No Port in a Storm? Crucial Safe Harbor Still in Doubt under New Medicare Section 111 Reporting Requirements

Insurance companies and self-insured businesses that pay liability claims arising from bodily injury to Medicare beneficiaries will start 2010 facing onerous new reporting requirements under Section 111 of the Medicare, Medicaid, and SCHIP Extension Act of 2007 (MMSEA).  The new mandatory insurer reporting requirements were adopted in part to facilitate the government's recovery of medical expenses paid conditionally by Medicare, from insurers and self-insured businesses that subsequently are determined (through settlements or judgments) to have the primary obligation to pay such expenses.  Adding to the pain, the reporting regime will require information pertaining to claimants that insurers and tort defendants often do not have in their possession and may not be able to obtain, rendering compliance literally impossible.  Until recently, many observers believed that this fundamental problem would be mitigated by a "safe harbor" provision protecting companies that have attempted in good faith to obtain the necessary information from claimants.  Recent statements from the Centers for Medicare & Medicaid Services (CMS), however, suggest that this optimism may have been misplaced-potentially leaving companies subject to ruinous penalties for essentially unavoidable reporting violations.  Although there is still time for CMS to take corrective action, the uncertainties and inconsistencies in the agency's guidance to date make it impossible for any company to develop a reliable compliance program or to protect itself fully from unfair penalties.

The backdrop for this regulatory shipwreck is a long-standing statutory provision, the Medicare Secondary Payer (MSP) statute, that deems Medicare to be the "secondary payer" for any medical costs that also are covered by a group health plan, liability insurance (including self-insurance, which CMS construes to include any deductible or self-insured retention), workers compensation insurance, or no-fault insurance.  Where Medicare has paid the medical expenses of a Medicare beneficiary, and the same expenses have been paid or will be paid by an insurer or self-insured entity, the statute under certain circumstances permits Medicare to recover the amount of its conditional payment from the Medicare beneficiary, the health care provider, or the insurer or self-insured business.

In 2007, Congress amended the MSP statute to impose the new reporting requirements, which are intended to facilitate Medicare's coordination of benefits and recovery efforts by alerting it to the resolution of claims involving bodily injuries to Medicare beneficiaries.  The new reporting regime promises to be burdensome for all reporting entities, but it poses a special threat to liability insurers and self-insureds facing third party liability claims, which in many instances are likely to find compliance impossible because they do not routinely receive-and cannot obtain-certain of the necessary information.  Notably, claim reports must include either the claimant's Health Insurance Claim Number (HICN) or the claimant's Social Security Number (SSN), but that information frequently is not in the possession of liability insurers or self-insured entities responding to tort claims.  Moreover, there is no statutory requirement for claimants to provide this information to the insurers and self-insured entities that make payments on bodily injury claims and therefore are obligated to report to Medicare.

Although compliance with Section 111 may be impossible, the potential penalties for reporting violations are severe.  A responsible reporting entity (RRE) that fails to report claims or submits late reports is subject to a statutory penalty of $1,000 per claim, for each day of violation.  For insurers or large self-insured entities facing substantial numbers of claims, penalties could quickly reach millions of dollars.

Many observers had assumed, based upon informal comments made by CMS representatives, that reporting entities who in good faith attempt to acquire necessary information from claimants, using a form request developed by CMS, would be protected against such penalties if claimants failed to respond or refused to provide the information.  A "safe harbor" makes sense in the context of liability insurers and self-insured entities that have no contractual relationship with the claimant, do not control the claimant's actions, and have no legally enforceable means for obtaining information from the claimant.

Although CMS recently published the prescribed form for requesting HICNs or SSNs from claimants, an agency "Alert" published on the CMS website stated only that the reporting entity would be considered "compliant" if it has obtained "a signed copy" of the form from the claimant.  ALERT: Compliance Guidance Regarding Obtaining Individual HICNs and/or SSNs for Non-Group Health Plan (NGHP) Reporting Under 42 U.S.C. 1395y(b)(8) (dated August 24, 2009).  Significantly, the agency's "Alert" did not explicitly address whether insurers and self-insureds would be protected if they transmit the form to a claimant, but the claimant fails or refuses to return it.  If protection is limited to instances in which the claimant returns the signed form to the insurer, the "safe harbor" is not really safe at all. 

It appears certain that many claimants will simply ignore or refuse to sign or return the form.  Claimants have little or no incentive to provide the requested information to liability insurers or self-insured entities, and in some circumstances they arguably have an incentive not to make the disclosure.  Indeed, CMS implicitly acknowledges that Medicare law imposes no legal obligation on claimants to provide the requested personal information, and without apparent irony has provided a space on the form for the claimant to explain the "Reason(s) for Refusal to Provide Requested Information."  Many observers believe that large numbers of claimants, however, will provide no such explanation and instead will simply ignore the request -- leaving the requesting entity with no signed copy of the form.  

In a town-hall teleconference on September 30, 2009, CMS representatives appeared to depart from the written guidance contained in the CMS Alert, and implied that the safe harbor might extend more broadly if the insurer could prove that it has a "process" in place to obtain information from claimants and could prove delivery  of the request form to a specific claimant by certified mail or otherwise.  But the CMS representatives did not define what sort of "process" the agency would regard as sufficient; did not address definitively what "proof" of delivery the agency would require (although in at least one instance agency representatives referred to the possible use of certified mail, a potentially costly exercise given the large number of claimants to be contacted); and suggested that the request form might have to be transmitted to the claimant more than once (particularly if there is a delay between the initial request and settlement of the claim) without providing any guidance regarding the length of delay or other circumstances that would trigger the need for a second request.  Adding to the confusion, the CMS representatives also appeared to suggest attempting to acquire the information through informal communications with the claimant before using the request form -- a concept that finds no support in CMS's prior written guidance-but did not provide any rationale for that approach and did not address the potential ethical problems that such an approach might pose for defense counsel in some circumstances.

The discussion in the September 30 teleconference was helpful to the extent that it suggested possible recognition by CMS that the safe harbor should extend to circumstances in which the claimant fails or refuses to sign and return the form, but it left potential RREs largely in the dark as to how they should structure their compliance programs.  At this point, insurers and self-insured entities have no way of reliably predicting whether they will be subjected to penalty assessments notwithstanding good faith efforts to obtain the required personal information from claimants.

Subsequent CMS teleconferences have addressed certain aspects of the safe harbor issue, at least obliquely, but have done little to eliminate the confusion.  For example, in a teleconference conducted by CMS on October 22, 2009, insurers raised questions regarding their inability to compel claimants to provide HICNs or SSNs, without which it is impossible to report claims.  CMS responded that a claimant who is a Medicare beneficiary would have an obligation to provide the HICN or SSN to the insurer, but that a claimant who is not a Medicare beneficiary would not be obligated to respond.  CMS, however, offered no statutory or regulatory authority for the proposition that Medicare beneficiaries have an obligation to provide information to liability insurers.  Although CMS on other occasions has alluded to a somewhat amorphous regulation obligating Medicare beneficiaries to "cooperate" with the agency's efforts to recover conditional payments, that regulatory provision does not expressly or implicitly require beneficiaries to provide any information to, or to cooperate with, liability insurers or self-insured entities.  The harsh reality is that insurers have no legal means to compel a response from claimants, and in the absence of a voluntary response will be unable to determine whether the claimant is a Medicare beneficiary and thus unable to report the claim.

At this writing, given the inconsistencies in CMS's statements and the imprecision in some of its comments, it is unclear whether CMS intends to foreclose safe harbor protection in situations in which the claimant fails or refuses to return the information request.  The restriction of safe harbor protection to circumstances in which the claimant signs and returns the form would leave reporting entities at risk of draconian penalties, despite the impossibility of compliance. 

The imposition of stiff monetary penalties upon RREs that are unable to report because they are unable to obtain the necessary information from claimants raises significant constitutional issues, and may violate the Excessive Fines Clause of the Eighth Amendment.  Fines, including civil penalties and forfeitures payable to the government, violate the Excessive Fines Clause if they are "grossly disproportional to the gravity of a defendant's offense." United States v. Bajakian, 524 U.S. 321, 334 (1998) (forfeiture of $357,144 in cash, based on "solely a reporting offense" when defendant failed to declare that he was transporting more than $10,000 in currency out of the country, held constitutionally impermissible).  Similarly, Medicare Section 111 penalties that are asserted based upon an RRE's failure to report information that it does not have and cannot reasonably acquire are unlikely to pass constitutional muster.

Medicare need not force such a constitutional showdown, nor engage in wishful thinking that companies will somehow report information that they do not have.  Section 111 reporting commences in the second quarter of 2010 (although RRE registration and data transmission testing already are underway).  There is still time for CMS to issue revised guidance providing a realistic safe harbor that protects RREs that have, in good faith, transmitted the CMS form request to claimants, but have been unable to obtain either the requested information or a signed copy of the form.  In the absence of such clarification by CMS, liability insurers and self-insured businesses would be ill-advised to assume that they are protected from penalty claims when their good faith information requests have gone unanswered.  Instead, we suggest that RREs develop a written protocol establishing a routine procedure for requesting the necessary information from each claimant; transmit the CMS form request to each claimant in accordance with such protocol; diligently document the date and mode of transmission for each such request; and prepare for the possibility of penalty disputes with CMS.