Published in HR Tech Outlook: Talent Management

I was fortunate to have two incredibly talented and knowledgeable experts join me in presenting several classes during Advanced Benefit Consulting’s Lunch & Learn program in January, 2023; Kathy Ruffino, Vice President & HR Consultant and Trainer from Train Me Today, and Marilyn Monahan, Esq, of Monahan Law Office, ABC’s benefits and insurance attorney. While putting together the four classes for that program, we were able to share ideas, experiences and expertise in a way that was very productive, creative and interesting for the attendees and for us, the presenters, as well. Our second class presentation was of the same title as this article, followed by Benefit Programs to Attract and Retain Talent for All Job Tiers. I learned so much from this experience that I wanted to share it with others, so I hope you’ll enjoy reading about this important topic.

Challenges for Employers Post-Pandemic

I think that one of the greatest challenges employers have in our post-pandemic world is recruiting talent and keeping those recruited from moving on quickly to other employers, after tremendous time, energy, effort and money was spent on bringing them on and training them for their new positions. It’s an HR Professional’s nightmare, as well as senior management, as the turnover never seems to end, with what seems like little or no hope for improvement any time soon. Let’s face it; employers, as I mentioned, are at the mercy of the employees they are trying to recruit and retain. So, what makes one employer better than the other, as a job candidate creates their potential job spreadsheet, and you fit only into a simple square that may contain only a check-mark or a one word comment when they go back to compare job possibilities? How do you stand out? What will make those job candidates want to work for you, and want to stay with you for multiple years?
What have we seen post-COVID? Everything has changed… Employee engagement has diminished, people are discovering, or re-discovering, the need for life/work balance, and the labor force expectations and demands have changed. Most notably, employers have experienced a shrinking labor pool for jobs that had previously been easily filled. And simultaneously, new labor laws have made things even more difficult for employers. So how do you navigate all of this change?

We are seeing now “quiet quitting,” which Kathy Ruffino says is now the new slang for employee engagement. “What they are telling you now is that they are not going to do seven jobs for the pay of one.” Post-COVID employees are saying they will no longer work their 40 hours during the week and another 10-20 over the weekend. The new workforce post-COVID, per Kathy, is saying “No, you know what? I’ll work 40 hours. That’s what you pay me for, so that’s what I’ll do.”
What, specifically, are job applicants looking for post-pandemic? “It’s pretty simple, actually,” stated Kathy Ruffino. “Applicants are expecting rewards that compensate them for the work they do.” So, what do employees or job applicants want? Although we’ll get more into details later, they want:

• More and better benefits
• Higher pay
• More flexibility in their work schedule
• Remote or hybrid work
• Advancement opportunities
• Recognition and rewards programs.

Kathy stated, “They are looking for you to value them. Recognize their hard work. Recognize what they contribute to your organization’s success. It doesn’t always have to be monetary, but it has to be sincere and authentic.”

The Need for Remote or Hybrid Workers

One of the most common themes of the majority of job candidates is the need to find remote or hybrid work. For those jobs that can be done from home, full-time or part-time, human resources and supervisors and managers are struggling to figure out how to design job descriptions for remote employees at all tiers, and are finding it even more challenging to hire a remote or hybrid work force. As an employer, what do you need to offer in the form of benefits that attract and retain recruits, and keep them on the job? What can you do to keep them on your team, and what tools do you need to keep employees engaged long-term if they are working remotely?

It’s true; workplaces changed dramatically during the pandemic. There are now fewer people in offices, and more and more people working from home, or wherever they may be, but somehow, the work still needs to get done! So, how do you manage all of this?
First, you need to take a step back and determine exactly what jobs can be offered remotely or on a hybrid basis. Stop thinking about what you thought to be true in 2019, and get onboard with what’s going on in 2023. Many managers may automatically say no, this job or that can’t be done remotely, but is that really true? Here is the reality in 2023…. 80% of workers want jobs that are remote or hybrid, so if you are refusing to offer remote or hybrid jobs, you will not find good candidates to fill those jobs in many cases, because quite simply, they will go somewhere that does.

We all know that there are some jobs that are not conducive to working from home, so let’s put those aside first… Think production jobs, manufacturing, tool making, bank tellers, etc. But what about the other positions in the company? From a strategic planning perspective, you need to consider the essential duties of the job and determine whether all or part of them can be performed offsite. Then, if you determine that some of these jobs can be done from home or on a hybrid basis, how will you manage your remote workers? How will you keep them engaged while off-site, and what new expectations will be placed on managers that have employees working off-site? “Ask your employees. They have amazing ideas,” stated Kathy. “What does it cost you to have people remote? What does it cost you to not?” stated Kathy. The reality is, you could lose 40-60% of your potential applicants by not offering remote work.

Marilyn Monahan stated that she has read that countries like “Spain, as well as 25 other countries, are offering new work visas for people that want to work remotely.” These opportunities will only increase the likelihood that more individuals will be looking for fully remote positions.

Matters of confidentiality and technology cannot be overlooked if working at home. Can information be properly protected from unauthorized access, deletion, or alteration? “If the only option is using the family computer, then you’ve got issues,” stated Marilyn Monahan, particularly if the remote worker will be handling confidential, protected, or trade secret information. “Can you support them by providing them with a company computer?” This topic is something I’m personally very familiar with, as we are HIPAA Privacy & Security consultants and trainers also, and we work with an elite group of technology partners that are experts in electronic and cyber security. Our last class on January 24th actually discussed this topic, but unfortunately it’s too much information to include in this article!

Employers need to weigh the costs of a remote or hybrid workforce to determine if it’s feasible. While we all know many employers prefer to have their employees working onsite, failing to consider the viability of remote or hybrid work as an incentive to job applicants and employees may actually be far less costly than the lost productivity due to the employer’s failure to hire and retain good people in all job tiers!

How to Offer Cost-Effective Additional Job Benefits and Incentives to Stay on the Job Long-Term

One effective solution, according to Kathy Ruffino of Train Me Today, has been to provide incentives to help you recruit and retain quality employees. You need to think outside of the box and the usual “menu” of pay and benefits to create a total rewards package that will attract applicants and retain employees.

How do you do that? By offering both company-paid and voluntary (supplemental) benefits to your employees, by providing on-site day care or offsite day care subsidies, by providing ride-sharing, student debt and college tuition assistance, by creating career pathing and promotions within the company culture, by having a strong employee reward and recognition program or programs, by training and developing your employees, and by providing personal days off, usually on a monthly or quarterly basis. Most importantly, states Kathy, is that you “must deliver what you promise!”

“On-site day care is always an interest for the employees, but not so much for employers… The insurance for that is phenomenal. The risk of having a child care center on site is incredibly expensive from the insurance and safety perspective, and lawsuits,” stated Kathy. “A lot of employers pulled away from that. The subsidies, sure. That’s always attractive, especially for parents that are working hourly wages. Daycare is expensive.”

Student tuition debt and tuition assistance has come back strongly. “In the 80’s, tuition reimbursement was a standard. Then it kind of went away, but now it’s something to think about again,” commented Kathy. It’s a big cost. But, you can tie it to certain things, like grades, etc.

Can these types of benefits be offered by class? Yes, they can be offered by class, as long as you don’t discriminate within a class. It’s always best to have your benefits lawyer review these before implementing.

You can tie things to a time-frame, like tuition reimbursement, to assure longevity. It’s best to talk this through with an expert. You want to be sure you’re offering the right benefits to attract workers, and look beyond that as well.

“People don’t leave just based on benefits, pay and child subsidies. They leave because they don’t like management. More employees quit because of their management than anything else,” stated Kathy Ruffino. Perhaps management training is more important today than ever before.

How to Stand Out on a Job-Seeker’s Job Comparison Spreadsheet

The most important thing you can do to stand out to applicants, according to Kathy, is to develop your Employer Value Proposition. In our live presentation on January 24, 2023, Kathy referred to a survey conducted by Universum of nearly 2.500 HR, Marketing and Talent Acquisition Managers from 50 countries that found that these types of companies have created employer value propositions: 67% of large companies (10,000 employees), 55% of medium-sized companies (1,000 to 9,999 employees), and 30% of small companies with fewer than 999 employees. Why do this? According to Kathy, you need to do this to show job seekers who you are, and to show them what they can expect if they are to work with your organization. A Value Proposition will teach you to promote careers, not just the job, and how to use social media to tell your story to potential applicants. Very importantly, a good Value Proposition will allow you to share news about the awards the company has received, the partnerships it has, and the advances in your industry. All in all, a Value Proposition will help you to STAND OUT to applicants in every way possible.
“Candidates today are looking for purpose,” stated Kathy. …”What is the purpose of your company and why would I want to work for you? It’s no longer ‘I just need a job’. They are in high demand. They know they can work anywhere they want. What makes you different? What makes them say I want to work for this company because, wow, look at what they believe in. Employer Value Propositions tell the candidates who you are.”

Good examples of Employer Value Propositions include HubSpot, a software developer, whose emphasis is that employees are treated like people, not bottom-line items. “Employees are whole people, with families, hobbies, and lives outside of work. We work remotely, keep non-traditional hours, and use unlimited vacation to create work-life fit for us and the people we love.” While not every organization would want or could afford unlimited vacation time, it’s definitely a strong Value Proposition to attract talent!
Another example of a good Value Proposition is Unilever, who works in consumer goods. Its emphasis is on the opportunity to work alongside brilliant, inspiring leaders. “Unilever is the place where you can bring your purpose to life through the work that you do, creating a better business and a better world. You will work with brands that are loved and improve the lives of our consumers and the communities around us.”

Recruit and Select the “A” Players

Key steps to recruiting and selecting the “A” players include conducting thorough interviews, but using more than one qualified interviewer whenever possible. “It shortens your bias. It gives you a better view… Use more than one person if you can,” recommended Kathy.

Another key step is to ask success-prediction questions, to dig deep and learn what is important to each candidate. What are they passionate about? What might attract them to accept the job and stay? Interviewers need to pay attention to patterns for why they accepted previous jobs and perhaps ask about the impact they made on previous companies when working for them. According to Kathy, “Lackluster candidates will be lackluster employees.” If you’re hearing one theme, pay attention… It’s the common theme with all of their jobs, and that’s not going to be offered, so you’re probably not going to keep that person.”

One important thing to NOT do, according to Kathy, is to show candidates around and introduce them to your team unless you have made an offer. If you do, it sends the wrong message, and makes them think they have the job. “It sends a really bad message… Why would you introduce them if you weren’t [hiring them]? Please stop doing that. It’s really bad PR for your company, because now when they don’t get the job, they are going to tell everyone how horrible you were.”

Retaining Your Employees

Now that you have quality new hires, how do you retain them, along with retaining your current/longer-term employees? One thing to keep in mind is that while you’re putting most of your efforts into bringing on new and quality new hires, your current employees may very well be looking for new opportunities themselves! Because let’s face it… they know what’s going on in the world and they know that if you don’t give them what they want, they can go somewhere else that can and will.

Keep in mind; culture is everything. You need to create and maintain a culture that shows you value your employees and demonstrate that culture in everything you do. You should also provide learning and development, and provide your employees opportunities to learn and develop new skills and increase their self-worth and value within the organization.

Something that should not be forgotten is that supervisors and managers want and need training. You should require training for your leadership team to learn and fine-tune their skillsets needed to be effective leaders. According to Kathy, supervisor and manager training is their most popular training in recent years. “Organizations have discovered that we promote people into management positions, and they have no skills in which to manage. They have no idea how to be a manager or a supervisor. They have no idea how to stop being friends with co-workers and now they have to manage them.” Make sure you give them the skill sets and make sure they are ready. Not all excellent producers are good managers. You could not only have a poor manager, but also lose an excellent producer. If you can’t train them, you may not want to promote them.

“I had an employee who was amazing at her job and her manager kept wanting to promote her,” recalled Kathy. “She came into my office and said please don’t let them promote me. I don’t want to be in management, and her manager did it anyway, and did it in a town hall meeting. She quit the next day. She was an amazing, 11-year employee, and she left.”

As an employer, you should re-engage your workforce on a continuous basis. You should create opportunities for all employees at all levels to reconnect and re-engage with each other.

In addition, you should remember to pay equitably. The compensation you offer as an employer needs to reflect the job requirements. You should keep in mind that employees will no longer do three jobs for the compensation of one job. If you do that, they will move on to another employer, sooner rather than later.

Another good thing to keep in mind is to promote from within. If you show your employees that there are real opportunities within your organization, they may not be as quick to look elsewhere. Be sure to post your open positions internally regularly, and be sure all of your employees are aware of openings on a consistent basis.

Another way to retain the employees that you value is to provide a mentoring partner in your organization who can mentor them in their career path.

As mentioned previously, reward learning and skills development. Provide recognition to your employees and rewards (monetary or in-kind) to employees when they learn new applicable skills or gain additional knowledge.

Lastly, be present, and actively and intentionally connect with your employees. You should develop a frequent walk-through of the office, acknowledge people by name, ask casual questions to get to know more about the people who work for you and with you. Show them that you know them, and show them that you see them!

Benefit Programs to Attract and Retain Talent at All Job Tiers

In another session on January 24th, Marilyn Monahan and I discussed in detail the types of benefit programs that attract and retain talent at all job tiers. I’d like to share some of that with you in this article.

In a SHRM State of the Workplace Study for 2021-2022, the top 2021 Occupational Challenges included, in the top category, Labor Shortages, with approximately 85% of companies having them. In that same study, the highest number of responses indicated that employers need to increase benefits and compensation for current and/or new talent: “Offer more competitive wages to existing and loyal employees, and new talent.” Also included in this were “Lower insurance costs, better compensation, leave policies, and work flexibilities.” In addition, Metlife’s 20th Annual US Employee Benefits Trends Study in 2022 stated that overall job satisfaction has reached a 20-year low, and loyalty continues to decline, particularly among women. “Concerns about job security, prevalent early in the pandemic, have been replaced by a sense of empowerment. Knowing that they are in demand, many workers are convinced they can find more attractive roles, opportunities, and compensation elsewhere.”

So, how can you best attract talent? According to these and other surveys, an employer must offer good medical and dental benefits that meet their needs and budgets. You can’t assume that one size fits all, and all employees want the same thing. Offering only one medical and one dental plan may not put you on top of that candidate spreadsheet. It may, in fact, drop you to the bottom, because you’re not attempting to meet their particular needs. It’s important to understand that not all candidates want the same thing. If for example, you are looking for a new Vice President of Sales, and your top candidate is a healthy, athletic 30 year old single man that has sizable student loan debts still, and rarely sees a doctor, your very rich “Platinum” level plan may not be of interest to him. He may instead take a job from an employer that gave him 3 medical plan choices, and the one he chose was a “bronze level” medical plan, but he selected from the 3 dental plans offered a rich PPO dental plan with a $2,000 annual limit, plus a Section 127 Educational Assistance Program, which could help him pay down his high cost student loan, and a strong 401(k) plan with matching employer contributions, because those are the benefits he was looking for.

The most wanted candidate for the new position of President you were looking for may not accept your job because he is in his late 40s, has a large family, 3 homes and several garages full of new vehicles. He wants a rich medical plan, rich dental plan, a disability plan, a good retirement plan with employer matching, and many ancillary benefits. Your high deductible health plan, with or without an HRA, HSA or Section 125 plan may not be of as much interest to him, particularly if that’s all that you offer.

Your opening for a Production Line supervisor is a key position to keeping the company running smoothly. Your best candidate is a 52-year old man, slightly overweight, not very active, loves his weekends with football and beer. He is married with 1 child who is 16 and one who is 20 and is in college. He and his wife were most interested in saving money for the kids’ college education. The job he chose over yours, which offered only a 70% medical plan, no company-paid dental plan and no retirement plan, was a job that offered a “gold-level” medical plan, a dental DMO with low copays, a 401(k) with matching, an FSA, and a Section 127 educational assistance plan.

If you’re a hotel or a restaurant and have openings for restaurant workers, like waiters and waitresses, those employee needs may be different than your management staff. Your best candidate would be paid just above minimum wage but would receive good tips. She is a single parent, goes to college at night, age 25, healthy, with a 5-year old child with chronic allergies, who needs to have an Epipen handy, just in case, and will need braces soon. You offered a high-benefit, but also a high cost from payroll deductions, medical plan, and a dental PPO plan without orthodontia that was also pricy from her perspective. The employer she selected, in lieu of you, is an employer who offered an enhanced silver plan with a high deductible, with a $25 PCP office visit and $10 generic drug copay, a DMO dental plan with orthodontia and no annual limit, an FSA with Child Care benefits, and a Section 127 educational assistance plan.

So what do these selections tell you, other than you missed out on some excellent candidates? Most importantly, that one size does not fit all, and limited benefit options will even more limit your pool of candidates.

We always suggest that you should perhaps view the ACA requirements for “affordability” and ask yourself if your benefits are truly “affordable” to the types of employees you need to hire. If you only offer a rich PPO and nothing else, although the government may say your contributions are “affordable,” are they really, to that job candidate? Or maybe they are affordable, but you’re offering too rich a plan for that particular employee. What the pandemic and the aftermath of the employment world of 2023 is showing us is that you need many choices to attract and retain employees. If you can offer, for example, 3 different medical plans with varying benefits and payroll deduction amounts, you can serve a much wider population of good candidates. If you have a “core” benefits plan and two buy-up plans, you may see more options that look good to potential employees. Your dental plan should also have options… Maybe a PPO plan and a DMO (dental HMO) option with ortho coverage, as the DMO would be more attractive to lower paid workers and those with kids needing a lot of dental care, while others may like the richer PPO, even though it will cost them more.

Another example: You only offer a region-specific HMO. This option will not be attractive to remote workers if they live out-of-the-area or out-of-state. Consider offering a second or third option with broader coverage.

With today’s inflation, employees are struggling. Employers need to be sensitive to this. Are your plans truly affordable to your lower-paid employees? Have your wages kept up with the cost of living in 2023?
“When you’re looking at true affordability for the employees, you can make an argument that making your plans cheaper, so that more of the employees will sign up, is a benefit to the employer…You’re going to have a healthier workforce. As I understand it, workers’ compensation claim costs, and therefore premiums, go down as more employees enroll in your insurance. So, it may seem like more of an outlay toward your health benefit costs, but there be could be other benefits down the line by structuring your contributions in a way that you maximize who is going to sign up for the coverage,” suggested Marilyn Monahan.
Employers need to listen to employees during interviews and see what candidates seem to be most interested in. Listen to your existing employees, listen to human resources, or do surveys. Maybe you are paying for benefits that no one is interested in, so it’s wasted money. If the majority of your workers do physical labor the majority of the week, a gym benefit may not be as important to that population (although it may be to the office staff). Pay attention to your demographics… If your population is over 40, orthodontia may not be needed. Having choice is the best thing you can offer.

Some candidates may hesitate to ask about your benefit package, so provide information about your benefits package up front. Marilyn Monahan shared these thoughts with me. “I have talked to young women who were hesitant to ask about maternity benefits, because they were afraid they would not be hired if their employer thought they might soon be taking maternity leave. I have also known people to be concerned about asking too many questions about health benefits, in case the employer would think they would heavily utilize the plan and cost the plan too much money, and that would weigh against them in the hiring process. Of course, not hiring someone on these bases is discriminatory and prohibited by law, but employees still worry about asking and then being turned down for the job. All the more reason for the employer to be up-front about what they offer.”

“Years ago I was a VP of HR for a company and the president, in his infinite wisdom, decided that everyone should go on Kaiser, because he was on Kaiser, and because at that time, Kaiser was the cheapest, and we had 47 resignations within an hour, so what Dorothy is saying is absolutely true. It was removing the choice that made the difference. He wanted to drop the other option and put everyone on Kaiser,” commented Kathy Ruffino.

Importantly, you shouldn’t stop at just medical and dental benefits. Job candidates want more choices, more options, so that they can pick what they want, as they know if you don’t offer it, someone else will.

Consider, even if on a voluntary basis, vision, disability, 401(k) plans, as well as life, cancer and other voluntary options, and if you want to hire younger people in any job position, particularly high tech jobs, consider adding a Section 127 Educational Assistance Program, as many young people are carrying heavy student loan debt, or continuing to finish college part-time, and would appreciate the tax-preferred benefits under Section 127.

A Section 127 Educational Assistance Program is an effective way to attract younger and high-tech employees, particularly, but they are helpful to many. An amendment to Section 127—passed during the pandemic—allows employers to set up Educational Assistance Programs that reimburse either tuition or qualified student loan debt tax-free to the employee. “The total contribution an employer can make is a maximum of $5,250 per year, for both tuition or student loan debt,” stated Marilyn. “If you have a workforce that is carrying a lot of student loan debt, you can pay up to $5,250 per year. At the federal level, that is tax free to the employee. California has not passed a conforming bill, but there are still benefits on the federal side.” You need a separate plan document to offer this type of plan, and there are some hoops to jump through, but they are generally worth it. The tax benefit runs out at the end of 2025, but it is possible Congress could extend the benefit beyond that date. The popularity of this benefit is huge, particularly with this inflation. If you’re not offering one, you should talk to a benefits expert to help you set one up.

Other benefits that are polling well now include adoption assistance, fertility benefits, long-term care, parking benefits, child-care options (even if only a subsidy or reimbursement through a section 125 cafeteria plan), gym memberships, cancer, critical illness, short- and long-term disability, and of course, educational assistance programs.

Another benefit that has been popular lately is pet insurance. “Employers can’t subsidize it or offer it on a group basis, but by offering it they can make it easier for the employee to locate and sign up for it,” commented Marilyn.

If you don’t think these plans are affordable to you, you should talk to a qualified broker/consultant that can walk you through how you can offer these types of plans on a cost-effective basis. You may be able to use alternate funding arrangements to lower your costs considerably, so speak to an expert on self-funding, level funding and other alternate funding arrangements.

Most importantly, you need to pay attention to what is happening in the employment world right now, and if you want to fill those 20+ jobs that are open, you may need to adjust your thinking a bit and conform to what is happening today.

Happy job-filling! ##

Author’s Note: I’d like to thank Marilyn Monahan (marilyn@monahanlawoffice.com) and Kathy Ruffino (kathy@trainmetoday.com) for their assistance with this article. You can find out more about all of these things by reviewing our recorded sessions from January 24, 2023’s Lunch & Learn program, on our website at www.advancedbenefitconsulting.com on our Empowered Education Center, with on-demand video education programs, or by listening to our podcast series, the Benefits Executive Roundtable, found on all podcast platforms. You can also reach the author, Dorothy Cociu, at dmcociu@advancedbenefitconsulting.com.

By:  Dorothy Cociu, RHU, REBC, GBA, RPA

It’s been about a year since we were all on pins and needles about cyber-attacks and the news that Colonial Pipeline, JBS Foods and many others had been breached and their data held for ransom, which resulted in gas shortages and price hikes in the East and meat and food shortages everywhere, followed by the 4^th of July weekend, 2021 cyber-attack against the software company Kaseya, which targeted many small companies in up to 17 countries, including the US, United Kingdom, South Africa, Canada, Argentina, Mexico, Kenya and Germany.  Cybersecurity experts believe the REvil gang, which is a major Russian-speaking ransomware syndicate, was behind the attack, targeting the software company by using its network-management package as a means to spread the ransomware broadly through cloud-service providers.  Luckily, the software company was able to shut it down quickly, but not before significant damage was done. 

When I wrote my last article on this topic, “Cyber Attacks Hit Home…. The Next National Emergency?

Valuable Cybersecurity Tools to Keep You Safe,” published in The Statement, July/August, 2021  page 5, at: https://camsdev.net/CAHU/Magazine/July-August-2021/index.html and California Broker, August, 2021 https://www.calbrokermag.com/in-this-issue/cyber-attacks-hit-home-the-next-national-emergency/,  I detailed how these attacks happened and gave some advice on how to keep your organization safe, as did many others, yet since then, we are still seeing the same issues popping up in the news on a far-too-regular basis… Breaches, hacks, cyber-attacks,  ransomware…Why does this keep happening?  Because for many people, unless and until it happens to them, they put off doing what they know they need to do… because it can’t happen to them, right?  WRONG!  It can, and it’s not a matter of “if” – it’s usually a matter of “when” it happens to you.  Your company… Your data… in the hands of someone that shouldn’t have access to it… And then it’s too late.  Your business is literally shut down.  Your systems are basically dead.  You’re scrambling to either restore from backups, pay the ransom, notify the authorities and the victims, and in all cases, you’re retracing your work, putting in hundreds of man hours (or thousands), or paying millions of dollars in crypto or other currencies, all to get your hands on what is already yours – your data!  

How many times do you have to read about this stuff… hear about it on the news…  listen to people who had it happen to them, before you actually do something to prevent it from happening to you?  What’s the number?  Ten?  Thirty?  One Hundred?  More?

Let’s do a little review first on what has happened since early 2021….  Just in summary:

• Colonial Pipeline – $4.4 million paid (but 64 bitcoin (approximately $2.3 million, was recovered by the US Government from a virtual wallet – the only known recovery to date of significance) – resulted in severe gas shortages, long lines and extremely high prices all over the East Coast.
• JBS Foods, reportedly paid $11 million from the Memorial Weekend, 2021 attack, which caused sever meat shortages in an already pinched supply chain during the pandemic.
• Kaseya Software hack occurred affecting customers in approximately 17 countries.
• Microsoft Exchange Server Breach in early 2021, giving attackers full access to user emails and passwords on affected servers, administrator privilegeson the server, and access to connected devices on the same network. As of March, 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile’s Commission for the Financial Market (CMF).

Healthcare and insurance providers have of course been a huge target for cyber-attacks.  We’ve heard of Anthem to Primera Blue Cross, Mass General, Cottage Health, UMass, Scripts and more, all falling victims to cyber criminals.  It’s commonly felt that healthcare and medical information is susceptible to cyber-attacks because of the amount of highly sensitive data that they possess.  Of course, the medical and insurance industries are subject to privacy and security laws such as HIPAA Security and HITECH, so there is a standard for protecting information.  But as I said in my last article on this, there is no single federal law regulating cybersecurity or information security.  We have a hodgepodge of state laws and minor federal laws, but no single protection source, as they do in the European Union and other nations.

Lately, it seems, mobile banking is among the latest victims, including Bank of America and Wells Fargo customers being scammed from outsiders using the mobile banking app Zelle to steal money from their accounts; and worse yet, the customers themselves allowed it to happen, because they thought they were talking to their banks, and instead of stopping it, they basically allowed the Zelle hackers to take money directly from their accounts.

Another very scary security scenario, in my opinion, is everyone’s use of QR Codes.  They’ve become all the rage to use… but they are also susceptible to hacking, which I will discuss further later in this article.

And let’s not forget Mobile Ticketing and the requirement of season ticket holders and individual game purchasers to download their team’s league app, without thinking twice about it and not questioning the permissions they are granting, which can be a security nightmare.

So, for anyone reading this, it’s not over.  That storm I talked about last summer and fall in my article referenced above has not passed.  If we thought we were in the eye of that storm then, I hate to be the bearer of bad news, but it’s more than a season of continuing storms with no clear skies ahead as far as the trend for more cyber-attacks and ransomware, because most of us are allowing the bad guys to keep doing it!

As long as we still have that Weakest Link I discussed in the previous article – Human Beings- we will always have risks, and we need to learn how to manage those risks, now and in the long-run.  Until we do, we will continue to hear news reports on breaches and ransomware, and companies will continue to be at risk.

I will provide you with some more detail on these recent breaches, hacks, scams and current risks you should be aware of below.

Microsoft Breach by Lapsus$ Hacker Group, March 2022

Just this past March, Microsoft announced it was breached by Lapsus$ Hacker Group…  News reports said that a screenshot was taken indicating that Bing, Cortana and other projects had been compromised in this breach.

As I often do, I looked to my HIPAA Security/HITECH and IT Services and Security partners, Aditi Group, to offer some insight from an IT or technical perspective as to what happened, if there is anything Microsoft users need to be worried about, or things they need to do to protect themselves.  I was able to gain some additional insight to share with you in my conversations with Ted Flittner and Ted Mayeshiba, principals of Aditi Group.

“This group has also just successfully attacked T-Mobile and a growing list of big-name companies,” stated Ted Flittner.  “What happened with Microsoft is that hackers allegedly stole portions of source code for the search service Bing, and the navigation for Bing Maps and Cortana (Microsoft’s answer to Siri).  Microsoft’s public statement is that obtaining portions of source code does not put the general public at risk.”

Flittner continued: “In truth, knowing the code can increase risk by allowing hackers to scrutinize it and find weaknesses that Microsoft hasn’t found or fixed.  Since these services (Bing, Maps, Cortana) don’t require user login info, there probably is not a risk.”

Block (Formerly Square) Breach, April, 2022

More recently, Block (formerly Square) acknowledged that its Cash App had been breached by a former employee in December, 2021.  It’s reported that over 8 million customers were affected.  The breach included customer names, brokerage account numbers, portfolio information and stock trading activity.  They are claiming that no other personally identifiable information or account credentials were leaked in the incident.  What is the danger of this sort of breach?  Again, I went to my tech experts.

“This a straightforward case of a former employee still able to log into Cash App’s system and download user reports,” stated Flittner.  “These are the same reports the employee was authorized to view while still working there.  Even if no personally identifiable info was accessed, the data that was downloaded is PRIVATE info that people only want to share with their tax accountant or investment advisor.  That sort of info helps criminals pick which people to target in phishing scams.  Think Frank Abagnale Jr, the real-life person played by Leonardo De Caprio in “Catch me if you can.”  Frank just needed some info about people to pretend to be them…and scam money.”

T-Mobile Breach

I also discussed the recent T-Mobile attack by Lapsus$, since it was the same hacker group as the Microsoft hack, with Ted Flittner, and asked him to let us know what happened and how it happened.

“The T-Mobile attack by Lapsus$ did not breach customer data directly.  T-Mobile has had its share of that, including a breach of 47 million customers’ personal data in 2021.  This Lapsus$ attack involved BUYING T-Mobile employee VPN (virtual private network) login info.  These were purchased on the dark web with the goal of escalating and accessing T-Mobile’s account management system and ultimately allowing hackers to “SIM swap.”  That’s when you tell the phone company that the phone number is now tied to a different SIM card.  This lets someone hijack your cell phone.  And if your cell phone is used for account verification – text messages for example, the hacker now can bypass multifactor authentication.”

Flittner continued: “Though hackers didn’t get far enough this time, it highlights the problem of phone numbers being hacked.  And why we recommend using multifactor authentication with a hardware key – like Yubico.”

Are Banking Apps Safe? 

The world of banking has evolved to the now “must have” banking apps on your mobile devices.  Banks need to draw new customers, and many of them are young and tech-savy.  They’ve literally grown up on the technology some of us are still trying to adapt to in our everyday lives.

Zelle is used by many banks in the USA today for easy transferring and sending money.  These banks include Bank of America, Capitol One, Wells Fargo, US Bank, JP Morgan Chase and PNC bank.  Of course, Apple also offers their Apple Bank mobile app, and there are many more.  But are they safe?

I briefly described earlier the recent scams using Zelle that cost customers of Bank of America and Wells Fargo hundreds to thousands of dollars as scammers spoofed the banks’ phone numbers and the customers were sent text messages, followed by a phone call, which informed them of an attempt to transfer funds.  As a “preventive measure” the scammers gave instructions to the customers which instead sent their funds off to the scammers.  The banks are not actually obligated to replace the money in their accounts if their customers authorized the money to be transferred, which in these instances happened.

So how do we keep our money safe if we’re using banking apps on our mobile devices?  To assist me with this question, I once again went to Aditi Group, to give you more information from the tech side.

“These banking scams are really using age old tactics: pretending to be someone they’re not,” stated Ted Flittner.  “The callers use false Caller ID for the phone call and text messages to innocent bank customers.   They SAY they’re from Wells Fargo or BoA or another of the most common banks.  Some people have been fooled into divulging their account credentials ‘to avoid attempted fraud.’ And in the process they ALLOW the fraud.”

Flittner continued: “This is not a failure by the application.  This is a failure to understand how a fraud investigation really works.  The financial institution doesn’t ask for your login credentials.  But when you call them, they ask you to verify who you are – name, birthdate, address, last 4 numbers of your of social security number.  We all need to be sure WHO we’re talking to on the other end of the line.  Is it the BANK or a SCAMMER?  We recommend always calling them back.  Check the number they give you and see if it matches the phone number on the back or your credit card or the bank.  It not, call the phone number you KNOW for your bank and ask about it.”  That is something that we’ve encouraged people to do for several years.

“Banking Apps are as safe as using web browser normally,” continued Flittner.  “Potential security problems include logging into apps when others can see you, or working on public wifi, where hackers may have obtained access to your phone or computer.  Other problems are the general ones that apply whether it’s a mobile app or web browser on a computer, like using weak passwords or leaving your password around for others to find.  And with phones, leaving them unattended without a strong password to keep others from doing bad things while you’re not looking.”

The Risks of Using QR Codes

QR Codes are all the rage… If you don’t have one and you’re trying to advertise something, you feel like if you don’t have one, you’ll be left behind and lose out to your competitors… And now it’s not just advertising… QR codes can be found everywhere now…   The problem is, they too can be compromised.  Thieves and bad actors have begun placing their own QR codes over the originals and sending your phones to unsafe sites where again, bad things can happen.  Keep in mind, a QR code uses the phone’s camera… therefore it needs access to your camera, and will often ask for (and people automatically give) permission to view all of your files and photos on your device.  Wait, what?  All of your photos and all of your files?  Are your company files in dropbox, which you can access from your phone?  Are your emails from your customers, or their private information such as their names, phone numbers, account numbers, maybe credit card number in those files on your phone?  If so, do you want every entity that you scan a QR code for to have all of that information?  If not, you might want to think twice about using QR codes without scrutinizing them.

Again, I went back to my tech experts to provide some more detail from the technology side.

“Look before you leap,” stated Flittner.  “Does the QR code look legit or is it like sticker graffiti on a traffic light pole?  If it looks like someone pasted a sticker on the original, stop.”  It sounds simple, but many people just don’t stop to take that second look, and that is a real problem.

“If you do scan the code, look at the website address (URL) that it shows before agreeing to load the page. Only use the QR code read apps or camera apps that let you choose to visit the website or not, instead of having it load automatically,” continued Flittner.  “Once it loads, look at the website to be more certain it’s real before you enter any personal data, credit card or sensitive info.”

Mobile Ticketing Apps

Whether you’re a concert-goer or a sports fan, or anything in-between, it’s likely your event is now using Mobile Ticketing only.  The problem with mobile ticketing apps is that they can be unsafe because people don’t always look at the permissions they are granting to the app when using, and automatically clicking yes to accept the terms without looking further or questioning the app’s intentions.

My company has season tickets for the Anaheim Ducks (NHL) and the LA Rams (NFL), and both have mobile ticketing… But me being me, and being worried about the dangers of mobile apps, always asks the team if I can get paper tickets.  Yes, it’s old-fashioned, but much safter.  Sometimes if you ask there is no charge to getting paper tickets.  Sometimes you have to pay a paper ticket fee, but to me, it’s worth it.  Why?  What’s so scary about these apps?

I’ve seen these apps asking for permission to access your files, your photos, and get this, your network access in these apps.  So, before you start clicking ok for all of these permissions you’re granting them, you need to slow down and figure out how to see all of the permission requests and how to say no to what they do not need and what you do not want to give them access to.  If you’re not sure, contact an IT or security expert.

Another option is to have a second phone; one for business and one for things like mobile ticketing apps.  For the latter, don’t store anything on the second phone.  Use it only for those concerts or sporting events.  (But yes, that can be expensive to have 2 phones – see if a very limited plan can be used for the latter).

Crypto Currency

Crypto currency is the latest rage… Everyone wants it, even buildings now display their names, but no one is regulating it.  In January, 2022, it was reported that $30 Million was stolen in the Crypto.com breach.  ($18 million in bitcoin and $15 million in Ethereum, as well as other cryptocurrencies).   I asked Aditi Group if they could tell us more about crypto currency and the dangers of using it, and if people are buying it and trading with it, is there anything that can be done to protect them?

“There are probably THOUSANDS of crypto currency offerings now,” stated Flittner.  “It takes very little to create one and make it public.  And without regulation and with investor frenzy over potential profits to be made, it’s easy to get caught up in emotion and skip due diligence.  Simply from an investment perspective, crypto investing is gambling.  It can pay off for you or wipe your savings. 

“From a security perspective, it requires smart and strong password management.  The main path of breach is someone getting your login and password to your crypto wallet.   Guard those passwords.  Make them as strong as possible,” warned Flittner.

“Crypto.com, which is a crypto trading platform, was breached by hackers and discovered this January. Hackers were able to bypass the 2-factor authentication for user accounts and 483 accounts were accessed and $30 M in bitcoin and etherium (crypto coin) was stolen.  Cryto.com reimbursed the user accounts and stopped other attempted transfers.  They have since announced stronger ‘multi-factor’ authentication coming this year,” stated Flittner.

“Part of the risk with crypto is once it’s stolen, you may have no recourse,” continued Flittner.  “Crypto.com is rolling out a new Worldwide Account Protection Program that can insure your account up to $250,000 – if you meet certain conditions.” So if you’re thinking of investing in crypto currency, be sure you do your homework and put in the necessary security protocols before you invest.

How Do We Protect Ourselves and Our Companies?

So how do we protect ourselves from these common threats?  As a privacy & security consultant and trainer, my first instruction is always to DO A RISK ASSESSMENT.  You need to figure out where your risks are before you can mitigate those risks.  You need to know where you are before you can move forward with a security plan.

“This is all about being aware of danger before it strikes,” stated Flittner.  “And preparing to reduce risk and recover faster if it does.”

The Need for Risk Assessments – An Ongoing Security Tool

Every article I write about this topic and every training I do includes my preaching to you all about the need to do Risk Assessments.  This means you must look at every device, every tool, every router, your network, and everything else to determine where the risks are, and figure out how to mitigate those risks.

According to Ted Flittner, “In basic terms, this is a comprehensive review of you or your business to consider what risks you may face (stolen computer, ransomware attack, even physical break-in), what inherent vulnerabilities you have (staff bringing their own computers, work at home, out of date software), the likelihood of each type of problem actually happening, and the impact if they do.  Then we decide which items are really critical to address, less serious, and on down.  Sometimes we conclude that chances are LOW that a problem happens, but the IMPACT would be catastrophic, so we take steps to avoid or easily recover (think Life Insurance).”

Flittner continued: “The result should be ACTION to address the dangers.  HIPAA and HITECH require it for businesses that fall under HIPAA.  And it’s often mentioned by the federal investigators as missing or lacking in HIPAA violations.”

Identifying technical vulnerabilities to include in their risk analysis, according to OCR in their March 17, 2022 Newsletter, “OCR Cybersecurity Newsletter: Defending Against Common Cyber Attacks,” (which I’ll mention again below and include the link to view it), include the following: 

• subscribing to Cybersecurity and Infrastructure Security Agency (CISA) alerts (https://us-cert.cisa.gov/ncas/alerts) and bulletins; (https://us-cert.cisa.gov/ncas/bulletins)
• subscribing to alerts from the HHS Health Sector Cybersecurity Coordination Center (HC3);   (https://www.hhs.gov/about/agencies/asa/ocio/hc3/contact/index.html)
• participating in an information sharing and analysis center (ISAC) or information sharing and analysis organization (ISAO);
• implementing a vulnerability management program that includes using a vulnerability scanner to detect vulnerabilities such as obsolete software and missing patches; and
• periodically conducting penetration tests to identify weaknesses that could be exploited by an attacker.

Regulated entities, according to OCR, should not rely on only one of the above techniques, but rather should consider a combination of approaches to properly identify technical vulnerabilities within their enterprise.  Once identified, assessed, and prioritized, appropriate measures need to be implemented to mitigate these vulnerabilities (e.g., apply patches, harden systems, retire equipment).

How often should a Risk Assessment be done?  According to Ted Flittner: “We recommend a yearly review or when major changes happen with the business.”

Who should be involved in a Risk Assessment?  Is it just IT?  “Risks involve the whole team,” stated Flittner.  “Key supporters of Risk Assessments should include executives, especially financial leadership.  But really, everyone should be involved in some way.”

What are some of the areas in an organization that need to be looked at in a risk assessment?  Again, I went to Aditi Group for their comments.  “Everywhere that sensitive info moves throughout your business,” replied Flittner. “This could just be one department like Human Resources, or it could affect everyone.”

What sort of questions, tasks, need to be included in a Risk Assessment?  Ted Mayeshiba of Aditi Group responded as follows: “Physical inventory – what devices hold sensitive data (PHI in HIPAA terminology).  Important questions include:  ‘Where does the data reside?  What’s in ‘the cloud’ with 3^rd party companies?  Who should access the sensitive info?  And how do you control access?  Is there a BA agreement in place?  Does the 3rd party company have access to the data?’    All of these should be considered and discussed within your organization.”

We always recommend that a Risk Assessment be done by an independent third party.  Why?  “Three main reasons: first it’s not the main job of employees, so it rarely gets priority; second, outside eyes tend to notice problems that people who see the process every day can miss (can’t see the forest through the trees in front of them); and third, employees sometimes are reticent to admit to weaknesses in the process,” stated Flittner.

I asked Ted Flittner what message he would share with every business owner, large or small, related to Risk Assessments and their importance in protecting their data?  Ted replied: “Know before it’s too late.  Be Prepared.  As a former Boy Scout, I learned to live by the motto long ago.   Security is always evolving and where you didn’t think you have risk in the past may be totally different today.  And the cost of problems like data breaches and ransomware are much higher than the cost of prevention.”

Weak Cybersecurity Practices

It is well known that a regulated entity that has weak cybersecurity practices makes itself an attractive soft target for hackers and cyber criminals.  Weak authentication requirements are frequent targets of successful cyber-attacks (over 80% of breaches due to hacking involved compromised or brute-forced credentials, according to OCR).  (Verizon. 2020 Data Breach Investigations Report. (2020, p. 19). Retrieved from https://enterprise.verizon.com/resources/reports/2020/2020-data-breach-investigations-report.pdf).

Weak password rules and single factor authentication are among the practices that can contribute to successful attacks.  Once inside an organization, if the entity has weak access controls, this can further contribute to an attacker’s ability to compromise systems by accessing privileged accounts, moving to multiple computer systems, deploying malicious software, and exfiltrating sensitive data.

HIPAA rules state that regulated entities are required to verify that persons or entities seeking access to ePHI are who they claim to be by implementing authentication processes. (See 45 CFR 164.312(d): Standard: Person or Entity Authentication) A regulated entity’s risk analysis should guide its implementation of appropriate authentication solutions to reduce the risk of unauthorized access to ePHI.  For example, authenticating users that access a regulated entity’s systems remotely (e.g., working from home) may present a higher level of risk to a regulated entity’s ePHI than users logging into their desktop computer at work.  To appropriately reduce the higher level of risk of remote access, a regulated entity may consider implementing stronger authentication solutions, such as multi-factor authentication.

According to OCR’s March 17^th newsletter, implementing access controls that restrict access to ePHI to only those requiring such access is also a requirement of the HIPAA Security Rule.  (See 45 CFR 164.312(a)(1): Standard: Access Control.) Here, too, the risk analysis should guide the implementation of appropriate access controls.  For example, a regulated entity may determine that because its privileged accounts (e.g., administrator, root) have access that supersedes other access controls (e.g., role- or user-based access) – and thus can access ePHI, the privileged accounts present a higher risk of unauthorized access to ePHI than non-privileged accounts.  Not only could privileged accounts supersede access restrictions, they could also delete ePHI or even alter or delete hardware or software configurations, rendering devices inoperable.  To reduce the risk of unauthorized access to privileged accounts, the regulated entity could decide that a privileged access management (PAM) system is reasonable and appropriate to implement.  A PAM system is a solution to secure, manage, control, and audit access to and use of privileged accounts and/or functions for an organization’s infrastructure.  A PAM solution gives organizations control and insight into how its privileged accounts are used within its environment and thus can help detect and prevent the misuse of privileged accounts.

Regulated entities should periodically examine the strength and effectiveness of their cybersecurity practices and increase or add security controls to reduce risk as appropriate.  Regulated entities are required to periodically review and modify implemented security measures to ensure such measures continue to protect ePHI. (See 45 CFR 164.306(e): Maintenance.) Further, regulated entities are required to conduct periodic technical and non-technical evaluations of implemented security safeguards in response to environmental or operational changes affecting the security of ePHI to ensure continued protection of ePHI and compliance with the Security Rule. (See 45 CFR 164.308(a)(8): Standard: Evaluation.) Examples of environmental or operational changes could include: the implementation of new technology, identification of new threats to ePHI, and organizational changes such as a merger or acquisition.  But even if you’re not a HIPAA Covered Entity, these practices should apply to any organization due to the many other state and federal privacy and security rules, and as a matter or overall good business practice to keep your organization’s data safe.

New Federal Guidance on Defending Against Common Cyber-Attacks

In the past few months, both the IRS and HHS’s Office of Civil Rights have issued guidance and newsletters for HIPAA Covered Entities on keeping you safe against common cyber threats.  I’ll try to highlight some of the most important tips.  I would suggest you read the HHS Office for Civil Rights In Action March 17, 2022 Newsletter, “OCR Cybersecurity Newsletter: Defending Against Common Cyber Attacks,” which I mentioned above.  It can be found at:  https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-first-quarter-2022/index.html.  In addition, the IRS published several releases in February, 2022, to protect tax payers from scams and fraudulent activity (https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant), , as well as announcing a transition away from the use of third-party verification involving facial recognition (https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition).  I will attempt to summarize some of the more important items discussed in these publications and provide additional commentary.  I also want to point out that since we don’t have a single national entity regulating all forms of electronic and cybersecurity, even if you’re not a covered entity under HIPAA rules, the HIPAA Security and HITECH rules are very effective in protecting your organization from all types of electronic and cybersecurity threats.  Simply, it’s all we have, for the most part, so use those rules to your advantage.

Phishing, Spear Phishing and Whaling

As discussed in my last article, one of the most common attack vectors is Phishing.  This is a type of cyber-attack that is used to trick individuals into divulging sensitive information via electronic communications, such as by email, or by impersonating a trustworthy source.  According to HHS, a recent report noted that 42% of ransomware attacks in Q2 of 2021 involved phishing.

If you’re subject to HIPAA Security and HITECH (meaning you are a HIPAA Covered Entity, such as a sponsor of a health plan, an insurance company or a provider of health care services) your workforce members should understand that they have an important role in protecting the ePHI of their organization from cyber-attacks, according to OCR.  Part of that role involves being able to detect and take appropriate actions if someone in your organization encounters a suspicious email.  The problem is, if they are not trained to detect suspicious emails, they will go unnoticed, and bad things generally tend to happen as a result.  These regulated entities should train their workforce (there is that word again… train…) to recognize phishing attacks and implement a protocol on what to do when such attack or suspected attack occurs.  Do you have such protocols in place in your organization?  Do your employees know who they are supposed to report suspicious emails to in your organization?  Is anyone assigned to be that person or department?

Ted Mayeshiba of Aditi Group had these words to share.  “In the latest Office of Civil Rights Newsletter, the government has tipped their hand as to the raising of the threshold of ‘reasonable efforts’ for evaluating companies `’best efforts’ defending against common cyber-attacks.  There is a new and repeated reference to ‘penetration attacks’ as a best practice which should be adopted by companies.”

Ted Mayeshiba continued: “Penetration testing is usually a third party outside attack on your company’s network by ‘friendly’ forces that test weaknesses in your network.  This is really nothing new, this is done by Fortune 500 firms.  It is the first time that we’ve witnessed this idea put forth in a regular OCR Cybersecurity Newsletter.  Of particular interest was the reference to tie cybersecurity training programs with a follow up with friendly ‘phishing’, ‘spear phishing’ and ‘whaling’ attacks to test the effectiveness of the training.  As attacks become more frequent and target even ‘small’ firms, it is becoming increasingly urgent to tighten cybersecurity for all firms.”

According to Mayeshiba, “‘phishing’ is a type of social engineering attack commonly used to steal user data including login credentials or other financial data.  It commonly occurs when an attacker, masquerading as a trusted entity, dupes a victim into revealing sensitive information by opening an email, link or text message.  ‘spear phishing’ is similar to phishing, but the attack includes specific information unique to the individual being attacked, thereby increasing the likelihood of the victim opening the email, link or text message.”

Another term not mentioned in the OCR Newsletter is ‘whaling’.  Mayeshiba defines this as “similar to phishing, but the attack is specific to executives (C-suite) or to others where the bad actor masquerades as the executive to coerce a trusted employee to divulge sensitive information.”

According to the HIPAA Security Rule, regulated entities are required to implement awareness and training programs to all its workforce members, and such programs should be an ongoing and evolving process, so that it changes as new threats develop.  Your management personnel should also be participating in training… I’ve seen far too often that they want their employees to be trained, but the executives fail to go through it themselves, and then when they are targeted, which they often are, because they have access to a generally a higher amount of ePHI in phishing email attacks, they don’t follow protocols, and they often are the reason for such schemes resulting in bad things happening.

The key to an effective security training program is repetition and periodic security reminders.  In fact The Security Rule includes an addressable provision for such reminders.  Are you doing this within your organization?

OCR suggests in their newsletter that covered entities should, for example, send simulated phishing emails to your workforce members to gauge the effectiveness of their security awareness and training program and offer additional, targeted training where necessary.  An educated workforce can be an effective first line of defense and an integral part of a regulated entity’s strategy to defend, mitigate, and prevent cyber-attacks.

In my opinion, the worst type of training you can provide is a canned, “check-the-box” training consisting of a few simple presentation slides.  It’s best to think of interesting, innovative ways to engage your workforce to understand the risks and prevent cyber-attacks.

OCR suggests that regulated entities can mitigate the risk of phishing attacks by implementing anti-phishing technologies.  This could mean examining and verifying that received emails do not originate from known malicious sites.  If an email is suspected of being a threat, it can be blocked and appropriate personnel can be notified to step in and deal with the threat head-on.  Other approaches, according to OCR, can involve scanning web links or attachments included in the emails for potential threats and removing them if a threat is detected.  Newer techniques can leverage machine learning or behavioral analysis to detect potential threats and block them as appropriate.

The key is developing and implementing “policies and procedures to protect ePHI from improper alteration or destruction.”  It’s important to note that the Security Rule requires regulated entities to assess and reduce risks and vulnerabilities to the availability of ePHI, as well as confidentiality and integrity.

Anti-phishing technologies can impede or deny the introduction of malware that may attempt to improperly alter, destroy, or block authorized access to ePHI (for example, ransomware), and thus can be a helpful tool to preserve the integrity and availability of ePHI, according to OCR.

It is always advisable to combine an educated, engaged workforce with technical solutions in order to achieve the best opportunity to reduce or prevent phishing attacks.

Exploiting Known Vulnerabilities

I think most of you know and understand that hackers can penetrate an entity’s network and gain access to ePHI or other sensitive data by exploiting known vulnerabilities, where it is publicly known to exist.  The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), which provides information about known vulnerabilities.  Exploitable vulnerabilities can exist in many parts of your information technology infrastructure, such as on your server, your desktop, mobile device operating systems, applications, databases, your web software, your router, your firewalls, and other device firmware.  Often known vulnerabilities can be mitigated by applying vendor patches or upgrading to a newer version.  If a patch or upgrade isn’t available from the vendor, they may suggest actions you can take to mitigate a newly discovered vulnerability.  These could include modifications of configuration files or disabling affected services.

It’s important to remember that older applications or devices may no longer be supported with patches for new vulnerabilities, so you will need to take appropriate action if a newly discovered vulnerability affects older applications or devices.  If an obsolete and unsupported system cannot be upgraded or replaced, then additional safeguards must be implemented or existing safeguards enhanced to mitigate the known vulnerabilities until an upgrade or replacement can occur.  This may involve increasing access restrictions, removing or restricting the old device from network access, or disabling unnecessary features or services.

The bottom line is, you need to do a risk analysis to determine these potential risks and vulnerabilities.  Not once, but often and on an ongoing basis.

Read, Sink In, Repeat – The Need for Continued Training

Although I discussed this in detail in my first article, I do want to touch on it again… It’s imperative that employers take the time to train their employees on the electronic risks that are out there, because if you don’t, it only takes one wrong click on an emailed link to download malware, worms or other things that can bring your systems to a screeching halt.  As Ted Flittner stated in that article, “Know company policies and why it matters to follow them.   The key topic these days is email diligence.  Don’t click on email links or download files that you don’t really know.  Slow down and take time to scrutinize.  Teach people how to recognize fakes and legitimate messages,” he stated.  “And train people on how to react if malware, ransom, or phishing attempts succeed.  Who should they call and what should they do next?  That seems to be one of the glaring missing pieces in most employers’ privacy policies.”

Bottom line, train now and train often.  You can never train enough.  Things change, and so should your training.  Keep up to date and keep up with the latest threats.

Same Message, Different Result?

Although to some extent I am sharing with you the same message as my prior article from 2021, I’m hoping for, someday soon, a different result.  We don’t need to keep repeating the same mistakes and putting off for tomorrow something that should have been done yesterday.  The only way to have a different result, a better result, with less hacks, less cyber-attacks, is to do what you know you need to do.  Do a risk assessment.  See where you are and where you want to be and develop policies and procedures to help you meet your goals.  And don’t forget to train your employees regularly and often, keeping up to date with the latest threats.  I’d like to think that perhaps someday soon I won’t have to keep writing these articles every year….  So  let’s work on a different result, please!

Authors Note:  I’d like to thank Ted Flittner and Ted Mayeshiba of Aditi Group for their assistance with this article.  I can be reached at Advanced Benefit Consulting, dmcociu@advancedbenefitconsulting.com, or by phone at 714 693-9754 x 3.  Ted Flittner and Ted Mayeshiba can be reached at AditiGroup.com, or by email at ted.flittner@aditigroup.com or ted.mayeshiba@aditigroup.com. Advanced Benefit Consulting & Aditi Group offer privacy & security training, consultation and implementation system assistance, as well as Risk Assessment services on an ongoing basis.

Dorothy Cociu is the President of Advanced Benefit Consulting, Anaheim, CA, and the current Vice President, Communications, of the California Agents & Health Insurance Professionals (CAHIP) 2021-2022. 

References & Sources:

HHS Office of Civil Rights March 17, 2022 Newsletter, “OCR Cybersecurity Newsletter: Defending Against Common Cyber Attacks.”

IRS publications February, 2022:  (https://www.irs.gov/newsroom/irs-warning-scammers-work-year-round-stay-vigilant) and (https://www.irs.gov/newsroom/irs-announces-transition-away-from-use-of-third-party-verification-involving-facial-recognition).

Plus sources referenced above in the article.

By: Dorothy Cociu, RHU, REBC, GBA, RPA, LPRT

President, Advanced Benefit Consulting & Insurance Services, Inc.

We’ve all been there, or know someone close to us that has, or for health agents, you’ve seen this from the clients we all serve. You need healthcare, you see a doctor or go to an emergency room. You may even be hospitalized. If it’s an emergency, you go to the nearest emergency room, which may or may not be part of your health plan’s network. Even if the ER is part of the network, you are seen by an ER doctor, who it turns out, is not part of the network. Or you have surgery, and although the surgery center may be a network facility, the surgeon or assistant surgeon, or more commonly, the anesthesiologist or radiologist, is not. You go about your life, you pay your co-pays or coinsurance, and think everything will be fine, because after all, you have insurance! One day, you come home from work, check your mail, and there is an envelope with a medical provider’s address on it. You open it, thinking it’s only a confirmation of the insurance payment, or a copy of the plan’s EOB or something. And then, as you’re staring at the black and white in front of you, the text becomes blurred, you start to feel tunnel-vision coming on, because you’re staring at a bill from the provider that says you owe $800+ dollars, even though your most recent EOB that you received says that the bill was paid by your health plan. After the initial shock, you think it’s a mistake, so you wait until the next day and call your health plan, and you discover that the health plan has paid everything it was supposed to pay, so the provider has “balanced billed” you the difference between the billed charge and the amount paid by your health plan.

Imagine now (or recall from personal experience if it’s happened to you) a similar situation after you were hospitalized for a major surgery. There was only one hospital near you, or perhaps they had to move you to a hospital that specializes in the type of care you need. You thought you did all of the right things. You had the surgery or procedure pre-authorized, and again, you thought everything would be fine after you pay your co-pays or coinsurance, because once again, you have insurance! And then it arrives in the mail… that “surprise” bill that says that you owe $47,500 for your recent hospitalization or surgery expenses. This time, it’s not just tunnel-vision; it is panic. Your body is drenched in sweat and you are visibly starting to shake, because you don’t have $47,500 right now to pay for this! As someone who in my past ran a third party administrator and have seen many, many balance bills, I will tell you that I’ve seen balance bills of over $125,000 for hospitals and over $75,000 for air ambulance charges, and I’ve heard of them up to $100,000!

Some people actually ended 2020 and began 2021 in a positive financial position, because they were able to keep their jobs during the pandemic, and because you were stuck at home, you didn’t spend much, so your bank account balance is higher than normal. But for many, it’s been a tough financial 18+ months. COVID has impacted our lives in so many ways, including, in many cases, our income. We may feel lucky that we didn’t lose our jobs, but basic expenses, like the cost of buying a home, the cost of fuel for your vehicle, and the cost of groceries we need have all increased, and our pay has decreased or stayed the same. Or perhaps you were laid off, and you’re now just starting to get back on your feet, but it seems like everything you do or need to buy is now more expensive. Your savings account has decreased, or perhaps been depleted.

Whatever your financial position may look like right now, none of us wants a surprise medical bill. The good news on that front is that recent federal actions, it is hoped, will stop these sorts of provider practices from happening in the future.

For some time, many in the health insurance industry have asked for two important pieces of legislation…. transparency in health care costs and the control of providers that “balance bill” their patients after insurance payments and normal plan co-payments and coinsurance have been paid, an amount in excess of the expected or “usual and customary” or “reasonable” amount. This “Surprise Billing” practice is so common that it has become almost the norm. It’s definitely one of the most important issues in the healthcare industry in the minds of consumers, and therefore, the legislators. Recent legislation on both of these items will soon be in effect. New legislation, as we all know, often comes confusion and misunderstanding. I will attempt today to break these rules down for you in understandable terms.

On July 1, 2021, federal departments (HHS, DOL and Treasury, as well as the Office of Personnel Management (OPM)) released an interim final rule IFR) with a comment period on the No Surprises Act (NSA – if you choose to use an acronym, and not the National Security Administration, which could get confusing), which is part of the Consolidated Appropriations Act (CAA) of 2021; one of the largest pieces of legislation in the health care and insurance industry since the ACA, and it goes into effect on January 1, 2022. This rule is entitled “Requirements Related to Surprise Billing: Part 1.” This was followed by Frequently Asked Questions (FAQs) in late August, which dove into many provisions of the No Surprises Act and Transparency in Coverage rules.

Background

Most health plans, whether they are group plans, individual plans, a Marketplace plan or Medicare plans, offer a network of providers and facilities (your PPO or EPO network – or “in-network” providers) that agree to accept payment at an established, contracted rate. Non-network providers generally charge higher amounts as there is no contract rate pre-established for that service or stay. In many cases, the out-of-network provider may balance-bill the patient for the difference between the billed charge and the amount that the health plan or insurance has paid, unless it’s prohibited by state law. Balance bills can happen in both emergency and non-emergency care.

In the case of an emergency, as briefly described above, the patient usually goes to the nearest emergency room. In many cases, although the ER is a network-contracted facility, many of the providers that work inside of that facility may not be part of those networks. Often emergency rooms are staffed by independent contractors or doctors not belonging to many networks; they are often non-negotiated third parties, providing services such as anesthesiology, pathology, radiology, rehabilitative care, physical therapy, or neonatology. In many cases, the patient has no control over the physician or other provider inside those facilities. When I was managing a TPA some years ago, we called these “forced providers.” It’s unfortunate, but common, and even more so because most consumers do not routinely ask their providers inside of an emergency room or hospital if they are contracted… Perhaps a good practice may be to ask simply, “who pays you?” Let’s face it… Most people are too concerned with getting care in an emergency situation, and family members are too concerned about their loved ones to ask those basic questions. The result is often a balance bill.

We also see this often in the event that you need an air ambulance… you generally do not have the ability to select an air ambulance from a network provider directory. Air ambulance companies have notoriously over-charged in many circumstances.

It’s important to note that in most cases, surprise bills usually do not count toward your deductibles or out-of-pocket maximums, which many people do not understand.

According to CMS (Fact Sheet – Requirements Related to Surprise Billing: Part 1 Interim Final Rule with Comment Period, July 1, 2021):
• A recent study found that payments made to providers by people who got a surprise bill for emergency care were more than 10 times higher than those made by other individuals for the same care.
• 9% of individuals who got surprise bills paid more than $400 to providers, which may result in financial distress for consumers, given recent findings that show 40% of Americans struggle to find $400 to pay for an unexpected bill.
• Studies have shown that in the period from 2010-2016, more than 39% of emergency department visits to in-network hospitals resulted in an out-of-network bill, increasing to 42.8% in 2016. During the same time, the average amount of a surprise medical bill also increased from $220 to $628.
• Although some states have enacted laws to reduce or eliminate balance billing, these efforts have created a patchwork of consumer protections. Even in a state that has enacted protections, they typically only apply to individuals enrolled in insured health insurance coverage, as federal law generally preempts state laws that regulate self-insured group health plans sponsored by private employers. In addition, states have limited power to address surprise bills that involve an out-of-state provider.

It is important to understand that the provisions of the No Surprises Act relate back to former ACA requirements, such as the requirement of plans to reimburse emergency services at a rate at least the amount that would have been paid in-network, regardless of whether or not there was a network in place. The ACA did not, however, prevent the out-of-network emergency room from any sort of balance billing.

The interim final rules generally apply to group health plans and health insurance issuers offering group or individual coverage, including grandfathered health plans, effective January 1, 2022. The No Surprises Act does not apply to retiree-only plans, excepted benefits, short-term limited-duration plans, Health Reimbursement Accounts (HRAs), flexible spending accounts (FSAs) or health savings accounts (HSAs).

What Is the Intention of The No Surprises Act?

The No Surprises Act was passed in December, 2020, as part of the Consolidated Appropriations Act of 2021, and goes into effect, as mentioned above, on January 1, 2022. The intention of the law is to protect consumers from the types of balance-billing or surprise billing practices described above. The No Surprises Act focuses on billing practices in certain non-network situations by limiting the amount of the bill to the amount that would have been payable under an in-network arrangement. This piece of legislation was bipartisan, which is not exactly common in Washington in recent years. That tells you that everyone seems to agree on the intent… To protect consumers from these horrendous and detestable provider practices. However, I do want to mention up front that although this legislation, as it stands now, protects consumers from these practices in non-network situations, it may not fully protect self-funded health plans when they use financing methods such as reference-based pricing, which I will address later in this article.

Summary of The No Surprises Act’s Interim Final Rules (IFR)

Protections addressed in the No Surprises Act apply primarily to emergency services, non-emergency services delivered by out-of-network providers at an in-network facility, and out-of-network air ambulance services.

If a plan or health insurance coverage provides for any benefits for emergency services, this rule requires emergency services to be covered without any prior authorization, regardless of whether the provider is an in-network or out-of-network emergency facility. In addition, plans must cover emergency services regardless of other terms or conditions of the plan or health coverage, other than exclusions due to coordination of benefits or any waiting period.
The interim final rule limits cost sharing for out-of-network services to be limited to the amount paid in-network, and requires such cost sharing to count toward any in-network deductibles and out-of-pocket maximums. Most importantly, it prohibits balance billing.

The IFR state that these limitations apply to out-of-network emergency services, air ambulance services furnished by out-of-network providers, and certain non-emergency services furnished by out-of-network providers at certain in-network facilities, including hospitals and ambulatory surgical centers.
Specific provisions of the No Surprises Act limit out-of-network services to billing amounts without cost-sharing requirements that are greater than those applied in-network, and limits cost-sharing as if the total amount billed for services are equal to the “recognized amount.” Commonly, in an out-of-network scenario, this has been limited to the Usual, Customary & Reasonable (UCR) amount. Under the No Surprises Act IFR, the amount must be calculated based on one of the following amounts:
• An amount determined by an applicable All-Payer Model Agreement under section 1115A of the Social Security Act.
• If there is no such applicable All-Payer Model Agreement, an amount determined under a specific state law.
• If neither of the above apply, the lesser amount of either the billed charge or the “qualifying payment amount,” (or QPA), which is generally the plan or issuer’s median contracted rate. (We now have a new industry acronym – QPA – for qualifying payment amount, ju in case you are confused).

According to the IFR, the All-Payer Model Agreement is an agreement between the Centers for Medicare & Medicaid Services (CMS) and a state to test and operate systems of the all-payer payment reform for the medical care of residents of the state under the authority of Section 1115 A of the Social Security Act, and it may voluntary or mandatory for a given payer.

Emergency services also include any post-stabilization services, unless all of the following conditions are met:
• The treating provider determines the patient is able to travel using non-medical transportation to an available provider or facility;
• The provider or facility provides notice and obtains consent;
• The patient is in a condition to receive the information and provide informed consent;
• The provider or facility satisfies any additional requirements or prohibitions under state law.

Employer/Plan Sponsor Concerns

Employers are just now starting to realize that all of the provisions of the No Surprises Act will impact them. I asked our attorney, Marilyn Monahan of Monahan Law Offices, what she thinks are the most important/impactful sections that affect employers and their insured participants? Marilyn responded as follows:
a. “The restrictions on surprise billing for out-of-network emergency and non-emergency services will be good news to many participants who have experienced—or who are worried about experiencing—surprise medical bills. During open enrollment, employers should consider the most effective way to explain these new rules, so that participants understand when and how they apply.
b. The new restrictions on ancillary services provided in conjunction with a non-emergency visit to an in-network facility (such as anesthesiology, pathology, radiology, and diagnostics) will also be good news, since the definition of ‘ancillary services’ encompasses a broad range of services that have often been the basis for surprise bills in the past.
c. Employers with self-funded plans should review their plan documents to ensure that the terms are consistent with the IFR. These employers should also communicate with their TPA to ensure that the TPA will be prepared to administer benefits according to the new rules as of the applicable effective date and make any amendments to their services agreement that may be necessary. In fact, a detailed conversation with the TPA about the implementation process for the many provisions in the CAA that impact health and welfare plans is essential.”

Administrative Concerns & Confusion Over the No Surprises Act

The No Surprises Act throws confusion into the claims payment industry by requiring that coverage be provided without limiting what constitutes an emergency medical condition, solely on the basis of diagnosis codes, such as the ICD-10 codes, which are common in claims adjudication use. The federal departments appear to have expressed their disapproval of claims practices which do not look at all of the facts and circumstances, relying solely on the diagnosis codes to determine if a claim is eligible for payment. Many plans and claims administrative practices will automatically deny an emergency claim, for example, based on a pre-determined list of final diagnosis codes without regards to the actual symptoms being presented to them at the time of care. It is often only following claim denial that a plan or claims administrator will review all of the facts, and generally upon a formal (but sometimes informal) appeal.

If you review the term “emergency medical condition,” it refers to a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that a prudent layperson, who possesses an average knowledge of health and medicine could reasonably expect to either 1) place their health in serious jeopardy, 2) seriously impair bodily functions, or 3) cause serious disfunction to a bodily organ or part. In general, it requires a plan to consider anything a prudent layperson should consider, given all documentation and all symptoms, without relying solely on an ICD-10 code. This includes mental health and substance abuse disorders. Plans must ultimately determine whether the standard was met by reviewing presenting symptoms, without imposing any type of time limit between onset and presentation for emergency care.

I asked Marilyn what she thinks plan sponsors and administrators need to focus on to apply this prudent layperson standard in an emergency situation? Marilyn responded: “If the plan documents apply a different standard to claims for emergency services, amendments will have to be made. The TPA’s claims procedure manual and processes must also be updated. The TPA should also consider this guidance from the preamble: ‘the determination of whether the prudent layperson standard has been met must be based on all pertinent documentation and be focused on the presenting symptoms (and not solely on the final diagnosis).’ Based on this reminder, the revised claims procedures should also include, as necessary, updated record keeping requirements that will enable the plan to prove that it is has satisfied the new legal standard in each case. The emphasis placed on the prudent layperson standard in the preamble to the regulations implies that this issue may be a priority for the Departments. (86 Fed. Reg. 36872, 36879-36880.)”

In relationship to the administrative and legal process for plans, including plan documents and plan communications, Marilyn continued: “The Surprise Billing IFR—along with the other provisions of the CAA applicable to health and welfare plans—place many new obligations on plans and issuers. Employers with fully insured plans should communicate with their carriers to ensure the carriers intent to comply on time. Employers with self-funded plans have more work to do. The changes created by the CAA will probably require changes to plan documents, ID cards, provider directories, and more. They may also require changes to the terms of TPA contracts and claims processing manuals. Employers should be prepared to discuss with their TPA who will be responsible for implementing each relevant section of the CAA, and the timeframe for implementation. Employers should also consider whether any changes need to be made to the written contract with the TPA, including adjustments in cost, scope of services, indemnification, and other key clauses.”

Some plans and administrators may be concerned that if you can’t control costs by using strict ICD-10 codes, what can plans and administrators do to control the cost of health care, particularly in a self-funded health plan? Plans may have to find alternate ways of reducing or maintaining costs, such as higher ER copays or coinsurance, raising deductibles, or having additional deductibles for ER services. Other ways of keeping ER costs down in a health plan is to educate your employees on more cost-effective steps prior to walking into an emergency room. This would include things like using Urgent Care Centers instead of high-cost emergency rooms, or for many services that are not life-threatening, implementing new or encouraging plan participants to use Telehealth options.

Qualifying Payment Amount – QPA – Applications to Self-Funded Health Plans

The definition of a qualifying payment amount and applications to the marketplace are a bit confusing… Particularly in the self-funded market. The QPA is defined as the median of the in-network (or contracted) rate in a geographic area, and applies in other portions of the law, including the base-line factor that an arbiter may consider when they determine the final amount to be paid under the new federally-established independent dispute resolution process (IDR – yes, another new acronym).

Another important self-funded consideration is that ERISA must always pre-empt state surprise billing laws when applied to self-funded plans. The IFR allows the option for self-funded plans to voluntarily opt-in to a state law.

Under the No Surprises Act, when a self-funded plan and an out-of-network provider cannot agree on a rate, they must go through an independent dispute resolution process. The IFR stated that a median contract rate should be determined by taking into account every group health plan offered by the self-insured plan sponsor. The IFR allows for administrative simplicity for self-funded plans to permit the TPA who processes their claims to determine the QPA for the plan sponsor by calculating the median contract rate based on all of the plans that it processes and administers claims for. The IFR states that the contracted rates between providers and the network provider for the health plan would be treated as the self-insured plan’s contracted rates for purposes of calculating the QPA.

Third Party Administrators will find the No Surprises Act quite complicated, and frankly, quite expensive to administer. TPAs will need to set up their claims payment systems to administer the QPA. Most self-funded health plan sponsors will rely on their TPAs to assist them with all of the No Surprises Act requirements, and it will likely be the norm for TPAs to assist self-insured plans with the Model Notice that is required. Ultimately, the No Surprises Act will be costly to administer for TPAs. They will need to determine the QPA, which will not be easy and will not be cheap in most cases. In addition, changes will need to be made in understanding the implications of the ER services determination – and taking the extra steps up front to examine more documentation and understand symptoms, rather than initially denying a claim up front, and all of that will cost more; in claims adjudication training, in system adjustments, and more. Not to mention the QPA’s independent dispute resolution process. What this means to self-funded employers is that they should expect their claims fees to increase due to the No Surprises Act.

The geographic regions used to determine the contracted rates will follow the metropolitan statistical areas (MSA) used by both Medicare and the U.S. Census. The IFR includes the “rule of three” expansion, meaning that if a plan cannot identify three rates to determine a median rate within an MSA, then the plan is permitted to increase the size of the MSA to include the state as a single region.

The IFR issued clear guidelines for steps to be taken in order to determine the appropriate rate, using primarily databases. This piece ties in directly with the Transparency rules, which were in part also addressed in the IFRs. One important provision that was included in the IFR addressed self-insurance industry concerns related to the possibility of conflicts of interest while using databases. The IFR states that the organization maintaining the database cannot be affiliated with, controlled by, or owned by any health insurance issuer, provider, or healthcare facility.

Although the IFR did not address all self-funded concerns, the rules did for the most part, follow comments made from industry associations such as the Self-Insurance Institute of America (I am a member of this association), and overall, the self-funded industry seems pleased with the initial set of rules, and are anxiously awaiting additional guidance.

From an administrative perspective, many of the requirements were not addressed in Part 1, but we’re hoping those will follow soon in expected fall rules and guidance. We are expecting more guidance on the arbitration/IDR process to be released in early September.

Independent Dispute Resolution (IDR) Process

Although I mentioned the IDR above, I wanted to come back to it and explain a bit more about how this will work. Under the Interim Final Rules (IFR), if a payer, such as a carrier or health plan, cannot resolve a payment settlement with a provider, then the payer and provider must resolve the payment dispute using methods of negotiation and arbitration. The No Surprises Act requires payers to send an initial payment or denial of payment of a claim no longer than 30 days after a claim is submitted. After the 30-day period, either party may begin negotiations on a claim. If the parties involved cannot agree on payment terms during the 30-day period, then they will move to an Independent Dispute Resolution (IDR) process. This process may be initiated within 4 days after the end of the open negotiation period of the 30 day period (for a 34-day window). Each entity will offer a final payment amount and then the arbiter will use a variety of factors to determine the final amount, including geographic areas, service codes, etc. The intent is to make it fair to both parties.

Under the IDR process, they are not allowed to use lower payment rates such as Medicare or Medicaid.

The good news is that the IDR does not impact the consumer or plan participant. The dispute is between the provider and the health plan. The provider has no recourse against the consumer, and therefore, it is not an adverse benefit determination.

The agencies will issue the IDR process by December 27, 2021, so we can expect a happy holiday season….

Facility/Provider Notices

cilities and Providers. The first is the Patient Consent for Out-of-Network Care, which requires providers and facilities to provide a notice to a patient regarding potential out-of-network care. The patient must consent to such out-of-network care and any additional costs that may be incurred. However, there are exceptions. A patient is not required to sign the form and should not sign it if they didn’t have a choice of health care providers when they received care (i.e. a forced provider).

There is also a Public Notice requirement for facilities and providers to post a one-page notice on a public website. The Model Disclosure Notice Regarding Patient Protection Against Surprise Billing is required under Section 2799B-3 of the Public Service Act. A provider must make publicly available such notice by posting it on a public website of the provider or facility, and provide a one-page notice that includes information in a clear and understandable language on 1) the restrictions on providers and facilities regarding balance billing in certain circumstances, 2) any applicable state law protections against balance billing, and 3) information on contacting appropriate state and federal agencies in the case that an individual believes that a provider or facility has violated the restrictions against balance billing.

The Model Notices can be found at: https://www.cms.gov/httpswwwcmsgovregulations-and-guidancelegislationpaperworkreductionactof1995pra-listing/cms-10780.

Health Insurance and Health Plan Notice

Health insurers and Health Plans must provide a notice to individuals about their rights under the No Surprises Act. There is a Model Notice available on the DOL website (although it has been on and off the site a few times since I started researching for this article, so they could be updating it). The notice must be posted on the plan’s website and be included on each EOB for an item or service covered by the No Surprises Act. Although TPA’s may assist in preparing this notice for self-funded plans, the plan sponsor has the ultimate responsibility for compliance. Plan participants can expect that their EOBs will become quite thick when they receive them in the mail… Hence, more administrative/postage costs also.

I asked Marilyn if a plan is self-insured and uses a TPA, is there coordination that is needed between the plan sponsors and the TPA about the notices that are included in the EOB? Does (or should) the Plan Sponsor notices be the same, consistent notices? I expressed to her my fear that the plan notice may differ from the TPAs notice, causing some confusion and possible liability. Marilyn clarified: “The IFR contains new notice and posting requirements. For example, health care providers must provide certain notices to the plan or issuer, and additional notices to patients. Another notice and posting requirement applies to plans and issuers; plans/issuers must post and provide certain notices to participants, including a notice that should accompany explanations of benefits (EOB). Regulations have not yet been issued on the mandate applicable to plans/issuers. In the meantime, the Departments expect plans/issuers to comply using a ‘good faith, reasonable interpretation’ of the CAA. Also in the meantime, a model notice has been issued which may be used by plans/issuers. Ultimately, in the case of a self-funded plan, the responsibility for issuing compliant notices rests with the plan, and not the TPA. The employer should therefore work with its TPA to ensure that compliant notices are prepared and distributed, and that all legal requirements are satisfied.”

No Surprises Act Impact on Self-Funded Health Plans Using Reference-Based Pricing

The No Surprises Act’s limitation on balance billing for services provided in an “in-network” facility by an out-of-network provider is likely to be quite problematic for self-funded plans that use Reference-Based Pricing as their financing method, in place of a PPO network. Because there is no network, and all claims are generally paid at a reference-based rate (most commonly a percentage above known Medicare Rates, such as 150% or 200% of Medicare), such self-funded health plans and their RBP vendors will need to discuss how they intend to deal with the No Surprises legislation, sooner rather than later.
Financing plans with reference-based pricing have grown in popularity over the last decade. However, as RBP has become more prevalent in the industry, hospital systems have become more knowledgeable about it, and at times, have refused payment entirely from RBP plans, and instead, have opted for immediate balance billing to all plan participants. In response to these provider actions, certain RBP vendors are struggling to produce solutions that will limit disruption to employer and employees while attempting to retain as much of the savings that RBP Plans have been known for. RBP plans generally pay claims at a stated percentage above Medicare (such as 140%, 150%, 200%, etc.), while PPO contracts, although a great savings over non-contracted provider rates, generally result in (if compared to Medicare, which of course their rates are not based on) costs ranging from 300% to 800% of Medicare rates. Sadly, I’ve seen many initial bills from hospitals coming in at over 1,000% of Medicare rates when no network is in place.

“Work-arounds” for RBP vendors have included (so far) one-off facility agreements, creating a networked facility, or single case agreements, which is negotiated often-times prior to the participant entering the facility for service. An example is a known procedure or surgery, such as an ACL reconstruction, hip replacement or other procedure. In these cases, some RBP vendors have opted to offer pre-payment to the facility, to encourage them to accept the patient at the RBP rate. There is concern, however, that such pre-negotiated rates could be perceived as a contracted rate, and may set precedents. One of the administrative concerns of this type of solution is the burden that would likely result from pre-negotiations, as well as a possible delay in service while negotiations are in the works.

Another work-around may be direct provider contracts, but those may likely be limited to certain services only, and if providers result in providing additional services, they could opt to balance-bill for those additional services, which may or may not be prohibited under the No Surprises Act, depending on the type of service.

It is assumed by most in the self-insured industry that work with RBP plans that the level of payment for RBP plans may end up increasing to a higher percentage, to still provide savings over PPO plans, but not at the wide difference we are seeing currently. Many of us are expecting payment levels to raise from the 140%-200% rate to perhaps raise to something more like perhaps 200% to 250% for normal facility payments, to cut back on the provider pushback and possible refusal to accept patients under RBP plans.

Because we are still awaiting guidance, I asked two RBP vendors I work with about how they intend to deal with the No Surprises Act. When asked how HS Technologies, an RBP vendor based in Orange County, California, will adjust, President Ryan Day responded as follows: “The No Surprises Act impacts reference-based pricing programs with no facility network. The Interim Final Rule published in July specifically mentions these types of plans in the context of indemnity plans, acknowledging that the scope is limited to emergency facility and professional claims.

If there is no facility network associated with a plan, there can’t be a scenario where a member is surprised by receiving services at an in-network facility from an out-of-network provider. This limited scope doesn’t apply when there are one-off agreements with a facility. Our reading of the rule made clear that these agreements would now make it a surprise bill if a member receives out-of-network care at a facility that has such an agreement.”
Ryan continued with additional solutions. “HST will be able to identify these surprise bill scenarios and, when the plan includes access to a MultiPlan network, ensure the plan administrator has the network QPA needed to determine the member’s cost share.” HST is now part of Multiplan, with contracted national networks such as PHCS and MultiPlan.

I asked the same question of Larry Thompson, Chief Revenue & Strategy Officer for AMPS, another RBP vendor. Larry stated: “There are many pieces to this. Our Chief Legal Counsel is working on a White Paper to address all of this, and I will provide it once it is complete. In the interim, here are few things to consider. The Act does not specifically target RBP or repricing. While it does address OON, we are prepared to assist our clients who use us for this service. More to follow from our CLO.”

I also asked Ryan how they propose to bridge the gap if/when facilities refuse to accept payment entirely from RBP plans? Ryan replied: “HST has routinely experienced a 98% acceptance rate from providers, recognizing not only the fair reimbursement we generate, but also the benefits we can bring to high-accepting facilities. Our HST Connect application helps to steer plan members to those providers, delivering the steerage benefits they typically only expect from network participation. We also engage the provider at key points before service is rendered, to ensure they understand the plan benefits. Should the facility disagree with the reimbursement, our PAC program and settlement portal make it efficient for the provider to engage in the negotiation now required by the No Surprises Act. Any subsequent arbitration resulting from an inability to reach agreement will leverage the analytic and arbitration support services of MultiPlan to help our employers present the best case.”

Larry Thompson, when asked the same question, responded as follows: “Rarely does this happen – less than 1% of our members ever face this problem. When they do, our advocates work with the facility to explain how our program works, and in the majority of the cases, access is allowed. Failing that, we offer single case agreements so that the facility will allow service. Barring that, we can revert to safe harbor contracts we have in AMPS America, or redirect the service to another facility.”

I also asked Larry how the RBP vendor will coordinate these efforts with the TPA? “Our TPA’s are the first line of contact for most members and providers,” responded Larry. “Through our integration the TPA will know when to transfer members to our Advocacy or Care Navigation teams to resolve any issues with providers.”

Lastly, I asked Ryan what types of plan changes/provisions they are recommending plans that are using reference-based pricing add to their plan documents specifically related to the No Surprises Act? “We are considering adjusting the negotiation corridor to allow for settlement above the typical level for surprise bills specifically ER claims. We are also looking at changing the default reimbursement for ER claims that are impacted by the No Surprises Act.”
Many questions remain related to RBP plans by the Departments in future guidance. We don’t know whether the Departments will treat pre-negotiated rates as contracted rates or “network” rates. Several industry groups are known to have asked the Departments for further guidance in this area, so we expect answers in the coming months.

Federal vs. State Balance Billing Laws

It is important to note that the No Surprises Act is not intended to displace any state balance billing laws. The issue of state vs. federal law is quite complex and I suggest you seek the advice of legal counsel on this. I will attempt to summarize just the basics of the interaction, but again, this is only a brief summary.

The Interim Final

Rules defer to existing state requirements with respect to state laws and states that have an established process in place to resolve payment disputes and allow for arbitration. Self-funded plans have the option to opt into a state law where payment standards of the state are expanded, with full protection against balance billing.

Existing federal law says that the out-of-network provider must have a patient sign a consent to receive non-emergency services, but the sate law might prohibit an individual from providing consent to be balance-billed. If a state develops model language that is consistent with the No Surprises Act, HHS will consider a provider or facility that makes appropriate use of the state-developed model language to be compliant with the federal requirement. Again, this is quite complex. I asked Marilyn Monahan if she could comment on the state of California’s balance billing laws and how they will interrelate with the No Surprises Act… “Existing state limits on balance billing – and California has some – will remain in effect for fully insured plans, to the extent that they provide participants with greater rights than they are entitled to under the CAA.”

Enforcement

Enforcement of the No Surprises Act is similar to that of the Affordable Care Act. If a fully insured plan sponsor contracts with a third party, then the third party will be responsible for compliance. In a self-funded health plan, the employer plan sponsor will be responsible for compliance, even if they contract with a third party, such as a TPA, to assist them with providing all of the necessary requirements. The Department of Labor will regulate self-funded plans, and fully insured plans will be regulated by the states.

As of now, it is stated that up to 25 health plan audits per year will be performed to ensure compliance with the Act, starting in 2022. If, however, the Departments should receive a consumer complaint, they can audit that consumer’s health plan.

Complaints

The No Surprises Act requires the Departments to establish a process for receiving complaints regarding potential violations of the law by providers and insurers. They announced their intention to create one system to intake all complaints related to the various components of the law and direct them to the various departments. The IFR clarifies that there will be no time-limit on complaint filing, but the relevant departments must respond in writing no later than 60 business days after a complaint is received. The regulations contained within the IFR are set to be effective on September 13, 2021, which is 60 days after its publication in the Federal Register.

Next Steps & Conclusion

If you’re feeling stressed over these rules, or if just reading them is making you have that tunnel vision I mentioned in the beginning, or you begin to panic or sweat, remember to breathe, and remember, the goal of this legislation is to help people and prevent surprise billing practices. Anything new is often confusing and frustrating. Just take one step at a time and keep an eye out for the anticipated end game. Won’t it be nice to one day soon, not have to listen to the anxiety in your family member or your clients’ voices and angst in their eyes when they tell you they’ve received an unexpected, surprise medical bill? The No Surprises Act won’t help in every case, but it should help the majority of cases in which surprise medical bills show up in our mailboxes. Personally, I’m hoping they expand the No Surprises Act (or offer something similar) to cover other provider bills not covered under this legislation.

We are anticipating additional guidance on many parts of the CAA and Transparency rules in the next few months. We expect rules on the IDR process (sections 103 and 105) around the first of September, as well as patient-provider dispute resolution (section 112), patient protections through transparency (section 112), and price comparison tools before the year is out. In addition, we are expecting guidance on the Broker Compensation Disclosure rules under the CAA around October of this year (although many parties, such as NAHU, have asked for a delay of implementation date until after the rules are released and brokers have time to review and implement the requirements). I expect that my next article will be focused on many of these new rules, so we can look forward (or not!) to that!

Helpful Links

If you need/want additional information, you can visit the following links to assist you…
Interim Final Rule and Comment Period: CMS: https://www.cms.gov/files/document/cms-9909-ifc-surprise-billing-disclaimer-50.pdf
Federal Register: https://www.federalregister.gov/documents/2021/07/13/2021-14379/requirements-related-to-surprise-billing-part-i
CMS Fact Sheets: https://www.cms.gov/newsroom/fact-sheets/requirements-related-surprise-billing-part-i-interim-final-rule-comment-period
https://www.cms.gov/newsroom/fact-sheets/what-you-need-know-about-biden-harris-administrations-actions-prevent-surprise-billing
References: All of the links above, plus NAHU Webinar, “Surprise! An Overview of the First Balance Billing Interim Final Rule”, By Josh Gertz and Deanna Sizemore, July, 2021; “Interim Final Ruling for the No Surprises Act Meets Industry Approval,” The Self-Insurer, August, 2021.

Author’s Note

I’d like to thank Marilyn Monahan, Ryan Day and Larry Thompson for their assistance with this article. I’d also like to thank NAHU for the informative webinar in July, which started me on the path to fully research this topic.

About the Author

Dorothy Cociu is the Vice President, Communications for the California Association of Health Underwriters and the President of Advanced Benefit Consulting & Insurance Services, Inc., Anaheim, CA. She also hosts the Benefits Executive Roundtable Podcast series on many important educational topics. Other educational articles, educational classes and other important information can be found on her company’s website at advancedbenefitconsulting.com. She can be reached at dmcociu@advancedbenefitconsulting.com. Educational classes can be found on her educational platform, the Empowered Education Center, at https://advancedbenefitconsulting.com/empowered-education-center/.

REPRINTED by permission of CAHU

http://camsdev.net/cahu/magazine/september-october-2020/?page=4

By: Dorothy Cociu, RHU, REBC, GBA, RPA, LPRT, CAHU Vice President, Communications

The year 2020 will be a memorable one for many reasons; most of them not positive, and for many, devastating. The COVID-19 Pandemic has caused nation-wide layoffs equaling the great depression, people are struggling to pay their rent, pay their mortgages, and feed their families. As we all know, the pandemic forced the closures of hospitality businesses, hotels, restaurants, gyms, hair salons, and many other industries for weeks or months. The restaurant industry was reduced to take-out only, then allowed to reopen at 50% capacity, only to be closed again, followed by outdoor dining only. So if you’re employed in one of these hardest-hit industries, you are likely just trying to barely survive. But those aren’t the only businesses affected, of course. Manufacturing and production facilities that were non-essential businesses were shut down, and even after massive cleaning efforts and purchasing personal protective equipment (PPE), putting in policies and social distancing, some still have not yet returned to work. Some, however, have been offered the opportunity to return to work, yet declined to return (due in part to being paid by federal unemployment benefits through July more money than they would have been paid on the job). Many office workers have been and will continue to be working from home, when able, but this just continues to impact our economy and our well-being.

State and National Unemployment Numbers

California saw a record-breaking unemployment rate in April, 2020 of 16.4%, which skyrocketed from March’s 5.5%, lowering slightly to 16.3% in May. In June, California improved to 14.9%. Nationally, we increased from 4.4% in March to 14.7% in April, 13.3% in May and 11.2% in June. These are not numbers we can brag about.

Is the Employer-Based Health Care System in Jeopardy?

There has been a lot of press on the effectiveness of the employer-based health care system, most recently due to the pandemic layoffs. This system, which covers nearly half of the insured in our country, is something that needs to be preserved and employers should be applauded for the coverage they offer, yet the single payer advocates are back on the forefront, slamming its effectiveness and looking to replace it with something unrealistic and costly… Single Payer. In mid-August, the anticipated report from the “Healthy California For All” committee was released, which warrants serious review. (We’ll address this further later on in this article). The press is also hitting heavily

on the fact that some insurers are seeing high profits during the first two quarters of the pandemic, with no discussion on the fact that they will have to pay for future claims, once pandemic-delayed services are rescheduled. And during the pandemic, we are not seeing huge increases in premium rates. In fact, just the opposite, and multiple carriers have been going out of their way to keep people enrolled, with forgiveness on premiums for small employers, extending marketplace open enrollment, and lightening their normal underwriting guidelines to help people get or stay insured. The bottom line is, there have been numerous reports with misinformation, and I’d like to attempt to set the record straight.

A Look Into the Reality

So is all of this true? Are so many uninsured because of the employer-sponsored health plan market? Are employers to blame? Are the insurance companies profiting while hospitals and providers are suffering? Are the uninsured numbers true and do they tell the whole story? Sadly, only part of the stories are being told. My job today is to try to point out some of the realities, and help you to understand the facts, particularly as we head into the fall election cycle, where we know all of these things and more will be battled in the press, TV advertising and debate stages.

I spoke with Mike Ferguson, CEO of the Self-Insurance Institute of America, who commented: “Yes, people have been laid off and losing coverage, because of the situation, but what’s important is to gather the market segments, and how it intersects with the self-funded market. We’ve been hav-ing monthly calls with our Diamond sponsors, which are our big stop loss carriers, TPA firms, etc., [representing many large, self-funded employers]. At the beginning of this, since March, there was a concern the plan participant count was going to drop dramatically, but as we got into this, we’re not seeing this. We’re not seeing a significant erosion in plan population… Meaning, people are not getting laid off, and they are getting their benefits taken care of. Now, keep in mind, in the self-funded world, mostly you’re not dealing with companies with fewer than 50 employees. The under 50 employee market, arguably, a lot of those types of companies are more susceptible to layoffs…. Because they are in the hospitality industries, gyms, or things with higher degree of restrictions [such as] restaurants, hotel workers, etc… they are getting laid off. Most are not part of a self-funded health plan. In our market, the self-insured market, there has not been a significant erosion in plan population….”

But the employer-based heath insurance marketplace also covers small, mid-size and large groups that may not be self-insured, so I want to also mention how important that coverage is to workers. And if they are laid off due to COVID-19 (or any other reasons), it’s important to note that they do have options available to them, quite often without a lapse in coverage. They can enroll in a Marketplace plan, which the ACA set up for just these reasons… Here in California, we offer Covered California, which is the most successful ACA marketplace in the country. Covered California also, incidentally, welcomes the services of insurance agents, who can assist these individuals when they do lose coverage, and direct them to subsidized health plans or even Medi-Cal.

Press Hot Topics

During this time, as people fear most about getting sick, the press has been hitting heavily on the pandemic’s causing massive health insurance coverage losses, and reporting the “greatest health insurance losses in American history.1 In this footnoted article, Families USA reported that because of job losses between February and May of this year, 5.4 million laid-off workers became uninsured, and re-ported that these recent increases in the number of uninsured adults are 39% higher than any annual increase ever recorded. The New York Times later picked up this story and added to it, citing that Kaiser Family Foundation has estimated that 27 million Americans have lost coverage in the pandemic, and reported that the Urban Institute and the Robert Wood Johnson Foundation project-ed that by the end of 2020, 10.1 million people will no longer have employer-sponsored health insurance or coverage that was tied to a job they lost because of the pandemic.2

In addition, several news outlets have reported that insurance carriers in the fully insured markets are reporting huge profits due to COVID-19. In Forbes, August 6, 20203, it was reported that “In some parts of the country, hospitals are being overwhelmed by an influx of patients and many have announced staggering financial losses. Meanwhile, insurers have been able to avoid shelling out big money for surgeries and other complicated medical procedures while people have been less likely to visit their doctors over the past couple of months.” Forbes went on to report that “UnitedHealth Group saw its net income double from $3.4 billion to $6.7 billion, while Anthem’s grew two-fold, climbing from $1.1 billion to $2.3 billion.” They also stated that CVS Health (which owns Aetna and other brands, including pharmaceutical companies) add-ed an extra billion dollars in net income in the second quarter of this year, increasing from $1.9 billion to $3 billion. There were others, including Humana, discussed in the article.

The press makes it sound like all employers are experiencing massive layoffs. They are not. Industries like the trucking and distribution industries are booming, be-cause they are supplying groceries and other needed items to retail markets. Grocery retailers are booming and can’t find enough workers to fill of the jobs. And self-insured employers, for the most part, mostly due to their size, are not seeing massive layoffs like the smaller employers, as discussed above. Generally speaking, the self-insured market has seen less layoffs than the fully insured and smaller group market. What seems to be most common is layoffs in the under 50 employee mar-ket; small employers are definitely the hardest hit. Of all of my own self-funded clients, only one had layoffs, which resulted in a loss of about 30 to 40 people; so not significant numbers.

Next, let’s talk about the hospitals suffering and the insurance carriers profiting during these times. I find it quite interesting that none of the articles I read mentioned anything about the fact that just because people may be putting off services/surgeries and other medical procedures now temporarily, does not mean that they won’t happen. Insurance companies need to be prepared for when they do… I read no mentions of reserves for such times… So let’s discuss that.

It’s true that many hospitals are hurting and have a shortage of beds, PPE, and medical providers. Our health care heroes continue to be just that- our heroes; graciously and unselfishly serving the needs of their patients, often at the expense of their families. Many are sleeping in garages, cars or hotels during this time to keep their families safe. No one is arguing that, and I, as well as all of CAHU, thanks them for their never-ending love, support and care of our friends and families in the hospital and medical facilities. In my opinion, they should all be given “combat pay” and should be compensated for their actions accordingly, and more importantly, they should be given ample support for their families, their children in day-care, and for all of their personal suffering. However, hospitals and other medical providers are not making the extra income they normally do for elective surgeries and other more profitable services, leaving them in a financial bind. This of course some-times leads to price increases and gouging on other services, but that is a topic for another day; another article. At this point, I want to focus on the goodness of the healthcare workers and all of the other essential workers in the medical facilities, from cafeteria workers to maintenance and cleaning staff, and everyone else who are there every day during this pandemic crisis. In addition, I also want to mention that many health insurance companies have been doing everything they can to get and keep people enrolled throughout this pandemic.

Insurance Carriers & Reserves

Insurance companies have been made out to be the bad guys in the news, and although there are times when I’m not happy with them, I must point out the obvious to anyone who works in the health insurance industry. To us, this may seem obvious, but to the general public, they often know what they read in the press, even if it’s far from reality. I’m speaking not only as a health benefits broker and consultant, but also as a former TPA executive.

Yes, it’s true many insurance companies may be reporting higher than normal profits, but they should be reserving much of those profits for future claims… Just because people are not scheduling surgeries and other procedures now, or haven’t since March, when the pandemic shut us down, doesn’t mean that they won’t have them. Even now in August, people are starting to schedule their procedures. They may not be until the fourth quarter, and some may even be put off until after the first of the year, but they likely will happen. So the carriers need to have funds set aside for the future claims. And if a plan is self-insured, they, too will need to set aside reserves for these future claims expenses. And, the reality is, here in California, we have medical loss ratio (MLR) requirements for fully insured carriers, which simply stated, requires that carriers spend 80-85%% on direct patient care, leaving only the remaining 15-20% for administration and profit. Why isn’t that in the media? Existing California law requires health plans to annually submit to the federal Department of Health & Human Services (DHHS) ratios of incurred losses to earned premiums or MLRs, and requires beginning in 2012, health plans and health insurers offering group or individual coverage to provide an annu-al rebate to enrollees if an MLR is less than 85% for its large group business, or 80% for its small group or individual business.

To reinforce the reality, I asked some industry experts for their opinions on this. “The health insurance companies are inevitably experiencing a very short term jump in profitability simply due to the fact that their expenses have been lowered due to the cur-rent pandemic,” stated Brad Davis, Vice President, Legislation, for the California Association of Health Underwriters (CAHU). “Those ‘profits’ will soon be used to pay the claims that have been pent up due to the stoppage of non-essential procedures and vis-its. Any wise observer should look at this situation with the long view and not make sweeping generalizations based on 1 or 2 sets of quarterly earnings reports. Assuming no major change in historical average consumer demand for services, we fully expect to see these profits returned to the consumer quite literally as re-bate checks in the Spring and/or a flattening of the premium in-crease curve.”

In the self-insured marketplace, which I literally grew up in, having run a self-funded TPA for many years, and continuing to support self-funding in the marketplace, I currently have a good percentage of self-funded large groups in my book of business. Most have seen a serious reduction in claims expenses during the second and third quarters of 2020. However, we have advised them not to spend the money they are saving… They should be reserving it for the claims that they will likely see as the pandemic gets more under control and people feel safer and are more willing to see their doctors and schedule their procedures. Mike Ferguson, CEO of the Self-Insurance Institute of America, stated: “ There is a bit of apprehension, but so far so good, claims are down now, but are in the 4th quarter [or later] are we going to have a tsunami of health care claims?” That’s what we’re planning for.

So a word to the wise… don’t assume large profits for insurance companies are long-term. It is likely that, as Brad said, we should be a wise observer and not make sweeping generalizations based on press comments.

Attack on the Employer-Based Health Care System

The most effective, most well-liked system we have is the employer-based health care system. It works. Employers like to offer health benefits, because it helps to attract and retain employees, and prospective employees analyze health plans and other employee benefits almost as much as salaries. And yet, with current economic and unemployment statistics, it’s being attacked from all sides.

“The employer-based health insurance system in the U.S. is robust and responsible for almost 50% of all insured in America,” stated Brad Davis. “The other half is a mix of public programs like Medicare, Medicaid, and government workers. Private employers offer health insurance to recruit, retain, and boost the productivity of its workers. Hospitals and physician groups are also reliant on a good mix of privately insured to subsidize their publicly insured patients.”

It’s important to note that laid off employees do have options, and the market has responded positively, which the press is not reporting. “Even during the biggest health crisis in a century, the insurance market responded quickly to sustain coverage for consumers throughout California. Our members reported that most, if not all, of the insurance companies, have relaxed the rules to keep as many people covered as possible,” stated Maggie Stedt, President of the California Association of Health Underwriters (CAHU).

The current employer-based health care system is strong and offers a variety of coverage options. Employers are perfectly positioned to determine what their employees want and need.

Options Available to Laid Off Workers

It’s important to note that here in California, Covered California has reported low premium increases for upcoming renewals, which is welcome to hear. “Despite the volatility of the current economy,” stated Maggie Stedt, “Covered California reported that all 11 carriers will return to the individual market with some plans even expanding into new regions. Even during a pandemic, the average premium increase statewide will be less than one percent. Further, consumers that use the professional services of an agent to shop within their current metal tier, can save an average of 7%.” So why isn’t this being reported in the media?

It’s true that some employees have been laid off and may have lost their group health insurance, but the reality is, they really don’t have to be uninsured!

Of course, the employer (if over 20 employees) offers COBRA (and Cal-COBRA in California for smaller groups), but the cost of often rich employer-provided benefits may not be affordable for a laid off employee. But that’s one of the reasons we have the Affordable Care Act (ACA), isn’t it? If someone has lost coverage due to a layoff, that is a qualifying event to enroll in their state’s Marketplace, which is Covered California here in this state, they can choose from many plans and premium options, and quite often qualify for either a subsidized plan or no-cost Medi-Cal. The reality is that all you have to do is apply! Many employees that are offered coverage, which has been deemed “affordable” by the ACA, simply choose not to enroll. CAHU understands that what the ACA deems as “affordable” may not be affordable to all employees, and we understand that the high cost of health insurance is due to the high cost of medical care. That’s why agents are here to help guide those individuals into coverage they can afford.

“There are so many safeguards in place to ensure universal access to health insurance that a true loss of insurance is rare and unlikely,” said Brad Davis. “An experienced and/or informed agent should be able to successfully walk any person or family through a litany of options, including state-assisted programs like Medi-Cal or Covered California, as well as private options like COBRA, or plans directly from a host of competitive carriers that cannot deny coverage.”

Most fully insured carriers in California (as well as other states) have relaxed their enrollment/underwriting rules, so that more people could enroll during the COVID-19 crisis, so individuals have had MANY opportunities to enroll.

“The exchange issued and extended numerous special enrollment periods and agents worked around the clock to ensure that millions of Californians were able to maintain coverage in existing or new channels to meet their needs,” stated Maggie Stedt. “Our members also worked with regulators to ensure that consumers were not being balanced billed for COVID treatments and services.”

Healthy California for All Committee Report ⁴

In a newly released report from the “Healthy California for All” Committee, which was created by California Governor Gavin Newsom in 2019, with its purpose to “develop a plan for advancing progress toward achieving a health care delivery system for California that provides coverage and access through a unified financing system, including but not limited to a single payer financing system,” the committee is (in my personal opinion, and not necessarily that of the California Association of Health Underwriters) openly and purposefully attacking the employerbased health care system, as well as the successful government programs of Medicare and Medicaid (MediCal in California) and wants to replace it with a “unified financing system” (which many of us define as a single payer option), or something similar.

Governor Newsom stated “As our march toward universal coverage continues I am calling on the brightest minds- from public and private sectors- to serve in the Healthy California for All Commission to improve the health of our state.” We will discuss later in this article what “universal coverage” means. But I think I should point out that our Governor may not be 100% familiar with health insurance terminology. He seems to mix his terms frequently. The Governor and Newsom Administration recently called Covered California a public option, in his Proposed Budget Summary5, which it is not. “This year, the Budget proposes additional investments to continue this momentum on affordability and cover age in California’s health care system. Specifically, the budget includes bold plans to address health care cost trends, strengthen California’s public option [referring to Covered CA], lower prescription drug prices for all Californians, and continue progress towards universal health care. These efforts will focus on returning cost savings to consumers and employers and will align with the efforts of the Healthy California for All Commission, which is charged with exploring policy solutions that drive toward a unified health care system that is universal, affordable, high-quality, and equitable for all.”

In addition, Governor Newsom has referred to Medicare as a “single payer”6 model (which it is not): “However, to address this ongoing cost crisis in health care in the most effective way, we must have the federal tools to support California’s ability to provide quality healthcare for everyone, financed through a single-payer model like Medicare. We must have the tolls to innovate and expand the Affordable Care Act, even as we build towards a more comprehensive, universal system that works for patients, providers, and taxpayers alike.”

Yes, terminology is used incorrectly in both of these statements, but they may give us a more realistic idea of what ‘Universal Healthcare’ may look like for the Newsom Admimistration.

According to the Healthy California for all report, 46% of people in California are covered under employer-sponsored health insurance, 40% are covered by Public Medicare or Medi-Cal pro-grams in California, 5% are covered by the individual market, and 9% are uninsured. Let’s talk for a moment about the 9% uninsured that the report cited. That’s 3.5 million people that are uninsured. Of that 3.5 million, 550,000 are actually ELIGI-BLE for employer-sponsored coverage, but chose not to enroll, 370,000 are eligible for Covered California, over 400% of the FPL (meaning not eligible for premium subsidies), 610,000 are eligible for Covered California under the 400% FPL (eligible for a premium subsidy), 660,000 are eligible for Medi-Cal (i.e. no-cost health care coverage) and 1.3 million are undocumented. I’d like to point out an error in the above report… Premium assistance through Covered California is now available for in-comes up to 600% of the federal poverty level, not 400%. Subsidies reduce consumer health plan premiums considerably, so you or your clients may be eligible for no-cost MediCal. So the reality is, most of that 3.5 million number are eligible for some form of existing coverage. The 1.3 million undocumented are the largest portion of the remaining uninsured population. However, it should be noted that many receive services for births and hospitalizations through restricted scope Medi-Cal. There are also county services that are also available to undocumented residents, which does not count towards the fully insured numbers for purposes of the report. Those eligible for subsidized coverage may be surprised at how little they would have to pay, if they’d only go online to find out, or talk to a qualified health agent (preferably).

In the report, the committee recognizes the employer-based health care system, but quickly negates its effectiveness, due to insureds having to pay co-payments and deductibles, and calls pre-tax contributions a means to the loss of tax revenue. “Employer-sponsored insurance is paid for through the employer and worker premium contributions using pre-tax dollars, which means that federal and state governments essentially subsidize employer-sponsored insurance via foregone tax revenue. In addition, most plans require that workers or their family members make payments when they access care, typically via co-payments or deductibles.”

The report also discusses how “Consumers struggle with health insurance literacy.” The committee does recognize that here in California, “individual market consumers… face fewer challenges navigating the purchase of health insurance compared to consumers in most other states.” How-ever, they do not say why that is… We all know that is be-cause Covered California welcomed agents, and quickly discovered that their largest population of enrollment came from independent agents who enrolled their clients in Covered California. “Nevertheless,” the report continues, “California consumers have trouble evaluating health coverage options and making well-informed choices when their coverage source shifts or they move from one plan to another. Less educated Californians, those with limited English proficiency, and those with low levels of health literacy face particular obstacles related to the complexity of health insurance information.” The California Association of Health Underwriters has been involved with the creation of many educational materials for all of these Californians, and such materials are available on the CAHU website at cahu.org, through our Public Affairs committee, as well as through the CAHU Foundation. We look at this entire section of the re-port as an opportunity to promote the use of agents when consumers are making health care decisions.

In a section of the report entitled “How Will a Pandemic Affect California Health Care?,” the committee discusses “shortcomings” of our current system, but it fails to mention the obvious parts which I mentioned above….like premium subsidies available. Most Californians who lose job-based coverage have an option to maintain that coverage under the federal COBRA or state Cal-COBRA laws. If individuals find COBRA prohibitively expensive, they may elect to enroll in Medi-Cal or purchase insurance through Covered California in just a few short minutes with the help of an agent.

Committee Report Proposes to “Work Around” ERISA and Eliminate Self-Funded Health Plans

The most important provisions in the report, I feel, are the Committee’s attack not only on the employer-based health care system, but on ERISA. The Employment Retirement Security Act is federal law that has been around since 1974, and protects the rights of employees enrolled in health and welfare (health insurance) plans as well as retirement plans. Understand that the Committee Report proposes to use a somewhat crazy and awkward solution to basically just work around ERISA!

Let me first provide some background. Further into the Pandemic section of the report, they talk about how a “unified financing approach would allow the state to move toward a more accountable and equitable system. How-ever, because Californians are situated so differently to-day, moving to unified financing will involve change and disruption, particularly in the short run. To achieve a universal health care system that assures access, affordability, high qualify, and equity will require purposeful design decisions and transition planning.” Let’s think about this… Change and disruption doesn’t make things easier… it often makes things much harder! Yes, you have to elect to participate in things like Medi-Cal (or Medicaid in other states), but it works…. So now let me discuss how they anticipate changing our industry and the health insurance market, beginning with ERISA.
ERISA includes provisions that apply to many populations. First and foremost, self-funded health plans, but also to fully insured groups (those with over 100 employees must file 5500 forms and comply with other ERISA provisions, but ERISA also applies to smaller groups as far as requirements to have plan documents, summary plan descriptions, and other disclosure requirements), and union plans. I have to admit, I take this section very personally, as I’ve spent my entire career working with ERISA plans and self-funded plans. In addition, I personally have written many ERISA wrap-around Plan Documents for my full-insured groups, to assure that they comply with the federal law (as Certificates of Coverage generally do not meet ERISA requirements). So, some would call me very much an expert in this area. Given that this is my exper-tise, I will defend this area to the best of my ability. Please accept my apologies in advance if my emotions on this issue affect my words in this article.

It’s obvious that the report is designed to present a positive case for “unified financing” (single payer), as that is what it was tasked to do. However, the reckless attack on federal law is more than irritating… In my world, it’s almost criminal. I know that sounds harsh, so let me explain my views. (I sup-pose at this point, I should re-state that the views and opin-ions of the author are not necessarily those of the California Association of Health Underwriters, so CAHU, that’s my dis-claimer!)

I’d like to preface this section with some quotes from the pre-ERISA attack portion of the report, which of course leads up to the (in my opinion) most important and egregious sections.

The report then goes into steps to prepare to transition to Unified Financing (ie single payer), then goes into to revisiting employer contributions and obligations. In this section, the blatant attack on ERISA and self-funding begins.

“In developing a united financing policy, the state will need to address potential conflicts with the federal Employee Retirement Income Security Act (ERISA) in relationship to self-funded plans. Self-funded plans are those in which the em-ployer assumes the financial risk of employees’ health care cost and pays for their health care expenses directly rather by purchasing insurance and having the risk shifted to a third party. Very large employers are most likely to self-fund be-cause their size better positions them to forecast and spread risk, and because it allows them to offer uniform benefits to their employees nationwide, avoiding both state benefit man-dates and state-imposed insurance taxes. At least 5.5 million Californians are covered through self-funded employer arrangements.”

Let me just stop there to make some important points. First, an employer does not have to be “very large” to self-fund. Although some are smaller, most are 100 or more employees. The 100 to 500 market also does very well self-funding in many instances. And I will defend the ERISA rule that allows employers to have one set of plan rules, regardless of employee locations across state lines. That is one of the best ad-vantages to self-funding. For employers who operate in multiple states, this drastically reduces administrative and human resources costs.

The report goes on to state: “ERISA sets federal standards that apply to private sector employers that establish employee benefit plans. Intended to assure that multi-state employers can provide consistent benefit programs across multiple states, ERISA preempts ‘any and all State laws insofar as they may now or hereafter relate to any employee benefit plan’ covered by ERISA. ERISA does not prevent states from directly regulating health insurance carriers and the products they sell to employee benefit plans but does exempt self-funded ERSIA plans from state health insurance regulation. ERISA would preempt a prohibition on self-funded employer sponsored plans in the state.” This is all true, and they do have it footnoted with code sections. What they fail to state is how successful these provisions have been to keep the costs down for self-funded employers. Self-funded plans generally see 10 to 30% savings over fully insured plans of equal benefit value, and some plans, including reference-based pricing self-funded plans, can see even greater savings. And the convenience of having one set of plan rules for all participants is not only easi-er to administer, but generally less expensive for employers. As they said, 5.5 Californians are covered by self-funded plans. Nationally, that number increases drastically.

The report continues: “How ERISA’s complex provisions may apply within the context of a specific state policy construct would be subject to court interpretation. State single payer proposals offer a range of plans that include employer contributions, such as broad-based payroll taxes. Another approach could be to place restrictions on providers, for example prohibiting providers from accepting payment from any source other than the unified system or at any different rates. These strategies would allow employers to continue to offer a self-funded plan if they chose to do so. Employers’ decisions would depend on the perceived value to employees of the self-funded plan when compared to services available under unified financing at little or no additional cost. While strong legal arguments can be made for these approaches, given the high financial stakes, litigation is likely.”

Let me make this clear, in case you didn’t quite understand what was said here. What they are saying is that they could make it illegal for providers to accept payment from other sources or plans other than the unified system (single payer). In other words, they could defy federal laws, defy the right for an employer to self-fund their plans, which have proven to be cost-effective and successful over the long term, and they would put the burden on the providers to not accept their payments. So, the Committee’s conclusion is that they should choke off the private sector, self-insured market supply to the providers. In essence, they would try to ELIMINATE self-funded plans in California. (In the rest of the report, you will see that their intent is to eliminate all types of plans -all lines of group and individual coverages, as well as Medicare and Med-Cal). And, as they said, they would be willing to spend taxpayer dollars on a very expensive legal fight, and trust me, it would definitely result in a huge legal fight.

I discussed these ERISA provisions with my own legal counsel on ERISA. “Legal challenges are a certainty,” stated Marilyn Monahan of Monahan Law Office, and author of the “Legal Briefs” in the STATEMent, “with numerous stakeholders – including issuers, providers, employers, and plans, weighing in. Prolonged legal challenges will cause delays and confusion.” Not to mention plenty of expense.

“The ideas under consideration to avoid ERISA preemption – a payroll tax on employers, or restricting providers from taking reimbursements from plans – would strongly discourage an employer that wanted to maintain its own self-funded plan,” Marilyn continued. “A state-by-state approach to restructuring health care will create numerous legal and administrative challenges. ERISA was intended to create a uniform system of regu-lations across the country, so that employers were not subjected to piecemeal regulations. The benefits of a uniform approach are particularly important to multi-state employers, including employers that hire remote workers who may live anywhere in the country.”

The truth is on our side. Self-funding works. It’s plain and simple. And our group, individual and Medicare markets work. We just have to get that message out.

THE POLITICAL ENVIRONMENT

I think I should start this section with a reminder that California entered 2020 with a budget surplus, is now in a serious budget deficit position. To pass such a state solution, you need federal dollars. The federal government can deficit-spend. The state cannot.

In the current political environment, we know there will be a lot of talk about changing the health care system. Understand that the Democratic super-majority in California will have a HUGE part in what happens here. California’s legislature has more than a 2/3 democratic majority, and 2/3 also happens to be the vote requirement to pass taxes. Further, the Democratic platform supports single payer. In our California primary in March, neither Presidential Democratic nominee Biden nor Kamala Harris won California. Bernie Sanders did, and he is all about single-payer. In 2017, SB 562 passed in the California Senate, but the Assembly op-posed it due to no identified funding source; the Healthy California Committee Report paves the way for deficit spend like the federal government can. Which means that in a year like 2020 when California is pro-jecting a $54 billion deficit, healthcare services, or other vital public services would most likely be on the chopping block. Subsequently you could also see tax increases imposed on many Californians at a time they could least afford it.”

So, I ask, is now the time to take on the single payer fight? Can California, with its huge deficit, afford to take on a $400 Billion single-payer plan, plus a legal federal battle over ERISA and the right to self-fund? You and I may think not, but legislators in Sacramento, and possibly the federal government, should the Biden/Harris ticket win in November, may see it as a longer-term possibility.

It’s an election year. The fight will be vocalized in the media. I asked Mike Ferguson of SIIA what his thoughts were on this, and what we should expect. “The components of a robust government participation in the HC system are becoming more sophisticated in their arguments, and I think what is most effective and what you’re going to see, is that instead of simply saying we need more government control and putting in contrast with the pri-vate market, they’re going to start pointing out problems with the existing private marketplace. The goal is to create a narrative by which the private market looks as bad as possible.” He continued, “They want to muddy up the waters, and say, yes, there are some problems, there are some issues with a gov’t run health care system; we’ll figure those out of course, but it’s not like we’re comparing to a system that runs well. Really, it’s trading a smaller set of problems for a larger set of problems that we al-ready know are happening in the private marketplace. The critics of government- controlled system are theorizing or projecting potential issues, where in the private marketplace, there are is-sues that are tangible right now. You’re going to see more and more thinktanks and thought-leaders on that side of the political spectrum that are going to be poking holes in the private healthcare system. There are more opportunities to poke holes in the existing private marketplace. You can certainly critique fully insured carriers over their profit margins, and other business practices… it’s harder to critique the self-funded marketplace, but I’m sure you can find a situation where some plan participant had a bad outcome. Maybe a claim was denied, or something went wrong in the process. You can pick your scenario. Given the law of large numbers, you can find something that is not working well, on a case by case basis in our marketplace, so we need to be prepared for that.”

I’d like to conclude this article with some reader takeaways, or a summary message to our readers.

What are the Main Messages & Takeaways for Our Readers?

I’d like to try to summarize and give our readers some key takeaways and messages as we go forward.

1. Know how to respond to attacks on the employer-based health care system: The employer- based health care system has been working well for many years. It currently covers nearly half of the insureds in our country. The employer-based marketplace has been stable over a long period of time and allows employers to offer robust health care plans at affordable rates. Instead of blasting single payer, perhaps a more politically correct response should be to point out the good in the employer-based health care marketplace;
   • A) The employer-based health care system is the one segment of the market that has worked very well over a long period of time. It’s the most stable part of our health insurance market.
   • B) Employers use health benefits as a good recruiting and retention tool.
   • C) Employees like receiving employer-based health coverage. It’s affordable and it’s easy.
2. The ACA created exchange Marketplaces to assist small employers and individuals in getting affordable coverage. Our Covered California is the most successful Marketplace in the country, and it provides subsidies for individuals up to 600% over the Federal Poverty Line, and easily allows people to qualify for Medi-Cal. In addition, the use of agents is a no-cost and easy solution for individuals and small employers to get the help they need to understand how to enroll and see what is offered to them.
3. Understand the message: The Healthy California For All Committee’s intention is to get rid of the current combination of private sector (employer-based system) health care system and public system (Medicare and Medi-Cal) and replace it with unified financing system. Understand what that means. Governor Newsom says a unified financing system, including but not limited to a single payer financing system. Keep in mind that our Governor also has misstated important terminology. Many of us believe that the Healthy California For All Committee report this is a road map to single payer. After all, that’s what the committee was tasked to do…. Find financing to pay for single payer.
4. Understand the difference between Universal Health Care and Universal Access to Health Care. CAHU and NAHU want Universal Access to Health Care and pro-mote it. That’s what we want. We want to do it with a combination of private and public financing. The ACA has made many strides that are working. No pre-existing condition exclusions, no plan maximums, the ability to go to the Marketplaces and get cover-age with possible subsidies or no-cost Medi-Cal (or Medicaid) coverage for the lowest income families.
   
   It has become obvious that those speaking about single-payer, universal healthcare and “Medicare for all” are using those terms interchangeably. These terms are not interchangeable and already have a set definittion of what they are and what they are not. For ex-ample, universal access to healthcare is a broad term for a program(s) that makes some level of basic coverage available to all (likely through a government program), but also allows for private insurance as choice to the consumer. Universal access to health care which includes a private insurance option would allow consumers and employers to continue their current types of health plans, assuming those plans offer at least the basic coverage required. Some examples include Canada, United Kingdom, Germany and Japan.
   
   MEDICARE FOR ALL is one type of universal health care plan where basic coverage is provided through an expansion of the federal Medicare program, but this type of plan would still allow for the purchase of private insurance, as it does currently, and is administered by an insurance company, not by the state. This is not what the Healthy California Act (SB 562) pro-poses. Healthy California Act proposes a single payer plan.
   
   Single-payer is a system in which all residents pay the state – via taxes in amounts determined by the state – to cover all healthcare costs for all residents. This would end all individual’s option to buy or not buy health coverage from private insurers based on their specific needs and ability to pay. Both the Healthy California Act and the New York Health Act are true single-payer plans, which would eliminate all private and public insurance programs, including Medicare, Medi-Cal, Veteran’s health care, among others. The actual funding of a “single-payer” system comes from all or a portion of the covered population via new taxes.
   
   For more information, to go www.cahu.org, or email info@cahu.org.
   
   
5. Learn your “elevator speech” in response to single payer. The expense to take on such a system will exceed, according to the state of California during the SB 562 fight, over $400 Billion. That is DOUBLE the existing budget for the entire state. Re-member that you’d lose your ability to choose your plan and doctors. Understand that single payer results in shortages and long wait times. Understand that single payer would likely result in many doctors leaving the profession. Understand that it costs a lot of money… Higher taxes per family and per employer. Is this what we want?

Author’s Note: I’d like to thank the contributors to this article: Maggie Stedt, Brad Davis, and Faith Borges of CAHU, Mike Ferguson of SIIA, and Marilyn Monahan of Monahan Law office.

Disclaimer: The opinions stated in this article are the opinions of the author, and not necessarily those of the California Association of Health Underwriters. This article is not intended to provide legal advice of any kind. We always advise you to consult your own legal counsel as situations vary.

Footnotes: 1) “The COVID-19 Pandemic and Resulting Economic Crash Have Caused the Greatest Health Insurance Losses in American History,” By Stan Dorn, July 13, 2020, Families USA; 2) “Millions Have Lost Health Insurance in Pandemic,” By Sheryl Gay Stolberg, July 13, 2020, The New York Times; 3) “US Health Insurers Profits Boom Amid Pandemic,” By Niall McCarthy, August 6, 2020, Forbes; 4) “An Environmental Analysis of Health Care Delivery, Coverage and Financing in California,” Report by Healthy California For All, Final Report: August, 2020; 5) Governor Newsom’s Proposed Budget Summary, page 25, at http://www.ebudget.ca.gov/2020-21/pdf/BudgetSummary/HealthandHumanServices.pdf; 6) Governor Newsom’s Administration letter to President Trump and Congress, linked at: https://www.gov.ca.gov/wp-content/uploads/2019/01/1.7.19-Letter-to-the-White-House-and-Congress.pdf

#