CMS Updates Section 111 NGHP User Guide and WCMSA Reference Guide

April 5, 2024

woman holding CMS-Updates binder

CMS Releases Updates to MMSEA Section 111 NGHP User Guide and WCMSA Reference Guide

The Centers for Medicare and Medicaid Services (CMS) began April with updates to two of its popular user guides, the MMSEA Section 111 NGHP User Guide and the WCMSA Reference Guide.  Notably, the NGHP User Guide, version 7.5, now includes details on the requirements to report WCMSA amounts with other relevant data. These will need to be reported as of April 4, 2025.

The NGHP User Guide, Section of Chapter III: Policy Guidance, was updated to state:

For workers’ compensation records submitted on a production file with a TPOC date on or after April 4, 2025, Workers’ Compensation Medicare Set-Aside Arrangements (WCMSAs) must be reported.

CMS also updated Chapter IV: Technical Information with similar language.

CMS Revisions to WCMSA Reporting Fields in Chapter V: Appendices

Additionally, CMS updated Chapter V: Appendices to identify the fields that will be added to the Claim Input File Detail for WCMSA reporting:

  • Field 37 – MSA Amount: This will be either $0 or an amount greater than $0. If an annuity is used, then the “total payout” is reported.
  • Field 38 – MSA Period: If the MSA amount is greater than $0, you need to enter the number of years the MSA is expected to cover the beneficiary.
  • Field 39 – Lump Sum or Structured/Annuity Payout Indicator: If the MSA amount is greater than $0, you will enter “L” for a lump-sum MSA or “S” for a structured/annuity MSA.
  • Field 40 – Initial Deposit Amount: If an annuity, then the MSA seed amount is reported.
  • Field 41 – Anniversary Deposit Amount: If an annuity, then the amount of the annual payments.
  • Field 42 – Case Control Number (CCN): If an MSA is submitted to CMS for review or is otherwise submitted to CMS post-settlement, it will be assigned a CCN. The CCN is entered in this field, although this is optional.
  • Field 43 – Professional Administrator EIN: Enter the Employer Identification Number of the professional administrator here if there is one. If this EIN is not provided, the “case administrator” defaults to the beneficiary. If the EIN does not match a registered administrator account in the Workers Compensation Medicare Set-Aside Portal (WCMSAP), then “case administrator” will also default to the beneficiary.

CMS provided a table of error codes for errors identified in the above-reported information.

Responsible Reporting Entities (RREs) can start testing these new fields on October 7, 2024. For further details, see the Tower article, CMS Sets Date for Start of Section 111 WCMSA Reporting.

CMS also incorporated the following notice into the NGHP User Guide:

As of January 1, 2024, the threshold for physical trauma-based liability insurance settlements will remain at $750. CMS will maintain the $750 threshold for no-fault insurance and workers’ compensation settlements, where the no-fault insurer or workers’ compensation entity does not otherwise have ongoing responsibility for medicals (Section 6.4).

The $750 reporting threshold has been in place for several years.

CMS included minor updates to the WCMSA Reference Guide, version 4.0

Specifically, CMS added:

Instruction specific to beneficiaries has been added to encourage them to use their access to the portal for the most efficient method of submitting attestations (Sections 11.1.1 and 17.5).

For further information on electronic reporting of attestations, see the above-referenced sections in the guide or the Tower article, CMS Adds Electronic Submission Option for MSA Attestations.

CMS also amended the link in Section 10.3 to reflect the most recent CDC Life Table link. The life tables are used to determine life expectancy for calculation of the MSA.

Tower’s Cybersecurity Measures Go the Extra Mile to Protect Your Data

April 3, 2024

remote employee working on a laptop taking all the right cybersecurity measures

Navigating cybersecurity landscape: Insights from CTOs on cybercrime trends

Cybercrime continues to mount, threatening organizations of all sizes and types. The right cybersecurity measures matter. And which cyber risks worry Chief Technology Officers the most?  That would be the danger of an employee accidentally opening the door to an attack.

A recent survey of CTOs showed that 59% considered human error a significant security threat.  Highlighted in a March 12 Risk & Insurance brief, the survey was conducted by STX Next with results reported in Technology Magazine.

The phenomenal increase in the sales of cyber insurance underscores the growth of cybercrimes and corporations’ concerns about their impact.  Cyber insurance sales, which were $1 billion in 2013, soared to $16 billion in 2023.

Still, only half the companies surveyed had a cybersecurity insurance policy. Tower, of course, has had cybersecurity insurance for years. It’s necessary, but we hope we never have to use it. Our focus is on detecting and preventing attacks in the first place.

Cybercrime spotlight: Cybercriminals zeroing in on users

Cybercriminals are becoming more sophisticated.  Forget the lone hacker in his basement; now there are large “professionalized” cybercrime operations. They know most companies that hold sensitive personal health or financial data have reinforced their networks and systems, and now criminals have their sights on soft targets, the people.

One wrong click can launch a devastating breach. Without the right kind of education and ongoing awareness of new viruses and scams, employees can easily fall prey to phishing, vishing, smishing, and social engineering issues.

Fortifying remote workforce: Tower’s cybersecurity education to combat cybercrime

Cybersecurity education is essential for a remote workforce, where an employee can’t quickly turn to a teammate for a second opinion on an email. Tower’s employees receive extensive cybersecurity training and understand how to do their part to prevent breaches.

Tower equips our remote workforce with virtual desktop infrastructure (VDI), including VPNs, anti-virus software, and software that analyzes and downloads electronic email attachments before they can be accessed by any of our devices. We also conduct monthly training sessions that cover topics such as how to detect phishing attacks and procedures for reporting suspicious email and malware, and how to handle email attachments that may contain them.

Enhancing cybersecurity protocols: Tower’s robust defense system against cybercrime

We don’t stop there, though.  We conduct annual penetration testing, also called pentesting, where a third-party security expert tries to find and exploit vulnerabilities. Ntierty, our cloud provider, keeps us up to date on the latest viruses and scans our network every week. Tower’s IT department also conducts its own weekly scans using different software as an extra precaution.

And the Tower management team engages in annual cybersecurity tabletop exercises to simulate real-world attacks on Tower’s systems.  These simulations probe for known vulnerabilities, which allows us to develop new strategies and procedures to secure our systems.

We also review our controls, processes and procedures to assess their effectiveness every year in a formal SOC 2, Type 2 audit.  All this is done to continually identify potential vulnerabilities so we can proactively fortify our defenses.

Tower invests significant amounts of time and money to ensure business continuity and the protection and privacy of data. This may sound like overkill, but we understand the risks, and we’re not willing to take chances on our security and the protection of our clients’ data.

To learn more about Tower’s security suite, please contact Chief Technology Officer Jesse Shade at


Human Error is Biggest Cybersecurity Threat, CTOs Say | Technology Magazine

5 things business leaders must know to combat the cybercrime menace – Liberty Mutual Business Insurance

CMS Sets April 16 for Webinar on Section 111 Reporting of WCMSAs

March 27, 2024

Webinar on Section 111 Reporting of WCMSAs

Prepare for Change: CMS Webinar on Expanding Section 111 NGHP TPOC Reporting to Include WCMSA Information

The Centers for Medicare and Medicaid Services has scheduled a webinar for April 16, 2024, at 2 PM ET to provide updates on the implementation of Section 111 reporting of Workers Compensation Medicare Set-Asides (WCMSAs).  Per the March 25, 2024 announcement:

CMS will be hosting a second webinar regarding the expansion of Section 111 Non-Group Health Plan (NGHP) Total Payment Obligation to Claimant (TPOC) reporting to include Workers’ Compensation Medicare Set-Aside (WCMSA) information. After the first webinar in November, CMS received additional questions and feedback from the industry. The intent of this webinar is to ensure that RREs will be prepared for the change once implemented. With that in mind, this webinar will include a background recap, summary of technical details, updated timelines and CMP impacts. The presentation will be followed by a question and answer session. Because this expansion impacts reporting of WCMSAs, it is strongly recommended that Responsible Reporting Entities (RREs) that report Workers’ Compensation settlements attend.

There is no pre-registration for the webinar.  Full details can be found here.

As of April 4, 2025, TPOC reporting must include Workers’ Compensation Medicare Set-Aside Arrangements (WCMSAs). (See CMS Sets Date for Start of Section 111 WCMSA Reporting).

The WCMSA reporting requirement applies to both CMS-approved and non-approved MSAs.  This information must be reported if the insurance type is workers’ compensation and the TPOC amount is greater than $0. The rule will be prospective only, meaning it applies to TPOC dates of April 4, 2025 and later.

To collect this data, CMS is adding new fields to the Section 111 Claim Input File.

Tower will provide a post-webinar summary.  If you have any questions, please contact Dan Anders at or 888.331.4941.