CMS |

No Surprises Act IDR Portal Now Open For All Covered Health Claims; Added Deadline Extensions Announced

December 15, 2023

The No Surprises Act (“NSA”) Federal Independent Dispute Resolution (“IDR”) portal now is reopened for processing all health benefit disputes covered by the NSA between health care providers, facilities, and providers of air ambulance services (“providers”), and group health plans, health insurance issuers, and Federal Employee Health Benefits Program carriers (“payers”) (collectively, “disputing parties”). The Departments of Health & Human Resources, Labor and Treasury (“Departments”) reopened the IDR Portal on December 15, 2023 for all types of NSA-covered claims including previously initiated batched disputes, new batched disputes, and new single disputes involving air ambulance services.

As part of its provisions to protect patients from “surprise bills” or out-of-network services covered bu the NSA, the NSA establishes rules and procedures for providers and payers to determine the appropriate out-of-network payment rate for out-of-network services received by patients enrolled in covered payer programs. Where payers and providers cannot agree about the appropriate payment rate using other NSA procedures, the IDR portal is the online system established under the NSA for disputing payers and health care providers arrange for a certified IDR entity to resolve disagreements about the appropriate out-of-network payment rate for items and services subject to the surprise billing protections in the NSA through a process in which the certified IDR entity reviews offers made by each disputing party along with supporting information about the dispute. Once established under the NSA, payers are required to pay providers the appropriate payment rate for the covered out-of-network services provided to the member patient and the provider is prohibited from balance billing charges in excess of the appropriate payment rate for those services. The Departments previously suspended the operation of the IDR portal earlier this year after a federal court ruled that rules adopted by the Departments implementing the NSA violated the NSA.

In connection with the reopening of the IDR Portal, the Departments also announced the following extensions of the applicable IDR deadlines for the initiation of new batched disputes and new single disputes involving air ambulance services, resubmission of disputes determined by certified IDR entities to be improperly batched, and selection or reselection of a certified IDR entity.

Parties for whom the IDR initiation deadline under applicable regulations fell on any date between August 3, 2023 and December 15, 2023 will have until the 20th business day after the Federal IDR portal reopens, which is January 16, 2024, to initiate a new batched dispute or a new single dispute involving air ambulance services. Parties for whom the IDR initiation deadline falls between December 16, 2023 and January 15, 2024 will also have until January 16, 2024 to initiate a batched or air ambulance dispute. Parties whose initiation deadline falls on January 16, 2024 or after will have the usual 4 business days after the end of the Open Negotiation Period, or if the dispute is subject to the 90-calendar-day suspension period following a payment determination, the usual 30 business day period, to initiate a batched or air ambulance dispute in the Federal IDR portal.
For batched disputes and single disputes involving air ambulance services initiated under extensions of deadlines after the Federal IDR portal reopens, the deadline for the parties to jointly select a certified IDR entity will be 10 business days after initiation.
For disputing parties that were engaged in certified IDR entity selection for batched disputes when the Federal IDR portal temporarily closed, the deadline for parties to jointly select a certified IDR entity will be 10 business days after the Federal IDR portal reopens, which is December 29, 2023.
An initiating party that has received a notification from a certified IDR entity that a dispute initiated before August 3, 2023 was improperly batched will have one opportunity to resubmit the improperly batched items and services for reconsideration within 10 business days of being notified by the certified IDR entity, provided that the initiating party’s 4-business-day period to resubmit the batched dispute expired between August 3 and August 9, 2023.
The deadline to submit fees and offers will remain 10 business days after certified IDR entity selection.
Disputing parties with batched disputes that were impacted by the temporary suspension of use of the notice of offer form will be granted an additional 10 business days to submit offers, as communicated to impacted disputing parties by email from the Federal IDR Inbox.

The deadline extensions announced December 15, 2023 supplement extensions the Departments previously announced in November, 2023. On November 22, 2023, the Departments used their statutory authority (Internal Revenue Code Section 9816(c)(9), ERISA Section 716(c)(9), and PHS Act Section 2799A-1(c)(9)) to grant extensions in the following circumstances:

Disputing parties may request additional time, beyond the current business day deadline, to respond to the certified IDR entity’s requests for additional information. The Departments instructed certified IDR entities to grant such requests through January 16, 2024.
Certified IDR entities may provide parties, upon request, an additional 10 business days after the original offer deadline to submit an offer. Certified IDR entities may provide parties this additional time, as needed, through January 16, 2024.

On November 29, 2023, the Departments also announced another extension of the timeline for disputing parties to select a certified IDR entity. Under this extension, disputing parties will have 10 business days to select a certified IDR entity for all disputes through January 16, 2024. This extension will be provided automatically and does not require a request by disputing parties.

The Departments already announced the November 22, 2023 and November 29, 2023 extensions until January 16, 2023 for new single and bundled disputes and these extensions will persist for all disputes until January 16, 2023.

In connection with their full reopening of the IDR portal, the Departments renewed prior reminders to parties accessing or using the IDR portal to clear their computer’s cache or open the Federal IDR initiation web forms in a private or incognito window to see all the new features at least once a week to ensure access to the most up-to-date version of the initiation form as the Departments continue to implement Federal IDR web forms to accommodate guidance-related and system enhancements. Users failing to follow this recommendation risk additional follow-up with certified IDR entities or system errors. 

Users also are encouraged to review other previously published guidance, including No Surprises Act (NSA) Independent Dispute Resolution (IDR) Batching and Air Ambulance Policy Frequently Asked Questions (FAQs), FAQs about Affordable Care Act and Consolidated Appropriations Act, 2023 Implementation Part 63 (FAQs Part 63), FAQs about Consolidated Appropriations Act, 2021 Implementation Part 62 (FAQs Part 62), and the August 2023 IDR Administrative Fees FAQs for further information. Parties can also reference

Parties should reference the No Surprises Act (NSA) Independent Dispute Resolution (IDR) Batching and Air Ambulance Policy Frequently Asked Questions (FAQs), FAQs about Affordable Care Act and Consolidated Appropriations Act, 2023 Implementation Part 63 (FAQs Part 63), FAQs about Consolidated Appropriations Act, 2021 Implementation Part 62 (FAQs Part 62), and the August 2023 IDR Administrative Fees FAQs for further information. Parties can also reference updated IDR system job aids and updated guidance documents for further information.

Questions can be directed to the Federal IDR mailbox at FederalIDRQuestion@cms.hhs.gov. Any additional updates will be provided at www.cms.gov/nosurprises as they become available.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Leave a Comment » | Health Care | Tagged: air ambulance, arbitration, balance billing, CIICO, CMS, debt, Health, Health Care Reimbursement, Health Insurance, Health Plan, Hospital, law, no surprises act, Patients, Physician | Permalink
Posted by Cynthia Marcotte Stamer

Banner Health Pays $1.25 Million To Settle Cybersecurity Breach Impacting Nearly 3 Million Individuals

February 3, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the personal health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health care providers, health plans, health care clearinghouses (“covered entities”) and business associates covered by HIPAA to guard their own systems containing protected health information against breach by cyber hacking.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations OCR identified specifically included:

A lack of an analysis to determine risks and vulnerabilities of electronic protected health information across the organization;
Insufficient monitoring of its health information systems’ activity to protect against a cyber-attack;
Failure to implement an authentication process to safeguard its electronic protected health information; and
Failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’s announcement of the settlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as a warning, “Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near-miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board-level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because of susceptibilities in systems, software and other vendors of business associates, suppliers and other third parties, covered entities and their business associates should use care to assess and manage business associate and other vendor-associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment-based health plans covered by the Employee Retirement Income Security Act (“ERISA”) risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third-party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American Bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information