As prescription drug use explodes and prices soar, health plans are increasingly being forced to tap other avenues and patient advocacy
Get the peace of mind and support it takes to self-fund your healthcare.
Self-insuring your healthcare benefits can open up new possibilities for your business — affording you greater flexibility in how you manage your healthcare spend. Trust the expert team at QBE to tailor a solution that meets your unique needs.
We offer a range of products for protecting your assets, your employees and their dependents:
• Medical Stop Loss
• Captive Medical Stop Loss
• Organ Transplant
• Special Risk Accident
We'll find the right answers together, so no matter what happens, your business is prepared.
By Caroline McDonald
By Bruce Shutan
By Greg Lyon
By Laura Carabello
Banking on Rx Alternative Funding
As prescription drug use explodes and prices soar, health plans are increasingly being forced to tap other avenues and patient advocacy
Written By Bruce Shutan
SSpecialty
drugs, along with cell and gene therapy, have made a growing number of scripts unattainable for many working Americans. However, self-insured health plans have several avenues of alternative funding and patient advocacy at their fingertips to help defray enormous price tags.
One such source, patient assistance programs (PAPs) also known as medication assistance programs, come courtesy of pharmaceutical manufacturers that are able to earn goodwill with the public, along with tax breaks. However, the rising cost of prescription drugs, tightening Rx margins and a federal crackdown on high prices have pared the number of PAPs, which some insiders are predicting will disappear altogether.
Another is the 340B federal subsidy set up in 1992 for those in need of charitable care, which is ascending. It’s now the second-largest federal prescription drug program behind Medicare Part D. However, 340B has sparked a congressional investigation and federal lawsuits and even triggered a Supreme Court ruling. Created to support hospitals that care for a disproportionate number of low-income patients, it requires discounts on outpatient drugs by as much as 20% to 50% off the list price. A tug of war has ensued between pharmaceutical manufacturers miffed about lost profits and safety-net hospitals wanting to preserve a lifeline for cash-strapped facilities.
In addition, there are many opportunities to land grants to reduce out-of-pocket costs for the neediest patients. But even with the best of intentions in mind, the Rx alternative funding market is rife with fraudulent activities or egregious practices involving service providers, PBMs and brokers exchanging fees below the radar that compromise savings.
PASSING ALONG SAVINGS
While alternative funding may target the neediest patients, the swath of assistance is potentially wider than meets the eye. “People often assume that in order to be effective through the advocacy process that the patient has to be nearly qualifying at an indigent income level or no income, and that’s not true,” explains Bill Stafford, a recently retired principle with Rx Help Centers, an independent patient advocacy group for prescription drug use.
Those who qualify for a PAP typically earn $75,000 gross adjusted income as individuals and $100,000 for families, according to Ryan Rice, president and founder of Prism Health Group, LLC, which provides consulting and analytics solutions in the pharmacy benefits space. They’re able to receive drugs at a highly subsidized rate or at no cost whatsoever. He says another type of funding involves copay assistance for patients with insurance who are underinsured as more of a true subsidy.
The trick is seeing through industry smokescreens. Pharma earmarks as much as 56 cents on the dollar for rebates, patient assistance or coupons, reports Anthony Masotto, general manager and executive VP for Drexi, an AMPS Company and PBM devoted to price transparency. The real issue, however, is that it doesn’t get back to the end user. He explains further: “If you look at the drug Stelara, for example, it’s $25,000 a month. The rebate on that drug is around $15,000. But the plans never get to that because the group purchasing organization, PBM and brokers take their piece, and so now, all of a sudden, you’re
buying a drug for $25,000. You might get a $5,000 rebate. You’re netting out $20,000, but you really should be netting out somewhere around $10,000.”
Without question, alternative funding entities have good intentions. Masotto notes that AbbVie was the first to catch on that patient access was being limited and involved jumping through loopholes as drugs became very expensive really quickly. But they’re still going to charge $7,000 a month or $100,000 a year for a drug that they’re selling in other parts of the country for a fraction of that, he adds.
WEIGHING MULTIPLE OPTIONS
More than half of the several hundred resources Rx Help Centers taps throughout the year as a patient advocate do not involve pharmaceutical manufacturers. “You may only have one or two patients with a particular resource,” Stafford says, “but that’s the difference between active advocacy and just some type of an alternative funding mechanism. Whenever we save patients money through the advocacy process, we save the employer groups hundreds of millions a year.”
He says there are many types of programs available, including independent grants and patient foundations, some of which are public while others are private. There are also discounted
Depend on Sun Life to help you manage risk and help your employees live healthier lives
By supporting people in the moments that matter, we can improve health outcomes and help employers manage costs.
For over 40 years, self-funded employers have trusted Sun Life to help them manage financial risk. But we know that behind every claim is a person facing a health challenge and we are ready to do more to help people navigate complicated healthcare decisions and achieve better health outcomes. Sun Life now offers care navigation and health advocacy services through Health Navigator, to help your employees and their families get the right care at the right time – and help you save money. Let us support you with innovative health and risk solutions for your business. It is time to rethink what you expect from your stop-loss partner.
Ask your Sun Life Stop-Loss Specialist about what is new at Sun Life.
purchasing opportunities through both domestic and international sourcing through so-called tierone countries such as Canada, New Zealand, Australia, the U.K. and France.
Oftentimes, Stafford notes that situations arise wherein the relationship with a particular vendor becomes invaluable. One example is the infusion therapy space, where a service provider may have access to better patient prices for onsite or home infusion or whatever the particular drug calls for. “There are ways of getting pretty good discounts with some of those organizations that provide those services that may or may not be the preferred vendors of the carriers,” he adds.
To vet the integrity of Rx alternative funding, self-insured employers are advised to pay close attention to shared savings, which Rice says is the primary method and mechanism for how fees are garnered.
“There’s only so much juice in the sweets and the math – and how it’s ultimately performed in front of a client can be quite extravagant,” he observes. “Let’s call it sales math... The starting point in the calculation of savings is oftentimes very much against the employer, meaning the average wholesale price is not what is paid if they don’t have patient assistance. They’re paying a discount off of the average wholesale price.”
If the average wholesale price of Humira is $10,000, for example, the discount that the PBM applies is about 20%, or $2,000, that’s being applied to that transaction. “So why should I pay a 20% premium for that?” Rice asks.
“I am saving a lot in terms of not having to pay for the drug,” he continues. “But that basis of savings should be $8,000, not $10,000, and that optic is very complex for folks to understand. They don’t know what AWP is; they think it means ‘ain’t what’s paid,’ and they’d be right. But the fact is, it’s that tactic that we find the most prevalent. They’re calling them marketing fees or some other kind of fee that falls outside the realm of what the 5500 and Consolidated Appropriations Act demands. That’s why we have tried to commoditize these programs by capping fees with flat dollar amounts instead of this open-ended shared saving.”
With alternative funding, the goal is to obtain a true transparent or pass-through arrangement that passes along savings to the patient. “They’re adding on a transactional or per-fill fee, or they’re doing a flat PEPM administrative charge,” Stafford says, “but the cost of the drug is the cost of the drug that your self-funded client is paying to that PBM.”
There are players in the Rx alternative funding space that may misrepresent patient income, number of dependents and other things that have an impact on qualifying a patient, he warns. “It’s a bad thing for the industry,” he says. “But in recent years, there have been a number of those who have gotten caught with their hands in the cookie jar. If any buyer is taking a percentage savings as a PEPM or some type of a fixed-fee arrangement, I think they’re working on a very thin tightrope.”
THE FATE OF PAPS
Massive expenditures associated with expensive products such as Humira and Cosentyx are wreaking havoc to a point where half of the overall pharmacy spend is for specialty pharmacy, Rice explains. He says this is why there’s such a high demand to offer patients financial relief.
The genesis of PAP, which his firm began warning four years ago would eventually vanish, was to provide a meaningful cost offset and relief for patients who needed it most, as well as employers.
Medications under PAPs are covered, generally speaking, for a year, and when it comes time to renew those prescriptions, the drug manufacturer will request updated income verification information,
explains Mary Ann Carlisle, COO of ELMCRx Solutions, LLC, a PBM solution hub. Many times, she says doctors will apply for medications on behalf of their patients.
These strategies help manage specialty medications, which account for 35% to 55% of an employer’s drug spend and typically fewer than 5% of claimants, she notes. “So usually in these programs, you don’t have that many people, maybe 10 or 15 per 1,000, that these alternative funding companies manage and procure the medications for,” according to Carlisle.
PBMs have responded in kind to both demand and opportunity for alternative funding. There’s a segment of PBMs that aren’t the Big Three with different mechanisms and levers that have to be flexible in meeting the consumer where they are, Rice explains. In many cases, he says, it has resulted in building PAPs that ultimately help employers offload some of the Rx cost. “The shelf life of these programs is very much limited in some of the lawsuits that we’ve seen against Payer Matrix, ScoutRx and others, which are very much good examples of where and why this is bound to change, and how I think employers were getting why the getting was good,” he says.
There are caveats to consider along the way to procuring PAP funding. “Patient assistance is going away,” Masotto bluntly reports. “Gentech just pulled out and redid their contract. Johnson & Johnson and AbbVie are all following suit, saying, ‘If you have commercial insurance, I don’t care if you carve anything out or not. We are not going to approve you for free drugs.’ What’s happening now is all of these bolt-on vendors were making a lot of money on that, 25% or 30% of savings. Then, you have to factor in the loss of rebate and member copay.
“You have to be very careful about the entities that you do
Start Realizing the Possibilities!
Ringmaster is dedicated to developing cloud-based software that will improve your Stop-Loss and PBM quoting, administration, and the reporting capabilities for Carriers, Managing General Underwriters (MGUs), and PBMs. By partnering with Ringmaster you will:
• Increase revenue
• Improve vendor partnerships and contracts
• Reduce processing time and complexity
• Access extensive data warehouse
• Receive real-time actionable analytics
Step Into the Ring and utilize Ringmaster’s cloudbased solutions to make your business thrive!
this stuff with,” he continues in cautioning self-insured health plans, “because now you are creating another hurdle for members to acquire their drugs. Is all of that worth it now for a 10% savings vs. where it should be 30% to 40%? And are some of these entities moving drugs that shouldn’t be moved in the first place? Discounts mean nothing because they can be manipulated.”
Aside from PAPs, there are other opportunities for employers to reduce costs for their neediest health plan members. Grants, for example, are most prevalent with highly complex treatments such as gene and CAR T-cell therapies, or orphan-class drugs, according to Rice. He says cystic fibrosis is “another good example of where some manufacturers are the only gig in town and know they have the golden goose.”
In instances where the complexity of care is significantly higher, Rice notes that more charitable organizations, such as faith-based entities and not-for-profits like the American Cancer Society, have created pharma-aligned programs. That’s because pharma receives valuable
research and information through different kinds of opportunities to collaborate with patients.
UNPACKING 340B PROGRAMS
As suggested earlier, the federal government appears to be a safer conduit for helping dispense Rx discounts than pharmaceutical manufacturers, but there’s a logical explanation as to why that’s the case. Under the 340B program, hospitals are able to purchase drugs at next to nothing or very low prices in contrast to conventional wholesale contracts and sell them for a significant markup. This allows facilities that
We know what it’s like to feel FOMA, or Fear Of Missing Anything. That’s why we invented Curv®, so you can zero in on catastrophic claims risks with the industry’s most predictive and trusted risk score, making it easier than ever to see more stop loss risks and opportunities—and competitively price plans across your spectrum of underwritten groups.
target underserved populations to mine another revenue stream to help keep their doors open. “I think there’s this misconception across much of the market about getting the shaft by hospitals because they’re buying them cheaply,” Rice observes.
If the 340B program were to go away, he cautions that the U.S. healthcare system would crater because so much of care is delivered in disproportionateshare hospitals, research facilities, federally qualified health centers and criticalaccess hospitals. “Many of these
institutions make millions of dollars in terms of the revenues from 340B,” he adds. “If that were to just atrophy and go away, we would be looking at one of the largest crises in American healthcare that we’ve ever seen. So, it’s too big to fail.”
Whatever the future holds for 340B, Carlisle expects the emergence of a catastrophic fund that people will contribute to in the future, which will cover the exorbitant cost of cell and gene medications. The thinking behind this concept is that it will be well managed and peeled out of the regular plan. “Ultimately, that fund will have enough of these claims to potentially do some negotiating,” she says. “When you can get everything together and have the power of bargaining, that’s potentially a plus.”
Bruce Shutan is a Portland, Oregon-based freelance writer who has closely covered the employee benefits industry for more than 35 years.
Steadfast protection for the unpredictable
Stop Loss coverage that weathers any storm
Our Stop Loss Insurance mitigates the impact of devastating medical claims through flexible contracts, customizable plans and a consultative, client-focused approach. Our experience and service in the Stop Loss market has provided a guiding hand for nearly half a century - while maintaining a pulse on new trends. We work with self-funded groups down to 100* lives and individual deductibles down to $25,000. Our Stop Loss Edge program offers an innovative way to take advantage of self-funded health plan coverage for employers with 100*-500 employees. Whether you’re carving out Stop Loss for the first time or an experienced client looking for cost containment solutions, we can help. We’ll be by your side every step of the way.
Visit voya.com/workplace-solutions/stop-loss-insurance for more information
* 150 enrolled employee minimum for policies issued in CA, CO, CT, NY, or VT. Stop Loss Insurance is underwritten by ReliaStar Life Insurance Company (Minneapolis, MN) and ReliaStar Life Insurance Company of New York (Woodbury, NY). Within the State of New York, only ReliaStar Life Insurance Company of New York is admitted, and its products issued. Both are members of the Voya® family of companies. Voya Employee Benefits is a division of both companies. Stop Loss Policy #RL-SL-POL-2013; in New York Policy #RL-SL-POL-2013-NY. Product availability and specific provisions may vary by state.
Overcoming Vulnerabilities for Stewards of Member Health Data and Information
IWritten By Laura Carabello
It’s just mid-year 2024, and the U.S. healthcare industry has already experienced some of the most dangerous cyberattacks in history, with unprecedented breaches in terms of stolen health and personal data. Healthcare organizations nationwide, including selfinsured companies, now wonder if they, too, are vulnerable – and how to thwart these criminal attacks. As a caveat, cybercrime can follow each one of us home with devastating effects on our personal lives.
The healthcare sector is increasingly facing cyber threats and over the last five years, analysts report there has been a staggering 256% rise in significant hacking-related breaches and a 264% surge in ransomware incidents reported to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR). Companies covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS of data breaches involving protected health information, such as medical data and patient records.
In response, many advisors recommend that covered entities and business associates subject to HIPAA re-double their efforts and proactively attempt to diminish or prevent this growing menace.
According to Scott Fuller, chief of cybersecurity at CyberPro Partners, a HealthWare Systems company, “No healthcare entity is immune from a cyberattack, and every single person in the organization has the same threats and the same troubles in terms of trying to remain safe with cybersecurity. Today, a third-party audit confirming security is virtually mandatory, especially for small to mid-size organizations that can ill afford to have a full-time cybersecurity specialist constantly looking at their vulnerabilities. This is an underserved, fastgrowing market that desperately needs protection from the growing legions of cybercriminals.”
Source: Health Day News
In the past, Fuller says that it was considered healthy to have a “penetration test” performed annually. Someone would pose as
a hacker and try to uncover vulnerabilities, repeating the test the following year to see if all the holes were plugged.
“Fast forward to today where these cyber criminals are coming out so fast with hacking techniques, monthly testing is a necessity,” he says.
“Organizations need to be aware of what occurred even in the past week, recognize the weaknesses and determine how to fix it –apply the patch from the software company, restart the server and know that the vulnerability is gone. But if you’re not doing that on a monthly basis, it may get to the point where the system needs to be looked at constantly. It’s just the ever-evolving world of cybercrime.”
The cascade of hacking events this year followed the 725 large security breaches in healthcare reported to the DHHS OCR in 2023, beating the record of 720 healthcare security breaches set the previous year. Even the federal government is vulnerable. The Cybersecurity and Infrastructure Security Agency (CISA) reported that Russian government-linked hackers stole correspondence between a number of U.S. federal agencies and Microsoft in a months-long hack this year. CISA’s disclosure in April is the first acknowledgment that federal agency emails with Microsoft were stolen.
DATA BREACH
A data breach occurs when sensitive information is accessed or disclosed without authorization, posing a risk to individuals or organizations. Such breaches can put various types of data at risk, including personal, financial, and medical information.
Source: Health Day News
Here’s a snapshot of high-profile healthcare cyberattacks reported thus far in 2024:
January
•Concentra Health Services: Protected health information (PHI) of nearly 4 million patients was compromised in the cyberattack the previous year on Perry Johnson & Associates, Inc. (PJ&A), a provider of medical transcription services to healthcare facilities. The files contained the PHI of individuals, potentially including names, dates of birth, addresses, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service.
• INTEGRIS Health reported that 2.4 million patients had been affected in a December 2023 cyberattack. Patients received extortion emails informing them that their data had been stolen in a cyberattack on the healthcare network and that the data would be sold to other threat actors if they did not comply with the extortion demand.
• Eastern Radiologist, Inc., North Carolina, revealed unauthorized access to its network at the close of 2023, affecting data from over 886,000 patients. Some documents were accessed and/or copied from their system containing various patient data, potentially including names, contact information, Social Security numbers, insurance information, exam and/or procedure details, referring physicians, diagnoses, and/or imaging results. As a result,
February
• UnitedHealth Group’s (UHG) Change Healthcare was victimized by a ransomware attack, compromising the data from one-third of Americans and now characterized as one of the worst hacks to hit American healthcare as malicious hackers stole compromised credentials on an application that allows staff to remotely access systems. UHG manages 15 billion transactions per year and touches one in every three patient records. UHG conceded both that it had paid the cybercriminals $22 million, and that patient data nonetheless ended up on the dark web -- and information may still remain vulnerable. UHG expects between $1 billion and 1.15 billion USD in direct costs this year as a result of the attack and forecasts a further $350 million to 450 million USD as a result of business disruption, including lost revenue. The State Department is now
offering a $10 million bounty for information on ALPHV or BlackCat, the cybercriminal gang behind the breach. Another hacker group, which calls itself Ransomhub, posted 22 screenshots on the dark web for about a week.
•Lurie Children’s Hospital, Chicago, reports cyber criminals took down the electronic health record systems and MyChart online, although these patient-facing systems have since been reactivated.
•Medical Management Resource Group, operating as American Vision Partners and providing administrative support for ophthalmology practices, announced unauthorized access to its network the previous November. Hackers had obtained personal information belonging to patients of American Vision Partners’ clients, including names, contact details, dates of birth, medical records, and, in some cases, Social Security numbers and insurance details, impacting approximately 2.35 million individuals.
April
•Kaiser Permanente, which operates 40 hospitals and 618 medical facilities, reported a breach in April, purported to be the largest data breach reported so far this year to the HHS’ OCR and impacting 13.4 million current and former plan members. The data breach purportedly stemmed from tracking technology
a Leading National TPA
• Custom built, scalable plans Innovative solutions, built around you. Your employees are unique. Your health plan should be, too.
• Specialized, in-house teams
• Guided performance analysis and consultation
• Full-service concierge team
• Next-gen navigation tools
• Strategic point solution partnerships
– which has since been removed from their websites and apps- that unwittingly shared patient information with advertisers and third-party vendors, such as Microsoft, Google and X (formerly Twitter.) These vendors were able to access information -- patient names and I.P. addresses, indicators that they were signed into a Kaiser Permanente account and the ways they navigated different websites or applications.
•City of Hope, a cancer hospital operator and clinical research organization, disclosed a data breach that compromised the personal and health information of 827,149 patients. The suspicious activity began late in 2023 when the organization engaged a leading cybersecurity firm that determined that hackers accessed its I.T. systems. Hackers stole files that may have contained patient names, contact information such as email addresses and phone numbers, dates of birth, Social Security numbers, driver’s license or other government identification, financial details (such as bank account numbers and/or credit card details), health insurance information, medical records and information about medical history and/or associated conditions, and/or unique identifiers to associate individuals with City of Hope, like a medical record number.
May
•Ascension, the St. Louis-based nonprofit Catholic health system that runs 139 hospitals and 40 senior living facilities across the country, confirmed a hit by Russian-speaking ransomware group Black Basta. This led to a diversion for emergency medical services and interruption in services concerning its electronic health records system (EHR), among other tools. The system is already facing patient class action lawsuits alleging harm from exposure of private information which they claim was “foreseeable and preventable” if Ascension had implemented “adequate and reasonable cybersecurity procedures and protocols.”
LESSONS LEARNED
“The lesson re-learned is you don’t have to get directly attacked to be affected,” says Rob Gelb, CEO, Valenz Health, noting that thankfully, Valenz has not experienced a cyberattack, but leadership at the very top fully supports and backs I.T. Security. “Cybersecurity is a team sport and preventing a breach with reasonable protections and strategies costs far less than getting compromised. Collectively, healthcare information security teams should start collaborating and sharing the best security practices they are implementing.”
He recalls an incidence in 1980 following the MGM Grand fire when MGM shared everything they learned from that experience with all the casinos on the strip. They all realized one casino’s tragedy was everyone’s tragedy.
“Third-party security assurance goes part of the way but lacks team collaboration,” says Gelb. “I want a format that inspires companies to help each other openly.”
Gordon Thompson, FCAS, FSA, MAAA, actuarial consultant, Amerisk Consulting, shares this response to the Change Healthcare attack, “The attack is being attributed to the absence of multi-factor authentication, which left the remote systems vulnerable. To create a secure environment, you need to include every member of your team as an active participant in your digital security team. Some portions of your risk can
be secured by forced software updates to the most secure versions and patch known vulnerabilities.”
According to Verizon’s Annual Data Breach Incident Report, 74% of all breaches include a human element, to which Thompson advises, “Frequently educate your employees about the latest data breaches and their causes and how they can avoid them. Empower your entire team by arming them with information and best practices. Knowing what your risks are and constantly working to secure them is only one step in guarding against this type of breach, but it’s a foundational one.”
He says we all need to make sure we cover at least the basic cyber defensive tactics, warning, “Cyber criminals are frequently one step ahead of the best security practices, innovating and finding new ways to hack into sensitive systems. However, this attack was due to a lack of multi-factor identification, which left a remote access application exposed.”
Requiring multi-factor identification is a basic security defense, one that even the most routine security audit would have found and addressed, saving UnitedHealth an estimated $1.5 billion in damages in this one instance.
“Paying attention to the latest tactics attackers are using can help your organization check their cyber defenses and be alerted to potential exposure in your own organization,” continues Thompson. “A cyber risk audit to find the potential exposures in your organization is a great place to start.”
WHAT IS RANSOMWARE?
Ransomware is malicious software designed to encrypt data on victim computers, allowing bad actors the ability to demand a ransom payment in exchange for the decryption key.
For example, ZCryptor is a ransomware cryptoworm that encrypts files and self-propagates to other computers and network devices. The first victim on the network is infected by common techniques, masquerading as an installer of a popular program or malicious macros in Microsoft Office files.
Fuller says that many organizations want to know if they should pay the ransom and assume the problem is over. “That’s not the case,” he advises, as demonstrated by UHG where the ransom was paid, and the info remained on the dark web.
Here’s another example: Not too long ago, an OBGYN doctor with just a small clinic and five employees was hacked, with the cyber criminals leaving ransomware notes on all the office computers and demanding $15K. Fuller advised the doctor not to pay the ransom since once they know you are going to pay, they will strike again and again.
“They have no idea about who you are or the size of the organization but figure you are an I.P. address and an easy target – low-hanging fruit,” recounts Fuller. “They looked at the doctor’s QuickBooks and assumed she could probably spare $15K. In this situation, it only took about two days to trace the culprits in North Korea and basically bring her system back. Some pain, but not worth paying a ransom. There’s no honor among criminals.”
PLAN SPONSOR PREPAREDNESS
Cyber-criminals appear to have a sixth sense that ERISA-covered plans, regardless of their size, are great targets given their financial assets and maintenance of personal data on participants. With a target on their backs, responsible plan fiduciaries have an obligation to ensure proper assessment and mitigate cybersecurity risks.
As the number and sophistication of cyberattacks increase, plan sponsors and participants need to stay current on the Employee Benefits Security Administration U.S. Department of Labor’s” Best Practices” for cybersecurity and fraud protection. See below for an overview of the recommendations for plan-related I.T. systems and data, as well as for plan fiduciaries making judicious decisions on the service providers they should hire. Visit this URL for a complete document: https://www.dol.gov/sites/dolgov/files/ebsa/key-topics/ retirement-benefits/cybersecurity/best-practices.pdf.
1. Have a formal, well-documented cybersecurity program.
2. Conduct prudent annual risk assessments.
3. Have a reliable annual third-party audit of security controls.
4. Clearly define and assign information security roles and responsibilities.
5. Have strong access control procedures.
6. Ensure that any assets or data stored in a cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.
8. Implement and manage a secure system development life cycle (SDLC) program.
9. Have an effective business resiliency program addressing business continuity, disaster recovery, and incident response.
10. Encrypt sensitive data, stored and in transit. 11. Implement strong technical controls in accordance with best security practices.
12. Appropriately respond to any past cybersecurity incidents.
On an annual basis, plan sponsors should also consider asking their providers for information about their cybersecurity practices. A simple step is to review and document that data and store it in a fiduciary file. With increased utilization of personal digital solutions, plan sponsors can collaborate with their recordkeepers to distribute participant-focused communications that improve “digital hygiene.”
Fuller suggests, “There are some things about cyber security that are common sense, and there are issues that simply require education, a framework and some accountability. Think of the Weight Watchers model, where people know how to lose weight but need to be accountable, so they are not embarrassed during the
weekly weigh-in. To ensure fraud protection, having that accountability with an independent cybersecurity check-up every week or month accelerates progress for moving onto a security framework. It’s like coaching an athlete to optimize the best performance.”
Analysts also warn that a company’s third-party vendors are bringing vulnerabilities to the table, especially with self-insured employers now relying heavily upon digital solutions, telehealth and remote patient monitoring. This can also include a payroll service, creating customer portals that give administrative access to everyone in the organization and the ability to see home addresses, Social Security numbers, wages, and other personal information. Someone could get that information and sell it, suddenly creating the HR-related headaches of having everybody know what everybody else earns.
“That’s considered an internal breach, but it’s still a breach of trust since employees provide employers personal information that they assume will be handled correctly,“ counsels Fuller. “That’s why many organizations are starting to introduce third-party risk management with more checks and balances to ensure that there are adequate sign-offs about who gets access to this information.”
Thompson says he thinks it inevitable that every organization will have a data breach, adding, “It’s easy to think that an attack of this sort will never happen to you, but if it did, do you have a crisis response plan, so you know how to respond? Which stakeholders are notified first? What resources do you have available to manage the crisis? Do your insurance policies cover cyber liability? To what extent? These are the questions we recommend asking now before you experience a breach.”
He advises that a complete risk assessment can help you understand where the risks are in your technology, which can be patched and made more secure, and what the scope of an attack might entail.
a great step, it’s one that many companies have taken, only to be disappointed when they file a claim at how much isn’t covered. This is also a vulnerability.”
Jakki Lynch RN, CCM, CMAS, CCFA, director cost containment, Sequoia Reinsurance Services, explains, “Beyond firewalls and multi-factor authentication, organizations should have a strategic preventative risk management and recovery plan for business continuity that includes alternative means of performing the operational services required for patient care delivery, revenue cycle management and claims adjudication. Awareness and focus on preventing data breaches should be a top priority for health care providers and payers.”
She says that many unresolved downstream concerns for organizations remain, recommending consideration of these issues to address and mitigate risk exposure for potential future breaches:
“Working with an actuary can help you put numbers around the probability of an incident and the potential costs of a cyber-attack, as well as check your current policies for gaps in coverage,” says Thompson.
He further counsels organizations to work with a vendor to secure their data, noting, “Technical and security vendors are a great place to start to identify your technical vulnerabilities. Those vulnerabilities can then be secured or insured. While ensuring your cyber liability is
• How patient care will be impacted due to the economic harm to healthcare providers and how major privacy breaches of healthcare information can be prevented and detected
• Address claim reimbursement concerns, including interest
Medical Stop Loss from Berkshire Hathaway Specialty Insurance comes with a professional claims team committed to doing the right thing for our customers – and doing it fast. Our customers know they will be reimbursed rapidly and accurately – with the certainty you would expect from our formidable balance sheet and trusted brand. That’s a policy you can rely on.
www.bhspecialty.com/msl
and penalties due to late claim filing and delayed claim processing – and how providers and plan payers validate that the claim billing and payments processed subsequently by Change HealthCare (or others) are correct.
• How potential breach fines or reduced Medicare payments will impact hospitals and health systems and healthcare costs for payers, as well as access to care for patients.
• How platform organizations can provide a level of assurance that the incident has been contained as well as prevented in the future.
Kurt Smith, Corporate Information Security Officer, Valenz Health, offers this guidance, “Defense-in-depth uses multiple lines of defense to protect against potential threats. Think of a bank’s physical security: a lobby where customers can enter, a teller who proxies customer requests for the bank, and a secured vault with controlled entry. The entire bank has security protections. Last but not least, bank policies and protocols enhance a bank’s security. I.T. Security’s job is to implement the digital equivalent of that kind of security.
Smith itemizes some of the top basic actions an I.T. security team should take:
• Implement multi-factor authentication, especially for Internet-facing resources and privileged access. If you can land on a webpage online, so can a bad actor.
• Separate corporate and production environments—physically and virtually—in terms of network infrastructure, systems, applications, and credentials. Corporate systems allow staff to conduct day-to-day business. Production systems are the products and services the company provides -- they’re the engine that keeps a company in business. Separation reduces the attack surface.
• Implement next-generation security tools -- heuristic antivirus doesn’t cut it these days. There are too many solutions to list, but the key is visibility in monitoring, containing, and responding to threats. Vulnerability management is also a big part of this, not just patch management but code and application scanning.
• Monthly security awareness training is critical -- e-crime is the top threat. Social engineering attacks are more straightforward and require less effort to compromise a company than by hacking in. Why hack when you can trick someone into giving you their credentials?
• A strong identity management program is imperative because social engineering attacks are so prevalent. Helpdesks remotely support staff, vendors, and customers. You must be able to verify who is on the other end before rendering assistance.
ADDRESSING COMPLIANCE ISSUES
Healthcare systems were put on notice in February to address potential HIPAA compliance issues before they experience a breach or receive notice of an OCR investigation. OCR released two Congressional Reports concerning compliance and enforcement under HIPAA, offering key insights for entities regulated by HIPAA that aim to bolster their compliance strategies. OCR suggests that covered entities and business associates focus on improving compliance with the security management process standard, the audit controls standard and response and reporting requirements.
This includes safeguarding against prevalent attack methods such as phishing emails, the exploitation of existing vulnerabilities, and the use of weak authentication measures. In the event of a successful breach, attackers frequently encrypt electronic Protected Health Information (ePHI) for ransom purposes or steal the data for future malicious activities, including identity theft or extortion.
Attorneys at Bradley Arant Boult Cummings LLP advise that by prioritizing preparedness, resilience, and a culture of cybersecurity awareness, healthcare organizations can not only protect themselves against the financial and reputational damage of cyberattacks but also, and most importantly, safeguard the well-being and privacy of the patients they serve.
Here are OCR recommendations for best practices and strong reminders for healthcare organizations to enhance cybersecurity preparedness, especially with increased utilization of digital solutions.
• Ensuring all partnerships with vendors and contractors are secured by appropriate business associate agreements that clearly outline responsibilities in case of a breach or security incident.
• Embedding risk analysis and management into the core business practices, with regular assessments, particularly when adopting new technologies or altering business operations.
• Establishing robust audit controls to document and scrutinize activity within information systems.
• Conducting periodic reviews of information system activities to identify and mitigate potential risks.
• Adopting multi-factor authentication measures to verify that only authorized individuals access protected health information.
• Securing protected health information through encryption to prevent unauthorized access.
• Learning from past security incidents to improve the overall security management strategy.
• Offering targeted training that aligns with organizational and specific job requirements, emphasizing the essential role of all staff in upholding privacy and security standards, and ensuring such training is refreshed regularly.
U.S. GOVERNMENT AND TRADE ASSOCIATIONS STEP IN
In Q1, U.S. Senator Bill Cassidy, M.D. (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, released a report outlining ways to improve privacy protections for Americans’ crucial health data. Including various recommendations to update the HIPAA framework, protect health data not currently covered by HIPAA, and address data that blurs the lines between health and non-health categories, the report points to the value of HIPAA in safeguarding patient information,
The Biden administration has announced a plan to improve cybersecurity at hospitals, beginning with incentives but eventually imposing penalties on hospitals that do not adopt measures to protect patient
corporatesolutions.swissre.com/esl
data. The Department of Health and Human Services (HHS) research funding agency is promising more than $50 million to developers who can build a scalable cybersecurity platform able to keep hospitals’ complex digital ecosystems up to speed. The Advanced Research Projects Agency for Health (ARPA-H), the Universal PatchinG and Remediation for Autonomous DEfense, or UPGRADE, program will offer “multiple awards” to those with the best pitches on ways to detect weaknesses and implement fixes with minimal interruptions to care delivery.
In May 2024, the Federal Trade Commission issued a revised Health Breach Notification Rule aimed at protecting consumer medical information on digital health and wellness apps and requiring them to notify consumers of a breach. According to the announcement, the rule requires vendors that manage digital health records that are not covered by HIPAA to notify individuals, the FTC and, in some cases, the media of a breach of unsecured personally identifiable health data. The agency defines this type of data as traditional health information such as diagnoses and medications, as well as data collected from fitness trackers and “emergent health data.”
Organizations throughout the healthcare ecosystem are lining up to advocate for better protection against cyberattacks. The Medical Group Management Association sent a letter to the DHHS OCR seeking clarity on whether providers are responsible for alerting affected patients that their personal health information may have been compromised. Additionally, the Workgroup for Electronic Data Interchange (WEDI) requested that the Department of Health and Human Services (HHS) create an Office of National Cybersecurity Policy led by a “cyber policy czar.”
Most recently, the College of Healthcare Information Management Executives (CHIME), the American Health Information Management Association (AHIMA) AHIMA, the American Medical Association, and most state medical associations have sent a letter to OCR to request more clarity around reporting responsibilities related to the Change Healthcare data breach, emphasizing that OCR should publicly state that its breach investigation and immediate efforts at remediation will be focused on Change Healthcare, and not the providers affected by Change Healthcare’s breach.
CAPTIVES & REINSURANCE: CONSULTANTS WEIGH IN ON SOLUTIONS FOR MITIGATING CYBER RISK
As healthcare cyber threats accelerate, there is an increased need for self-insured companies to have the ability to assess, manage and transfer the risks associated with a cyberattack. Cybersecurity firm CYE cautions that the protection afforded by cyber insurance may fall significantly short of the actual costs incurred during cyber incidents. In a recent report, they expose critical coverage gaps that threaten organizational stability in the wake of cyberattacks, revealing that a staggering 80% of insured companies that suffered a data breach did not have sufficient coverage to meet the costs of a breach.
Axa Advisors says captives are a well-established part of the risk management landscape and can give sophisticated clients additional tools to assess, mitigate, retain and transfer both traditional risks and evolving, critically important risks like cyber. They believe that captives will play an increasingly important role in this process, helping businesses to gain not only greater cyber security resilience but greater confidence in their ability to recover from cyberattacks.
They also cite the value of structured reinsurance, which can help captive clients manage cyber risk, giving clients a degree of certainty about the maximum premium payable in any one year while limiting the level of retention on the balance sheet.
Actuaries at AmerRisk Consulting advise that in response to the significant losses of cyber insurers resulting from several high-profile wins for policyholders, companies are either declining to cover cyber risk or have chosen to severely restrict coverage. They say that policies have become so costly that many business owners can’t afford to consider meaningful coverage. Plus, cybercriminals innovate more rapidly than the technical solutions to the threats they pose and much faster than any insurer can keep up with.
Thompson points out, “A thorough risk assessment isn’t complete without an underwriter/ actuary reviewing your market cyber policy and identifying any gaps in coverage. They can make recommendations about how to insure those gaps through selfinsurance or by putting them in a captive.”
However, the consultants say there may be ways to add cyber risk to an existing captive to solve the problems since a captive can change and respond faster than the traditional insurance market, pivoting to quickly adapt to the emerging risks that cyber
criminals pose. While they also point to a limited loss history which makes coverage difficult to price accurately and potential losses difficult to quantify, they advise independent analysis of individual companies and losses that are publicly available can create a blueprint for the types of losses a business may experience.
By adding cyber risk to your captive, these analysts advise an extensive internal audit of the cyber risks of a company and a plan to manage those risks internally. As the company learns more about its own risk to cover it in a captive, it can improve loss control and create a position of risk ownership within the leadership of the company.
Furthermore, since a cyberattack is an immediate threat that requires rapid access to capital, captive coverage can be written to ensure that resources are immediately available to respond. Captive policy language can also be broad and tailored to the benefit of the captive owner, providing better coverage of all the risks associated with a cyber-attack -- including reputational harm, media responses, legal fees, potential ransom payouts and other costs that aren’t physical damage to the company as a result of the attack.
Milliman says there are significant advantages to adding cyber insurance to a captive, noting one benefit of adding cyber insurance to a captive is having insurance coverage where coverage may not exist in the commercial market or may be too expensive. They say captives provide their parents with an option to consider when looking for alternatives to the commercial market, and while some cyber policies may have exclusions, like ransomware losses, a captive can help fill the gap in coverage through a difference in conditions policy.
Finally, MarshMcLennan Captive Advisors admit that while a captive is not a silver bullet, using a captive insurer provides organizations with flexibility and options for their cyber risk management strategy. Since the cyber insurance market has become challenging over the past few years, they say risk retention vehicles are helping clients to manage their total cost of risk and increasingly are using existing captives and cells, or establishing new ones, as an integral component of their cyber risk management and insurance strategy.
CYBERSECURITY – AN ONGOING CHALLENGE
Attackers are working overtime to be successful, and security teams must be more aggressive than ever before in assessing their own defenses. While legacy security control investments cost millions in controls, systems and staffing, these traditional fixes often leave gaps in the form of misconfigurations and insufficient protocols.
Tom Kellermann, head of cybersecurity strategy for VMware, who serves as the Wilson Center’s Global Fellow for Cybersecurity Policy and sits on the U.S. Secret Service Cybercrime Investigations Advisory Board, explains, “Healthcare security teams are typically overwhelmed with huge lists of potential issues, so they can’t easily identify the practical risks in a “pile of theoretical vulnerabilities. Every healthcare organization faces a wide array of potential weaknesses and security flaws that may exist within their systems and networks — such as vulnerable medical devices, unencrypted data transmission or outdated software.”
He says organizations often identify these vulnerabilities through cybersecurity tools like security assessments or penetration testing, but due to the sheer volume of these possible vulnerabilities, it can be difficult for healthcare cybersecurity teams to prioritize which weaknesses pose the most practical and immediate risk to the organization’s security posture.
Kellerman points to the long recovery time from a cyber-attack, indicating a potentially poor business continuity plan (BCP), which every healthcare organization needs in case of a potential cybersecurity event. The plan must address business continuity in case of crisis or disaster, including technical backups, alternative payment and collection routes and the ability to restore systems in a timely fashion.
One final indication of the demand for vigilance: Blackwell Security, a cybersecurity company, announced in May that it had received $13 million in an undisclosed funding round.
Laura Carabello holds a degree in Journalism from the Newhouse School of Communications at Syracuse University, is a recognized expert in medical travel and is a widely published writer on
Healthcare issues. She is a principal at CPR Strategic Marketing Communications. www. cpronline.com
CAPTIVES REDUCE THE STING OF P&C HARD MARKET
Written By Caroline McDonald
AAmarket hardened by increased losses and claims ultimately leads to higher premiums for insurance buyers. When the rate of claims continues to rise due to factors such as environmental damage and legal issues, it can appear that there is no end in sight.
Global pricing for property insurance rose 7 percent in the third quarter of 2023 and 10 percent in each of the prior two quarters, according to Marsh’s Global Insurance Market Index. In the US, property insurance pricing, on average, has risen for 24 consecutive quarters.
Marsh said several trends are influencing the property market. They include the high cost of reinsurance, which typically is passed on to policyholders by primary insurers, strong demand for limited capacity, ongoing losses and inflation of property values. Marsh noted:
In addition to raising their pricing, insurers are scrutinizing their property loss exposures and taking actions that include tightening terms and conditions, raising deductibles, and withdrawing capacity for loss-prone geographies. Capacity is particularly constrained in areas such as California, Florida, and Louisiana, but demand is growing as property owners continue to build facilities in the central US, where severe convective storm activity and other perils are increasing.
INSURANCE BUYERS SEEK RELIEF
Unable to foresee their premium expenses, property insurance buyers are left holding the bag. More and more organizations are entering the captive insurance market to protect themselves over the long term.
Also feeling the heat is the automotive market. According to Marsh, “The US automotive industry is now facing one of the most unpredictable and volatile trading environments in its history.”
“The hard market is an area where performance by the insurance marketplace has not been great,” said Jim DeWulf, executive vice president and captive executive at Captive Resources. “You’re seeing price increases across the different layers of coverage. What we’ve tried to communicate to our groups is that inflation is a big piece of that – wages are up, and the cost of vehicles has risen.”
Marsh said the auto industry is facing “pressure from federal and state regulators, growing concerns about vehicle emissions, domestic and overseas competition, competition in the mobility space, and the changing demands and expectations of consumers everywhere.”
MAXIMIZING IMPACT
John Capasso, Chairman and CEO at Captive Planning Associates pointed out that a positive impact is that “Earnings on surplus are enhancing surplus because of higher rates of return. They are having better rates occurring on safe dollars, like bonds and CDs and money markets,” he said.
The other side, he added, is that “You’re seeing premium creep, even for programs that have been successful from claims and frequency perspectives. Everyone is getting hit. You’re seeing markets hardening, especially property. That’s been the case for the past two years or so.”
Rate inflation, Capasso noted, “seems to affect everyone. It’s incentivizing the CFOs of the C-suite and owners of businesses to be more aggressive with their captives, as far as taking on more risk.”
To do this, Capasso said, they are raising deductibles “and taking on
more layers within the towers, whether it’s workers’ comp, auto liability or specifically property.”
Businesses, he said, more than ever have recognized the importance of minimizing risk. “We’re seeing owners of businesses, CFOs of larger companies and even businesses with no risk management experience, turning to us to help them customize and take on risk management.”
Capasso said they are also seeing people either terminating their micro captives or using them to write more commercial risks. “In some instances, they terminate them and start a new one for traditional P&C risk. They will shut down one and use the surplus to seed the new captive,” he said.
DEALING WITH INFLATION
In some situations, Capasso said, “certain commercial carriers may have high claims and frequency and raise rates across the board to make up for the losses they are seeing in one particular book.”
This is big, he said. “What impacts insurers will impact captives because, in many cases, captives are taking the first layer of insurance.
Rate inflation, Capasso said, is causing some self-insured groups, like group captives, to shut down. “We have two situations where these groups are being shut down because of regulators, leaving people scrambling.”
They are being shut down because they are undercapitalized due to rate inflation, Capasso explained. “The rates go so high, and they don’t have enough capital to backstop the premium and the risk the backstop is assuming,” he said.
The goal is to strengthen captives, to help organizations deal with inflation. “If a car costs $25,000 today and it cost $20,000 last year, we have to make sure the captives have the appropriate funding to pay future losses,” DeWulf said.
On the claims side, Capasso said, is auto liability inflation. “The cost of vehicle repairs has skyrocketed because of labor costs and
certain parts,” he said. “Today’s vehicles have electronic components and specialty metals. This is all leading to a significant price creep in inflation on repairs. It’s a domino effect and it forces carriers to increase rates.”
Capasso added, “We’ve actually seen some clients acquire auto body shops. That helps control costs because they can then do the repairs in-house.”
Over the past two to three years, DeWulf said, captives also have been able to raise their primary limit. “Our primary limit in the group used to be $1 million for auto and $1 million for general liability,” DeWulf said. “We have a significant number of captives now that used their size and the diversification of the captive portfolio to quote $2 million primary limits on auto and $2-$4 million on general liability.”
The advantage of a group, he said, is a vested interest in controlling losses. The result is much higher engagement in the group captive, “because you’re seeing all of the money, where it goes and how the spend is,” DeWulf said.
STRENGTHS OF A CAPTIVE
As insurance companies, captives are as vulnerable to the effects of inflation as traditional insurers and reinsurers, said Robert P. Hartwig, clinical associate professor, Finance Department and director at the Center for Risk and Uncertainty Management at the Darla Moore School of Business, University of South Carolina.
Those vulnerabilities, Hartwig said, are:
Underinsurance: The replacement and repair costs for commercial properties may rise sharply during periods of unexpectedly high inflation. If captive managers have failed to appropriately account for higher property valuations, the captive can be exposed to great loss. This same problem has plagued traditional commercial property insurers over the past few years. Sometimes this is referred to as an insurance-to-value (ITV) problem. A similar situation can arise in commercial auto, with the separate problem of “social inflation” compounding the issue.
Reserve Inadequacy: Inflation can easily result in claim reserves established years ago becoming inadequate. Medical inflation was much lower than the overall inflation rate when inflation first took off in 2021-2022 but is now catching up. This trend could pressure workers’ comp, general liability, medical professional liability, and other medical cost-sensitive exposures.
Reinsurance: Captives may find that their reinsurance limits are inadequate in an inflationary environment and should consider adjusting those limits appropriately based on an analysis of inflation’s impact on the underlying exposures.
Hartwig explained that knowing these vulnerabilities, “can help organizations mitigate, though not avoid entirely, the issues arising from a sustained spike in inflation.” This is the case, he said, “because the inflation was unanticipated, hence unknowable in advance, irrespective of whether you’re a carrier or captive. But understanding the impacts on your captive can help you mitigate the consequences.”
He concluded that the attractiveness of captives is enhanced during hard markets. “The current hard market has been in existence for some five years now, and many organizations have availed themselves of the captive structure over that time,” Hartig explained. He added that a well-managed captive “can help an organization keep a lid on the cost of managing risk in the years ahead, which will likely continue to see a period of sustained rate increases.”
Caroline McDonald is an award-winning journalist who has reported on a wide variety of insurance topics. Her beat includes in-depth coverage of risk management and captives.
The power to get it done
AmeriHealth Administrators is one of the largest national third-party administrators. We provide innovative, value-based health benefits programs and outsourcing services for self-funded health plans and other organizations.
Whether locally focused or on a national level, our scalable capabilities allow us to service many unique customers, including self-funded employers, Tribal nations, international travelers, and labor organizations.
Learn how we can help you successfully navigate and thrive in today’s complex health care environment. Visit amerihealth.com/tpa .
COMBATING SOPHISTICATED HEALTHCARE FRAUD SCHEMES: LESSONS FOR SELF-INSURED HEALTH PLANS
Written By Greg Lyon
OOver the course of 2021, 2022, and 2023, malicious actors perpetrated a massive fraud scheme, defrauding Medicare, and the United States healthcare system of up to $2 billion through the submission of phantom claims for intermittent urinary catheters. There are valuable lessons to be learned from this scheme for self-insured plan administrators.
LESSONS FOR SELF-INSURED HEALTH PLAN ADMINISTRATORS
Healthcare fraud is a massive and growing problem fueled by a technology arms race. The fraud and abuse problem costs selfinsured employers billions of dollars annually. It is estimated in various government and private sector reports that healthcare fraud and abuse represent between three and ten percent (3-10%) of total annual healthcare spending.
While much of the attention has been focused on fraud perpetrated against government programs like Medicare, self-insured health plans are not immune from the same types of complex dynamic, multiprovider fraud and collusion schemes often associated with CMS program and large commercial health plans. And, where the risk pool of a self-insured population is smaller, these types of schemes can be catastrophic if not detected early.
The recent multi-billion-dollar catheter fraud scheme highlighted in this article serves as a prime example of the sophisticated and costly tactics employed by bad actors to rapidly exploit payer vulnerabilities and get paid for fraudulent claims. This scheme is cautionary for self-insured plans because very few are deploying advanced fraud prevention technologies today due to the historical costs and barebones nature of self-insured plan administration. An advanced artificial intelligence-powered provider-centric FWA approach can solve both the risk and cost challenges for self-insured plans.
By understanding the intricacies of the catheter fraud scheme and the technology strategies that could have prevented it, self-insured plan administrators can gain valuable insights into the evolving nature of fraud. They can also learn about the proactive measures necessary to safeguard their plans from similar exploitation.
THE SCHEME: OWNERSHIP CHANGE, TEST & SPIKE
Seven legitimate Durable Medical Equipment companies (DMEs) were purchased by fraudulent individuals. Once the ownership had been transferred, new owners validated their ability to bill Medicare and receive payments. With the ability to
bill and get paid confirmed, the fraudsters proceeded to spike large volumes of claims to Medicare for intermittent urinary catheters. The claim volumes were:
• 2023 – 406,000
• 2022 – 20,000
• 2021-21
PHANTOM BILLING
“The catheter scheme had red flags that, in retrospect, look obvious.”
The spike from claims submitted by the seven DME companies was so extreme that it caused a noticeable national spike in intermittent urinary catheter claims. This was a ‘phantom’ billing scheme, where the catheters were not medically necessary and were not physically shipped to the Medicare members.
To perpetrate this fraud, the seven DME companies exploited legitimate Medicare member names and IDs to submit the fraudulent claims. It is highly probable that the member data was illicitly obtained, either purchased on the dark web following a data breach or gathered through deceptive cold calls from fraudulent telemarketers. These telemarketers preyed on unsuspecting Medicare members. Once this phantom billing fraud scheme was detected, the seven DME owners stopped submitting claims and closed the DME businesses.
RED FLAGS
The catheter scheme had red flags that, in retrospect, look obvious. Further, many Special Investigation Units (SIUs) remain challenged with the limitations of claims data-centric, rules-based analytics and periodic (not continuous) provider integrity monitoring. The following red flags could be easily missed when reviewing each claim and each provider in isolation:
MANAGE SPECIALTY COSTS
Targeted strategies maximize co-pay assistance programs and discounts that reduce up to 40% of specialty drug spend.
PROACTIVE TECHNOLOGY
Real-time review of claim adjudication results in savings of 5% to 25%.
BEST-IN-CLASS NETWORK
Ensure members have access to care with 65K retail pharmacies across the U.S. through powerful network contracting.
• Rapid increases in intermittent urinary catheter claims for seven DME companies (14 to 20,000 to 406,000).
• No history of significant urinary catheter claims for any of the seven DME companies.
• Sudden spikes in claims (or claim type) shortly after an ownership change.
• Suspicious business locations like strip malls, residences, offices with windows covered, etc.
• Common demographic information shared among the seven DME’s (matching addresses, officers, or ownership).
• Numerous negative social media reviews from Medicare members detailing suspicious behaviors.
TECHNOLOGY TIPS TO STOP THE NEXT FRAUD SCHEME
Stopping the catheter fraud scheme or future schemes of a similar nature requires a fundamental shift in how fraud detection and prevention is accomplished. Healthcare payors can no longer afford to depend solely on claims data-centric analytic models to detect potential fraudulent behaviors and relationships fast enough. We must be able to assess each provider’s integrity, relationships with other providers, and claims activity in the context of all historical and near real-time claim behaviors. In short, we need to change our mindset and leverage available technology to solve this problem.
There are two technology-forward approaches within reach of any healthcare payor, including large health plans, third-party administrators (TPAs), and self-insured, self-administrated plans. These approaches include:
1. Know Your Provider on Every Claim
Start with a provider-centric approach.
Take a ‘Know Your Provider’ (KYP) mindset, just like financial services companies employ a ‘Know Your Customer’ (KYC) approach to anti-fraud work. To detect fraud early, you need to continuously gather and analyze provider data in near real-time to understand their integrity, behaviors, and relationships with other providers on every single claim submitted. Provider-centric data such as licensing, sanctions, address, phone number, social media reviews, bankruptcies, criminal offenses, ownership interests, shared addresses and phone numbers, taxonomy, and other data elements help to continuously flag potential problematic providers around each and every claim on in-network, and out-of-network providers.
For self-insured plans, this can sound costly and technically out of reach. That was true in the past, but with the combination of structured and unstructured artificial intelligence technology combined with a continuously credentialed provider database, this provider-centric approach is not accessible to selfinsured plans with a documented return-on-investment.
2. Be Comprehensive & Dynamic
The second step is to continuously integrate KYP data with historical and real-time claims data to understand the context around every claim. Combining KYP data with historical and current claims data
Benchmarking
empowers healthcare payors to analyze provider behaviors in near real-time and stop potentially fraudulent or abusive payments by enabling:
• Every claim submitted to be analyzed in near real-time against that provider’s individual historical and current-claims submission behavior, their integrity, and their qualification to be submitting a claim,
• Every provider’s relationship with other providers (referring, rendering, billing) to be analyzed around every claim submitted for potential referral or ownership collusion,
• An analysis of each individual provider’s historical and current claims submission behaviors vis-avis all other providers’ claims submission behaviors to detect suspicious behaviors, including outlier billings, billing spikes, and collusion networks.
Like the KYP approach noted above, this a-claim-and-all-claims approach to fraud and abuse detection is all doable today with a combination of the right provider data and provider-centric artificial intelligence technology incorporating supervised and unsupervised machine learning to detect anomalies beyond what rules-based systems can ever detect.
BEING EQUIPPED FOR EARLY DETECTION REDUCES FRAUD SCHEME RISK
Deploying the technology tips mentioned on the previous page would have had a major impact on the catheter scheme or a scheme with similar characteristics. Let’s assume that fraudsters were attempting a similar scheme today on a self-insured health plan that employed a KYP solution and integrated providercentric artificial intelligence technology solution like the one described in this article. And let’s assume that the advanced FWA technology combination is affordable for all self-insured plans.
What is likely to happen if a similar scheme was attempted today with advanced FWA prevention technology?
• The payor would be alerted to claim volume spikes in near real-time pre-payment while the scheme is in its initial stages.
• The DMEs responsible for the catheter claims spike would have been identified.
• Current and future payments for the suspicious providers and related parties could be stopped pending investigation.
• Plan investigators would automatically receive pre-packaged, comprehensive KYP integrity data on the submitting DMEs, including data showing the lack of catheter claims history, shared ownership, officers and addresses, Google Earth images of office locations, social media reviews and catheter claims data.
• The integrated, contextual data picture would enable plan administrators to conduct investigations and act in accordance with their organization’s policies.
ADVANCED FWA TECHNOLOGY
IS ACCESSIBLE, AFFORDABLE, AND ACTIONABLE
The ongoing battle against healthcare fraud and abuse requires the adoption of advanced FWA technology that enables a provider-centric approach to analyzing every claim and every provider in near real time. This technology is accessible today, affordable for self-insured plans, and actionable in everyday claims adjudication workflows. Most importantly, an integrated KYP and advanced artificial intelligence technology solution can reduce the cost of healthcare for companies, administrators, and employees.
Greg Lyon is a recognized anti-fraud expert with over 25 years of experience in the Financial Services and Healthcare industries, most recently serving as Director of Fraud Prevention at United Healthcare. He can be reached at glyon.lyon@gmail.com
Power of the Pen
LETTER TO THE EDITOR
Written By Jack Towarnicky
DDear
Editor:
I read with interest Bruce Shutan’s recent, excellent article “Healthcare Priced Right?” I offer the following perspectives in response and believe it is well past time for plan sponsors to consider or re-consider Reference Based Pricing (RBP).
ERISA §408(b)(2) now applies to health plans and, no surprise (pun intended), the plaintiff’s bar noticed. The initial fights are focused on cost. One suit uses an interesting, more comprehensive definition of cost that befits health coverage within a total rewards context. Plaintiffs argue it isn’t only higher out-ofpocket expense or higher cost sharing, such as contributions and deductibles. The complaint also alleges that higher costs reduced wages (a “crowd-out” effect)!
HCIQ’s SaaS platform helps self-insured entities to gain access to critical insights:
Uncover high-cost medical and Rx claims, encounters, and utilization patterns
Track past, current, and future member and group risk status
Identify claims payment irregularities, fraud, abuse, and costly inefficiencies The cornerstone of effective health plan management is a data-driven approach. Armed with the tools and data insights available through HCIQ, organizations can engage in evidence-based decision-making.
ERISA requires plans pay only “reasonable” expenses. But, ERISA doesn’t define “reasonable” as lowest cost. Regardless of who prevails in current litigation, when a plan administrator selects a network or foregoes interventions like RBP, there is now an added exposure from participants who believe fiduciary duties should include pursuing the lowest cost each provider will accept for each service provided.
Network/Direct contract negotiation has not achieved the lowest possible cost. Participants frequently blame benefits staff when their doctor won’t accept network pricing or when a provider group or hospital threatens to leave the network over reimbursement rates -- especially when participants receive letters asserting networks aren’t negotiating in good faith.
Most networks cave in order to maintain a broad network, and many networks can be compared to rivers that are a mile wide, with discounts that are an inch deep.
Clearly, network providers won’t agree to reimbursement rates comparable to those they accept for Medicare and Medicaid beneficiaries.
Studies show self-insured employer sponsored plans pay the most for the same services – followed, in order, by insured employer-sponsored plans, Medicare, Veterans Administration and Medicaid. Rand and other studies confirm employer sponsored plans reimbursements are 220+% of Medicare allowables and 300+% of Medicaid allowables.
The questions remain: Why must participants in employer-sponsored plans pay more? Why should the cost for the same service be double for individuals who are over age 65 just because they continued participation in an employer-sponsored plan? Why shouldn’t the plan sponsor/plan administrator seek, in both settlor and plan administrator/fiduciary roles, to identify and obtain the best deal possible?
Achieving the lowest attainable price is possible through Reference Based Pricing “done right” – where negotiation starts by leveraging knowledge of what providers accept for others, coupled with deploying the very best negotiation/participant representation tactics.
Sincerely,
Jack Towarnicky, ERISA Counsel and member of aequum
HERE WE GO AGAIN: AGENCIES REVISE
AND REVAMP ACA § 1557 NONDISCRIMINATION REQUIREMENTS
Written By Alston & Byrd Health Benefits Practice
OnOMay 6, 2024, the Department of Health and Human Services (“HHS”) finalized the latest rule for Nondiscrimination in Health Programs and Activities (“2024 Rule”) under §1557 of the Affordable Care Act (“ACA”). Section 1557 prohibits a “health program or activity” that receives Federal financial assistance (“FFA”) from discriminating against an individual on the basis of race, color, national origin, sex, age, or disability. The mandate also applies to a program or activity that is administered by an executive agency or by an entity established by Title I of the ACA. HHS has issued final regulations under §1557 twice before—once in 2016 (“2016 Rule”) and again in 2020 (“2020 Rule”).
The 2024 Rule resurrects and revises several concepts and policies from the 2016 Rule that the 2020 Rule had repealed or amended (e.g., notices and grievance procedures). HHS also revised its interpretation of Medicare as constituting FFA (and
thus triggering §1557) and provisions related to discrimination on the basis of sex. The 2024 Rule is complex and far-reaching; in this article, we focus only on its applicability to self-insured group health plans. We also discuss briefly §1557’s impact but will delve further into that topic in a subsequent article.
§ 1557 OVERVIEW
Section 1557 incorporates into the ACA a prohibition of discrimination based on any of the grounds found in each of the following four statutes: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, the Age Discrimination Act of 1975, and Section 504 of the Rehabilitation Act of 1973 (i.e., race, color, national origin, sex, age, or disability). This prohibition applies to any health program or activity that receives FFA or is administered by an executive agency or entity established under Title I of the ACA.
Congress also incorporated the enforcement mechanisms for each of these statutes into the ACA, and the Supreme Court has held that an implied private right of action is available under §1557. HHS’s Office of Civil Rights (“OCR”) enforces the 2024 Rule. Since the 2016 Rule, regulations promulgated under §1557 have been the subject of litigation, and the 2024 Rule is no different, with at least one lawsuit already filed the day the 2024 Rule was published in the Federal Register (State of Florida et al. v. Department of Health and Human Services et al.).
WHO’S COVERED—AND NOT COVERED--UNDER THE 2024 RULE
Generally, any health program or activity that receives FFA from HHS is covered by the 2024 Rule (although there is a limited exemption for Federal religious freedom and conscience protections). FFA includes credits, subsidies, and other types of assistance from HHS. HHS provides a new definition for “health program or activity” that is quite broad and includes a non-exhaustive list of the entities that HHS considers to be a health program or activity. Group health plans are notably absent from the list.
Does this mean that §1557 will never apply to a group health plan? No. A group health plan--even a grandfathered group health plan-would be subject to §1557 if it were a recipient of FFA, but, as discussed below in Self-insured Group Health Plans and Retiree Drug Subsidies, the employer or plan sponsor is more likely to be the actual recipient of FFA. Whether and how an employer’s or plan sponsor’s receipt of FFA may be imputed to the group health plan is not clear.
The 2024 Rule does not apply to any employer or other plan sponsor of a group health plan with regard to its employment practices,
including the provision of employee health benefits. This is in contrast to the 2016 Rule, which, for example, applied to employee health benefit programs of a §1557-covered entity if that covered entity were principally engaged in providing or administering health services or health insurance coverage. HHS now excludes employers and plan sponsors--including but not limited to a board of trustees (or similar body), association or other group--from the scope of §1557 with respect to providing employee health benefits. HHS believes that limiting the scope §1557 in this way will minimize confusion for employees seeking relief under Federal equal opportunity laws.
Health insurance issuers are included in the list of entities that HHS considers to be a health program or activity, which is a complete reversal of the 2020 Rule. Under the 2024 Rule, if any line of an insurer’s book of business is a recipient of FFA (e.g., participation in Medicare Advantage or Medicaid Managed Care) or if the insurer offers qualified health plans on an exchange, then the 2024 Rule applies to all lines of business, even the insurer’s activities as a third party administrator (“TPA”).
As discussed below, the inclusion of insurers in this definition is consequential for self-insured group health plans because even if the group health plan is not subject to §1557, the 2024 Rule prohibits a covered TPA from
administering any discriminatory provisions of the self-insured plan. Even if the plan has no discriminatory provisions, it is unclear to what extent the TPA’s other compliance burdens (e.g., notices, language assistance, grievance procedures) could carry over to the self-insured plans that the TPA administers.
SELF-INSURED GROUP HEALTH PLANS AND RETIREE DRUG SUBSIDIES
The 2024 Rule applies when a health program or activity receives FFA from HHS, either directly or indirectly. FFA includes any grant, loan, credit, subsidy, contract, or any other arrangement. Although employer group health plans generally are not the recipients of FFA, entities that receive a subsidy, such as a retiree drug subsidy (“RDS”), are subject to §1557. Under the RDS rules, the plan sponsor is technically the recipient of the RDS funds, not the plan. Does §1557 apply to a self-insured retiree group health plan if the plan sponsor applies for and receives RDS? And would receipt of RDS by the employer/plan sponsor cause the employer’s self-insured group health plan for active employees to be subject to §1557 as well?
HHS tiptoed around these questions. First, HHS states clearly in the preamble that entities that receive RDS are subject to the 2024 Rule and that a group health plan that receives FFA itself is distinct from other
entities that might separately receive FFA, such as the plan sponsor or the TPA. If OCR were to receive a complaint about a plan, OCR would conduct a fact-specific analysis to determine if the group health plan is a recipient or subrecipient of FFA. Even though this explanation sounds like OCR could, at the very least, conduct an inquiry, HHS goes on in this same discussion to reiterate the 2024 Rule, stating that “employers and other plan sponsors are not subject to this rule with regard to their employment practices,” which “includes when the Federal financial assistance received is for their employee health benefits.” HHS seems to be signaling that receipt of RDS by an employer/plan sponsor does not necessarily subject the employer’s retiree group health plan to §1557. But would the existence of a trust for the retiree plan into which the RDS funds are deposited complicate the analysis? Additional guidance on HHS’s position regarding RDS would be welcome.
THIRD-PARTY ADMINISTRATORS
Even if neither the self-insured plan nor the employer/plan sponsor receives FFA from HHS, the TPA administering the plan may be (and likely is, if an insurer) subject to §1557 under the 2024 Rule. The 2024 Rule prohibits a covered TPA from administering any discriminatory terms of a group health plan that would violate §1557 and the 2024 Rule. The requirement to administer a plan according
Expect
to its terms under the Employee Retirement Income Security Act (“ERISA”) provides no cover here because, as HHS points out, ERISA expressly provides that it is not to be construed to invalidate or impair Federal laws like §1557.
If OCR receives a complaint about a discriminatory provision in a selfinsured group health plan, OCR will determine whether the provision originated with the TPA or with the plan. If the provision originated with the plan, OCR likely will refer the matter to the EEOC. If the provision originated with the TPA, OCR may use its enforcement authority to compel the TPA to comply.
However, if the provision originates with the plan, it is unclear which entity—the plan or the TPA--is ultimately responsible for remediation. For example, if a self-insured group health plan that is not subject to §1557 were to exclude gender-affirming care, OCR may refer the matter to the EEOC, but the 2024 Rule would still prohibit a TPA from denying the claim. If the plan does not cover gender-affirming care, OCR does not appear to have any authority to compel a plan not otherwise subject to §1557 to pay the claim. Additional guidance in this area would be welcome. A case with similar facts (and brought by the plaintiff through the implied right of action) is currently on appeal in the 9th Circuit (C.P. v. Blue Cross Blue Shield of Ill).
SELF-INSURED RELIGIOUS EMPLOYERS
The 2024 Rule does include a process for covered entities to receive an assurance from HHS that the entity can rely on Federal religious freedom and conscience protections. This exemption, if granted, would be limited in scope to the aspect of the 2024 Rule from which the entity believes it is exempt. Note, however, that this exemption is available only to entities covered by §1557, and recall that employers, plan sponsors, and group health plans are each viewed as separate entities by HHS.
What is clear is that this exemption likely would not, for example, be available in a situation in which a covered TPA administers a selfinsured plan group health for a religious employer that receives no FFA whatsoever (either for its group health plan or as an employer or plan sponsor). Would religious employers with self-insured group health plans that include discriminatory provisions then be limited to only those TPAs that are not covered under §1557? HHS addressed this in the preamble, stating that a “religious employer is able to obtain health insurance coverage or administration of its self-insured group health plan coverage from any entity not subject to section 1557, which would fall outside of the application of this rule.”
WHAT DOES A COVERED ENTITY NEED TO DO TO COMPLY WITH THE 2024 RULE?
Carefully review benefit provisions in any covered health plan. There are a number of benefits-specific provisions and limitations that should be carefully examined to ensure compliance with ACA §1557’s nondiscrimination requirements. A careful examination (with counsel) should be undertaken of any provision(s) that could be considered to discriminate based on race, color, national origin, sex, age, or disability. In this regard, the 2024 Rule clarifies that “discrimination on the basis of sex” specifically includes discrimination based on sexual orientation, gender identity, sex characteristics, pregnancy or related conditions, and sex stereotypes, gender, or because of pregnancy.
Comply with Notice and procedure requirements. Within 120 days of July 5, 2024, covered entities must begin providing an annual notice of nondiscrimination along with a notice of the availability of language assistance services and auxiliary aids at no cost to participants, beneficiaries, enrollees, and applicants. This information must be provided in English and 15 of the most common languages spoken by people with limited English proficiency in the state where the covered entity operates and also be posted on the covered entity’s website. The covered
Strong relationships. More solutions.
Partner with Nationwide® to simplify Medical Stop Loss for you and your clients. Save time and effort with easy access to experienced underwriters who offer a broad range of solutions. Our flexible plans are tailored to fit your clients’ needs and reduce future risk. Plus, claims are backed by a carrier with A+ financial ratings.*
As a leader in Medical Stop Loss coverage for 20 years, and in the health business for more than 80 years, you can trust Nationwide to take care of you and your clients.
To learn why top Medical Stop Loss producers and underwriters choose Nationwide, email stoploss@nationwide.com or visit nationwidefinancial.com/stoploss.
ranking from AM Best received 10/17/02, affirmed 12/7/23, and A+ ranking from Standard & Poor’s received 12/22/08, affirmed 5/16/23.
entity must also ensure that any services available telephonically are accessible to those with disabilities and limited English proficiency. HHS has prepared sample notices in multiple languages to assist with this requirement. The 2024 Rule also requires that policies and training be implemented by the covered entity and that a “Section 1557 Coordinator” be designated to ensure compliance with the §1557 requirements.
ENFORCEMENT
The 2024 Rule incorporates the enforcement mechanisms available for and provided under all the nondiscrimination statutes incorporated into §1557, as well as the procedural provisions applicable to Title VI that apply with respect to administrative enforcement actions. These Title VI procedures allow OCR to attempt cooperative voluntary compliance, and if that fails, then OCR can obtain compliance by (1) suspension or termination of or refusal to grant or to continue FFA or (2) by any other means authorized by law.
Upon receiving a complaint OCR will determine whether it has jurisdiction over the matter, and if it does not, then OCR may refer the complaint to the appropriate Federal government entity (e.g., the EEOC if the discrimination originates with the terms of a self-insured group health plan). If OCR does have jurisdiction, then it has the authority to investigate the alleged violation.
What may be more consequential for a self-insured group health plan (which may not fall within OCR’s jurisdiction) is the implied right of action in §1557. The 2016 Rule specifically allowed for a private right of action; however, the 2020 Rule repealed that right under the regulations and acknowledged that an implied right of action exists under the statute. In the preamble to the 2024 Rule, HHS announced that it would not be reinstating the 2016 private right of action under the regulations, instead acknowledging the implied private right of action under §1557 itself.
Although the Supreme Court has already determined that damages for emotional distress are not available under this implied right, other types of compensatory damages and injunctive relief may be available. Also, courts have not always been in alignment with HHS’s interpretation of §1557. See, for example, T.S. v. Heart of CarDon, in which the 7th Circuit did not rely on HHS’s reading of §1557 and applied §1557 to the employee benefit plan of a skilled nursing facility that received FFA, even though the skilled nursing facility’s employee plan did not receive FFA.
EFFECTIVE DATES
Although the 2024 Rule is generally effective on July 5, 2024 (60 days after its May 6th publication in the Federal Register), the complexities of this rule require separate effective dates for various provisions:
Advocacy in Action
Legal services and innovative technology combined to defend health plans, plan sponsors and member participants nationwide
aequum advocacy programs & services successfully resolve surprise billing and unreasonable out-of-network and balance billings
Efficient Claim Resolution
On average, aequum resolves claims within just 244 days of placement. Unmatched Savings
aequum has achieved a remarkable 95.6% savings off disputed charges for self-funded plans. National Expertise
aequum has successfully handled claims in all 50 states.
Section 1557 Requirement Date by which covered entities must comply
Designate a §1557 Coordinator
§1557 Policies and Procedures
§1557 Training
Within 120 days of July 5, 2024.
Within one year of July 5, 2024.
Following a covered entity’s implementation of the policies and procedures, and no later than 300 days of July 5, 2024.
Notice of Nondiscrimination Within 120 days of July 5, 2024.
Notice of Availability of Language Assistance Services and Auxiliary Aids and Services
Nondiscrimination in health insurance coverage and other health-related coverage (benefit design changes)
Within one year of July 5, 2024.
For health insurance coverage or other health-related coverage that was not subject to the 2024 Rule as of May 6, 2024, by the first day of the first plan year beginning on or after January 1, 2025.
Attorneys John R. Hickman, Ashley Gillihan, Steven Mindy, Ken Johnson, Amy Heppner, and Laurie Kirkwood provide the answers in this column. John is partner in charge of the Health Benefits Practice with Alston & Bird, LLP, an Atlanta, New York, Los Angeles, Charlotte, Dallas and Washington, D.C. law firm. Ashley and Steven are partners in the practice, and Ken, Amy, and Laurie are senior members in the Health Benefits Practice. Answers are provided as general guidance on the subjects covered in the question and are not provided as legal advice to the questioner’s situation. Any legal issues should be reviewed by your legal counsel to apply the law to the particular facts of your situation. Readers are encouraged to send questions by E-MAIL to John at john.hickman@alston.com.
NEWS FROM SIIA MEMBERS
2024 JULY MEMBER NEWS
SIIA Diamond, Gold, and Silver member companies are leaders in the self-insurance/captive insurance marketplace. Provided below are news highlights from these upgraded members. News items should be submitted to membernews@siia.org.
All submissions are subject to editing for brevity. Information about upgraded memberships can be accessed online at www.siia.org.
If you would like to learn more about the benefits of SIIA’s premium memberships, please contact Jennifer Ivy at jivy@siia.org.
Five Decades of Excellence
Growing with confidence. We continue to expand and diversify, with over 100 classes of speciality insurance provided through approximately 4,000 experts around the world, contributing to our global success. TMHCC is a leader within our industry and trailblazer in the specialty insurance landscape. After half a century of successful expansion, we now have a presence in over 180 countries. We want to express our deepest gratitude to all of our employees, clients, brokers, and agents who have contributed to these five decades of excellence. To be prepared for what tomorrow brings, contact us for all your medical stop loss and organ transplant needs.
SIIA MEMBER NEWS
SIIA boasts a very active and dynamic membership. Here are some of the latest developments from the companies powering the self-insurance industry.
Emerging Therapy Solutions
Names Ashley Hume as New President
Leading provider of solutions for managing high-cost therapies, Emerging Therapy Solutions® (ETS), announced that Ashley Hume has been promoted to President. This strategic move strengthens ETS’s focus on deepening and expanding services to meet evolving client needs in the rapidly growing
cell and gene therapy market.
Hume’s proven track record positions her perfectly to lead ETS into the future. As Chief Commercial Officer, she spearheaded strategic partnerships, client relationships, product innovation, and team development. These efforts have ensured continued best-in-class service delivery for ETS clients and rapid growth in lives leveraging ETS.
Ashley Hume President Emerging Therapy Solutions®
“Ashley’s leadership has been instrumental in ETS’s growth,” says Matt Mackowski, Chairman, Managing Director, Telegraph Hill Partners & ETS Board Chairman. “Her deep industry knowledge and vision will keep us laser-focused on providing unparalleled solutions and support to our clients in the highly complex and costly areas of cell and gene therapy and transplant.”
As President, Hume will prioritize strengthening ETS’s ability to support clients navigating the complex landscape of highcost therapies. This aligns with ETS’s commitment to helping payers make informed pricing and risk management decisions regarding treatments for rare genetic diseases.
Madelyn Peterman Vice President of Partnerships
Insurance Group
HM Insurance Adds New Position to its Executive Team
Madelyn Peterman has been named Vice President of Partnerships for HM Insurance Group. In this role, Maddy is responsible for leading the operations of HM Insurance Group’s partnership programs and reinsurance initiatives.
“This new position is vital as we continue to grow and diversify our business,” Eric Berg, Chief Operating Officer, HM Insurance Group, said. “Maddy’s experience and expertise will help us to ensure that we offer a more holistic approach to servicing our partner clients and their unique needs.”
Before advancing to the Partnerships position in 2024, Maddy served as Director, Market Segment Finance. In that role, she had oversight of operating results in terms of costs, forecasting, operational policies and trends and also provided financial support and guidance to drive achievement of HM’s strategic initiatives. She joined HM in 2015 as a supervisor and has held roles of increasing responsibility over the years. Prior to HM, she was an assurance manager at the accounting firm Urish Popeck & Co.
ClearPoint Health Announces New Center of Excellence
ClearPoint Health is establishing a medical stop loss Center of Excellence (COE) focused on satisfying the “full spectrum” of alternative risk structures, according to Phil Giles, Chief Growth Officer at ClearPoint Health.
ClearPoint develops and scales clinically integrated captives, including clinical providers, in the sponsorship of medical stop-loss captives. Giles said ClearPoint has created a COE panel for traditional stoploss and level funded business with a strong grouping of highly rated carrier partnerships.
“We’ve got tremendous growth trajectory and have incepted enterprise-level agreements with several major brokers to be their stop loss COE,” he said.
“One of the things that really appeals to me is not only the capabilities that we’re building on a holistic level as a COE but also the level of talent and expertise that we’re bringing in to be able to service our stop-loss and captive clients,” Giles added.
The ClearPoint platform covers aspects from level-funded structures to traditional medical stop-loss for standalone selfinsurers and extending to group and single parent captive structures.
MacroHealth Appoints Kristin Weir to Key Product Position
MacroHealth, a leading healthcare fintech company, announced the appointment of Kristin Weir as Senior Vice President of Product Management. In this role, Weir will be responsible for leading product management teams focused on new and emerging solutions to help Payers and Health Market Partners buy and sell healthcare services more intelligently.
HM
“I am so excited to join MacroHealth as the SVP of Product Management for two key reasons: first, our culture is amazing, everyone is treated like family while valuing one another, and second, our strategy is something I truly believe in,” said Weir. “I have been working in healthcare IT for 15 years in the provider, payer and pharma spaces, and I love that the MacroHealth Intelligent Exchange platform will help seamlessly stitch together all sides of the healthcare industry and provide payers with network access no
matter where their members live.”
Weir brings over 15 years of experience in healthcare IT to her role at MacroHealth, having previously held product leadership positions at Real Chemistry and MedeAnalytics. Most recently, she served as Chief Product Officer at Medecision. Weir’s extensive knowledge of the healthcare industry, combined with her expertise in technical analytic systems, engagement tools, and digital care management, makes her uniquely qualified for this new role.
“I am excited for Kristin to join the MacroHealth product management team,” said MacroHealth’s Chief Technology Officer, Ryan Hamilton. “She brings with her a wealth of knowledge and experience in scaling product innovation and delivering customer value. Her ability to apply information technology and data intelligence to help organizations optimize and connect across their health ecosystems will be an asset to the team.”
Treading Water with Healthcare Transparency Legislation?
Stay Afloat with IPS’s Key Insights on NSA, TiC, and LCMTA
In our turbulent industry, staying up to date with the latest regulations is a must. Connect with Integrated Payor Solutions CEO Shawn Evans this July, and dive into critical NSA, TiC, and LCMTA updates. Plus, discover how IPS’s cloud-based Transparency+ solution streamlines compliance processes, ensuring you stay ahead of regulatory demands.
Technology that Actually Makes Life Easier
Full stack, fully secure.
Welcome to cloud-powered claims administration made user-friendly and secure.
NO barriers to entry
NO additional IT resources or costs
Salesforce-powered
No strings attached, no extra costs.
Compliance is changing quickly, but Transparency+ is your future-proof solution, checking off every NSA and ACA box.
Fully scalable
NO fees or strings attached
Salesforce-powered
Sail into the future of compliance with IPS this July.
Shawn Evans CEO sevans@integratedpayorsolutions.com
Vālenz® Health Strengthens Capabilities with New Hire
Vālenz® Health announced that Heather Wiehe, Esq. has joined the leadership team as Vice President, Legal and Compliance.
Previously, Wiehe was Director, Regulatory and Product Counsel for Collective Health, where she addressed state and federal regulatory issues, including the corporate practice of medicine, Stark/antikickback statutes, privacy/data security, intellectual property, third-party administration, coordination of benefits, and proprietary claims system lifecycles. She offers a strong background in claims processing and health stacks, documenting legal implications and enhancing operational growth.
“For more than 15 years, Heather has leveraged her deep understanding of healthcare operations and her legal expertise to support business, risk and compliance partners in proactively addressing legal challenges,” said Rob Gelb, Chief Executive Officer of Vālenz. “From the very beginning of her law career, she has shown her dedication to addressing the complexity of healthcare and being part of that solution. She’s a perfect fit for our team, and we are thrilled to have her.”
“At Vālenz, the entire team joins together in challenging the status quo, which creates an exceptional environment for growth and innovation,” Wiehe said. “The passion for excellence and the commitment to upholding the highest standards are already in place here. I look forward to being a part of that culture.”
Validation Institute
Recognizes Nova Healthcare AdministratorS
Nova Healthcare Administrators, Inc. (Nova) was recently revalidated through the Validation Institute for 2024 in the common chronic condition management category. The validation comes
after a thorough data analysis that confirms Nova’s clinical protocols drive measurable improvements in health plan trends.
“This award is important to Nova because of its external confirmation of the efficacy of Nova’s programs for clients and their plan participants,” said Jim Walleshauser, President of Nova. “It stands as a testament to the dedicated efforts and collaborative spirit of our team members across medical management, care navigation, data analytics, and client services. At Nova, our overarching goal is to simplify the complexities of the healthcare system for insurance brokers, clients, and their members. This validation unequivocally reaffirms our commitment to delivering on our promises within the industry.”
Nova creates a cost and risk management strategy tailored to our clients’ goals. Our approach includes analyzing medical, behavioral and pharmacy claims, plus operational observations and clinical data. Using this data, Nova works with clients to develop strategies that address preventive care, early detection of illness, improving treatment compliance and appropriateness of services. Based on 2023 data, Nova has once again achieved below-average admissions and emergency room visits for common chronic diseases (asthma, coronary artery disease, congestive heart failure, hypertension, COPD, and diabetes) compared to a national benchmark.
“While all event rates fell in 2020-2021, Nova’s declined more than most and did not increase as much in 2023 and 2024,” noted Al
Lewis, co-founder of Validation Institute and CEO of Quizzify. “A nice performance as usual!”
Glenn Strecker to Lead Sales Team at zakipoint Health
zakipoint Health has tapped Glenn Strecker to lead its sales team.
Having managed large regional territories, Glenn has developed a profound understanding of the US healthcare landscape. His experience spans across all lines of business, with solutions that have addressed issues for Commercial, Medicare, and Medicaid (Medi-Cal in California). Glenn’s portfolio of “best in class” solutions includes evidence-based guidelines, care management software, digital health, and over five years of specific analytic methodology selling expertise.
Glenn Strecker Sales Director zakipoint Health
Glenn has worked extensively with Medical Management, Strategy & Innovation, and most recently, Analytic & Informatics executive leaders. Known for developing integrity-based relationships through clear and straightforward communication,
Glenn has a knack for understanding his clients’ unique business challenges and solving their most pressing issues.
Tonya Crawford Joins Crumdale Partners
Crumdale Partners has appointed Tonya Crawford as Sales Director, Captives. Based in Pennsylvania, Crumdale Partners offers custom, self-funded healthcare solutions to a bespoke set of brokers, consultants, and agents across the US.
The firm described Crawford as an expert in the development and ongoing management of medical stop-loss captives, self-funded health plans, commercial health plans, and government health plans.
“She has spent her entire career in healthcare and is passionate about making healthcare more efficient and affordable for employers and patients,” said Crumdale Partners in a company statement. “She is active in CICA and SIIA and was named Highly Commended Individual by Captive International [in its] 2023 US Awards.”Crawford was previously Regional Vice President, Captives at Summit Reinsurance Services, which she joined in April 2023. She was Vice President at True Captive Insurance from April 2021 to March 2023.
Centivo Announces Strategic Acquisition
Centivo, a pioneering healthcare company built to make quality healthcare more affordable for employers and their employees, announced the acquisition of Eden Health, an employercentered virtual-first medical provider, effective immediately. This strategic move enables Centivo to accelerate its plans to scale its primary carecentered health plans to more working families and employers nationwide.
“We are witnessing primary care access problems unlike anything we’ve experienced in our lifetimes. Our system is plagued by chronic shortages in primary care access due to decades of under-investment and misaligned incentives,” said Ashok Subramanian, Founder and CEO of Centivo. “Our partnership with Eden Health – and its
Gray King Senior Vice President and Chief Financial Officer
cutting-edge, technology-centered capabilities in primary care, mental health and urgent care –aligns seamlessly with Centivo’s mission to achieve radical affordability and enhanced patient access for American workers.”
Through this acquisition, Centivo now serves more than 160 employers ranging from Fortune 100 companies to small businesses, with market reach in all 50 US states to remove barriers to healthcare. Eden Health’s clinical services will be fully integrated into Centivo, enhancing the company’s virtual advanced primary care practice while broadening its clinical services to include mental health care, urgent care and workplace pop-up clinics.
The acquisition will also integrate Eden Health’s technology, which interweaves its clinicians’ Electronic Medical Records system with its proprietary member app, enabling data-driven engagement and collaborative care through omnichannel interactions. Eden Health has also proven the ability to deliver a solution that patients love, with a customer satisfaction rating of 4.97 out of 5.00.
Health Plans, Inc. Names New Chief Financial Officer
Health Plans Inc. (HPI), a leading national third-party administrator (TPA) of self-funded benefits, has tapped Gray King as their new Senior Vice President and Chief Financial Officer. Gray joins the senior leadership team to drive the advancement of corporate accounting, financial reporting, and planning and analysis. He brings over 25 years of experience in the industry, specializing in profitability improvement, business growth, and enhancing operations through achievements in expense and revenue management and strategic business plan development.
“Along with his proven track record working for a TPA, Gray brings a wealth of healthcare industry expertise to HPI and is the perfect fit to support HPI’s development,” said Deb Hodges, President and CEO. “Gray is an incredible addition to the team as we continue to show tremendous growth.” Gray most recently served as Vice President of Finance at MedCost, where he provided strategic and financial management and was responsible for a multi-million-dollar annual increase in operating income.
“It’s an honor and a privilege to join an incredible team at HPI,” said Gray King. “It takes great people to make a company great, and HPI’s decades of success and recent emergence as one of the fastestgrowing TPAs in the country are a testament to the people and the culture they’ve created. I’m excited to collaborate with teams across the company to continue reaching ambitious goals.”
Captive Resources Announces Key Executive Hires.
With its increased focus on medical stop loss group captives, Captive Resources, Inc (CRI) has created two separate business units: property & casualty (P&C) and health solutions. In addition to these business units, CRI also has two subsidiaries: Kensington Management Group and Edgewater Actuarial Insights.
HPI
In December 2023, three key CRI senior leaders with proven track records of success within the organization were asked to take on expanded responsibilities: JP Boulus as President, P&C, Donna Dreuth as Chief Financial Officer and Chief Administrative Officer and John Pontin as Chief Growth Officer.
CRI has also recently hired several additional senior executives: Steven Gransbury as President, Health Solutions; Mark Knipfer as Chief Strategy Officer; and Terry McCafferty as Chief Underwriting Officer, P&C.
Gransbury joined CRI in April. Prior to joining CRI, he was Head of Specialty for QBE North America. Knipfer joined CRI in January. Prior to joining CRI, he was Chief Operations Officer at Zurich North America. Finally, McCafferty joined CRI in December 2023. Prior to joining CRI, he was President and Chief Executive Officer of Falls Lake National Insurance Company at James River Holdings.
Hentges commented: “I am very excited about the recent changes and additions to our leadership team. These changes position Captive Resources for the continuing robust growth we’re seeing in both our property & casualty and health solutions businesses.
“We spend a great deal of time thinking strategically about the future and ensuring we have a management team that will continue moving Captive Resources forward. The key to our success is providing outstanding service to our clients and their brokers. Building our management team and remaining focused on hiring the very best talent is critical to giving our clients the exceptional captive experience that has become a hallmark of our company.”
2024 SELF-INSURANCE INSTITUTE OF AMERICA
BOARD OF DIRECTORS
CHAIRMAN OF THE BOARD*
John Capasso
President & CEO
Captive Planning Associates, LLC
CHAIRMAN ELECT*
Matt Kirk
President
The Benecon Group
TREASURER AND CORPORATE SECRETARY*
Amy Gasbarro
DIRECTOR
Stacy Borans
Founder/Chief Medical Officer
Advanced Medical Strategies
DIRECTOR
Mark Combs
CEO/President
Self-Insured Reporting
DIRECTOR
Orlo “Spike” Dietrich Operating Partner
Ansley Capital Group
DIRECTOR
Deborah Hodges President & CEO Health Plans, Inc.
DIRECTOR
Mark Lawrence President
HM Insurance Group
DIRECTOR
Adam Russo CEO
The Phia Group, LLC
DIRECTOR
Beth Turbitt
Managing Director
Aon Re, Inc.
VOLUNTEER COMMITTEE CHAIRS
Captive Insurance Committee
Jeffrey Fitzgerald
Managing Director, SRS Benefit Partners
Strategic Risk Solutions, Inc.
Future Leaders Committee
Erin Duffy Director of Business Development
Imagine360
Price Transparency Committee
Christine Cooper CEO
aequum LLC
Cell and Gene Task Force
Shaun Peterson
VP Head of Worksite Solution
Pricing & Stop Loss Product
Voya Financial
* Also serves as Director
SIIA NEW MEMBERS
JULY 2024
CORPORATE MEMBERS
Jon Peiffer Chief Operating Officer Administrative Concepts, Inc. Collegeville, PA
Alex Soria Principal AITo Brokers and Consultants Coral Gables, FL
Richard Hunter VP-Controller
BLIS Insurance Services, LLC Sandy, UT
Paul Merrell Vice President of Marketing FAIRCO
New York, NY
Rob LaHayne Co-Founder & CEO Leap Health New York, NY
David Steigerwalt Director Sales Development VersusRx Lake Mary, FL
EMPLOYEE MEMBERS
Greg Wilson President Guy Yocom Construction Norco, CA
Streamline, balance, and clarify the healthcare financial experience.
Doesn’t sound possible. But Zelis is delivering. We’ve saved over $27B in network and claim costs while helping healthcare carriers, TPAs, and self-insured employers modernize the healthcare financial experience.
Zelis is your trusted partner to optimize financial performance for your clients.
Connect with Zelis today at 888.311.3505 or visit zelis.com to get started.
