U.S. Supreme Court: MSP Rules Do Not Preclude Limited Coverage for Outpatient Dialysis
The U.S. Supreme Court has ruled that a group health plan does not violate the Medicare Secondary Payer (MSP) rules by limiting coverage for outpatient dialysis, a treatment used almost exclusively for patients with end-stage renal disease (ESRD). In the underlying case, a large dialysis provider sued the plan and its TPA, challenging the plan’s classification of all dialysis providers as “out-of-network,” resulting in a lower reimbursement rate for them than for providers of other medical services. Acknowledging that the plan provision applied equally to all covered individuals receiving dialysis, the provider nevertheless argued that nearly all dialysis patients have ESRD, so the lower reimbursement rate for dialysis than for other treatments effectively discriminated against ESRD patients and had a disparate impact on them, in violation of the MSP rules. A federal trial court dismissed the claim, but the Sixth Circuit revived it, holding that the MSP antidiscrimination provisions prohibit conduct beyond the express differential treatment of ESRD patients. Two months later, in a similar case involving the same dialysis provider, the Ninth Circuit rejected the provider’s disparate impact argument, ruling that the MSP statute prohibits group health plans from providing different benefits to ESRD patients than to patients without the condition, but does not bar other differences that merely have a disproportionate effect on ESRD patients. The conflicting decisions by the two appellate courts set the stage for the Supreme Court’s review.
Finding no MSP violation, the Court ruled in favor of the plan. The Court acknowledged that the MSP statute prohibits a plan from differentiating in benefits between individuals with and without ESRD or taking into account the Medicare eligibility of an ESRD patient. The Court concluded, however, that the plan provided the same benefits to all plan participants regardless of whether they had ESRD. Thus, the plan neither differentiated in benefits nor took into account Medicare eligibility due to ESRD. Rejecting the argument that the MSP statute also authorizes liability if a uniform coverage limitation has a disparate impact on ESRD patients, the Court concluded that neither the statute’s text nor its implementing regulations encompass a disparate-impact theory. The Court further opined that such a theory would be practically impossible to administer because it is premised on the idea that plans must provide “adequate” coverage for dialysis, with no guidance as to what is adequate.
The Court’s ruling seems likely to encourage insurers and group health plans to reduce coverage for outpatient dialysis, thereby shifting the cost of dialysis to Medicare. The two dissenting justices observed that the Court’s opinion “tells plans they can do just that, so long as they target dialysis, rather than the patients who rely on it, for disfavored coverage.” Although the dissenting justices declared that “Congress would not – and did not – craft a statute permitting such a maneuver,” plans appear to be safe in taking this approach, at least for the time being.
Delayed Reaction to Hacking Breach Leads to $875,000 HIPAA Settlement
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced an $875,000 settlement with a university medical center to resolve potential violations of HIPAA’s privacy, security, and breach notification rules. In January 2018, the medical center filed a breach report stating that an unauthorized third party had gained access in November 2017 to a web server that contained electronic Protected Health Information (PHI). According to the report, the hacker installed malware that resulted in disclosure of the PHI of more than 275,000 individuals, including their names, Medicaid numbers, health care provider names, dates of service, dates of birth, addresses, and treatment information. The medical center later reported the unauthorized access had first occurred in March 2016 and had been discovered in September 2016 – but had not been reported previously because the medical center was not aware that PHI was stored on the compromised server. Based on its investigation, OCR determined that the medical center had allowed unauthorized uses and disclosures of PHI and had not implemented adequate security incident response and reporting protocols, conducted an adequate risk analysis or evaluation, adopted adequate audit controls, or provided timely breach notification to individuals or HHS.
In addition to the settlement payment, the medical center agreed to an extensive Corrective Action Plan (CAP). The CAP requires an enterprise-wide risk analysis and corresponding risk management plan, each subject to OCR review and approval. Within 30 days after OCR’s approval, the medical center must revise its privacy, security, and breach notification policies and procedures consistent with the risk analysis and risk management plan. The approved policies and procedures must be distributed to workforce members and incorporated into proposed training materials that, following OCR approval, must be included in training sessions for all workforce members. New workforce members must be trained within 15 days after they start work. The medical center must engage, subject to OCR approval, an independent monitor to analyze and assist with the medical center’s compliance with the CAP. For two years from the effective date, the monitor and the medical center must submit periodic reports to OCR describing compliance with the CAP.
A recent OCR cyber security newsletter explained how an IT asset inventory can strengthen HIPAA security. This resolution agreement provides a concrete illustration of the importance of taking a thorough inventory to understand all the places where PHI is created, received, maintained, or transmitted anywhere within a covered entity’s environment. This medical center may have avoided some of the adverse consequences included in the resolution agreement if it had realized at the outset that the compromised server stored PHI.
Court Denies Remedies for Mental Health Parity Violation
A self-insured health plan denied coverage for a minor child’s residential mental health treatment, finding that the treatment was not medically necessary. The child’s family sued the plan, plan administrator, and claims administrator for – among other things – violating the Mental Health Parity and Addiction Equity Act (MHPAEA). A Utah federal court held that the administrators violated the parity rules by using more stringent criteria to determine medical necessity for mental health benefits than for medical / surgical benefits of the same classification and directed the parties to submit further arguments as to the appropriate remedy.
The court considered the family’s requested relief:
- An injunction preventing the administrators from using the more stringent criteria to evaluate claims for residential mental health treatment while using only plan language to evaluate comparable medical / surgical claims;
- Reevaluation of their claims based solely on plan language; and either
- A “surcharge” of $217,086 to compensate for losses due to the parity violation or
- “Disgorgement or restitution” of $211,757 for out-of-pocket payment of medical expenses.
The court denied the family’s requests, concluding that an injunction was inappropriate because the family did not prove it faced a continued or repeated threat of injury, and reevaluation would be futile because the child’s treatment would not be considered medically necessary, even under the lesser standard of the plan’s language. Based on its finding that residential treatment was not medically necessary even without the application of the additional criteria, the court denied the requests for surcharge, disgorgement, and restitution because no harm or loss had been proven. The court awarded attorney’s fees and costs, in addition to amounts previously awarded as statutory penalties for the administrators’ delay in providing requested plan documents.
MHPAEA litigation by plan participants does not always result in a big payout, especially where, as here, the claim resolution would have been the same even if the parity rules had been followed. Nevertheless, careful adherence to the rules is a must for plan sponsors wishing to avoid costly, time-consuming litigation and potential agency enforcement.
Court Allows Claim for Equitable Relief Based on Fiduciary Breach in ERISA Plan Enrollment
A federal appellate court has reinstated a lawsuit brought by the surviving spouse of a participant in an ERISA-governed life insurance plan. The lawsuit alleges that while helping the participant enroll in $350,000 of supplemental life insurance coverage, the participant’s employer breached fiduciary duties when it did not provide the required form for evidence of insurability or indicate that the form was necessary or missing. Despite the defective enrollment, the employer deducted premiums for the supplemental coverage for three years and provided a benefits summary stating that the supplemental coverage was in effect. After the insurer denied the claim for supplemental benefits because it had never received the evidence of insurability form, the surviving spouse sued the employer under ERISA to recover benefits due under the plan. The employer moved to dismiss, contending that the insurer, not the employer, was obligated to pay plan benefits. Conceding that point, the spouse sought to amend his complaint to sue the employer for breach of fiduciary duty and seek appropriate equitable relief. The trial court dismissed the lawsuit and denied the request to amend the complaint, concluding that an award of lost benefits would be compensatory rather than equitable relief and, consequently, was not recoverable for breach of an ERISA fiduciary duty.
The appellate court reversed, holding that ERISA permits actions to recover money equal to insurance benefits lost due to a breach of fiduciary duty. Citing the Supreme Court’s Amara decision, the court ruled that an equitable surcharge, although a form of monetary relief, is a typical equitable remedy that may be imposed for a breach of fiduciary duty. The court determined that the spouse adequately alleged that the employer acted as a fiduciary by providing enrollment paperwork to the participant, guiding him through it, notifying him when important components – such as proof of dependent eligibility – were missing, providing a benefits summary reflecting supplemental coverage, and deducting premiums for supplemental coverage. Assertions that the employer provided misinformation about benefits and failed to notify the participant about evidence of insurability adequately stated breaches of fiduciary duties. The court rejected the employer’s argument that the spouse impermissibly and inconsistently pled both a claim for benefits and a claim for equitable relief, noting that claimants are allowed to bring alternative claims for relief and – because he lacked a claim for benefits due to the failure to submit evidence of insurability – the spouse must rely on the claim for equitable relief or have no remedy at all.
The line between fiduciary and non-fiduciary actions is sometimes unclear, but employers step into a danger zone when assisting employees with enrollment. This court was obviously troubled by the administrative mistakes that deprived the surviving spouse of substantial insurance benefits. Employers should ensure that staff performing enrollment functions are thoroughly familiar with the terms and conditions of coverage.
This publication was written by Carolyn Cox, Moreton & Company General Counsel. Carolyn provides Moreton & Company clients with Compliance services. For additional questions, please contact her at 801-715-7110 or [email protected].
© 2022 by Moreton & Company. This newsletter is intended to alert recipients to recent legal developments. It does not constitute the rendering of legal advice or recommendations and is provided for your general information only. If you need legal advice, please consult your legal counsel.