Category: Blog

New Section 111 Dashboard Can Help You Avoid Penalties

September 1, 2020

Section 111 Dashboard example

Tower MSA Partners has created an intuitive, easy-to-use Section 111 dashboard to help you avoid CMS’s penalties for non-compliance with Section 111 reporting. Once in effect, the penalties can amount to up to $1,000 per day per claimant for things like failing to accurately ORM and TPOC.

Our new Section 111 dashboard provides 24/7 access to your claims data and reporting oversight for all aspects of the reporting process. It will even remind you to update ORM Term Dates when claims settle. You can run all kinds of reports and correct errors on the fly.

For details, please see the news release: Tower MSA Partners Releases Medicare Mandatory Reporting Dashboard. And, for a quick refresher on CMS’s proposed penalties, see Tower’s Feb. 18 and April 27 posts:

CMS Issues Proposed Rule for Mandatory Insurer Reporting Penalties

CMP Comments Submitted

 

Tower MSA Partners Receives SOC 2 Type I Attestation

August 21, 2020

AICPA SOC logo

Tower MSA Partners has completed its SOC 2 Type I audit. Performed by KirkpatrickPrice, this attestation provides evidence of Tower’s strong commitment to security and delivering high-quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

A SOC 2 Type I audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, an organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design of Tower’s controls to meet the standards for these criteria.

“Tower’s processes have been technology driven from its beginning with the privacy and security of client data at the forefront of internal policy and procedure development,” said Tower CEO Rita Wilson.  “We are pleased to receive this affirmation from an independent analysis.”

“The SOC 2 audit is based on the Trust Services Criteria. Tower MSA Partners has selected the security and confidentiality criteria for the basis of their audit,” said Kirkpatrick Price President Joseph Kirkpatrick. “Tower delivers trust-based services to its clients and by communicating the results of this audit, its clients can be assured of their reliance on this company’s controls.”

Related Posts

Tower MSA Partners Completes SOC 2 Type II Audit

Towers’ VP of IT Jesse Shade on The Hot Seat

August 5, 2020

Jesse Shade Portrait

Jesse Shade, Tower’s Vice President of Information Technology, will be a panelist on the “Cybersecurity Threats: What You Can’t See Can Hurt You” webinar. Presented by WorkersCompensation.com as part of its The Hot Seat series, the free webinar starts at noon EDT on August 6.

Shade, who is a member of the Forbes Technology Council, brings more than 35 years of IT experience to the panel. He oversees all aspects of Tower’s technologies, including data security. 

Joining Jesse Shade in the information-packed session is the George State Board of Workers’ Compensation’s Director of Information Technology Bobby Allen and WorkersCompensation.com’s Media Director Nancy Grover.

Among the topics Jesse Shade will cover are:

  • Misconceptions about cybersecurity
  • Should organizations outsource cybersecurity efforts?
  • How can you guard against internet attack?

The webinar will be moderated by WorkersCompensation.com President and CEO Bob Wilson and Judge David Langham. There is no charge for the webinar.

CMS Releases Updated Section 111 and MSPRP User Guides – Schedules Reporting Webinar

July 17, 2020

Tower MSA Partners explains CMS updates to ORM and NOINJ rules in the Section 111 reporting user guide.

New CMS User Guides released.

The Centers for Medicare and Medicaid Services (CMS) recently released updated user guides for Non-Group Health Plan MMSEA Section 111 Mandatory Insurer Reporting and the Medicare Secondary Payer Recovery Portal (MSPRP).  CMS also just announced an August webinar on Section 111 reporting matters.

CMS User Guides: Updated MMSEA Section 111

On June 29, CMS released Version 5.9 of the NGHP MMSEA Section 111 User Guide.  Highlights of the updated user guide:

  • A reminder has been added that while the threshold for physical trauma-based liability insurance settlements remains at $750, this threshold does not apply to non-trauma liability reporting for alleged ingestion, implantation, or exposure cases. Any settlement, regardless of amount, should be reported for these types of cases. (Sections 6.4.2, 6.4.3, and 6.4.4).
  • The limit dollar amount that triggers a threshold error has been adjusted from $99,999,999 to $99,999,999.99. This error occurs any time the No-Fault Insurance Limit amount or the cumulative value of all reported TPOCs (detailed and auxiliary records) exceed this limit. Additionally, the No-Fault Insurance Limit field number has been corrected under “Exceptions.” (Section 7.3.2).
  • When considering the requirements for the Ongoing Responsibility for Medicals (ORM), remember, per current policy, that the dollar limit for No-Fault Insurance Limits (Field 61) represents a combined total of Med-Pay and Personal Injury Protection (PIP) (Section 6.7.1).
  • When considering the requirements for the Ongoing Responsibility for Medicals (ORM), remember, per current policy, that the dollar limit for No-Fault Insurance Limits (Field 61) represents a combined total of Med-Pay and Personal Injury Protection (PIP) (Appendix A).
  • The CR02 claim response file error code field number has been corrected (Appendix F) (Table F-4).

CMS User Guides: Updated MSPRP

On July 13, CMS released Version 4.9 of its MSPRP User Guide.  The MSPRP is a web-based application which allows authorized users to, among other tasks, investigate, dispute and resolve Medicare conditional payments.  Updates can be found on page 1-1 of the user guide.  Significantly, users can now view and print outgoing correspondence from the MSPRP.  This is correspondence that has been received or letters that have been sent related to a BCRC or CRC case.

Section 111 Reporting Webinar

CMS will be hosting a Section 111 NGHP webinar on August 13, 2020 at 1:00 PM ET.  According to the notice, “the format will be opening remarks by CMS followed by a presentation that will include NGHP reporting best practices and reminders.”  The webinar notice can be found here.

If you have any questions regarding the updates, please contact Dan Anders, Chief Compliance Officer at daniel.anders@towermsa.com or 888.331.4941.

PREMIER WEBINAR: Avoiding the Medicare Mandatory Reporting Penalty

June 29, 2020

Avoiding the Medicare Mandatory Penalty webinar banner

Regulations for Medicare Mandatory Reporting Penalty are in the process of being formalized!

Under the threat of up to a $1,000 per-day, per-claim penalty, most insurers and self-insurers have implemented processes to ensure Medicare beneficiary claimants are reported to Medicare per Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA).

Penalties have never been imposed as the SMART Act specified that the Centers for Medicare and Medicaid Services (CMS) must formalize regulations prior to issuing them.  This past February, CMS released proposed regulations, which we detailed in this article: CMS Issues Proposed Rule for Mandatory Insurer Reporting Penalties.  Comments on the proposal were due in April and now we await a final regulation.

In a timely webinar, a full analysis of CMS’s penalties proposal will be provided by Tower’s Chief Compliance Officer, Daniel Anders, Esq.  Joining Dan will be Jesse Shade, Tower’s VP of Information Technology, who will break down new user-friendly enhancements to Tower’s Mandatory Insurer Reporting platform that are designed specifically to avoid the penalties CMS seeks to impose.     

A Q&A session will follow the presentation.  Plan to attend the webinar on Wednesday, July 22,  at 2 pm ET.

Thank you,

Dan Anders
Chief Compliance Officer

Register Now

CMS Provides Notices on Section 111 Reporting and Conditional Payment Processes

June 17, 2020

People using laptop and mobile phones to update Section 111 Reporting

CMS has recently issued two notices, one pertaining to mandatory Section 111 reporting and one relevant to Medicare conditional payment recovery.

First, in a “teaser” notice, CMS announced that on July 13, 2020 the Medicare Secondary Payer Recovery Portal (MSPRP) is scheduled to be enhanced to allow authorized users to view and print correspondence.

According to the notice,

MSPRP users who log in using Multi Factor Authentication will be able to view and print CMS mailed correspondence that is displayed on the Letter Activity tab. Additional information on how to use this new functionality will be available in Section 14.1.1.4 of the July version of the MSPRP User Guide.

Second, in an alert entitled “Reporting No-Fault Insurance Limit on Non-Group Health Plan (NGHP) Claim Input Files,” CMS reminds Responsible Reporting Entities (RREs) that they must combine both Med Pay and Personal Injury Protection (PIP) coverage limits for Section 111 reporting purposes.  This would be under circumstances where separate Med Pay and PIP coverages are being paid out on claims for the same injured party and incident under a single policy.

CMS also reminded RREs that ORM cannot be terminated until both Med Pay and PIP coverage limits are exhausted.  Further, that when providing the dollar amount for the policy limit, that it must accurately reflect two decimal places.  For example, a policy limits of $5,000 should be reported as 500000.

Practical Implications

In regard to the MSPRP enhancement to print documents, while we will have to see the specific guidance in the July update, this may prove quite useful in not having to wait for correspondence to come in the mail, print letters that were not received via the mail or reprint letters.

As for the alert to remind No-Fault carriers to report Med Pay and PIP coverage limits as a combined amount, while this guidance is already included in the NGHP User Guide, there was apparently some confusion that led CMS to provide this alert as a reminder of how such coverage must be reported.

If you have any questions, please contact Dan Anders, Chief Compliance Officer at daniel.anders@towermsa.com or 888.331.4941.

WorkersCompensation.com’s Coverage of the Pharmacy/Legacy Claims Webinar

June 1, 2020

stethoscope and insurance claim form

“The older the claim, the higher the costs—especially for prescription drugs,” wrote WorkersCompensation.com’s Nancy Grover, in this excellent recap of A Prescription for Settling Legacy Claims webinar. 

The May 19 webinar was presented by Dan Anders, Tower MSA Partners’ Chief Compliance Officer, and Phil Walls, Chief Clinical and Compliance Officer of myMatrixx. 

They said that aging claims increase the likelihood that the injured worker may become a Medicare beneficiary.  “That means those higher drug costs must be included in a Medicare Set-Aside,” she wrote.

The fast-paced webinar explains how and why prescription drug costs increase during the life of a claim. Brand name drugs, compounds (yes, still), and “prescription cascade” (prescribing new meds to address the side effects of other meds) top the list of cost-drivers.

To gain CMS approval of an MSA, medications that may not be needed or even being used must be allocated in the MSA. What’s more, they are priced at Redbook’s lowest average wholesale price (AWP), eliminating discounts the pharmacy benefit manager (PBM) once provided. Side note: Phil describes issues with AWP in detail during the Q&A at the end of the webinar. 

Dan and Phil discussed ways an MSA provider and PBM can partner to identify and address unnecessary costs—without negatively impacting the injured worker’s treatment.  “We reach out to the treating physician for last dates of service to see what’s going on,” Dan said. “We also do drug reviews to see if there are alternatives that can be implemented.”

Presenters cited a case where an intervention reduced the total morphine equivalent dosage from a dangerous 480 mg per day to 120 mg per day.  The changes produced a savings of about $1 million. 

“Our goal is never to keep the injured worker from obtaining the therapy they need, but not to expose them to unnecessary prescribing,” Phil said.

To download the recording of this valuable webinar, please go to: https://register.gotowebinar.com/recording/7163259288372148492

Best Practices for Cybersecurity

May 26, 2020

threatening hooded figure with the word cyber security superimposed to illustrate post on best practices for cybersecurity

Tower MSA Partners’ SVP of IT Jesse Shade offers advice to workers’ compensation companies on best practices for cybersecurity.

Did you know that personal health information (PHI) is more valuable on the black market than financial data?  This makes workers’ comp organizations very attractive targets for cyber criminals.

“Payers and other workers’ compensation organizations need to guard this sensitive data within their own enterprises. And, since these companies regularly exchange data with each other, each company needs to be just as concerned about the cybersecurity practices of its partners as its own,” says Tower’s Senior Vice President of Information Technology, Jesse Shade in this informative WorkCompWire article: Securing Data During COVID-19 and Beyond.

In last week’s article – COVID-19 Response Triggers Cybersecurity Threats to Workers’ Comp –  Jesse described the scope of the cybersecurity issue especially in the midst of COVID-19.  In this one, he outlines out best practices for cybersecurity in the form practical ways to protect PHI and other data and discusses the tools your IT department needs. He also gives you questions for your managed care organizations, MSP compliance companies and other service providers to ensure that their security practices can withstand attacks.

Cyberattacks have risen astronomically during COVID-19 and will continue long after the pandemic passes.  The IBM Cost of a Data Breach Report put the average cost of a data breach in the U.S. at $8.19 million in 2019.  In addition to the financial hit, companies risk their reputations and the trust of their clients, customers and partners. 

As Jesse says, you can’t afford to ignore cybersecurity.  

Related:

Building a Better Tower – Cybersecurity

 

Federal Court Rules on Plaintiff Refusal to Provide SSN

May 19, 2020

close up of judge's gavel with the scales of justice in the background

A federal magistrate judge got a full education in Section 111 Mandatory Insurer Reporting when a plaintiff refused to provide his Social Security Number (SSN) in a liability settlement with the State of Rhode Island.

The April 27, 2020 Rhode Island U.S. District Court decision came in the case of Genaro Ruiz vs. State of Rhode Island, et al., C.A. No. 16-507WES, April 27, 2020.  The judge held the defendant’s post-settlement effort to obtain the plaintiff’s SSN was “fully consistent with the express and implied terms of the Settlement Agreement” given the Medicare Secondary Payer Act (MSP) requirements. 

Further, the plaintiff could not use the federal Privacy Act to negate the defendant’s basis for requesting the information, again given MSP requirements.

Background

The 2007 Medicare, Medicaid and SCHIP Extension Act (MMSEA) created a requirement for non-group health plans (NGHPs), such as the defendant State of Rhode Island, to report settlements involving Medicare beneficiaries to the Centers for Medicare and Medicaid Services (CMS).  Consequently, NGHPs must determine whether a plaintiff or claimant is a Medicare beneficiary.

To verify their Medicare beneficiary status, a claimant, whether a Medicare beneficiary or not, is asked to produce certain information to the NGHP: including first and last name, date of birth, gender, SSN, Medicare number, or at least the last five digits of the SSN or Medicare number.

To ensure compliance, the statute provides for penalizing the NGHP up to $1,000 per day per claim for non-compliance. However, demonstration of good faith efforts to obtain the SSN can eliminate this penalty.  As the Court noted, CMS’s February 18, 2020 proposal described the penalties and what constituted a good faith effort.  (See Tower’s article, CMP Comments Submitted)

Rhode Island Case

The parties in the Rhode Island liability case reached a mediated settlement agreement with the following relevant components:

  • Plaintiff, who was at least 65 at the time of settlement, acknowledged that because he was a Medicare beneficiary, it was his responsibility to resolve any Medicare claim. However, the settlement negotiations did not define how defendants would obtain closure of any possible Medicare claim or lien.
  • Plaintiff never advised defendants that he would refuse to supply his SSN, or any part of it, as part of the settlement agreement. Providing the SSN would enable the State to ascertain his status as a Medicare beneficiary and to comply with the Medicare statutory reporting requirement.
  • Defendants never advised plaintiff that the submission of his SSN, or any part of it, was a precondition to their paying the settlement proceeds.

Post the settlement agreement the defendant provided the “RI Medicare Reporting Form” that requests the SSN the plaintiff attorney. Plaintiff attorney’s response was “n/a” to the SSN question.  Ultimately, the plaintiff attorney said they were refusing to provide the SSN, which caused the defendant to petition the court to intervene. 

The court held an off-the-record call with the parties that resulted in the decision that the plaintiff would either provide the SSN or an affidavit stating that he did not have an SSN. Plaintiff failed to provide either and filed a motion to enforce the settlement on the basis that the federal Privacy Act gives him an absolute right to refuse to disclose his SSN. He also made a claim for punitive damages, interest, and attorneys’ fees.  The defendant responded with a motion to enforce the agreement from the off-the-record call.

District Court Holding

The District Court held:

  • That the defendant made significant (and successful) efforts to comply fully with the letter and spirit of MMSEA. In an effort to comply, The State of Rhode Island made the requisite query using at least a five-digit iteration of Plaintiff’s SSN. (During discovery, the defendant apparently obtained the last four digits of the SSN and tried to add the fifth digit by performing a query of the multiple iterations).
  • The State’s actions fit neatly into the not-yet-established safe harbor limned by the Proposed Rule, so that any penalties and sanctions for non-compliance should not be imposed
  • The State (and the Court) appropriately relied on plaintiff’s acquiescence to the use of the information he produced in discovery to make the required report to CMS
  • There was no further need for plaintiff to disclose his SSN or any part of it as a prerequisite to receiving the settlement proceeds

Regarding the plaintiff’s claim for punitive damages, interest, and attorneys’ fees:

  • The State’s conduct in delaying payment of the settlement proceeds does not conceivably amount to “willful and wanton disregard” for plaintiff’s rights bordering on criminality.
  • The settlement agreement must be interpreted as incorporating and being subject to the MMSEA requirement of disclosure of the SSN (and, if that is not available, at least the last five digits of the SSN). It is not subject to the Privacy Act prohibition on SSN disclosure because MMSEA is a “Federal statute” requiring preferably full, but at least partial, SSN disclosure.
  • Plaintiff was contractually obliged to provide defendants with as much of the specified information as the State reasonably needed to make a CMS query about his Medicare status/ His refusal to disclose at least the fifth from the last digit of his SSN is a breach of the implied covenant of good faith and fair dealing.

Practical Implications

This is one of those cases where an uncooperative claimant appears to have hit a nerve with the Court, resulting in the Court going above and beyond to rule in favor of the defendant.  Its decision, though, shows how at least this federal court views the responsibilities of the settling parties in regard to the Section 111 Mandatory Insurer reporting requirement.

Key takeaways from the decision:

  • A defendant is allowed to request the SSN or an affidavit that the SSN will not be provided even post-settlement and such request does not constitute bad faith or a violation of the federal Privacy Act.
  • The plaintiff should either provide the full SSN (or their Medicare number), the last five digits of the SSN or Medicare number, or a statement or affidavit that the plaintiff is refusing to provide either.  CMS even provides a standard form if the plaintiff does not want to use the form provided by the defendant.

Best practice is to attempt to obtain the SSN prior to the settlement agreement. This is not only important to reporting requirements, but also to investigate Medicare conditional payments.  If the SSN or affidavit cannot be obtained prior to the settlement agreement, then the settlement agreement should include terms in which the plaintiff is required to provide such information.

If you have any questions, please contact me, Dan Anders, at (888) 331-4941 or daniel.anders@towermsa.com.

Tower’s Jesse Shade Warns of Cyberattacks During COVID-19 and Tells How to Mitigate Them

May 15, 2020

ominous figure embedded in coding to illustrate cybersecurity threats

When Tower held its cybersecurity webinar in February, presenters stressed that cyberattacks increase dramatically during a crisis. This certainly holds true for COVID-19. Attacks soared by 330% in its early weeks, according to an Atlas VPN report.

Workers’ compensation payers, third-party administrators, ancillary care providers, and MSP compliance companies pose very attractive targets – regardless of the size of the company.  

They store, manage, and transfer large volumes of protected health information (PHI), which is quite valuable to criminals.

In this WorkCompWire article, our Senior Vice President of Information Technology, Jesse Shade, explains how cyberattacks occur and describes security measures to protect networks, systems, and data.

During the work-from-home transition, experienced IT pros deployed VPNs to connect remote machines to enterprise networks and installed the latest and greatest security software.

However, if a company can buy antivirus and antimalware software off the shelf or online, so can criminals. And, they analyze these products and create ways to work-around their security  capabilities.

Threat actors can even enter a network undetected and stay there for months and learn how to circumvent its security measures. Jesse recommends proactive solutions to prevent breaches in this timely story.