach the internet or if it’s in the cloud, it is at risk. Use the same precautions.”

*Artificial Intelligence Policy Concerns & Considerations*

Marilyn Monahan and I discussed the policy concerns that employers should be looking at before using AI in the workplace as they relate to privacy & security. These included: Be sure that they suit your needs and priorities; Customize your policies to suit your workplace; Outline the purpose of the policy and the scope of the policy; Create Policies to Maintain Data Privacy & Security; Put in safeguards to protect data inputted into any GenAI technology, Address data collection, storage and sharing; Prohibit employees from entering private or personal information into *any* GenAI platform; Uphold company confidentiality – trade secrets, private information, PII and PHI of employees and third parties, confidential data, sensitive data; Protect Commitment to Diversity and Discrimination standards; Prevent Copyright or Theft Concerns; Double-check sources; Use AI as an idea-generator, not as a replacement for content creation; Prohibit Employment-Based Decisions Aided by GenAI; Do not use AI to help you make employment decisions about applicants or employees (recruitment, hiring, retention, promotions, transfers, performance monitoring, discipline, demotions, terminations, etc.) Uphold legal principals; Outline Best Practices – have workers confirm information before relying on it (avoid hallucinations or outdated answers); Understand the risks of data breaches in AI- /treat questions as if they will go viral on the internet; /Recommend employees disclose when they are using AI and the extent it aided in the creation of any content developed; Be Clear About Consequences if violations occur; Include a Disclaimer; and be sure to use Multi-Disciplinary input from stakeholders of organization. I asked Ted if he had any additions to this list. He added “ Employers should focus on value.”

Article by Dorothy Cociu, published in HR Tech Outlook and Manage HR magazines.  Read the full article at either site.

By: Dorothy Cociu, RHU, REBC, GBA, RPA
President, Advanced Benefit Consulting & Insurance Services, Inc.

Another year, another new Federal requirement for health plans and employers who sponsor them.  So, what is it this year?  Besides of course the CAA’s RxDC filing requirements in HIOS (originally due December, 2022, but pushed back to January 31, 2023 for reference years 2020 and 2021, and June 1, 2023 for 2022 reference years, which had employers, brokers, TPAs, pharmacy benefit managers and more scrambling to comply with), we now have the end of the year filing requirement for the CAA’s Gag Clause Prohibitions and Attestations. 

Hopefully, this isn’t the first time you’re hearing about this requirement… Perhaps it’s more like “Oh, yeah, another annoying filing requirement… I guess I better start thinking about that now.” 

Yes, it is another requirement within CMS’ HIOS portal, but the good news is, it’s not as difficult as the RxDC Submission Process.  But I will get to that process later.  Let me start from the beginning.

So, what does this all actually mean? Basically, it means that employer-sponsored group health plans and issuers (like insurance companies and HMOs) cannot have any “gag clauses” in their contracts that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party in their contracts.  I’ll come back to this later.

Background

The CAA was one of the largest bills ever passed by Congress, and had several years of requirements for health plans, plan sponsors, issuers, PBMs, TPAs and more.  One of the last provisions of the CAA is the prohibition on Gag Clauses in provider and other agreements.   This last provision has a looming due date for CMS’ HIOS System filing of December 31, 2023. 

The CAA’s Gag Clause Prohibition requirements came from Section 201 of Division BB of the Consolidated Appropriations Act, 2021, and it amended IRC Section 9824, ERISA Section 724 and the PHS Act Section 2799A-9.  What this means is that it is enforced by three separate government entities; the Department of Labor (DOL), Health & Human Services (HHS) and Treasury (Departments).  Complaints related to parties not complying with the Gag Clause Prohibition requirements can be submitted at either CMS or the DOL. 

There have been no actual regulations issued for the Gag Clause Prohibition and Attestation requirements, because the Departments felt that the statutory language is “self-implementing,” or easy enough for applicable parties to comply directly from the statutory language plus any FAQs or other guidance issued.  The Departments did issue FAQs in 2021 and 2023.  FAQ Part 49 was issued in August, 2021, and new guidance was issued in February, 2023 by the Departments in FAQ Part 57. 

Effective Date and Filing Date

The effective date was actually December 27, 2020, meaning that plans could not enter into a contract with gag clauses as of that date.

The gag clause prohibition compliance attestation must be file on or before December 31, 2023, and each year thereafter by December 31. 

The first attestation is due no later than  December 31, 2023, and should cover the period beginning December 27, 2020 through the date of the attestation.

Prohibition on Gag Clauses

A “gag clause” under the CAA prohibits restrictions on the disclosure of provider-specific cost or quality of care information or data to referring partners, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries or enrollees of their plan or coverage.  The CAA also puts restrictions on electronic access to de-identified claims and encounter information or data for each participant, beneficiary, or enrollee upon request with the privacy regulations included in laws like HIPAA, GINA or the ADA, including, on a per claim basis, the following: 

• Financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract;
• Provider information, including name and clinical designation;
• Service codes; or
• Any other data element included in the claim or encounter transactions;
• Restrictions on sharing information or data or directing that information or data to be shared with a “business associate,” consistent with privacy regulations, including HIPAA.

I asked our attorney, Marilyn Monahan of Monahan Law Office, to describe what a gag clause is. “A gag clause is a contractual term that directly or indirectly restricts specific data and information that a plan or issuer can make available to another party,” stated Marilyn. “The clauses at issue here are typically found in contracts between plans and issuers, on the one hand, and health care providers, a network or association of providers, a TPA, or another service provider offering access to a network of providers, on the other hand.”

I also asked Marilyn to describe what the purpose of the gag clause prohibition is, and what are they trying to accomplish? “This is all about transparency,” replied Marilyn. “They want plans and consumers to have as much information as possible so that they can make informed decisions about plan design and health care options. Without the prohibition on gag clauses, the third parties may restrict access to information that is necessary to fulfill the goal of transparency.”

To be more specific, these gag clause prohibitions basically came from other provisions within the CAA and prior legislation (like the ACA) that required transparency, including the disclosure of pricing information on medical costs and services, Machine Readable File requirements, and most recently, the requirement of Online Price Comparison Tools, where plan participants can compare online prices for services from one provider to another.  These gag clause provisions can’t be put into contracts that could take away from the requirements of any of these other CAA requirements related to such Transparency and Price Comparison tools.  Health plans and Issuers cannot have any direct, indirect, explicit or non-explicit provisions that would prevent a plan or issuer from providing, accessing, or sharing information required in the CAA. 

In the past, gag clauses could be found (but of course are now prohibited) in agreements between a health plan or issuer and any of the following parties:  a health care provider; a network or association partner; a third party administrator (TPA); or another services provider offering access to a network of providers.   

The FAQs gave some good examples of these types of provisions:

Example:  If a contract between a TPA and a group health plan states that the plan will pay providers at rates designated as “Point of Service Rates,” but the TPA considers those rates to be proprietary and therefore includes language in the contract stating that the plan may not disclose the rates to participants or beneficiaries, that language prohibiting disclosure would be considered a prohibited gag clause.

Example:  If a contract between a TPA and a plan provides that the plan sponsor’s access to provider-specific cost and quality of care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause.

Attestation of Compliance

Employers sponsoring health plans and health insurance issuers (carriers or HMOs) are required to submit a Gag Clause Prohibition Compliance Attestation (GCPCA) that confirms that they are compliant with this CAA provision by December 31 of each year, and the first attestation is due for the period beginning December 27, 2020 through 2023 on  December 31, 2023.  Again, this is an annual requirement, so be prepared to do these filings, or subcontract with a third party to do them for you, each year, no later than December 31. 

It is important to note that both the group health plan (employer plan sponsor) and the health insurance issuers are legally obligated to make such attestations.

Entities that must comply include the following:

• Health insurance issuers offering group health insurance coverage;
• Health insurance issuers offering individual health insurance coverage, including student health insurance coverage and individual health insurance coverage issued through an association; and
• Fully-insured and self-insured group health plans, including ERISA plans, non-federal governmental plans, and church plans subject to the IRC

These provisions apply to grandfathered and non-grandfathered plans, and small and large group plans.  They do not apply to account-based plans (such as HRAs), excepted benefits, and stand-alone dental and vision plans. 

Reporting Entities Required to Attest

• Issuers offering individual health insurance coverage, including: Student health insurance plans, Grandfathered and Grandmothered plans, Policies sold on or off Exchanges, and Policies sold through an association
• Issuers offering group health insurance coverage, including: Grandfathered and Grandmothered plans, Policies sold on or off Exchanges, and all other group health insurance plans
• Group health plans, including the following to the extent they are considered group health plans: ERISA plans (or sponsors of ERISA plans), Non-Federal governmental plans, such as plans sponsored by state or local governments, Church plans and Grandfathered group health plans under the ACA

Entities Not Required to Attest

• Account-based plans, such as health reimbursement arrangements (HRAs),including individual coverage HRAs
• Issuers and group health plans that offer only excepted benefits coverage, including, but not limited to: Hospital indemnity or other fixed indemnity insurance, Disease-specific insurance, Dental, vision, and long-term care, and Accident-only, disability, and workers’ compensation
• Issuers that offer only short-term, limited-duration insurance
• Medicare and Medicaid plans
• State children’s health insurance program plans
• Basic Health Program plans

What Do You Attest To?

I asked Marily to explain what are employers specifically asked to provide an attestation on.  “Plan sponsors are asked to attest that their group health plan has not entered into any contracts that contain gag clauses,” stated Marilyn. “With respect to the webform that must be executed by this December 31, the attester must attest that “the group health plan(s) . . . on whose behalf I am signing will not enter into an agreement, and has not, subsequent to December 27, 2020, entered into an agreement with a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would be directly or indirectly restrict the group health plan(s) or health plan(s) or health insurance issuer(s) from” disclosing the types of information outlined in the law.”  

The attestation language for December 31, 2023’s filing can be found on the CMS website as well as in the FAQs.  It includes the following:

I attest that, in accordance with section 9824(a)(1) of the Internal Revenue Code, section 724(a)(1) of the Employee Retirement Income Security Act, and section 2799A-9(a)(1) of the Public Health Service Act, the group health plan(s) or health insurance issuer(s) offering group health insurance coverage on whose behalf I am signing will not enter into an agreement, and has not, subsequent to December 27, 2020, entered into an agreement with a health care provider, network or association of providers, third-party administrator, or other service provider offering access to a network of providers that would be directly or indirectly restrict the group health plan(s) or health plan(s) or health insurance issuer(s) from—

1. Providing provider-specific cost or quality of care information or data, through a consumer engagement tool or any other means, to referring providers, the plan sponsor, participants, beneficiaries, or enrollees, or individuals eligible to become participants, beneficiaries, or enrollees of the plan or coverage.
2. Electronically accessing de-identified claims and encounter information or data for each participant, beneficiary, or enrollee in the plan or coverage, upon request and consistent with the privacy regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the amendments made by the Genetic Information Nondiscrimination Act of 2008 (GINA), and the Americans with Disabilities Act of 1990 (ADA), including, on a per claim basis— a. Financial information, such as the allowed amount, or any other claim-related financial obligations included in the provider contract.
3. Provider information, including name and clinical designation.
4. Service codes; or
5. Any other data element included in claim or encounter transactions; or

3. Sharing information or data described in items (1) or (2), or directing that such data be shared, with a business associate as defined in section 160.103 of title 45, Code of Federal Regulations (or successor regulations), consistent with the privacy regulations promulgated pursuant to section 264(c) of HIPAA, the amendments made by GINA, and the ADA.

I am attesting on behalf of group health plans, including non-federal governmental plans, and health insurance issuers offering group health insurance coverage. (Check box on attestation form)

What Employer Plan Sponsors Need to Do

What employers need to do depends on whether you have a Self-Funded or Fully Insured health plan.  The “reporting entity” is the plan or issuer subject to the law that has entered into an agreement that may be subject to the prohibition (either directly or indirectly).  The reporting entity is responsible for compliance with the annual mandate. 

Self-Funded Plans

Self-funded health plan sponsors may either attest to the gag clause prohibitions in the HIOS portal or enter into a written agreement with a service provider, such as your TPA, to attest on the plan’s behalf.  However, it’s important to understand that even if you subcontract this task to a third party, the self-funded employer remains liable and responsible for the legal obligation. 

If you enter into a third-party agreement, you should get it in writing that the third party will be responsible for filing the attestation in HIOS, and then be sure to receive a copy of the confirmation of the filing after the filing is complete.  If you file yourselves, you need to register in HIOS; two parties are required to register in the portal; a Submitter and an Attester. 

As brokers and consultants, to assist our self-funded clients, we registered in the HIOS system to assist our clients as needed (just as we did for the RxDC HIOS filings), or do the filing for them, should their TPA or other vendor not be prepared to do the filing or, if their filing is billable, so that is of course an option for employers. You should always check to see if you have a reliable resource to do this for you or work with you.  Although we do it on a complimentary basis for our clients, that may not always be the case.  TPAs or other brokers or consultants or other vendors may charge for this service. 

Fully Insured Plans

For fully insured employers, be advised that both the issuer (your carrier) and the plan sponsors are required to comply.  However, the FAQ’s state that ““With respect to fully-insured group health plans, the group health plan and the issuer are each required to annually submit a Gag Clause Prohibition Compliance Attestation. However, when the issuer of a fully-insured group health plan submits a Gag Clause Prohibition Compliance Attestation on behalf of the plan, the Departments will consider the plan and issuer to have satisfied the attestation submission requirement.” Therefore, it is important to note that employers should contact their carriers and obtain a written commitment from them to comply. 

Some carriers have already sent out e-blasts stating whether or not they will be performing this function for you.  Please look for this in your email.  Some say they will do it, some say they will not, and others are silent on this function (i.e. no correspondence to date).  It’s your responsibility to verify they are doing this for you  (or not doing it).  Be sure to keep copies of those emails for your records.  We also recommend that our fully insured clients forward those emails to us as well so that we can keep a record of what carrier is doing what for each fully insured client.  If you haven’t received a confirmation from your carriers, you will be responsible for the attestation.  ABC can also enter your attestation into HIOS, but we will need confirmation from you that your carrier is not doing this function (for example, forward the email to us that tells you they are not doing this on your behalf).  You should retain the email or other notification from your issuer (carrier) that states that they will be filing on your behalf. 

Marilyn advised “Employers should definitely get something in writing—from either their carrier or third party service provider—confirming that the attestation will be made on the employer’s behalf.”

HIOS Attestation Process

As stated above, the Reporting Entity is the employer plan sponsor or issuer that is subject to the law and has entered into an agreement, either directly or indirectly, that may be subject to the prohibition.  The reporting entity is responsible for compliance on an annual basis with the mandate.

I asked Marilyn for her thoughts on the actual attestation process, and the differences between self-funded and fully insured employers.  “The registration process is much faster and more straightforward than it was for the RxDC reporting process,” stated Marilyn. “Also, you do not have to submit the same type of detailed plan data that was required for RxDC reporting. If your plan is fully insured, and the carrier confirms in writing that it will attest on your behalf, you have satisfied your reporting obligation. If your plan is self-funded, you will need to first identify the third-party service providers that may have contracts subject to the rules, and then obtain their written agreement to attest on your behalf. This may require you to reach an agreement with more than one third party. If they do not agree to do so, it is the employer’s legal responsibility to attest.”

There are two persons involved with the attestations. 

Attester – The attester attests on behalf of the Attesting Entity (or Reporting Entity).  A health plan or issuer may authorize any appropriate individual within the organization, such as the plan administrator of a group health plan, to attest on behalf of the plan or issuer.  This should be a high-level employee of the employer that has the legal authority to act. 

A service provider, such as a TPA or broker that has been provided the authority to make the attestation on behalf of the plan or issuer, may authorize any appropriate personnel within that organization to make the attestation. 

Submitter- A Submitter may submit the data on the Attester’s behalf, subject to the Attester’s review and signature. 

Again, it’s a two-step process, requiring two individuals to register in HIOS and do the required reporting; the submitter submits and the attestor verifies the data is correct and signs the attestation.

Similar to the RxDC process, you must submit data into the HIOS portal on the CMS website.  This is not the same as the RxDC portal.  They have created a new portal for reporting, and it appears that they learned some valuable lessons during the RxDC reporting process, and have made it simpler and more user friendly for submissions.  The good news is, you don’t have to go through Regtap, like you did for  RxDC reporting. 

“For employers, the ‘attester’ is someone with the legal authority to act on behalf of the group health plan, and who is authorized to electronically sign the GCPCA via the CMS webform,” stated Marilyn. “For a third party who is attesting on the employer’s behalf—such as a TPA—the attester is someone with the legal authority to sign the GCPCA on behalf of the TPA.”

The first step in the process is to obtain an authentication code by going to the Gag Clause Prohibition Compliance Attestation website at https://hios.cms.gov/HIOS-GCPCA-UI  and selecting “Don’t have a code or forgot yours?” The user will be asked to provide the user’s e-mail address. The system will generate an authentication code and send it to the e-mail address provided. The user can then return to the Gag Clause Prohibition Compliance Attestation website, enter the e-mail address and code where indicated, and select “Login to the system” to proceed with submitting the attestation.  This step only takes a few minutes.   You should receive a code in your email very quickly so that you can enter the code and login. 

There is a short description and what to expect directly under the home page graphic you see above, that summarizes what you need to do. 

If you’re filing for only one employer (such as an employer filing just their own attestation), the reporting entity should use the GCPCA webform to provide the Reporting Entity’s information. (Option A in the Instructions.) The Excel Template is not required.  The webform will prompt the Submitter/Attester to answer a series of questions about the Submitter, the Attester, the Reporting Entity, and the plan.  The Attester will then make the attestation, and when complete, the Attester may download a confirmation receipt as a pdf file.  It’s pretty simple. 

If the Attesting Entity is attesting for multiple reporting entities (such as a TPA or broker), you should use both the GCPCA webform and the Excel Template to report information about the Reporting Entities on whose behalf it is attesting.  (Option B in the Instructions.)  You’ll be prompted to attach the excel template, upload it and then attest to it.  The instructions for submitting an attestation, a system user manual, and a reporting entity Excel Template for plans and issuers to submit the required attestation an be found at:  https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/gag-clause-prohibition-compliance

Creating an Attestation Submission

You will be asked to  enter the submitter’s contact information, which will include the name, position title, email address, phone number, name of employer, type of entity (such as group health plan, issuer, TPA, Behavioral Health or other service provider), then enter the Attestor’s contact information (same as above as applicable for attester).  You will then need to provide the Reporting Entity’s details, such as plan number, plan type (for example, health insurance issuer, non-federal government plan, ERISA Plan, non-ERISA plan, etc.), point of contact, employer ID number, mailing address, email address, phone number, point of contact.  You will need to drag and drop the excel template (you’ll need to save as a TXT file) and upload it, review and attest. 

Non-Compliance Enforcement

Failure to file could result in enforcement action from any of the Departments, which may be a $100 per day excise tax under the IRS code or a civil penalty under ERISA. 

Overall Recommendations for Employers

I asked Marilyn if there is anything she would recommend to those attesting to the gag clause prohibition? Marilyn replied:  “Confirm that the gag clauses have been removed from the contracts. In addition, read the CMS instructions and understand what you are being asked to attest to.”

Does Marilyn provide any cautions for employers? “Calendar the deadline for this year and every year thereafter. If your plan is self-funded, add this to the list of services you expect the service provider to perform on your behalf, and confirm whether there will be an additional charge. Do not leave this process to the last minute, in case you have difficulty obtaining the cooperation of the third parties involved in the process. Remember that although you have until December 31, 2023, to make the attestation, the requirement to remove the gag clauses is already in effect, and has been for some time.”

Remember, it’s really not as complicated as you might think.  Compared to the RxDC reporting, the Gag Clause Prohibition Attestation is a “piece of cake!”  ##

Author’s Note:  I’d like to thank Marilyn Monahan for her assistance with this article.  Marilyn can be reached at marilyn@monahanlawoffice.com.  I can be reached at dmcociu@advancedbenefitconsulting.com.  Be sure to listen to our podcast series, Benefits Executive Roundtable, which begins Season 5 on September 12, 2023! 

Reference Sources & Resources:

Gag Clause Prohibition Compliance Attestation website at https://hios.cms.gov/HIOS-GCPCA-UI  

The instructions for submitting an attestation, a system user manual, and a reporting entity Excel Template for plans and issuers to submit the required attestation an be found at:  https://www.cms.gov/cciio/programs-and-initiatives/other-insurance-protections/gag-clause-prohibition-compliance

FAQS About Affordable Care Act and Consolidated Appropriations Act, 2021 Implementation Part 57 (July 2023)- https://www.cms.gov/files/document/aca-part-57.pdf

Health Insurance Oversight System (HIOS) Gag Clause Prohibition Compliance Attestation (GCPCA) User Manual – https://www.cms.gov/files/document/hios-gcpca-usermanual-020000.pdf

Monahan Law Office Webinar, July 28, 2023, “Prohibition on Gag Clauses and Attestation Requirement,” by Marilyn Monahan

Published in HR Tech Outlook, June 2023.

By:  Dorothy Cociu, RHU, REBC, GBA, RPA, President, Advanced Benefit Consulting & Insurance Services, Inc.

Ask and you shall receive?  Well, although that does not happen as frequently as we’d like, sometimes we are surprised, and it does.  In the spring (April) of 2021, the US Department of Labor (DOL) released a much needed (although maybe not wanted by some) guidance package on cybersecurity for plan sponsors and plan fiduciaries.  This release didn’t get as much press or attention as some releases; perhaps because COVID was still very much a part of our everyday lives at that time.  One thing COVID did was bring out more and more bad actors involved with ransomware, malware and other cyber and online threats, perhaps in part because more and more people were working remotely, and where there are remote employees, there is a greater chance of risk and exposure to cyber- attacks. In some cases, examples made national and worldwide news, and affected many of our daily lives.  But attacks can and do happen in our offices as well.  Keep in mind, where there is data, there is risk of someone gaining access to that data.

Most of us remember the Colonial Pipeline ransomware event in May, 2021.  This seemed to be the first of many cyber attacks hitting us that year, but this one really hit home to many.  As you’ll recall, the Colonial attack is the largest publicly disclosed cyber-attack against critical infrastructure in the United States, attacking the company’s IT systems and causing fuel shortages for weeks in the eastern United States.  We found out later in news reports that the attack was due to a leaked password, an inactive VPN account and a lack of multifactor authentication.  You may also recall that Colonial paid a ransom of millions of dollars to get their systems back up and running.  Lucky for them, much of those funds were actually recovered through the tracing of cryptocurrency.  Still, the breach could have been avoided if Colonial had used basic cybersecurity practices that experts have been preaching for years.  Could have, would have, should have been avoided…  Yet, these cyber criminals continue to do their damage and far too many companies have been subject to similar circumstances.  No one wants to face that moment of shear panic when your systems won’t come up, or when they do, and you get a strange and frightening  video or screen-shot of someone telling you they now have your data and you must pay to get it back.

The DOL Cybersecurity Guidance was primarily aimed at protecting retirement plans, due to their high financial values and the financial security of so many individuals and families, but the DOL wrote the guidance in such a way to apply to all ERISA Plans, including health and welfare plans, because all benefit plans have valuable information (and assets) that cyber criminals want to have their hands on.  This has become evident based on the high number of breaches in the health care and health insurance industry in recent years.  Remember Anthem, Primera Blue Cross, UCLA Medical Center, New York Presbyterian/Columba Medical Center, Children’s Medical Center of Dallas and so many more.  ERISA plans not only have financial assets, but personal information that criminals want to exploit.  The bottom line is that the DOL has made it clear that plan sponsors and plan fiduciaries have a responsibility and duty to protect the plan and participants, and therefore have a duty to mitigate cybersecurity risk. 

ERISA and Plan Fiduciary Overview and Background

Before I get into the guidance and how it affects employer plan sponsors and plan fiduciaries, I want to provide a brief background that should help you understand the significance of the role of plan sponsors and their plan fiduciaries in employee benefits.

The Employee Retirement Income Security Act of 1974 (ERISA) includes reporting and disclosure requirements enforced by the Department of Labor (DOL), Employee Benefits Security Administration (EBSA).  ERISA is a federal law that regulates employer-sponsored (a) pension plans and (b) employee welfare benefit plans—whether fully insured or self-funded.

Welfare benefit plans include medical, dental, vision, health FSAs, HRA, LTD, STD, life, AD&D, pre-paid legal, some EAPs and some wellness programs.

Federal oversight is needed to protect benefit programs.  So what government entities are involved, who audits what, and what areas are subject to review?  ERISA Reporting, Disclosure, and Fiduciary (operational) requirements, and now Cybersecurity, is enforced by the US Department of Labor.  The IRS, Department of Health & Human Services (HHS) and DOL oversee the Affordable Care Act.  HIPAA Privacy and Data Security are enforced by HHS and OCR (Office of Civil Rights – which operates under HHS).  Cafeteria Plans and Nondiscrimination Testing fall under the IRS.  Wellness programs are the responsibility of the DOL and IRS, and Mental Health Parity, Voluntary Benefits and Claims Procedures overseen by the DOL.

So, what is a Fiduciary and why is it so important?  First off, all ERISA-covered benefit plans are required to have fiduciaries.  There are various fiduciary roles under ERISA (both named and functional), including the requirement for each plan to have at least one named fiduciary that must be identified in the plan document  (ERISA § 402). The fiduciary is the Plan Administrator (ERISA § 3(16)).  A fiduciary has discretionary authority or control over plan management (ERISA § 3(21)), and a fiduciary is someone who provides investment advice for compensation.  Mostly, it’s important to note that Fiduciary status is based on the functions performed for the plan, not just a person’s title.  One thing I always say when discussing the role of fiduciaries, either with an employer client or when teaching a class, is that If it looks like a duck, walks like a duck, acts like a duck, it’s a duck!  Therefore, if you are performing any of these tasks, whether or not you’ve been given the title, you are, indeed, a fiduciary.

There are four main fiduciary duties under ERISA: 1) the Duty of undivided loyalty to plan participants and beneficiaries (exclusive benefit rule), including acting for the sole purpose of providing benefits to plan participants, which includes the requirement that you must only pay reasonable plan expenses; 2) Duty of prudence (Prudent Man/Person Standard of Care).  ERISA requires that plan fiduciaries must act with the care, skill, prudence, and diligence under the circumstances then prevailing, that any prudent person acting in a like capacity and familiar with such matters would use.  What has now been added to these duties is an obligation to ensure “proper mitigation of cybersecurity risks.”  3) Duty to diversify assets of the plan; 4) Duty to administer the plan in conformity with governing documents.  The DOL understands and encourages plan fiduciaries to get help if and when they need it from experts.

Why Cybersecurity Compliance Matters

For an employer sponsoring an ERISA benefit plan, cybersecurity compliance matters because It’s the legal standard, it is part of the Plan Administrator’s fiduciary responsibility, it’s an employer obligation – not an insurer or broker obligation, it’s needed and expected to fix problems, be ready to respond to participant inquiries or complaints, as well as be ready in the event of a lawsuit.  In addition, compliance matters so that you’re prepared in the event of a DOL, IRS, or HHS/OCR audit, prepared in the event of a merger, or wish to be a hero to the CEO/CFO, and if self-funded, it is required to be complaint with stop loss requirements, to name a few reasons.

Real-World Applications of Cybersecurity Compliance

As I said previously, the DOL released their Cybersecurity Guidance in April, 2021 for plan fiduciaries, plan sponsors, recordkeepers and plan participants.  Why have they released them?

Without sufficient protections, “participants and assets may be at risk from both internal and external cybersecurity threats. ERISA requires plan fiduciaries to take appropriate precautions to mitigate these risks.”  In addition, “This much-needed guidance emphasizes the importance that plan sponsors and fiduciaries must place on combatting cybercrime and gives important tips to participants and beneficiaries on remaining vigilant against emerging cyber threats.”

I asked Marilyn Monahan, our Benefits Attorney, if she thinks plan sponsors and plan fiduciaries should be taking this seriously and if so, why? “By issuing this summary of ‘best practices,’ the DOL has announced that this is an area of concern and focus. Further, in the introductory paragraph of the guidance, the DOL clearly ties these best practices to existing ERISA fiduciary standards:  ‘Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.’ Responsible plan fiduciaries would be well advised to take note.”

I asked our technology/IT and cybersecurity partners, Ted Flittner and Ted Mayeshiba of Aditi Group, if they thought plan sponsors and plan fiduciaries should be taking this cybersecurity guidance seriously, and if so, why.

“Dorothy, I have money in a plan.  If it goes missing, you can bet I’m coming after my money,” stated Ted Mayeshiba, Principal.  “Plan fiduciaries are named that [fiduciaries] because there is a responsibility to safeguard MY MONEY.  There are too many horror stories which relate fiduciaries having individual accounts under their control  hacked and money stolen.  Now, with these guidelines, the legal standard of “duty of prudence” have been clarified.  Meaning, if you don’t follow these guidelines, you are more likely to be on the losing end of a judgement.”

His partner Ted Flittner continued: “This is the DOL’s way of making Cybersecurity an official, formal and now expected part of doing business in employer/employee related areas.  Not following guidance is asking for investigation, judgement against you and penalties. But aside from the “legal” or DOL impact, the guidance offered is just plain SMART and good for everyone.”

For another opinion, I spoke with Adriana Mendieta, an industry friend and fellow cybersecurity business associate, who is a database manager for Colonial Life and also specializes in cyber liability insurance coverage.  “Plan sponsors and plan fiduciaries should indeed give serious consideration to the Department of Labor’s requirement for Cybersecurity Policies and Programs,” stated Adriana. “Cyber threats pose a substantial risk to ERISA plans, and it is crucial for sponsors to prioritize the protection of assets, compliance, and safeguards. In my role, I strongly believe that cyber insurance plays a vital role in ensuring the cybersecurity of the plan.”

The guidance “complements EBSA’s regulations on electronic records and disclosures to plan participants and beneficiaries. These include provisions on ensuring that electronic recordkeeping systems have reasonable controls, adequate records management practices are in place, and that electronic disclosure systems include measures calculated to protect Personally Identifiable Information.”

I asked our Benefits Attorney, Marilyn Monahan, if she agreed with me that the release of such guidance means that they are putting a much higher emphasis on cybersecurity in benefit plans.  “Yes,” Marilyn replied. “In fact, it is clear that cybersecurity is a priority not only with the DOL, but also with other federal agencies and at the state level as well. (The California Consumer Privacy Act of 2018 (CCPA)—as modified by the California Privacy Rights Act (CPRA)—is an example of the increasing interest in cybersecurity at the state level.) While this interest can seem to create significant challenges for employers and producers as they work to understand how multiple—and potentially overlapping—standards apply to them and their benefit plans, taken together they do also send a clear message that cybersecurity is a priority to regulators and must be to employers as well.”

The DOL/EBSA Guidance divides the Guidance into three sections, which I will divide by topic for readers.  I asked Marilyn to give me her thoughts on why it is important that you, as a plan sponsor or plan fiduciary, to create a complete  Cybersecurity Program now.  “The guidance was issued in 2021—a couple of years ago,”  Marilyn stated.  “The COVID-19 National Emergency and PHE are now over. With things getting back to ‘normal,” this is a good time for employers to turn their attention to all aspects of compliance, including cybersecurity.”

Tips for Hiring a Service Provider with Strong Cybersecurity Practices

In the first of the 3-part guidance, the DOL focuses on tips for hiring service providers with strong cybersecurity practices.  Business owners have a fiduciary responsibility under ERISA to prudently select and monitor service providers.  The guidance makes it clear that each plan sponsor must have a process in place for selecting your service providers.  One question you need to ask them is if their “process” is completely documented? This should be made a part of your RFP process.  Then you need to find out from the service provider how they monitor their electronic files and data and be sure that every step is completely documented.  Plan sponsors/fiduciaries should monitor not only new service providers, but current providers as well.

The service provider or providers should have in place a recognized standard of information security and outside monitoring procedure.  Do they have a documented standard of information security that tracks the who, how, why, when for everything they have in their possession?  Lastly, you should ask who is overseeing the process? Each service provider should assign an individual or team to oversee the process, and the employer/plan sponsor/fiduciary should be asking for details on this procedure (or procedures).

Another step in hiring a service provider with strong cybersecurity practice, according to the DOL Guidance, is to be sure they have in place a vendor/service provider validation of practices, so that you can see their track record, their past security breaches and how they mitigated those breaches.  Is there public information regarding security incidents or breaches, other litigation and/or legal proceedings related to the vendor’s services? You want to be sure to ask them what their internal process is for all of these items, and perhaps do some google and other types of public searches as well, and not rely entirely on what the vendor tells you.  My motto for this is trust, but verify!

Other things you can do as a plan sponsor/fiduciary is to check the HHS “Wall of Shame” for Large Breaches (those covered under HIPAA Privacy & Security rules are required to report their breaches to HHS/OCR; those with over 500 affected by the breach are posted on their “Wall of Shame” – a term that the industry coined for the website pages on breaches), google newspapers that monitor breaches, and check newspaper articles to see if their name comes up related to breaches that may have been smaller than those posted on Wall of Shame.  In addition, you can ask for client references and ask questions about whether they know of any security breaches.  What happened?  How was it documented and reported?  How did the service provider respond overall?  How was it mitigated?

We all know that things can happen, no matter how secure you may think you are.  After all, we’re all dealing with the “weakest link,” which is human beings; our employees.  That’s why it’s important to have insurance policies in place to cover losses.  Therefore, the Guidance asks if you’re verifying if the service provider has cyber liability insurance.  In order to be approved for cyber liability coverage, you must have written procedures in place, so having it tells you a lot.  You may want to ask them for a copy of their cyber liability policy… If you have that, you can check to see what their policy covers.  Will it cover losses caused by cybersecurity and identity theft breaches (including breaches caused by their own internal threats, such as misconduct by the service provider’s own employees or contracted vendors, and breaches caused by outside threats, such as a third party hijacking a plan participant’s account)?

The Guidance also suggests that you have contract terms that actually require certain cybersecurity standards.  A plan fiduciary should review their agreements and see if they have added cybersecurity standards to your vendor agreements.  If not, that is something you want to add to them, sooner rather than later.

Process for Comparing and Selecting a Service Provider

So how do you do all of this, and how can you do it consistently, with the same process for all vendors?  I highly suggest that you have in place a standardized questionnaire that you ask all current and all potential new vendors to complete and provide to you, so that you can verify and compare vendors properly.

The first step is to look for service providers that follow a recognized standard for information security and use an outside (third-party) auditor to review and validate their cybersecurity practices.  You can do this with annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.

Next, you want to know how the service provider validates its practices, and what levels of security standards it has met and implemented.  In doing this, you should be sure you have contract provisions that allow you the right to review audit results demonstrating compliance with the standard.  You may want to verify that the contract requires ongoing compliance with cybersecurity and information security standards and watch for and beware of contract provisions that limit the service provider’s responsibility for IT security breaches.  You should have a consultant or attorney review the contract to see if it has or you can add appropriate terms to enhance cybersecurity protection for the Plan and its participants, including information security reporting, clear provisions on the use and sharing of information and confidentiality of information. Does it meet a strong standard of care to protect confidential information against unauthorized access, loss, disclosure, modification or misuse?  Does the contract require that they notify you about cybersecurity breaches, and if so, when/how quickly?  You will also want provisions to assure that the service provider will ensure their cooperation with investigations and responsibly address the cause of the breach, and how they mitigate such breaches.

Additional contract terms of a Service Provider to look for includes looking to see if they require ongoing cybersecurity and information security standards and compliance.  Do their contracts limit the service provider’s responsibility for IT security breaches?  That could be a reg flag and prompt to check into it further.  You should consider including terms that would enhance cybersecurity protection for the Plan and its participants, including (but not limited to): Information Security Reporting – annually obtaining third-party audits to determine compliance with IT P&Ps; Clear Provisions on the  Use and Sharing of Information & Confidentiality – spell out service provider’s obligation to keep private information private, prevent the use or disclosure of confidential information without written permission, and meet a strong standard of care to protect the confidential information against unauthorized access, loss, disclosure, modification, or misuse.

While you are looking at contracts, you should Include terms that would enhance cybersecurity protection for the Plan and its participants, including (but not limited to): Notification of Cybersecurity Breaches – identify how quickly you would be notified of any cyber incident or data breach, and ensure the service provider’s cooperation to investigate and reasonably address the cause of the breach; Compliance with Records Retention & Destruction, Privacy & Information Security Laws – specify the service provider’s obligations to meet all applicable federal, state and local laws, rules, regulations, directives and other governmental requirements pertaining to the privacy, confidentiality or security of participants’ personal information; Insurance – you as a Plan Sponsor or Fiduciary may want to require insurance coverage such as professional liability, E&O, cyber liability, and privacy breach insurance, and/or fidelity bond/blanket crime coverage.  Be sure you understand the terms and limits of each before relying on these as protection from loss.

Cyber insurance in today’s world is critical for most, if not all, service providers.  “One vital aspect of a well-rounded cybersecurity plan is being prepared for every possible scenario,” stated Adriana. “Cyber insurance can play a crucial role in reducing the financial impact of a cyber incident. It offers coverage for various expenses, such as legal and forensic services, breach notification, credit monitoring, public relations, and potential regulatory fines. By obtaining cyber insurance, plan sponsors and fiduciaries can transfer some of the financial risks associated with cyber incidents to an insurance provider, providing an additional layer of protection for plan assets. Furthermore, cyber insurance can provide additional benefits beyond financial protection. Many insurance providers offer proactive risk management services and resources to policyholders, such as cybersecurity training, vulnerability assessments, and incident response support. These services can assist organizations in strengthening their cybersecurity posture and enhancing their overall resilience against cyber threats. However, it is important to acknowledge that cyber insurance should not be viewed as a substitute for a comprehensive cybersecurity plan. It is merely a component of a broader strategy that encompasses preventive measures, employee education, regular system updates, and ongoing monitoring. Having a formal cybersecurity plan in place provides a structured approach to safeguarding critical assets and minimize the potential impact of cyber incidents, including the role of insurance.”

The guidance states that when you contract with a service provider that the plan sponsor/fiduciary makes sure that the contract requires ongoing compliance with cybersecurity and information security standard, and be aware of provisions limiting the service provider’s responsibility for IT security breaches.  I asked Marilyn, as an attorney, what kind of provisions she would recommend be included in vendor contracts related to these requirements?  “If the draft agreement comes from the service provider, do not take the contract terms for granted. Be certain that the contract addresses the issues that are most important to you, and provides you with assurances that security compliance will satisfy designated industry standards, not only as of the date the contract was signed, but on an on-going basis. The DOL’s guidance provides some terms to consider.”  Again, trust, but verify!

A standardized questionnaire should allow you to compare each service provider based on how they answered their questionnaire.  With this, you can then have a committee meeting or meetings to compare and evaluate the submitted questionnaire, document the positives and negatives of each, and place a value or score on each for comparison purposes.  After discussions and evaluations, you should make your service provider selection based on the final “value” or “score” of each to justify why this selection was made.

If a service provider refuses to complete your questionnaire, consider that there is likely a reason for them not to complete it… Quite likely, they are not doing everything that they should be doing to protect client (your) data, and therefore, you may not want to use them.  If it’s an in-place vendor, you should definitely be looking at replacement vendors and a safe and efficient transition method to move the data from your old to your new service provider.

Why is it important to hire service providers with strong cybersecurity practices?  “For two key reasons,”  stated Monahan. “First, because choosing the right service provider is a fiduciary function. (This point was also emphasized by the new CAA compensation disclosure rules.) Second, because loose cybersecurity practices by a service provider create vulnerabilities, and vulnerabilities could result in a breach that could harm the employer and plan participants.”

To make this process easier for our clients, ABC has developed a sample questionnaire and chart for comparison for our clients to assist them in their selection of service providers, and to be sure the employer client is fully documenting their cybersecurity program based on the DOL guidance. 

“A checklist or questionnaire would be a great idea,” commented Mayeshiba, when I informed Aditi of ABC’s intention to create tools for compliance with the Guidance.  “It will give the uninitiated a baseline to begin asking the right questions of their IT staff.  Every company is different.  Every company does things differently.  A checklist or questionnaire will help get everyone on the same page to tackle a tricky problem.  One size does not fit all.”

Service Provider Monitoring

The DOL Guidance also requires plan sponsors/fiduciaries to create a cybersecurity service provider monitoring process.  Questions to ask yourself include:  a) what categories are you monitoring?, b) how often are you monitoring?, c) who is assigned to monitor?, d) do you have a documented process for all of this?

As a Plan Sponsor/Fiduciary, what will you do when you see insufficiencies or failures to perform?  What is your process in reporting this to the service provider and getting resolution or improvements?  Have you looked for who, what, when, and how?  Again, you should have all of these processes in place, and the ability to make corrections and changes as needed.

The Guidance makes it clear that you as a plan sponsor/plan fiduciary have an obligation to be sure that your vendor/servicer providers are using a recognized standard of information security and one or more outside third party auditors to review and validate cybersecurity.

As a plan sponsor/fiduciary, your confidence in a service provider increases if the security of its systems and practices are backed by annual audit reports that verify information security, system/data availability, processing integrity, and data confidentiality.  Therefore, you will want to verify if the service provider has annual audits and who the outside auditor is; then, be sure that you follow normal credentialling/fact checking/due diligence to be sure they are reputable and use NIST (National Institute of Standards and Technology and other security standards.

Other overall tips for Hiring a Service Provider with strong Cybersecurity Practices include of course, checking references, getting a consultant Seal of Approval, and using Legal Counsel when appropriate.  We also suggest that you keep your eyes open and don’t hire service providers only based on friendship, family relations, golf or sports buddies; you need to hire experts if you want to prove you have taken the guidance and your fiduciary roles seriously. 

Cybersecurity Program Best Practices

A Formal, Well-Documented Cybersecurity Program

The Guidance calls for a formal, well documented cybersecurity program.  According to the DOL, a sound cybersecurity program identifies and assesses internal and external cybersecurity risks that may threaten the confidentiality, integrity or availability of stored nonpublic information.  Under the program, the organization fully implements well-documented information security policies, procedures, guidelines and standards to protect the security of the IT infrastructure and data stored on the system.

A “prudently designed” program will protect the infrastructure, information systems and information in the systems from “unauthorized access, use, or other malicious acts by enabling the organization to identify the risks to assets, information and systems; protect each of the necessary assets, data and systems; detect and respond to cybersecurity threats; recover from the event, should one occur; disclose the event as appropriate; restore normal operations and services and quickly and efficiently as possible.”

Why is this formal program so important in protecting plan assets and overall ERISA compliance?  “There are several good reasons for having a written program,” stated Marilyn.  “One of those reasons is that the drafting process, on its own, is an important tool that can be used to identify and address both cybersecurity vulnerabilities and corresponding solutions. In addition, a written standard gives you a starting point for compliance, as well as a reference point for on-going risk analysis and upgrades. Finally, if you are audited, a well-written and well-thought-out program will provide proof of your commitment to cybersecurity.”

Should plan sponsors and plan fiduciaries be taking this seriously and if so, why? “By issuing this summary of ‘best practices,’ the DOL has announced that this is an area of concern and focus,” stated Marilyn. “Further, in the introductory paragraph of the guidance, the DOL clearly ties these best practices to existing ERISA fiduciary standards:  ‘Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks.’ Responsible plan fiduciaries would be well advised to take note.”

Interestingly and consistently, the DOL’s guidance on cybersecurity best practices mirror what ABC and Aditi Group (our Technology/IT/Cybersecurity partners) have been preaching since HITECH was enacted in 2009, and HIPAA related final regulations which were released in 2013 (with of course updates based on current threats, etc.).

A formal, well-documented cybersecurity program should establish strong security policies, procedures, guidelines and standards that meet the following criteria:

• Approval by senior leadership
• Review at least annually with updates as needed
• Terms are effectively explained to users
• Review by an independent third-party auditor who confirms compliance
• Documentation of the particular framework(s) used to assess the security of its systems and practices.

Again, consistent with the educational materials and trainings of ABC and Aditi Group, the DOL’s best practices guidance states that you should have formal and effective policies and procedures in place that govern things like data governance and classification; access controls and identity management; business continuity and disaster recovery; configuration management; asset management; risk assessment; data disposal; incident response; systems operations; vulnerability and patch management; system, application  and network security and monitoring; systems and application development and performance; physical security and environmental controls; data privacy; vendor and third party service provider management; consistent use of multi-factor authentication; cybersecurity awareness training, which is given to all personnel at least annually; encryption to protect all sensitive information being transmitted and at rest.

“It’s important to note that cybersecurity is a complex and ever-changing field,” stated Adriana. “Striking the right balance between regulation and innovation is crucial. Overly burdensome regulations could stifle innovation and impose significant costs on businesses, particularly small and medium-sized enterprises. Any government efforts to enhance cybersecurity requirements should be carefully crafted, taking much into consideration. It may be beneficial for the government to reassess and potentially enhance their requirements should be done thoughtfully, in collaboration with industry experts, and with a clear understanding of the potential impact on businesses and the overall digital ecosystem. Cyber Insurance providing financial backing should also be considered as a part of the solution.”

I asked Aditi Group Principals how important it is to have Senior Leadership involved with the cybersecurity program and why? “The company is at risk,” replied Mayeshiba.  “Addressing that risk must be made by Senior Leadership.  Assigning ultimate responsibility for the various cybersecurity functions must be made so that the POSITION, not the person, is the RIGHT person to take action.”

“We also know that actions speak louder than words,” commented Flittner.  “When we see people at the top involved, we know it’s important.”

This sentiment was echoed by Adriana Mendieta, cyber liability insurance expert.  “Having Senior Leadership engaged in the cybersecurity program is crucial. Leadership sets the tone, allocates resources, makes decisions and are key in incident response and compliance + legal considerations.”

Prudent Annual Risk Assessments

Again, 100% consistent with what ABC and Aditi Group have been training on since 2009, risk assessments are necessary and of the utmost importance.  In a risk assessment, you can identify, estimate, and prioritize information system risks.  IT and cyber risks are constantly changing, and your risk assessment schedule should reflect that.  If you want to be safe, you must constantly adapt to new threats and know how to mitigate them.  Waiting only puts your firm and your assets, including your data, at greater risk.

Why is this documentation and annual risk assessment so important?  “When you’re standing in front of a judge, they want to see evidence that you’ve at least made a good faith effort to comply.  This is your vehicle,” stated Mayeshiba.

Flittner commented:  “Remember the mantra: If it’s not in writing, it didn’t happen. Assessments, action plans, and notes along the way become the evidence that a program IS real.  Investigators look for these documents right off the bat.  Every business changes and technology evolves so quickly year after year that what we thought was “safe” last year may not be now.  Risk assessment MUST be a repeated action or risk will grow and grow over time.

So what does a Prudent Annual Risk Assessment accomplish?  “The environment is constantly changing,” stated Mayeshiba.  “Cybercriminals are improving their techniques, software and attacks.  As we know more, we need to assess differently.  It’s ‘whack-a-mole.’”

“Documentation and annual risk assessments are critical components of a proactive cybersecurity approach,” stated Adriana. “They help organizations identify and mitigate risks, ensure compliance with regulations, enable effective incident response, and enhance the prospects of obtaining adequate cyber insurance coverage.”

Adriana continued,” Prudent Annual Risk Assessment is a vital tool in the world of cyber, particularly when it comes to qualifying for cyber insurance. It enables organizations to identify, quantify, and mitigate risks, and are prepared or not to respond to any cyber incidents.”

A Reliable Annual Third-Party Audit of Security Controls

It’s vitally important that you have an independent auditor assess an organization’s security controls which provides a clear, unbiased report of existing risks, vulnerabilities and weaknesses.  As I always say in training, an in-house IT Team should NEVER evaluate its own in-house security.  It’s like putting a proverbial chicken in charge of watching the hen house… or in more corporate terms, an IT Team is stressed enough.  If they know that an outside audit could result in them having to do more work, or modify or change what they spent months or longer putting in place, they tend to be a bit  protective of their work, and time and energy put into it.  Therefore, in their eyes, and in reports to senior management, they are less likely to report their own weaknesses.  Sometimes it takes an outside auditor to put the spark under them to make them tighten things up to be more secure.

“Involving an independent third-party in reviewing a cyber program and policies brings objectivity, expertise, credibility, compliance verification, and risk mitigation to the process. Their involvement strengthens the overall effectiveness of the program, instills confidence and helps organizations stay resilient,” commented Adriana.

The Best Practices guidance states that the program and policies should be reviewed by an independent third- party auditor who can confirm compliance.  I asked Aditi Group why is this third party so important, and is this something that Aditi Group does for employer plan sponsors?

Flittner responded:  “The outside viewer can spot things that insiders look past or forget about.  And insiders often just assume something has to be a certain way – “it’s always been this way.”  And impartiality allows an outside viewer to highlight and include things that may be too sensitive or political hot potatoes.

“Yes, we have done these audits,” confirmed Mayeshiba.  “Sometimes, the company comes to us and says, ‘we’ve done our best, can you please review our situation and documentation?’  We have also started from scratch with companies that have nothing in place and want us to build something for them.”   So there is help out there, if you need it.

Clearly Defined and Assigned Information Security Roles and Responsibilities

The DOL Guidance clearly states that for a cybersecurity program to be effective, it must be managed at the senior executive (fiduciary) level and be executed by qualified personnel.  The Guidance calls for the Chief Information Security Officer (CISO) to establish and maintain the vision, strategy, and operation of the cybersecurity program which is performed by qualified personnel who should have sufficient experience and the necessary certifications; the program should be subject to initial and periodic background checks (because, let’s face it, things happen since people were  hired); the program should include regular updates and training to address current cybersecurity risks; the program should reflect current knowledge of changing cybersecurity threats and countermeasures.

Strong Access Control Procedures

Access control, says ABC, Aditi Group and the DOL, is a method guaranteeing that users are who they say they are and that they have the appropriate access to the systems and data.  This includes two main components:  authentication and authorization.  The Guidance provides best security practices for access control, which again, is consistent with those provided by ABC and Aditi Group.  They include access to systems limited to authorized users, process, devices, activities and transactions; access privileges, which are reviewed at least quarterly; a requirement for complex and unique passwords; multi-factor authentication; P&Ps and controls to monitor activity and detect unauthorized access, use of or tampering with nonpublic information; procedures that ensure sensitive data about a participant or beneficiary in the service provider’s records matches the information that the plan maintains; confirmation of identity of the authorized recipient of any funds.

Assets or Data Stored in a Cloud or Managed by a Third-Party Service Provider Subject to Appropriate Security Reviews and Independent Security Assessments

Cloud computing always has dangers and challenges.  A cloud means that a third-party is storing the data.  Organizations must understand the security posture of the cloud service provider in order to make sound decisions on their services.  Best practices include requiring a risk assessment of third-party service providers; defining minimum cybersecurity practices; periodically assessing third party providers based on potential risks; and ensuring that guidelines and contractual provisions protect all parties.  Be sure to have a HIPAA Business Associates Agreement in place with your cloud providers if there is any HIPAA or related information stored there.

Why is it best to have a third-party cloud provider reviewed and have independent security assessments?  “The “Cloud” is too easily out of sight and out of mind,” commented Flittner.  “It’s too easy to ignore risks that can be understood and addressed.  Sometimes an assessment leads us to make big changes.  And change can mean more work for someone for a time.  It’s easier to not look and pretend that it’s all ok…”

Mayeshiba commented:  “Cloud computing has become very powerful and ubiquitous in the business.  Everywhere your data resides, every link from your business to that data, is at risk.  Do you have an agreement in place with your cloud provider that insures your data from breach?  Probably not.  No one can realistically take that bet, because you (the user) may well be culpable for the data breach on their cloud system.  So could others in the supply chain.  Yes, a security assessment should be done on all ‘third party vendors’ including cloud providers.”

“When an organization entrusts its data to a cloud provider or a third-party service, it essentially transfers some level of control and responsibility for the security of that data,” Adriana commented. “Then it becomes essential to thoroughly review and assess the security measures implemented by these providers to the same accountability of other 3^rd party providers.”

Cybersecurity Awareness Training Conducted At Least Annually

As we’ve been saying at ABC and Aditi for over a decade, the weakest link of any organization’s cybersecurity is their own employees.  How well or how little you train them will determine your fate in most cases.  It’s imperative that you train your employees at all levels of the risks, what to look for, and what to do and not to do (such as clicking on links that may result in malware, ransomware or other cyber threats entering your systems).  I’m happy that finally the federal government has put a priority on training and is stating that it should be done at least annually.  Without prior guidance, some firms went years before re-training their staff.

Secure System Development Life Cycle Program

The DOL’s Guidance recommends a secure SDLC process that ensures that security assurance activities such as penetration testing, code review, and architectural analysis are an integral part of the system development effort.   This includes such protections as configuring system alerts to trigger when an individual’s account information has been changed; requiring additional validation for distributions; requiring additional validation if personal information has been changed prior to a request for a distribution from an account; periodic reviews and updates; a vulnerability management plan; and annual penetration tests.

Business Resiliency Program Which Effectively Addresses Business Continuity, Disaster Recovery and Incident Response

Business resiliency is the ability to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and data.  You should, at minimum, have in place a Business Continuity Plan, a Disaster Recovery Plan, and an Incident Response Plan.

I asked Aditi Group how high of a priority should business continuity, disaster recovery and incident response be to plan sponsors/plan fiduciaries?  “The greatest chance for a criminal to get into your system is when you aren’t looking,” replied Mayeshiba.  “You’re too busy with an earthquake, storm, flooding, etc.  A plan for everyone to lock down the data when an exogenous event occurs is critical.”

“Given the potential financial and reputational impact of cyber incidents, the Business Resiliency Program should be treated as a high priority by plan sponsors and fiduciaries,” informed Adriana. “Investing in proactive measures, including cyber insurance, demonstrates a commitment to protecting the organization, its stakeholders, and the beneficiaries of the plan. It also helps fulfill their fiduciary duty to act in the best interest of the plan participants and beneficiaries by safeguarding their data and assets.”

Encryption of Sensitive Data Stored and in Transit

It’s no secret that the best way to protect non-public information is to encrypt it.  Organizations should implement current, prudent standards for encryption keys, message authentication and hashing to protect the confidentiality and integrity of the data at rest or in transit.

Strong Technical Controls Implementing Best Security Practices

Technical security solutions are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.  Best practices for technical security, again, consistent with ABC/Aditi recommendations, include:  Keeping your hardware, software and firmware models and versions up to date; using reputable vendor-supported firewalls, intrusion detection and prevention tools or appliances; using current and regularly updated antivirus software; implementing routine patch management (preferably automated); implementing network segregation; using system hardening; and having routine data backup (preferably automated).

Responsiveness to Cybersecurity Incidents or Breaches

It’s usually not if, but when a cybersecurity breach or incident occurs, and when it does, you should be taking appropriate actions to protect the plan and it’s participants, including: informing law enforcement; notifying the appropriate insurer; investigating the incident; giving affected plans and participants the information necessary to prevent or reduce injury; honoring any contractual or legal obligations with respect to the breach, including complying with notification requirements; fixing the problems that caused the breach to prevent its recurrence.

Online Security Tips

The third of the three DOL Guidances provided online security tips, which are 100% consistent with our current training tips provided by ABC and Aditi Group.  The guidance states that you can reduce the risk of fraud and loss to your retirement account (or other plans), if you follow their (and our) online security tips, including registering, setting up and routinely monitoring your online account, using strong and unique passwords, using multi-factor authentication, keeping personal contact information current, closing or deleting unused accounts, being wary of free wifi, being aware and taking efforts to eliminate or reduce phishing attacks, using antivirus software and keep apps and software current, and knowing how to report identity theft and cybersecurity incidents.

Of course, phishing attacks are aimed to trick you into sharing your passwords, account numbers, and sensitive information, which allow the “bad actors” to gain access to your accounts.  You should always be aware of these, and train your staff to be wary of messages that may look like it comes from a trusted organization, to lure you into clicking on a dangerous link or passing along confidential information.  Warning signs include a text message or email that you didn’t expect or that comes from a person or service you don’t know or use; spelling errors or poor grammar; mismatched links (a link that sends you to an unexpected address; watch for those by hovering your mouse over the link without clicking on it, so that your browser displays the actual destination); shortened or odd links or addresses; an email request for your account number or personal information; offers or messages that seem too good to be true, express great urgency, or are aggressive and perhaps scary; strange or mismatched sender addresses; or anything else that makes you feel uneasy.

We always suggest that you check with your IT department or your Security Officer if something doesn’t look or feel right, and always be cautious, and DON’T CLICK unless you are 100% sure that the email is legitimate.

I asked Aditi if there were additional tips/suggestions for online safety they’d like to share, in addition to what is stated in the guidance.  “The tips are all good ones,” stated Flittner.  “But there are other factors to remember, such as the security of the device they are using.  Is it shared with others?  Is it up to date with security patches and releases?  Is it still supported? Think Microsoft Windows 7, not end of life for software updates.  Does it have other vulnerable software on it that hackers can exploit (think multiplayer games for example)?  Be aware of who may be looking over your shoulder when you are online as well.  Keep it to yourself. Don’t look for anti-virus alone to catch all malware that you might innocently download or flaws that hackers may exploit.  Reduce risks in ALL areas”.

Overall Policies and Procedures for Cybersecurity and Their Importance

All three sets of guidance are very helpful and much-needed.  I for one have been saying (and writing) for years that we needed more federal action and guidance on privacy and security.  Knowing that the DOL/EBSA has made it clear that plan sponsors and fiduciaries need to pay more attention to cybersecurity, and adding this to DOL audits, should hopefully increase overall awareness and prioritize cybersecurity as you prioritize protecting your other assets.  It does make me feel good that the DOL has affirmed everything we’ve been teaching for so many years in our electronic security training.  I asked Aditi if they feel it’s about time that the government stepped up their requirements for cybersecurity.

“Absolutely,” replied Flittner.  “Can we get an AMEN?!”

“Plan sponsors and plan fiduciaries should indeed give serious consideration to the Department of Labor’s requirement for Cybersecurity Policies and Programs,” stated Adriana. “Cyber threats pose a substantial risk to ERISA plans, and it is crucial for sponsors to prioritize the protection of assets, compliance, and safeguards.”

I asked Marilyn Monahan, on a scale of 1-10, 10 being of highest importance how she would rank the importance of Cybersecurity. “How can a compliance lawyer pick a favorite? Isn’t that like asking a parent to choose a favorite child? Let’s just say the time is right to make this a priority.”

The bottom line is, had Colonial Pipeline, Anthem, a myriad of health insurance companies and providers and many others practiced what this guidance is asking plan sponsor and plan fiduciaries to do, their breaches and ransom situations may not have happened, or may have been mitigated sooner and been less costly.  So, learn from those who didn’t practice the policies and procedures and awareness of the importance of cybersecurity in the past, and hopefully, your data will be protected.  ##

About the Author: Dorothy Cociu is the President of Advanced Benefit Consulting, which was honored by HR Tech Outlook in 2023 for Top Employee Benefits Solutions Provider and in 2022 for Top Employee Benefits Service Company.  Dorothy is a proud member of the Professionals in Human Resources Association (PIHRA), Self-Insurance Institute of America, National Association of Benefits & Insurance Professionals, California Association of Health Insurance Professionals (CAHIP), and current VP of Communications for CAHIP-Orange County, CA. 

Author’s Note:  I’d like to thank Marilyn Monahan, Aditi Group and Adriana Mendieta for their assistance with this article.  Marilyn can be reached at Marilyn@monahanlawoffice.com, Ted Flittner can be reached at ted.flittner@aditigroup.com, Ted Mayeshiba at ted.mayeshiba@aditigroup.com, and Adriana Mendieta at adriana@mendieta.net. The author can be reached at (714) 693-9754 x 3, or toll free at 866 658-3835, or by email at dmcociu@advancedbenefitconsulting.com.  Be sure to listen to ABC’s informative benefits and compliance podcast, the Benefits Executive Roundtable, to stay up to date.  It can be found on all major podcast platforms, and ABC begins Season 5 in the fall, 2023. 

Published in HR Tech Outlook: Talent Management

I was fortunate to have two incredibly talented and knowledgeable experts join me in presenting several classes during Advanced Benefit Consulting’s Lunch & Learn program in January, 2023; Kathy Ruffino, Vice President & HR Consultant and Trainer from Train Me Today, and Marilyn Monahan, Esq, of Monahan Law Office, ABC’s benefits and insurance attorney. While putting together the four classes for that program, we were able to share ideas, experiences and expertise in a way that was very productive, creative and interesting for the attendees and for us, the presenters, as well. Our second class presentation was of the same title as this article, followed by Benefit Programs to Attract and Retain Talent for All Job Tiers. I learned so much from this experience that I wanted to share it with others, so I hope you’ll enjoy reading about this important topic.

Challenges for Employers Post-Pandemic

I think that one of the greatest challenges employers have in our post-pandemic world is recruiting talent and keeping those recruited from moving on quickly to other employers, after tremendous time, energy, effort and money was spent on bringing them on and training them for their new positions. It’s an HR Professional’s nightmare, as well as senior management, as the turnover never seems to end, with what seems like little or no hope for improvement any time soon. Let’s face it; employers, as I mentioned, are at the mercy of the employees they are trying to recruit and retain. So, what makes one employer better than the other, as a job candidate creates their potential job spreadsheet, and you fit only into a simple square that may contain only a check-mark or a one word comment when they go back to compare job possibilities? How do you stand out? What will make those job candidates want to work for you, and want to stay with you for multiple years?
What have we seen post-COVID? Everything has changed… Employee engagement has diminished, people are discovering, or re-discovering, the need for life/work balance, and the labor force expectations and demands have changed. Most notably, employers have experienced a shrinking labor pool for jobs that had previously been easily filled. And simultaneously, new labor laws have made things even more difficult for employers. So how do you navigate all of this change?

We are seeing now “quiet quitting,” which Kathy Ruffino says is now the new slang for employee engagement. “What they are telling you now is that they are not going to do seven jobs for the pay of one.” Post-COVID employees are saying they will no longer work their 40 hours during the week and another 10-20 over the weekend. The new workforce post-COVID, per Kathy, is saying “No, you know what? I’ll work 40 hours. That’s what you pay me for, so that’s what I’ll do.”
What, specifically, are job applicants looking for post-pandemic? “It’s pretty simple, actually,” stated Kathy Ruffino. “Applicants are expecting rewards that compensate them for the work they do.” So, what do employees or job applicants want? Although we’ll get more into details later, they want:

• More and better benefits
• Higher pay
• More flexibility in their work schedule
• Remote or hybrid work
• Advancement opportunities
• Recognition and rewards programs.

Kathy stated, “They are looking for you to value them. Recognize their hard work. Recognize what they contribute to your organization’s success. It doesn’t always have to be monetary, but it has to be sincere and authentic.”

The Need for Remote or Hybrid Workers

One of the most common themes of the majority of job candidates is the need to find remote or hybrid work. For those jobs that can be done from home, full-time or part-time, human resources and supervisors and managers are struggling to figure out how to design job descriptions for remote employees at all tiers, and are finding it even more challenging to hire a remote or hybrid work force. As an employer, what do you need to offer in the form of benefits that attract and retain recruits, and keep them on the job? What can you do to keep them on your team, and what tools do you need to keep employees engaged long-term if they are working remotely?

It’s true; workplaces changed dramatically during the pandemic. There are now fewer people in offices, and more and more people working from home, or wherever they may be, but somehow, the work still needs to get done! So, how do you manage all of this?
First, you need to take a step back and determine exactly what jobs can be offered remotely or on a hybrid basis. Stop thinking about what you thought to be true in 2019, and get onboard with what’s going on in 2023. Many managers may automatically say no, this job or that can’t be done remotely, but is that really true? Here is the reality in 2023…. 80% of workers want jobs that are remote or hybrid, so if you are refusing to offer remote or hybrid jobs, you will not find good candidates to fill those jobs in many cases, because quite simply, they will go somewhere that does.

We all know that there are some jobs that are not conducive to working from home, so let’s put those aside first… Think production jobs, manufacturing, tool making, bank tellers, etc. But what about the other positions in the company? From a strategic planning perspective, you need to consider the essential duties of the job and determine whether all or part of them can be performed offsite. Then, if you determine that some of these jobs can be done from home or on a hybrid basis, how will you manage your remote workers? How will you keep them engaged while off-site, and what new expectations will be placed on managers that have employees working off-site? “Ask your employees. They have amazing ideas,” stated Kathy. “What does it cost you to have people remote? What does it cost you to not?” stated Kathy. The reality is, you could lose 40-60% of your potential applicants by not offering remote work.

Marilyn Monahan stated that she has read that countries like “Spain, as well as 25 other countries, are offering new work visas for people that want to work remotely.” These opportunities will only increase the likelihood that more individuals will be looking for fully remote positions.

Matters of confidentiality and technology cannot be overlooked if working at home. Can information be properly protected from unauthorized access, deletion, or alteration? “If the only option is using the family computer, then you’ve got issues,” stated Marilyn Monahan, particularly if the remote worker will be handling confidential, protected, or trade secret information. “Can you support them by providing them with a company computer?” This topic is something I’m personally very familiar with, as we are HIPAA Privacy & Security consultants and trainers also, and we work with an elite group of technology partners that are experts in electronic and cyber security. Our last class on January 24th actually discussed this topic, but unfortunately it’s too much information to include in this article!

Employers need to weigh the costs of a remote or hybrid workforce to determine if it’s feasible. While we all know many employers prefer to have their employees working onsite, failing to consider the viability of remote or hybrid work as an incentive to job applicants and employees may actually be far less costly than the lost productivity due to the employer’s failure to hire and retain good people in all job tiers!

How to Offer Cost-Effective Additional Job Benefits and Incentives to Stay on the Job Long-Term

One effective solution, according to Kathy Ruffino of Train Me Today, has been to provide incentives to help you recruit and retain quality employees. You need to think outside of the box and the usual “menu” of pay and benefits to create a total rewards package that will attract applicants and retain employees.

How do you do that? By offering both company-paid and voluntary (supplemental) benefits to your employees, by providing on-site day care or offsite day care subsidies, by providing ride-sharing, student debt and college tuition assistance, by creating career pathing and promotions within the company culture, by having a strong employee reward and recognition program or programs, by training and developing your employees, and by providing personal days off, usually on a monthly or quarterly basis. Most importantly, states Kathy, is that you “must deliver what you promise!”

“On-site day care is always an interest for the employees, but not so much for employers… The insurance for that is phenomenal. The risk of having a child care center on site is incredibly expensive from the insurance and safety perspective, and lawsuits,” stated Kathy. “A lot of employers pulled away from that. The subsidies, sure. That’s always attractive, especially for parents that are working hourly wages. Daycare is expensive.”

Student tuition debt and tuition assistance has come back strongly. “In the 80’s, tuition reimbursement was a standard. Then it kind of went away, but now it’s something to think about again,” commented Kathy. It’s a big cost. But, you can tie it to certain things, like grades, etc.

Can these types of benefits be offered by class? Yes, they can be offered by class, as long as you don’t discriminate within a class. It’s always best to have your benefits lawyer review these before implementing.

You can tie things to a time-frame, like tuition reimbursement, to assure longevity. It’s best to talk this through with an expert. You want to be sure you’re offering the right benefits to attract workers, and look beyond that as well.

“People don’t leave just based on benefits, pay and child subsidies. They leave because they don’t like management. More employees quit because of their management than anything else,” stated Kathy Ruffino. Perhaps management training is more important today than ever before.

How to Stand Out on a Job-Seeker’s Job Comparison Spreadsheet

The most important thing you can do to stand out to applicants, according to Kathy, is to develop your Employer Value Proposition. In our live presentation on January 24, 2023, Kathy referred to a survey conducted by Universum of nearly 2.500 HR, Marketing and Talent Acquisition Managers from 50 countries that found that these types of companies have created employer value propositions: 67% of large companies (10,000 employees), 55% of medium-sized companies (1,000 to 9,999 employees), and 30% of small companies with fewer than 999 employees. Why do this? According to Kathy, you need to do this to show job seekers who you are, and to show them what they can expect if they are to work with your organization. A Value Proposition will teach you to promote careers, not just the job, and how to use social media to tell your story to potential applicants. Very importantly, a good Value Proposition will allow you to share news about the awards the company has received, the partnerships it has, and the advances in your industry. All in all, a Value Proposition will help you to STAND OUT to applicants in every way possible.
“Candidates today are looking for purpose,” stated Kathy. …”What is the purpose of your company and why would I want to work for you? It’s no longer ‘I just need a job’. They are in high demand. They know they can work anywhere they want. What makes you different? What makes them say I want to work for this company because, wow, look at what they believe in. Employer Value Propositions tell the candidates who you are.”

Good examples of Employer Value Propositions include HubSpot, a software developer, whose emphasis is that employees are treated like people, not bottom-line items. “Employees are whole people, with families, hobbies, and lives outside of work. We work remotely, keep non-traditional hours, and use unlimited vacation to create work-life fit for us and the people we love.” While not every organization would want or could afford unlimited vacation time, it’s definitely a strong Value Proposition to attract talent!
Another example of a good Value Proposition is Unilever, who works in consumer goods. Its emphasis is on the opportunity to work alongside brilliant, inspiring leaders. “Unilever is the place where you can bring your purpose to life through the work that you do, creating a better business and a better world. You will work with brands that are loved and improve the lives of our consumers and the communities around us.”

Recruit and Select the “A” Players

Key steps to recruiting and selecting the “A” players include conducting thorough interviews, but using more than one qualified interviewer whenever possible. “It shortens your bias. It gives you a better view… Use more than one person if you can,” recommended Kathy.

Another key step is to ask success-prediction questions, to dig deep and learn what is important to each candidate. What are they passionate about? What might attract them to accept the job and stay? Interviewers need to pay attention to patterns for why they accepted previous jobs and perhaps ask about the impact they made on previous companies when working for them. According to Kathy, “Lackluster candidates will be lackluster employees.” If you’re hearing one theme, pay attention… It’s the common theme with all of their jobs, and that’s not going to be offered, so you’re probably not going to keep that person.”

One important thing to NOT do, according to Kathy, is to show candidates around and introduce them to your team unless you have made an offer. If you do, it sends the wrong message, and makes them think they have the job. “It sends a really bad message… Why would you introduce them if you weren’t [hiring them]? Please stop doing that. It’s really bad PR for your company, because now when they don’t get the job, they are going to tell everyone how horrible you were.”

Retaining Your Employees

Now that you have quality new hires, how do you retain them, along with retaining your current/longer-term employees? One thing to keep in mind is that while you’re putting most of your efforts into bringing on new and quality new hires, your current employees may very well be looking for new opportunities themselves! Because let’s face it… they know what’s going on in the world and they know that if you don’t give them what they want, they can go somewhere else that can and will.

Keep in mind; culture is everything. You need to create and maintain a culture that shows you value your employees and demonstrate that culture in everything you do. You should also provide learning and development, and provide your employees opportunities to learn and develop new skills and increase their self-worth and value within the organization.

Something that should not be forgotten is that supervisors and managers want and need training. You should require training for your leadership team to learn and fine-tune their skillsets needed to be effective leaders. According to Kathy, supervisor and manager training is their most popular training in recent years. “Organizations have discovered that we promote people into management positions, and they have no skills in which to manage. They have no idea how to be a manager or a supervisor. They have no idea how to stop being friends with co-workers and now they have to manage them.” Make sure you give them the skill sets and make sure they are ready. Not all excellent producers are good managers. You could not only have a poor manager, but also lose an excellent producer. If you can’t train them, you may not want to promote them.

“I had an employee who was amazing at her job and her manager kept wanting to promote her,” recalled Kathy. “She came into my office and said please don’t let them promote me. I don’t want to be in management, and her manager did it anyway, and did it in a town hall meeting. She quit the next day. She was an amazing, 11-year employee, and she left.”

As an employer, you should re-engage your workforce on a continuous basis. You should create opportunities for all employees at all levels to reconnect and re-engage with each other.

In addition, you should remember to pay equitably. The compensation you offer as an employer needs to reflect the job requirements. You should keep in mind that employees will no longer do three jobs for the compensation of one job. If you do that, they will move on to another employer, sooner rather than later.

Another good thing to keep in mind is to promote from within. If you show your employees that there are real opportunities within your organization, they may not be as quick to look elsewhere. Be sure to post your open positions internally regularly, and be sure all of your employees are aware of openings on a consistent basis.

Another way to retain the employees that you value is to provide a mentoring partner in your organization who can mentor them in their career path.

As mentioned previously, reward learning and skills development. Provide recognition to your employees and rewards (monetary or in-kind) to employees when they learn new applicable skills or gain additional knowledge.

Lastly, be present, and actively and intentionally connect with your employees. You should develop a frequent walk-through of the office, acknowledge people by name, ask casual questions to get to know more about the people who work for you and with you. Show them that you know them, and show them that you see them!

Benefit Programs to Attract and Retain Talent at All Job Tiers

In another session on January 24th, Marilyn Monahan and I discussed in detail the types of benefit programs that attract and retain talent at all job tiers. I’d like to share some of that with you in this article.

In a SHRM State of the Workplace Study for 2021-2022, the top 2021 Occupational Challenges included, in the top category, Labor Shortages, with approximately 85% of companies having them. In that same study, the highest number of responses indicated that employers need to increase benefits and compensation for current and/or new talent: “Offer more competitive wages to existing and loyal employees, and new talent.” Also included in this were “Lower insurance costs, better compensation, leave policies, and work flexibilities.” In addition, Metlife’s 20th Annual US Employee Benefits Trends Study in 2022 stated that overall job satisfaction has reached a 20-year low, and loyalty continues to decline, particularly among women. “Concerns about job security, prevalent early in the pandemic, have been replaced by a sense of empowerment. Knowing that they are in demand, many workers are convinced they can find more attractive roles, opportunities, and compensation elsewhere.”

So, how can you best attract talent? According to these and other surveys, an employer must offer good medical and dental benefits that meet their needs and budgets. You can’t assume that one size fits all, and all employees want the same thing. Offering only one medical and one dental plan may not put you on top of that candidate spreadsheet. It may, in fact, drop you to the bottom, because you’re not attempting to meet their particular needs. It’s important to understand that not all candidates want the same thing. If for example, you are looking for a new Vice President of Sales, and your top candidate is a healthy, athletic 30 year old single man that has sizable student loan debts still, and rarely sees a doctor, your very rich “Platinum” level plan may not be of interest to him. He may instead take a job from an employer that gave him 3 medical plan choices, and the one he chose was a “bronze level” medical plan, but he selected from the 3 dental plans offered a rich PPO dental plan with a $2,000 annual limit, plus a Section 127 Educational Assistance Program, which could help him pay down his high cost student loan, and a strong 401(k) plan with matching employer contributions, because those are the benefits he was looking for.

The most wanted candidate for the new position of President you were looking for may not accept your job because he is in his late 40s, has a large family, 3 homes and several garages full of new vehicles. He wants a rich medical plan, rich dental plan, a disability plan, a good retirement plan with employer matching, and many ancillary benefits. Your high deductible health plan, with or without an HRA, HSA or Section 125 plan may not be of as much interest to him, particularly if that’s all that you offer.

Your opening for a Production Line supervisor is a key position to keeping the company running smoothly. Your best candidate is a 52-year old man, slightly overweight, not very active, loves his weekends with football and beer. He is married with 1 child who is 16 and one who is 20 and is in college. He and his wife were most interested in saving money for the kids’ college education. The job he chose over yours, which offered only a 70% medical plan, no company-paid dental plan and no retirement plan, was a job that offered a “gold-level” medical plan, a dental DMO with low copays, a 401(k) with matching, an FSA, and a Section 127 educational assistance plan.

If you’re a hotel or a restaurant and have openings for restaurant workers, like waiters and waitresses, those employee needs may be different than your management staff. Your best candidate would be paid just above minimum wage but would receive good tips. She is a single parent, goes to college at night, age 25, healthy, with a 5-year old child with chronic allergies, who needs to have an Epipen handy, just in case, and will need braces soon. You offered a high-benefit, but also a high cost from payroll deductions, medical plan, and a dental PPO plan without orthodontia that was also pricy from her perspective. The employer she selected, in lieu of you, is an employer who offered an enhanced silver plan with a high deductible, with a $25 PCP office visit and $10 generic drug copay, a DMO dental plan with orthodontia and no annual limit, an FSA with Child Care benefits, and a Section 127 educational assistance plan.

So what do these selections tell you, other than you missed out on some excellent candidates? Most importantly, that one size does not fit all, and limited benefit options will even more limit your pool of candidates.

We always suggest that you should perhaps view the ACA requirements for “affordability” and ask yourself if your benefits are truly “affordable” to the types of employees you need to hire. If you only offer a rich PPO and nothing else, although the government may say your contributions are “affordable,” are they really, to that job candidate? Or maybe they are affordable, but you’re offering too rich a plan for that particular employee. What the pandemic and the aftermath of the employment world of 2023 is showing us is that you need many choices to attract and retain employees. If you can offer, for example, 3 different medical plans with varying benefits and payroll deduction amounts, you can serve a much wider population of good candidates. If you have a “core” benefits plan and two buy-up plans, you may see more options that look good to potential employees. Your dental plan should also have options… Maybe a PPO plan and a DMO (dental HMO) option with ortho coverage, as the DMO would be more attractive to lower paid workers and those with kids needing a lot of dental care, while others may like the richer PPO, even though it will cost them more.

Another example: You only offer a region-specific HMO. This option will not be attractive to remote workers if they live out-of-the-area or out-of-state. Consider offering a second or third option with broader coverage.

With today’s inflation, employees are struggling. Employers need to be sensitive to this. Are your plans truly affordable to your lower-paid employees? Have your wages kept up with the cost of living in 2023?
“When you’re looking at true affordability for the employees, you can make an argument that making your plans cheaper, so that more of the employees will sign up, is a benefit to the employer…You’re going to have a healthier workforce. As I understand it, workers’ compensation claim costs, and therefore premiums, go down as more employees enroll in your insurance. So, it may seem like more of an outlay toward your health benefit costs, but there be could be other benefits down the line by structuring your contributions in a way that you maximize who is going to sign up for the coverage,” suggested Marilyn Monahan.
Employers need to listen to employees during interviews and see what candidates seem to be most interested in. Listen to your existing employees, listen to human resources, or do surveys. Maybe you are paying for benefits that no one is interested in, so it’s wasted money. If the majority of your workers do physical labor the majority of the week, a gym benefit may not be as important to that population (although it may be to the office staff). Pay attention to your demographics… If your population is over 40, orthodontia may not be needed. Having choice is the best thing you can offer.

Some candidates may hesitate to ask about your benefit package, so provide information about your benefits package up front. Marilyn Monahan shared these thoughts with me. “I have talked to young women who were hesitant to ask about maternity benefits, because they were afraid they would not be hired if their employer thought they might soon be taking maternity leave. I have also known people to be concerned about asking too many questions about health benefits, in case the employer would think they would heavily utilize the plan and cost the plan too much money, and that would weigh against them in the hiring process. Of course, not hiring someone on these bases is discriminatory and prohibited by law, but employees still worry about asking and then being turned down for the job. All the more reason for the employer to be up-front about what they offer.”

“Years ago I was a VP of HR for a company and the president, in his infinite wisdom, decided that everyone should go on Kaiser, because he was on Kaiser, and because at that time, Kaiser was the cheapest, and we had 47 resignations within an hour, so what Dorothy is saying is absolutely true. It was removing the choice that made the difference. He wanted to drop the other option and put everyone on Kaiser,” commented Kathy Ruffino.

Importantly, you shouldn’t stop at just medical and dental benefits. Job candidates want more choices, more options, so that they can pick what they want, as they know if you don’t offer it, someone else will.

Consider, even if on a voluntary basis, vision, disability, 401(k) plans, as well as life, cancer and other voluntary options, and if you want to hire younger people in any job position, particularly high tech jobs, consider adding a Section 127 Educational Assistance Program, as many young people are carrying heavy student loan debt, or continuing to finish college part-time, and would appreciate the tax-preferred benefits under Section 127.

A Section 127 Educational Assistance Program is an effective way to attract younger and high-tech employees, particularly, but they are helpful to many. An amendment to Section 127—passed during the pandemic—allows employers to set up Educational Assistance Programs that reimburse either tuition or qualified student loan debt tax-free to the employee. “The total contribution an employer can make is a maximum of $5,250 per year, for both tuition or student loan debt,” stated Marilyn. “If you have a workforce that is carrying a lot of student loan debt, you can pay up to $5,250 per year. At the federal level, that is tax free to the employee. California has not passed a conforming bill, but there are still benefits on the federal side.” You need a separate plan document to offer this type of plan, and there are some hoops to jump through, but they are generally worth it. The tax benefit runs out at the end of 2025, but it is possible Congress could extend the benefit beyond that date. The popularity of this benefit is huge, particularly with this inflation. If you’re not offering one, you should talk to a benefits expert to help you set one up.

Other benefits that are polling well now include adoption assistance, fertility benefits, long-term care, parking benefits, child-care options (even if only a subsidy or reimbursement through a section 125 cafeteria plan), gym memberships, cancer, critical illness, short- and long-term disability, and of course, educational assistance programs.

Another benefit that has been popular lately is pet insurance. “Employers can’t subsidize it or offer it on a group basis, but by offering it they can make it easier for the employee to locate and sign up for it,” commented Marilyn.

If you don’t think these plans are affordable to you, you should talk to a qualified broker/consultant that can walk you through how you can offer these types of plans on a cost-effective basis. You may be able to use alternate funding arrangements to lower your costs considerably, so speak to an expert on self-funding, level funding and other alternate funding arrangements.

Most importantly, you need to pay attention to what is happening in the employment world right now, and if you want to fill those 20+ jobs that are open, you may need to adjust your thinking a bit and conform to what is happening today.

Happy job-filling! ##

Author’s Note: I’d like to thank Marilyn Monahan (marilyn@monahanlawoffice.com) and Kathy Ruffino (kathy@trainmetoday.com) for their assistance with this article. You can find out more about all of these things by reviewing our recorded sessions from January 24, 2023’s Lunch & Learn program, on our website at www.advancedbenefitconsulting.com on our Empowered Education Center, with on-demand video education programs, or by listening to our podcast series, the Benefits Executive Roundtable, found on all podcast platforms. You can also reach the author, Dorothy Cociu, at dmcociu@advancedbenefitconsulting.com.

Reporting Deadlines

This mandate will require that plans/issuers report for 2020 and 2021 calendar years by December 27, 2022, and annually thereafter on June 1:

• The 50 brand prescription drugs most frequently dispensed by pharmacies;
• The 50 most costly prescription drugs; and
• The 50 prescription drugs with the greatest increase in plan expenditures

In addition, plans/issuers must report total spending; spending on prescription drugs by the plan as well as by participants/beneficiaries; and the average monthly premiums paid by participants/beneficiaries and by employers on behalf of participants/beneficiaries.  Plans/issuers must report rebates, fees, and any other remuneration paid by drug manufacturers for each reporting period.  For subsequent years, entities must report for 2022 calendar year by June 1, 2023, and then must report for each calendar year thereafter by following June 1.  

Applicability

What health plans and issuers are required to submit include the following:  Fully-insured and self-funded group health plans, including Health insurance issuers offering group coverage, Non-federal governmental plans, such as plans sponsored by state and local government, Church plans that are subject to the Internal Revenue Code, and Federal Employees Health Benefits (FEHB) plans.  Health insurance issuers offering individual market coverage include : a) Student health plans; b) Plans sold through the Exchanges; c) Plans sold outside of the Exchanges; and d) Individual coverage issued through an association.

Plans or coverage NOT required to submit includes the following:  a) Account-based plans, such as health reimbursement arrangements; b) Excepted benefits including but not limited to: Short-term limited-duration insurance, Hospital or other fixed indemnity insurance, Disease-specific insurance; c) Medicare Advantage and Part D plans; d) Medicaid plans; e) State children’s health insurance program plans; f) Basic Health Program plans.

Who, What, Where to Submit?

First, it’s important to note that multiple parties will likely be involved in submitting data, and CMS is set up to receive data from multiple parties for each health plan.   If you’re fully insured, your carrier will likely submit most if not all of the information (but keep reading because employer plan sponsors still have action items they must complete), but some may require employers to submit on their own or through other vendors some of the plan-level data, which I’ll discuss below.  Keep an eye out for emails or letters or notices on billings of items related to the CAA Pharmacy Reporting requirements from carriers, as they will vary greatly.

“Much of this data about prescription drugs will be in the hands of the PBM,” stated Marilyn.  “For example, they will know the 50 brand Rx drugs most frequently dispensed, but there is other data, like the total spending on health care, that is probably not going to be known by the PBM; it’s going to be known by your TPA.  Also, the PBM will not know the premium cost for the plan, but either the TPA or the employer will. These are perfect examples of how the parties need to work together to get the information to the powers that be in a timely manner.”

Self-Funded Plans

If you’re self-funded, it’s likely that several parties will submit data, including your TPA or ASO provider, your Pharmacy Benefit Manager (PBM), or others, such as your broker (for example, ABC has set up an account and will be working with employer clients and TPAs to gather and submit portions of the data), as Marilyn mentioned previously.  Also, keep in mind that some plans may have more than one PBM in multiple states or if special needs exist for multiple PBMs.

So how do you submit data?  CMS has an online Enterprise Portal and RX Data Collection using their Health Insurance Oversight System (HIOS).  There is a multifactor authentication and Identity Management System within the portal for security.  Multiple outside vendors may submit data into the portal (again, which will likely include, at a minimum, your TPA and your PBM).

The portal is not easy, and not fast.  You need to plan ahead, register well in advance as it takes time to be approved to be an eligible party to submit data into the portal for another entity, and then be prepared to submit data later.  The portal and submission process has employers, administrators and PBMs scratching their heads and wondering how to learn and become efficient with this system.

“I do agree [it’s a difficult process] but there are a couple of pointers I’d like to give you,” stated Marilyn.  “If you decide to register on your own and not use a third party for part of the process, I’d like to remind people that this is not like filing your taxes with Tax Cut.  It’s going to take a bit of time.  If you’ve done it before, like ABC has, it’s going to be easier than if you’ve never done it before, but it is going to take a little bit of time, like it takes time to register and file with the IRS your 1094 and 1095 forms.  Don’t wait until noon on December 27^th to register.  You can register early, even if the forms and data aren’t ready to file, so you’ll have that part of the process out of the way.”

Fully Insured Plans

Again, if your plan is fully insured, your carrier will do most of the reporting, but it is your responsibility as an employer plan sponsor to 1) have a written agreement with them that specifies that they will perform the duties related to the pharmacy reporting requirements and 2) watch for updates from emails, letters, notes on billings, etc. from your carrier, as one of these may have information related to these requirements, and you may receive a notice of a contract change or other, stating that they will do these things on your behalf.  To be safe, we are sending written agreements on our fully insured clients’ behalf to all of our clients’ carriers, so that we can have documented correspondence with them.  Some may not accept these agreements (as they have thousands of plan sponsors and may not want to have individual agreements), but if/when they respond, we can capture their responses for our clients’ files.  Again, carriers may simply just send plan sponsors a contract change by email or mail.  It is the plan sponsor’s responsibility to keep that in their contract file.

What Data Is Reported?

In summary, for fully insured employers, group health plan data will typically be reported by the issuer (as the “reporting entity”)—but the issuer will typically need certain “plan-level” data from the employer.  For self-funded employers, group health plan data will typically be reported by one or more third party vendors (such as a TPA, PBM, ASO)—but these “reporting entities” will need certain “plan-level” data from the employer. When the data is filed by the issuer or TPA, plan-level data for each plan is included (P2), along with “aggregated” data for the issuer or TPA’s book of business (but broken down by market segment and state) (D1-D8).  Note that data is reported on a calendar year, or ”reference year” basis.

For both fully insured and self-funded plans, employer must have a contract/written agreement with the reporting entity or entities. 

The employer plan sponsor may be in possession of some items that your carrier or issuer, or if self-funded, your TPA or ASO provider simply won’t have.  This is called “Plan-Level Data.”  The specific plan file that you may hear of is the P2 Data File, which may or may not be known by other parties, and includes:  Identifying information such as plan name; plan number(s); plan sponsor; plan sponsor EIN; and issuer, TPA, and PBM names and EINs; Beginning and end dates of the plan year that ended on/before the last day of the reference year; the number of participants and beneficiaries (“members”) covered on the last day of reference year; and each state in which the plan or coverage is offered.

There are also items needed from the employer health plan that needs to be submitted with the aggregated data; the D-1 file in particular.  The D-1 file includes premium amounts, including:  the average monthly premium amount paid by employers and other plan sponsors on behalf of participants and beneficiaries (ie the carrier may have the total premium collected, but they may not have the split between what is paid by the employer and what is paid by the plan participants in employee contributions to the plan); the average monthly premium amount paid by participants and beneficiaries; and the total annual premium amount and the total number of life-years.  The Life-Years are the total number of members covered on a given day of each month of the reference year, divided by 12.  Be advised that for premium data, enforcement relief was offered for 2020 and 2021 reference years.

So, again in summary, the information that outside parties may not have but will need from employers includes all or part of what is needed for the P1 and D1 information, whether you are fully insured or self-funded.

Aggregated Data That Needs to Be Reported

The aggregated data, again, is provided by the carrier for all of their block of business, or by the TPA or ASO for their block of business, aggregated into one or more files that will be reported.  The chart below summarizes the contents of each Data File that contains aggregated data.

AGGREGATED DATA FOR EACH STATE AND MARKET SEGMENT

The Process

Again, the data is submitted to CMS through its Health Insurance and Oversight System (HIOS).  Plans must submit one or more plan lists (P1 – P3), eight data files (D1-D8) and a narrative response.

One or more third parties or vendors (“reporting entity”) may submit on behalf of the employer’s plan—each submits a P file (so CMS can identify by plan), along with the 8 data files.

Many resources were provided by CMS, including:

CMS has issued, “Prescription Drug Data Collection (RxDC) Reporting Instructions,” templates for each data file, “RxDC Data Dictionary for the 2020 and 2021 Reference Years,” “Health Insurance Oversight System (HIOS) Prescription Drug Data Collection (RxDC) User Manual,” and FAQs.  In addition, CMS provides webinars, resources, FAQs, and other educational tools through the Registration and Technical Assistance Portal (REGTAP—registration required), and there is also a phone number and email address to submit questions.  See their website at:   https://www.cms.gov/CCIIO/Programs-and-Initiatives/Other-Insurance-Protections/Prescription-Drug-Data-Collection.

Because some individual understand the process better with tools such as a chart, we have created the following chart for the process, for plan lists and data files.

The Narrative

In addition to the plan and data files (P and D), a narrative response is required. In it, parties submitting data must describe the impact of prescription drug rebates on premium and cost sharing, and address other topics that may be described in places throughout the Instructions.  The narrative response file format must be Portable Document Format (.pdf) or Microsoft Word (.doc or .docx).  You can, but do not have to, submit additional information about your submission using PDF or Word documents.  “It’s not a problem if multiple reporting entities upload different narrative responses on behalf of the same plan, issuer, or carrier.”

“The narrative response is going to be a word or PDF document that you are going to file along with the P and D files, that provides some clarifying or explanatory information,” Marilyn explained.  “It’s also used as a kind of a catch-all, so if there is an area in your reporting where you have to explain a methodology, then you add the explanation for this in the narrative response. “

When filing, the narrative must include, at a minimum, the following:  Employer size for self-funded plans, net payments from federal or state reinsurance or cost-sharing reduction programs, drugs missing from the CMS crosswalk, medical benefit drugs, prescription drug rebate descriptions, allocation methods for prescription drug rebates, and impact of prescription drug rebates. The narrative response is also used to describe certain methodologies chosen (for examples, see Instructions).

The Pharmacy Benefit Reporting Written Agreement

Just like the TiC MRF requirements, the CAA Pharmacy Benefit reporting requirements have a requirement for a written agreement.

“That written agreement mandate, that same structure that applies to the MRFs, also applies to the prescription drug reporting requirement,” stated Marilyn.  “Whether you’re fully insured or self-funded, you can outsource this to your insurance company, your TPA, your ASO, or your PBM, but you have to have a written agreement in place.”

To summarize the action items and to provide a conclusion, the most important thing for an employer to do is get a written agreement in place with your vendors as soon as possible, to identify who is doing what, and to get your vendors to commit to complying by the due dates.

For Fully Insured Plans:  If your plan is fully insured, the plan satisfies the reporting mandate if the plan requires the health insurance issuer offering the coverage to provide the information pursuant to a written agreement.  I asked Marilyn to comment on the written agreement for fully insured plans and explain why it’s so important.  “With regard to fully insured plans, much of the filing has to be done by the insurance company, but you still have to have a written agreement with an insurance company.  If you have that written agreement and the insurance company fails to perform, it will be the insurance company, not the employer, who will be deemed to be out of compliance.”

For Self-Funded Plans:  If your plan is self-funded, the plan may satisfy the mandate if the plan enters into a written agreement under which another party (such as a third-party administrator or health care claims clearinghouse) will provide the information.  But, if the third-party fails to provide the information, the plan violates the reporting requirement.  Marilyn also provided her insight here.  “If you are self-funded, then you can outsource it to 1 or more outside vendors, but you need to have a written agreement with each of those outside vendors, to make sure they agree to be in compliance.”

Marilyn continued: “Here is the little twist for self-funded entities…  And that is that although you’re required to enter into a written agreement, if you do so and the third parties fail to perform, unlike with a fully insured plan, the employer still remains responsible and could still be found to be liable if the third parties fail to perform.  So, you need that written agreement.”

Note that the form of the written agreement is not defined by the regulations.  Be sure to cover Liability Protections in your written agreements:  Particularly for self-funded plans, review the full agreement to ensure it provides the protections the plan and employer needs.

“You can combine and have one written agreement to address all of these mandates, RxDC, TiC, Self-Service Tool, and Air Ambulance Reporting, or you can break them up,” informed Marilyn Monahan.  “They haven’t specified what form the written agreement needs to be in.  We have seen written contracts, we have seen amendments, we have seen email confirmation of amendments, etc., so they take different forms…”

Action Items for Employers: 

For All Plans:  Be sure to calendar compliance dates.  The initial RX reporting date is December 27, 2022 and annual dates for 2022 and after calendar years will be June 1 after the calendar year ends.  For Fully Insured plans:  Enter into a written agreement with issuer; timely provide any plan-level or other data required by issuer .  For Self-Funded plans:  Self-funded plans must either comply or outsource to a TPA or ASO; if you’re outsourcing, you need to enter into a written agreement to assure that they timely provide any plan-level or other data required by the third party.  You need the written agreements to lessen employer liability, period.

It is important to note that the written agreement requirement also applies to the TiC Final Rule (both MRF and on-line self-service tool mandates) and the CAA air ambulance reporting requirement.  Our ABC contracts include all of these items and allows us to customize for each client and delete unneeded items in each circumstance.

You may have already been receiving some emails or other correspondence from your carriers, administrators or PBMs on this.  Do not ignore them.  Our clients have of course already been informed on the role we will play in this to assist them through the entire process.

Marilyn Monahan felt our approach was a good one.  “Dorothy, when we were talking about the TiC final rule,  I think it’s very prudent as you stated, to reach out to your carrier. Don’t assume they are going to reach out to you. Take the affirmative step, reach out to them, offer them a contract or amendment and see where they stand on this, and then move forward, and keep that paper trail. Then, if any questions ever arise, you can establish the steps you took to try and meet your fiduciary obligations in the administration of your group health plan, and you did the best you could to make sure you were in compliance with the rules…. Keep a copy of these records and hold on to them.”

I hope your eyes will indeed reflect knowledge and understanding on these topics in the months to come….  Best of luck with it all, and happy reporting!

##

Author’s Note:  I’d like to thank Marilyn Monahan of Monahan Law Office for her assistance with this article and our related seminars and webinars.  I can be reached at (714) 693-9754 x 3, or by email at dmcociu@advancedbenefitconsulting.com.  Marilyn can be reached by email at marilyn@monahanlawoffice.com.

Reference Sources:  ACA FAQs, Part 49; DOL:  No Surprises Act; https://www.dol.gov/agencies/ebsa/laws-and-regulations/laws/no-surprises-act; CMS:  Website on Surprise Billing: https://www.cms.gov/nosurprises; CMS:  Model Disclosure Notice Regarding Patient Protections Against Surprise Billing:  https://www.cms.gov/files/document/model-disclosure-notice-patient-protections-against-surprise-billing-providers-facilities-health.pdf; CMS: No Surprises Act Final Rule FAQ: https://www.cms.gov/nosurprises/policies-and-resources/overview-of-rules-fact-sheets; For CAA RX Reporting:  CMS has issued, “Prescription Drug Data Collection (RxDC) Reporting Instructions,” templates for each data file, “RxDC Data Dictionary for the 2020 and 2021 Reference Years,” “Health Insurance Oversight System (HIOS) Prescription Drug Data Collection (RxDC) User Manual,” and FAQs; CMS provides webinars, resources, FAQs, and other educational tools through the Registration and Technical Assistance Portal (REGTAP); Website: https://www.cms.gov/CCIIO/Programs-and-Initiatives/Other-Insurance-Protections/Prescription-Drug-Data-Collection.   

Published in the Jan-Feb 2023 issue of America’s Benefit Specialist

BACKGROUND INFORMATION

As required in the Affordable Care Act, the Transparency in Coverage final rules (TiC) were issued on November ‘2, 2020. Not long after, the Consolidated Appropriations Act (CAA) was signed into law  on December 27. It included the “No Surprises Act” (Title ‘ of Div. BB) and “Transparency” (Title II of Div. BB). On  August 20, 202’, FAQs  were issued (Part 49), which included new effective dates for some, but not all, of the TiC and CAA provisions.

The TiC final rule included requirements for machine-read- able files to be publicly disclosed, as well  as an online self-service tool. The MRF public disclosure is defined as a digital representation of data or information in a file that can be imported or read into a computer system for further processing. Examples include .XML, .JSON and .CVS formats. As the title  alludes to, MRFs are not intended for just any- one, such as a plan participant, to read. They of course can, as they are publicly posted, but they focus instead on being available for machines, or computer systems, to understand and decipher, and to use to provide overall data for future public disclosure in many forms. The data allows computer programs and systems to break it down and study the data for multiple disclosure purposes.

These laws have been considered among the most confusing and most difficult for our employer clients, so I wanted  to write a detailed article to break it all down for you.  Even Marilyn Monahan, benefits and insurance attorney, thinks it’s been confusing for employers. “Part of the good news here is that we do have more guidance available to us now, on both the TiC MRFs  and the RX reporting,” she said.

TIC REQUIREMENTS  FOR MRFS

The TiC requires plans and insurance issuers to publicly post two MRFs: In-Network Provider Rates for Covered Items and Services, and Out-of-Network (OON) Allowed Amounts for Covered Items and Services. For  in-network items and services, the MRF must list, for each coverage option, negotiated rates for all covered items or services between the plan or issuer and the in-network providers. The Out-of-Network MRF must show, for each coverage option, both the historical payments to and the billed charges f rom out-of-network providers. This list will include the unique OON allowed amounts and billed charges for covered items and services furnished by OON providers during the 90-day period that begins ’80 days prior to the publication date of the MRF. Historical payments for a particular item or service and provider under a single plan or coverage must have a minimum of 20 entries or data is omitted to protect consumer privacy.

These first two MRFs  were done to be posted by July ‘, 2022, for plan years on or after January ‘, 2022, by July ‘, 2022, so all renewal dates January through July had to be posted by July ‘, 2022, and for each renewal date after July ‘, they were required to be posted by that renewal date (i.e., August ‘ renewals by August ‘, 2022, September ‘ renewals by September ‘, 2022, and so forth).

“The responsibility of the employer,” stated Monahan, “is to make certain that the third parties that it works with will populate and post these MRFs.”

There was a requirement for a MRF for covered prescription drug prices, but that requirement was delayed indefinitely because of the CAA’s RX reporting requirements, which I’ll talk about later. They felt the TiC provisions would be duplicative of much of the CAA requirements.

The first two MRFs  are required to be publicly available and accessible to any person, f ree of charge and without conditions, such as establishment of a user account, password or other credentials, or submission of any personally identifiable information to access the file. In other words, it must be publicly posted for anyone who wishes to see the data by simply clicking on the data links. The files must be updated monthly and clearly indicate the date of the update.

It is important to note that the MRF provision of the TiC does NOT apply to grandfathered health plans under the ACA, and does not apply to excepted benefits such as limited-scope dental and vision plans, or account-based group health plans such as HRAs or Health FSAs.

The MRFs  are not required to be user-f riendly. Federal departments expect the data to be used by aggregators and researchers, who will apply the data to many future statistical and public disclosure reporting analytics.

Additional disclosures may include “data dictionaries,” dis- claimers and clarifications, such as explaining why the cost of care may vary f rom hospital to hospital or region to region. Some health insurance carriers have been adding language about the size and the use of the files as well.

One important requirement to be aware of is that all plan sponsor employers, whether fully insured or self-funded, are required to enter into a written agreement with the vendors providing them with the data, as well  as posting the MRFs and links.

For  fully insured health plans, the plan will satisfy the MRF mandate if the plan requires the health plan insurance issuer offering the coverage (i.e., the insurance carrier) to provide the information pursuant to a written agreement. Then, if the issuer fails to provide the information, “the issuer, but not the plan, violates the transparency disclosure requirements.”

For  self-funded health plans, the plan may satisfy the MRF mandate if it enters into a written agreement under which another party (such as a TPA, healthcare claims clearing house, or administrative services only entity) will provide the information. However, if the third party fails to provide the information, “the plan…violates the transparency disclosure requirements.” The form of the agreement is not defined, but it’s  vitally important, particularly to self-funded health plans, that they review the full agreement to ensure it pro- vides the protections of the plan and the employer needs, as well  as transfers the liability to the third-party vendor that will be providing the data.

“The other main requirement for employers, whether fully insured or self-funded, is the written agreement,” said Monahan. “Employers don’t have access to the in-network pricing or the OON prices. Even if you’re self-funded, the employer itself doesn’t typically have that data. However, its TPA has it, its ASO has it, and so forth. So, if you are self-funded, you are relying on these third parties to compile and post the data. Similarly, if you have a fully insured plan, only the carrier-not the employer-will have this data. Therefore, you’re relying either on your insurance carrier or your TPA or ASO to take care of this. But what the employer has to do, under the rules, is to have a written agreement in place with that third party, through which that third party agrees to be responsible.

That is a requirement whether your plan is fully insured or self-funded. What’s unusual here is that the mandate to have a written agreement is actually written into the regulations – not only for self-funded plans but also for fully insured plans.”

Our main concern is of course employer/plan sponsor liability if they don’t have the written agreements in place. “If you don’t have a written agreement,” affirmed Monahan, “and the carrier fails to perform, then the employer could be liable.”

Note that this requirement is not part of the HIPAA Business Associates Agreement, as BA agreements only include protections related to HIPAA Privacy & Security, and no other requirements. Your standard administrative agreement will need to be amended, or a separate written agreement will need to be entered into.

POSTING MRFS

Recent guidance has clarified some of the questions we had related to who posts the data and links to the post. The MRFs  must be posted on a public website but they may be posted by a third-party, such as the issuer or TPA, on behalf of the plan.

Updated guidance states that a distinction is drawn be- tween the employer and the employer’s group health plan. A third party (like an issuer or TPA) may post the data on its public “website for the plan” if there is a written agreement,

but if the employer’s group health plan does not have its own website, the “plan” does not have to create its own website, either to post the files or provide a link. If the “plan” maintains a public website, the plan must post a link  to the aggregated “allowable amounts” file posted by the third party. The “employer’s” public website does not have to post the data or a link. This could potentially be different than what some interpreted prior to recent guidance.

Another important point for employers to understand is that it’s  ongoing. “By the way,” stated Monahan, “this requirement is not going away. The MRFs  have to be updated on a regular basis, and if you get a new carrier in the future, or you enter into a new relationship with a new TPA, this should be part of your discussion process.”

TIC FINAL RULE-ONLINE SELF-SERVICE TOOL FOR SHOPPABLE SERVICES

We’ve been hearing about the online self-service tool for shoppable services for about two years now. What does it require and what is its intent?

“For  the first time, most consumers will be able to get real-time and accurate estimates of their cost-sharing liability for healthcare items and services f rom different providers in real time, allowing them to both understand how costs for covered healthcare items and services are determined by their plan, and also shop and compare healthcare cost before receiving care,” said Monahan.

The online self-service tool under the TiC final rule requires plans and issuers, although not grandfathered plans (but see below as the CAA does require similar provisions for grandfathered plans) to make available to participants personalized out-of-pocket cost information, and the underlying negotiated rate, for all covered healthcare items and services, including prescription drugs, through both an Internet-based self-service tool and in paper form upon request. (The CAA also adds a telephone requirement.)

What has to be disclosed is an initial list of 500 “shoppable” items or services, as identified by the departments, that must be available for plan years beginning on or after January ‘, 2023.

A shoppable service is one that can be scheduled in advance and typically is provided in non-urgent situations, thus allowing patients to price-shop and schedule the service when it’s  convenient for them, at the most affordable rates. The 500 shoppable services are defined; all entities are re- quired to post the same items and services, for easy comparisons for consumers.

All other items or services must be available for plan years beginning on or after January ‘, 2024.

CAA PRICE-COMPARISON TOOL

The CAA price-comparison tool is “largely duplicative” of the TiC self-service tool, but it also applies to grandfathered plans (grandfathered under the ACA) and includes a requirement to provide the information as required above by the TiC but also a requirement to provide information over the phone. The implementation date of the CAA price-comparison tool was delayed until January ‘, 2023, to be consistent with the TiC self-service tool requirements.

To clarify, grandfathered plans under the ACA are only exempt f rom the MRF posting requirements; they are NOT exempt f rom the price-comparison/TiC online self-service tool. Grandfathered health plans under the ACA are not exempt f rom the online self-service tool requirements.

We highly recommend that employers consider employee and plan participant communications about the price-com- parison/online self-service tool so that they understand that they can start fully shopping their non-emergency services for cost containment.

The CAA price-comparison tool also requires a written agreement with the health plan issuer/carrier. For  fully insured plans, you must enter into a written agreement with your issuer. For  self-funded plans, you must either comply or outsource this task to a TPA or ASO vendor. If the self-funded employer outsources it (most will need to as they don’t have access to the information required), they should enter into a written agreement and consider adding it to the SPD for plan participant information.

Like the TiC written agreement requirements, the self-funded health plan still remains liable, but should enter into an agreement that ensures that the third party will provide the data and post the requirements and provide appropriate protections for the health plan and employer.

NO SURPRISES ACT

The No Surprises Act is intended to prevent balance-billings in certain circumstances. These provisions are applicable to health plans and health plan issuers (i.e., carriers) for major medical coverage. They do not apply, however, to stand- alone dental or vision plans.

Under the NSA, emergency services must be treated on an in-network basis without prior authorization, regardless of where they are provided. The NSA modified the requirements for emergency services to include a prudent-lay- person standard to determine what is or is not an emergency. The NSA also bans out-of-network cost sharing for non-emergency services at an in-network facility. Under the NSA, non-emergency services require a standard for deter- mining cost-sharing amounts (typically, the lesser of the billed charge and the “qualifying payment amount” or QPA). It’s important to note that, in some circumstances, a patient can consent, with advance notice, to pay an out-of-network rate, subject to the NSA rules.

Similar to the CAA pharmacy reporting disclosures, the NSA requires 2022 plan data to be reported by March 3′, 2023, and 2023 data to be reported by March 3′, 2024. Under the air-ambulance provisions of the CAA, fully insured and self-funded employers will need contracts in place with a carrier  or TPA to provide these services. Self-funded plans retain the liability, the same as other provisions of the TiC and CAA discussed in this article.

EMERGENCY MEDICAL CONDITION

The NSA changed the definition of an emergency medical condition to a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that a prudent layperson who possesses an average knowledge of health and medicine could reasonably expect to: 1) place their health in serious jeopardy, 2) seriously impair bodily functions or 3) cause serious disfunction to a bodily organ or part.

Plans must ultimately determine whether the standard was met by reviewing presenting symptoms without imposing any type of time limit between onset and presentation for emergency care.

Of course, the NSA made changes to requirements for ID cards, with new language requirements, provider directories and more.

Most important, the NSA required a new No Surprises

Act Notice, which incidentally, was modified mid-year 2022. If you used the model notice issued just prior to January ‘, 2022, note that you will need to use the new notice issued this past summer with your next renewal. These notices must be customized for each employer and, if fully insured, you must include any state law  provisions on balance-billing that apply in your state (or multiple states). Self-funded plans following ERISA rules need only include the federal information on surprise-billing protections in the notices.

A notice of patient protections was also implemented with the NSA. Providers must notify patients if they intend to charge more than the network rate, and the patient must agree to the additional charges in writing. My personal fear continues to be that providers will bury the authorization with other paperwork that the patient must sign, and the patient will unknowingly give up his  or her rights under the NSA.

The surprise-billing rules also require plans or issuers to provide an advance EOB  to estimate charges for upcoming services. There are several other provisions included in the No Surprises Act, including the creation of a federal portal for claims disputes, which must be submitted into the independent dispute resolution process.

QUALIFIED PAYMENT AMOUNT

The QPA  is the median of the in-network rate in a geographic area. If there is no network, such as in a reference-based pricing plan, it becomes more complicated. In a fully insured plan, the carrier will deal with the QPA  and the IOR. In a self-funded plan, the plan sponsor, TPA or ASO vendor will be directly involved.

Under the NSA, if a self-funded health plan and an out-of- network provider cannot agree on a payment rate, they must go through the new independent dispute resolution (IOR) process. The Interim Final Rule states the contracted rates between providers and the network provider for the health plan would be treated as the self-insured plan’s contracted rates for purposes of calculating the QPA.

A median contract rate should be determined by taking into account every group health plan offered by the self-insured plan sponsor. The Interim Final Rule (IFR) allows for ad- ministrative simplicity for self-funded plans to permit the TPA that processes their claims to determine the QPA  for the plan sponsor by calculating the median contract rate based on all of the plans that it processes and administers claims for. The IFR states that the contracted rates between providers and the network provider for the health plan would be treated as the self-insured plan’s contracted rates for purposes of calculating the QPA.

INDEPENDENT DISPUTE RESOLUTION PROCESS

If a payer such as a carrier or health plan cannot resolve a payment settlement with a provider, then the payer and provider must resolve the payment dispute using methods of negotiation and arbitration. The No Surprises Act requires payers to send an initial payment or denial of payment of a claim no longer than 30 days after a claim is submitted. After the 30-day period, either party may begin negotiations on a claim. If the parties involved cannot agree on payment terms during the 30-day period, then they will move to an IOR process. This process may be initiated within four days of the 30-day period (for a 34-day window).

Each entity will offer a final payment amount, then the arbiter will use a variety of factors to determine the final amount, including geographic areas, service codes, etc. The intent is to make it fair to both parties. Under the IOR process, they are not allowed to use lower payment rates such as Medicare or Medicaid.

The IOR does not impact the consumer or plan participant. The dispute is between the provider and the health plan. The provider has no recourse against the consumer and, there- fore, it is not an adverse benefit determination. It’s important to note that the IOR uses baseball-style arbitration, meaning that the arbiter must select one offer or the other. There is no splitting the difference. Therefore, it’s  important that the parties submitting the dispute into the federal portal must take time and fully understand the process in order to win in an arbitration case within the IOR.

On  August 19, 2022, the federal departments released the Final Rule implementing the IOR process under the NSA. In this release, they noted that, effective 60 days after publication in the Federal Register, the following modifications were made in the NSA:

a) eliminates the rebuttable presumption standard

b)   increases claims downcoding transparency

c) strengthens arbitration explanation

In the final rules, they released an IORE (certified independent dispute resolution entity, or federal arbiter) Fact Sheet, provided a status update on arbitration claims, and released FAQs  related to Surprise Billing and Transparency in Cover- age Rule.

The Federal IOR Portal did not open on January 1, 2022, as expected. It was delayed until April 15, 2022. The departments released an update on the IOR portal with the final rules. It’s important to note that the cases are seriously backlogged due to the delay in opening the portal. In addition, only 12 CI- OREs (arbiters) were approved to date, and two have stopped taking new cases, leaving only 10 companies providing arbitration services in the portal.

Data on the first period’s activity (April 15 to August 11, 2022) includes the following:

a) 46,000 total number of disputes initiated, which was “substantially more than the departments initially estimated would be submitted for a full year”

b) 1,200 cases in which CIOREs have made a payment determination

c) 21,000 non-initiating party challenged eligibility – nearly half of the disputes

d) 7,000 disputes were found ineligible by CIOREs

I want to point out that cases have resulted in approximately 60/40 in favor of providers, where early indications were that health plans had the advantage. Is this perhaps be- cause providers are doing a better job  of providing additional information? In my opinion, it would appear so. Providers have been studying the rules and practicing submitting “additional information” that would increase their payment amounts. Health plans appear to have not done such home- work, and those submitting the dispute information, such as third-party administrators, need to learn more about this and take more time before they submit to be sure all of the additional elements are included, which can influence an arbitrator to rule in favor of the health plan more frequently.

FINAL RULE CLARIFICATIONS  ON THE IOR PROCESS

Clarifications in the Final Rule include downcoding. By definition, downcoding occurs when a payer alters a service code by changing it to another code or altering, adding or removing a modifier in a way that results in a lower QPA  relative to the billed claims. The Final Rule requires payers to disclose to providers if a claim has been downcoded for the purpose of computing the QPA. If so, the payer must:

a) provide a statement that codes or modifiers were down- coded

b) explain why a claim was downcoded, including a description of which codes or modifier were altered, added or removed

c) specify the amount that would have been the QPA had the codes or modifiers not been downcoded

Another clarification in the Final Rule was on the QPA  de- termination/payment considerations for non-RBP plans. The Final Rule eliminates the rebuttable presumption standard. In addition, the Final Rule kept the central role for QPA  and the standards that allow a CIDRE  to choose an offer that “best reflects appropriate out of network payment.” The Final Rule begins with consideration of the QPA, then all other “credible” additional information, and then decides which rate best reflects the appropriate payment amount for the OON service without double counting. Despite the departments’ emphasis on considering the QPA, IDRES now have authority to give equal weight to the provider’s additional information (whether “credible” or not).

Other final rule clarifications are related to federal arbitration decisions. The Final Rule directs the IDRE to include in written decisions information used to determine that the “offer” selected best represented the value of the item or services, including the weight given to the QPA  and any credible “additional information.” As part of the Final Rule, they released FAQs  for self-insured plan QPA  calculation. In the Final Rule, the departments explain how a SF group health plan should calculate a QPA  when the plan offers multiple benefit package options that are administered by different TPAs. In addition, for RBP plans with no network, they provided for the applicability of surprise-billing protections. In the final rule, they stated that RBP plans will always be subject to surprise-billing requirements, but only in cases in which emergency care is furnished. NSA protections apply when an enrollee receives covered emergency care or air-ambulance services. In an RBP plan, patients would NOT be protected f rom OON bills  for non-emergency care (because there can never be an in-network medical facility if the RBP plan has no network).

Next month: pharmacy requirements.

Sources:

ACA FAQs,  Part 49

www.dol.gov/agencies/ebsa/laws-and-regulations/laws/no-surprises-act;

www.cms.gov/nosurprises www.cms.gov/files/document/model-disclosure-notice-patient-protections-against-surprise-billing-providers-facilities-health.pdf

www.cms.gov/nosurprises/policies-and-resources/overview-of- rules-fact-sheets

www.cms.gov/CCIIO/Programs-and-Initiatives/Other-Insurance-Protections/Prescription-Drug-Data-Collection

Dorothy Cociu is the president of Advanced Benefit Consulting in Anaheim, California. Advanced Benefit Consulting & Aditi Croup offer privacy and security training, consultation and implementation system assistance, as well as risk-assessment services on an ongoing basis.

Author‘s Note: I’d like to thank Marilyn Monahan of Monahan Law Office for her assistance with this article and our related seminars and webinars.