By W. Sean Harrison
Let’s talk about self-funded health plans. Specifically, let’s explore how they’re typically structured, how they’re managed, and most importantly, how far out of ERISA compliance they often are. Fiduciary compliance for health plans under ERISA has always been a challenge (not least because so many fiduciaries don’t even know that management of their self-funded health plan falls under ERISA), and it’s one that the industry has a history of conveniently setting aside: ‘I’m sure our TPA is handling that,’ or ‘our HR department is making sure everything is above board.’
Don’t you believe it.
The problem is that the people who are tasked with the day-to-day management and execution of a plan typically aren’t the same ones that are responsible for ERISA compliance. This has been the norm for many years, though, and in tedious reality, audits are rare, and things seem to work out. But what if that changes?
On December 27th, 2020, the Consolidated Appropriations Act of 2021 (the ‘CAA’) was signed into law, and it includes several provisions designed to increase transparency in healthcare pricing. Among these provisions are requirements that third-party administrators disclose certain information through a set of machine-readable files. These minimally include:
- In-Network Rate Files – These files define all the negotiated rates for all in-network providers. They include all the codes for all the covered procedures and service lines, and the negotiated prices for each, on a per-provider / provider group, per-procedure basis. Because each covered procedure and each medical provider in a network will have their own negotiated arrangement, these files can be massive.
- Out-of-network Allowed Amount File – This file includes information about the maximum allowed amounts and billed charges for services rendered by out-of-network providers during a specified timeframe, also down to the individual procedure code level.
- Pharmacy Benefits File – This file should provide detailed information about prescription drug pricing, including the negotiated rates with pharmacies.
Interestingly, the CAA requires these files to be posted publicly, where anyone can download them.
“But how does that affect me? This seems like a good thing!”
The new availability of these files is changing the compliance landscape, and there are both opportunities and challenges associated with these changes. On February 1, 2022, the United States Department of Labor Wage and Hour Division (DOL) announced a plan to hire at least 100 additional investigators to expand its compliance and enforcement efforts, and the overall number of audits is now increasing. This is combined with a new requirement from the Centers for Medicare and Medicaid Services that TPAs and similar entities that manage health plans on behalf of an employer provide a “Gag Clause Prohibition Compliance Attestation (GCPCA) indicating compliance with Internal Revenue Code (Code) section 9824, Employee Retirement Income Security Act (ERISA) section 724, and Public Health Service (PHS) Act section 2799A-9, as added by section 201 of Title II (Transparency) of Division BB of the CAA” to their clients, who must sign and affirm their compliance with these requirements.
These two recent events add up to the following for you and your plan:
- All the negotiated rates associated with your self-funded plan are available for download.
- Your TPA is expecting you to legally attest to their compliance with the requirements of the GCPCA, retroactively back to December 27th, 2020.
The short version: the buck has been passed to you.
You would be justified in thinking “Ok, I can download all of my negotiated rate information now, and my TPA will give me my medical claims data, so I can reconcile everything, begin recovery actions if required, and we’re compliant!”
Not so much.
Let’s talk about the new machine-readable files first. TPAs fought tooth and nail against this requirement, since these files basically detail every backroom deal, they ever make, and they open the door for a flurry of new litigation (witness the most recent $9B suit against MultiPlan amid allegations of price fixing and creating a ‘virtual digital cartel’, based solely on these files). Still, the legislation went through, and the files are available – the TPAs, though, don’t make it easy. They provide very little documentation, the file layouts vary wildly, they can change without warning, and they’re very large – often multiple petabytes in size, so it generally requires a dedicated IT group or external company to find your specific files and extract the relevant information. This is critical, as these files will contain not only your plan information, but the negotiated arrangement of the other plans who also engage your TPA; if you’re wondering what your competitors are paying for a certain family of procedures, the information is available in these files. You might be surprised – pricing disparities across negotiated arrangements between different plans can vary more than 2,000%. That means that there will be procedures that your competitors pay $45.00 for, and your plan might be paying $1,500.00, for the same procedure performed by the same medical provider at the same facility.
In the past, there was literally no way for plan fiduciaries to determine this information, short of litigation or otherwise acquiring the bulk claims of their TPA – plan managers could determine that their plan costs were in the same ballpark as many other plans, and claim ‘prudence’, and enjoy a long-term comfortable relationship with their TPA. Those days are over – now, you have access to the negotiated arrangements of other plans that share your TPA – can you claim prudence if you haven’t checked to see if the negotiated arrangements your TPA has made on behalf of your plan are competitive with the other plans your TPA administers?
Maybe.
It’s likely that many of the answers will reside in your raw medical claims data as well. Actual paid amounts, out of pocket costs, and all the real revenue streams will be included in your medical transaction data. Acquiring your own medical claims data from your TPA can be a challenge, though; many TPAs will include contractual language that limits the total number of records they have to provide (often 200 or less) for auditing and assessment purposes. These requirements are now unenforceable under federal law, but the TPAs will usually try to stick to them, nonetheless. In some cases, you may find it necessary to engage a lawyer to compose a legal ‘ask’ just to get the medical transactions that legally belong to your plan members.
Assuming you’ve successfully navigated these challenges, the DOL expects you to be able to associate your medical claims transactions with the defined negotiated arrangements per-procedure per-provider, and then determine if your plan has been managed in a prudent manner. Nothing to it, right?
You have until December 31st, 2023, so you better get moving.
December 31st, 2023 is the cutoff date for the GCPCA to be signed; this is where you and your plan confirm that your TPA complies with (and has complied with) all of the requirements of the GCPCA – this means you’re legally affirming that your TPA didn’t include any ‘gag clauses’ or similar contractual restrictions that might preclude you from acquiring your health care pricing and quality data from them. Please note that this attestation applies retroactively all the way back to December 27th, 2020, so be very sure you’re not making a false attestation. The burden of ensuring contracts is free of gag clauses rests entirely on employers, not their vendors. Access to previously confidential information also binds employers to use that data to drive improvements and make informed decisions for the plan as a core part of their fiduciary obligations.
Got all that?
The advent of the CAA, the GCPCA requirement, the new availability of machine-readable files combined with the continuing recalcitrance of TPAs in actually handing over medical claims – these very recent changes were designed to make compliance possible, not easy. TPAs in particular lobbied for changes that were beneficial to their own models, and now we’re faced with a perfect storm – increasing audits from a DOL that assumes that everyone now has access to their data, TPAs publishing machine-readable information that requires deep IT specialization and significant hardware to use, new attestation requirements that will require significant research and may not be something you want to execute (possibly requiring you to retain a new TPA), and a clock ticking down to December 31st.
It’s time to get moving. There are companies who specialize in helping employers navigate these waters, who have been planning and building their own infrastructures to deal with this data, to work with the TPAs, to assist you in acquiring, storing, and leveraging your data. In the past, plan fiduciaries could just take out some insurance, hand everything off to HR or their TPA, and forget about it; those days are gone. In order to achieve and maintain compliance under ERISA, in order to be able to demonstrate prudence, you’ll need to become part of the process.
You need a partner. BCI can help.