Best Practices for Cybersecurity

May 26, 2020


Tower MSA Partners’ SVP of IT Jesse Shade offers advice to workers’ compensation companies on best practices for cybersecurity.

Did you know that personal health information (PHI) is more valuable on the black market than financial data?  This makes workers’ comp organizations very attractive targets for cyber criminals.

“Payers and other workers’ compensation organizations need to guard this sensitive data within their own enterprises. And, since these companies regularly exchange data with each other, each company needs to be just as concerned about the cybersecurity practices of its partners as its own,” says Tower’s Senior Vice President of Information Technology, Jesse Shade in this informative WorkCompWire article: Securing Data During COVID-19 and Beyond.

In last week’s article – COVID-19 Response Triggers Cybersecurity Threats to Workers’ Comp – Jesse described the scope of the cybersecurity issue, especially in the midst of COVID-19. In this one, he outlines best practices for cybersecurity in the form of practical ways to protect PHI and other data and discusses the tools your IT department needs. He also gives you questions to ask your managed care organizations, MSP compliance companies and other service providers to ensure that their security practices can withstand attacks.

Cyberattacks have risen astronomically during COVID-19 and will continue long after the pandemic passes.  The IBM Cost of a Data Breach Report put the average cost of a data breach in the U.S. at $8.19 million in 2019.  In addition to the financial hit, companies risk their reputations and the trust of their clients, customers and partners. 

As Jesse says, you can’t afford to ignore cybersecurity.  

Related:

Building a Better Tower – Cybersecurity


Federal Court Rules on Plaintiff Refusal to Provide SSN

May 19, 2020


A federal magistrate judge got a full education in Section 111 Mandatory Insurer Reporting when a plaintiff refused to provide his Social Security Number (SSN) in a liability settlement with the State of Rhode Island.

The April 27, 2020 Rhode Island U.S. District Court decision came in the case of Genaro Ruiz vs. State of Rhode Island, et al., C.A. No. 16-507WES, April 27, 2020.  The judge held the defendant’s post-settlement effort to obtain the plaintiff’s SSN was “fully consistent with the express and implied terms of the Settlement Agreement” given the Medicare Secondary Payer Act (MSP) requirements. 

Further, the plaintiff could not use the federal Privacy Act to negate the defendant’s basis for requesting the information, again given MSP requirements.

Background

The 2007 Medicare, Medicaid and SCHIP Extension Act (MMSEA) created a requirement for non-group health plans (NGHPs), such as the defendant State of Rhode Island, to report settlements involving Medicare beneficiaries to the Centers for Medicare and Medicaid Services (CMS).  Consequently, NGHPs must determine whether a plaintiff or claimant is a Medicare beneficiary.

To verify Medicare beneficiary status, a claimant, whether a Medicare beneficiary or not, is asked to produce certain information to the NGHP, including first and last name, date of birth, gender, SSN, and Medicare number, or at least the last five digits of the SSN or Medicare number.

To ensure compliance, the statute provides for penalizing the NGHP up to $1,000 per day per claim for non-compliance. However, demonstration of good faith efforts to obtain the SSN can eliminate this penalty. As the Court noted, CMS’s February 18, 2020 proposal described the penalties and what constituted a good faith effort. (See Tower’s article, CMP Comments Submitted.)

Rhode Island Case

The parties in the Rhode Island liability case reached a mediated settlement agreement with the following relevant components:

  • Plaintiff, who was at least 65 at the time of settlement, acknowledged that because he was a Medicare beneficiary, it was his responsibility to resolve any Medicare claim. However, the settlement negotiations did not define how defendants would obtain closure of any possible Medicare claim or lien.
  • Plaintiff never advised defendants that he would refuse to supply his SSN, or any part of it, as part of the settlement agreement. Providing the SSN would enable the State to ascertain his status as a Medicare beneficiary and to comply with the Medicare statutory reporting requirement.
  • Defendants never advised plaintiff that the submission of his SSN, or any part of it, was a precondition to their paying the settlement proceeds.

After the settlement agreement, the defendant provided the “RI Medicare Reporting Form,” which requests the SSN, to the plaintiff’s attorney. The plaintiff’s attorney answered “n/a” to the SSN question. Ultimately, the plaintiff’s attorney said they were refusing to provide the SSN, which caused the defendant to petition the court to intervene.

The court held an off-the-record call with the parties that resulted in the decision that the plaintiff would either provide the SSN or an affidavit stating that he did not have an SSN. Plaintiff failed to provide either and filed a motion to enforce the settlement on the basis that the federal Privacy Act gives him an absolute right to refuse to disclose his SSN. He also made a claim for punitive damages, interest, and attorneys’ fees.  The defendant responded with a motion to enforce the agreement from the off-the-record call.

District Court Holding

The District Court held:

  • That the defendant made significant (and successful) efforts to comply fully with the letter and spirit of MMSEA. In an effort to comply, the State of Rhode Island made the requisite query using at least a five-digit iteration of the plaintiff’s SSN. (During discovery, the defendant apparently obtained the last four digits of the SSN and tried to add the fifth digit by performing a query of the multiple iterations.)
  • The State’s actions fit neatly into the not-yet-established safe harbor limned by the Proposed Rule, so that any penalties and sanctions for non-compliance should not be imposed.
  • The State (and the Court) appropriately relied on the plaintiff’s acquiescence to the use of the information he produced in discovery to make the required report to CMS.
  • There was no further need for the plaintiff to disclose his SSN or any part of it as a prerequisite to receiving the settlement proceeds.

Regarding the plaintiff’s claim for punitive damages, interest, and attorneys’ fees:

  • The State’s conduct in delaying payment of the settlement proceeds does not conceivably amount to “willful and wanton disregard” for plaintiff’s rights bordering on criminality.
  • The settlement agreement must be interpreted as incorporating and being subject to the MMSEA requirement of disclosure of the SSN (and, if that is not available, at least the last five digits of the SSN). It is not subject to the Privacy Act prohibition on SSN disclosure because MMSEA is a “Federal statute” requiring preferably full, but at least partial, SSN disclosure.
  • Plaintiff was contractually obliged to provide defendants with as much of the specified information as the State reasonably needed to make a CMS query about his Medicare status. His refusal to disclose at least the fifth from the last digit of his SSN is a breach of the implied covenant of good faith and fair dealing.

Practical Implications

This is one of those cases where an uncooperative claimant appears to have hit a nerve with the Court, resulting in the Court going above and beyond to rule in favor of the defendant.  Its decision, though, shows how at least this federal court views the responsibilities of the settling parties in regard to the Section 111 Mandatory Insurer reporting requirement.

Key takeaways from the decision:

  • A defendant is allowed to request the SSN, or an affidavit that the SSN will not be provided, even post-settlement, and such a request does not constitute bad faith or a violation of the federal Privacy Act.
  • The plaintiff should either provide the full SSN (or their Medicare number), the last five digits of the SSN or Medicare number, or a statement or affidavit that the plaintiff is refusing to provide either.  CMS even provides a standard form if the plaintiff does not want to use the form provided by the defendant.

Best practice is to attempt to obtain the SSN prior to the settlement agreement. This is important not only for reporting requirements, but also for investigating Medicare conditional payments. If the SSN or affidavit cannot be obtained prior to the settlement agreement, then the settlement agreement should include terms requiring the plaintiff to provide such information.

If you have any questions, please contact me, Dan Anders, at (888) 331-4941 or daniel.anders@towermsa.com.

Tower’s Jesse Shade Warns of Cyberattacks During COVID-19 and Tells How to Mitigate Them

May 15, 2020


When Tower held its cybersecurity webinar in February, presenters stressed that cyberattacks increase dramatically during a crisis. This certainly holds true for COVID-19. Attacks soared by 330% in its early weeks, according to an Atlas VPN report.

Workers’ compensation payers, third-party administrators, ancillary care providers, and MSP compliance companies pose very attractive targets – regardless of the size of the company.  

They store, manage, and transfer large volumes of protected health information (PHI), which is quite valuable to criminals.

In this WorkCompWire article, our Senior Vice President of Information Technology, Jesse Shade, explains how cyberattacks occur and describes security measures to protect networks, systems, and data.

During the work-from-home transition, experienced IT pros deployed VPNs to connect remote machines to enterprise networks and installed the latest and greatest security software.

However, if a company can buy antivirus and antimalware software off the shelf or online, so can criminals. And, they analyze these products and create ways to work around their security capabilities.

Threat actors can even enter a network undetected and stay there for months and learn how to circumvent its security measures. Jesse recommends proactive solutions to prevent breaches in this timely story.

The Penalties are Coming

April 6, 2020


With COVID-19, it’s understandable if Civil Monetary Penalties (CMPs) have slipped your mind.  CMS has proposed stiff penalties—up to $1,000 per day per claimant—for incorrect MSP reporting or failure to report. (Our Chief Compliance Officer Dan Anders posted on these in February.) For a well-written synopsis of how they could affect you, read this article by Michael Stack, CEO of AMAXX, LLC: Increased Penalties are Coming for Incorrect Medicare Secondary Payer Reporting.

CMS’s Revised Consent to Release Form Becomes Mandatory April 1

March 18, 2020


As of April 1, 2020, submissions of Workers’ Compensation Medicare Set-Asides (WCMSAs) must include CMS’s revised Consent to Release form.  The form indicates that the need and process for the WCMSA have been explained to the injured worker, and that the injured worker has approved the contents of the submission, including the allocated funds.

First announced with the release of an updated WCMSA Reference Guide on October 10, 2019 (Version 3.0), the revised consent must include the following language:

Further, I have had the Workers’ Compensation Medicare Set-Aside Arrangement need and process explained to me, and I approve of the contents of the submission.

Beneficiary Initials: ____

A copy of the revised consent to release can be found here.

Practical Implications

If the claimant is represented by an attorney, the attorney will typically explain why an MSA is needed in settlement of their WC case.  If not represented, this responsibility may fall to the adjuster or defense attorney.

CMS provides resources to assist with the MSA explanation in both the WCMSA Reference Guide and the Self-Administration Toolkit.  Additionally, for professionally administered MSAs, our partner Ametros provides general information as well as individual consultation to walk the injured worker through how the MSA will work post-settlement.

As mentioned above, the revised consent requires the claimant to approve the contents of the MSA submission.  While a review of the MSA report alone by the claimant or their attorney may be enough to obtain the beneficiary’s approval, if the injured worker requires additional documentation prior to their approval, Tower will provide it.

Finally, keep in mind that a consent without the revised Consent to Release language will no longer be valid as of April 1. Consequently, Tower may provide a revised consent form to be executed by the claimant prior to submission or resubmission of the MSA to CMS.

If you have any questions please contact Tower’s Chief Compliance Officer, Dan Anders, at (888) 331-4941 or daniel.anders@towermsa.com.

Meloxicam’s Price Drop – Good News for MSAs

March 16, 2020


Our Chief Compliance Officer Dan Anders’ blog post on the huge price drop of Meloxicam prompted a WorkCompCentral article, quoting Dan.  Previously priced at $4.25 per pill for 15 milligrams, it’s now 5 cents per pill.  Over a 20-year life expectancy of an injured worker taking 15 milligrams a day, the old price meant an MSA allocation of $30,000. With the reduced price, that allocation would be $300.  For details, see http://bit.ly/2IHjYwn (subscription required).

Tower’s Dan Anders Comments on NY Ban on Hold-Harmless Clauses in Settlement Agreements

March 6, 2020


The New York Workers’ Compensation Board recently issued a bulletin indicating it will not approve settlements requiring injured workers to indemnify or hold insurers harmless if Medicare demands future reimbursements. Tower’s Chief Compliance Officer Dan Anders said the board may be responding to a growing trend of MSAs and settlements that are not submitted to Medicare for review. See WorkCompCentral’s coverage here (subscription required).

Business Insurance: Insurers could face stiff MSP penalties

March 3, 2020


Business Insurance’s Angela Childers examined CMS’s proposed rules for Section 111 Mandatory Insurer Reporting penalties in this Feb. 26 article.  She quoted Tower’s Chief Compliance Officer Dan Anders on the severity of the possible $1,000 per-day-per-claim penalty for not reporting MSP data or not reporting it with sufficient accuracy. You don’t want to face a $365,000 or more penalty. See Dan’s post for proposal details and contact him at Daniel.anders@towermsa.com for direction on how to submit comments and prepare for the impending penalties.

Cybersecurity Threats & You


Many businesses don’t think a data breach will happen to them; small businesses especially assume they’re too small to attack. However, Tower’s Feb. 19 cybersecurity webinar featured a survey that showed that 11% of very small businesses and 44% of midsized organizations experienced a data breach in the last 12 months. A quarter of these companies had to file for bankruptcy, and 10% went out of business entirely. See Nancy Grover’s excellent coverage of the webinar for workerscompensation.com. And, you can watch the recording at Tower’s webinar.