New Rule Specifies Medicare Secondary Payer Penalties for Failure To Report Insurance Coverage or Settlements

On October 10, the Centers for Medicare & Medicaid Services (CMS) issued a final rule, “Medicare Secondary Payer and Certain Civil Money Penalties” (Final Rule), which was published in the Federal Register on October 11 (available here). 1 The effective date of the Final Rule is December 11, and the provisions of the Final Rule are applicable on or after October 11, 2024. This rule provides useful clarity about the reporting requirements imposed on entities that are required to pay primary to Medicare for health services furnished to Medicare beneficiaries pursuant to the Medicare Secondary Payer (MSP) provisions of the Social Security Act (the Act), in particular about the circumstances under which these entities may be subject to civil monetary penalties (CMPs) for inadequate reporting. In the Final Rule, CMS backed away from several more rigorous provisions the agency had proposed and adds detail with respect to other provisions.

Background

Section 1862 of the Act defines circumstances in which Medicare is the secondary payer to group health plans (GHPs) and non-group health plans (NGHPs), which include worker’s compensation plans, liability insurance (including self-insurance), and no-fault insurance. These entities, referred to as responsible reporting entities (RREs), are required to report to CMS on situations where they must pay primary to Medicare: on health insurance coverage for Medicare beneficiaries (such as when coverage begins or ends) or on instances a judgment, award, settlement, or other payment is made, or payment responsibility is otherwise assumed. CMS may impose CMPs against RREs that fail to comply with these reporting requirements. The Act specifies that GHPs and NGHPs are subject to CMPs of $1,000 or up to $1,000, respectively, for each calendar day of non-compliance. 2

CMS Scales Back the Bases for Imposing CMPs

The Final Rule establishes that the only basis for the imposition of a CMP is for untimely reporting of the required information.

• For GHE RREs, untimely reporting means a failure to report any beneficiary record within one year (365 days) from the GHP coverage effective date or the Medicare beneficiary’s entitlement date, whichever is later. 3
• For NGHP RREs, untimely reporting is a failure to report any beneficiary record within one year from the date of settlement, judgment, award, or other payment, or the effective date on which ongoing responsibility for payment of medical care has been assumed by the entity. 4

Accordingly, penalties will not be imposed for other causes, such as in relation to the quality of reporting.

This policy departs from that in the proposed rule, which included two additional proposed scenarios in which a CMP could be imposed on RREs: (1) where the RRE reported but exceeds an error rate tolerance threshold established by the agency during certain consecutive reporting periods and (2) where an RRE’s response to CMS recovery efforts contradicts the entity’s reporting (e.g., the RRE reported primary payment responsibility for a given beneficiary, then responded to the recovery effort that coverage terminated two years prior). 5 CMS declines to finalize imposition of penalties in these scenarios, agreeing with commenters that the goal should be to motivate proper reporting and compliance and not to be overly punitive.

The Final Rule Outlines an Audit Methodology and Informal Notice and Dispute Process

CMS establishes an audit methodology in the Final Rule in response to commenters’ concerns that CMPs should not apply to entities making “good faith efforts” to comply or occasionally reporting with errors. The agency had proposed to conduct an automated review of all RRE records submitted, but instead CMS will audit a random sample of new beneficiary records received quarterly, as explained below. CMS expects that smaller entities “are inherently much less likely to have their records audited for compliance” under this approach (as opposed to an automated review of all records). 6 The agency also indicates that random auditing with manual review, as opposed to using a computer-based algorithm, will enable CMS to better monitor trends in reporting and discover areas that present challenges for RREs, without resorting to penalties that are disproportionate to the level of noncompliance.

The Final Rule further clarifies how CMS will identify noncompliance, which was not addressed in the proposed rule. 7 CMS will use the following process for auditing a random sample of recently added beneficiary records:

• Audit 250 individual beneficiary records per quarter across all RRE submissions. GHP and NGHP records will be evaluated proportionately based on the numbers of recently added records for both types.
• At the end of each quarter, randomly select the applicable number of records and analyze for noncompliance:
  • Noncompliance is defined as “any time CMS identifies a new beneficiary record that was not reported to CMS timely.”
  • Timeliness is defined as “reporting to CMS within one year of the date GHP coverage became effective, the date a settlement, judgment, award, or other payment determination was made (or the funding of a settlement, judgment, award, or other payment, if delayed), or the date when an entity’s Ongoing Responsibility for Medicals (ORM) became effective.”

  Penalties will be imposed as follows:

  • For GHP entities, impose a penalty (see below) for any selected record that is more than one year (365 calendar days) late.
  • For NGHP entities, impose a penalty (see below) for any selected record determined to be noncompliant.
  • Calculate the penalty to be imposed by multiplying the number of audited records found to be noncompliant by the number of days that each record was late and then multiply the resulting product by the appropriate penalty amount (described below).

  CMS also intends to implement a “pre-notice” process to communicate with RREs that might be subject to a CMP informally before a formal enforcement action is taken. The RRE will thus have an opportunity to examine its records and identify any discrepancies or mistakes that could eliminate the potential CMP. The RRE will have 30 calendar days to respond to the informal notice with mitigating evidence for CMS’ review. CMS leaves the process open to any reasonable mitigating factors, specifying that RREs can clarify, mitigate, or explain any errors that were the result of a technical issue or due to an error or system issue caused by CMS or its contractors.

  If CMS decides to impose a CMP after this informal process, CMS will provide formal notice to the RRE in writing in accordance with 42 C.F.R. § 402.7, which will include information on the event that has triggered the proposed CMP, the amount of the proposed CMP, and next steps for the RRE, including a right to a hearing in accordance with 42 C.F.R. § 402.19 and part 1005.

  Final Applicable CMP Amounts

  In the Final Rule, CMS responds to commenters’ concerns about the potential magnitude of CMPs for untimely reporting and suggestions for a “sliding scale” or “tiered” approach to CMPs. Exercising its discretion to impose “up to $1,000” per day on NGHP RREs, 8 CMS finalizes an alternative “tiered approach” for such entities. This approach is based on the length of time that an NGHP entity has failed to timely report the required information, and the following daily CMP amounts apply:

  • $250 for each calendar day of noncompliance where the record was reported one year or more, but less than two years after the required reporting date
  • $500 for each calendar day of noncompliance where the record was reported two years or more, but less than three years after the required reporting date
  • $1,000 for each calendar day of noncompliance where the record was reported three years or more after the required reporting date 9

  These amounts are adjusted annually under 45 C.F.R. part 102, and the maximum (total) penalty that CMS will impose on an NGHP entity for any one instance of noncompliance for a given record is $365,000 (as adjusted annually under 45 C.F.R. part 102). 10

  With regard to GHPs, however, CMS notes that it does not have authority to alter the penalty amounts under section 1862(b)(7) of the Act, which specifies $1,000 per day of noncompliance. Therefore, the CMP amount for GHPs under the Final Rule is $1,000 (as adjusted annually under 45 C.F.R. part 102) per day per reportable individual. 11

  CMS Recognizes Two Safe Harbors; Identifies When CMPs Do Not Apply

  In the Final Rule, CMS recognizes two safe harbors that would preclude imposition of a CMP, but acknowledges that “other situations may exist where it is inappropriate to penalize an entity for noncompliance.” 12 The first encompasses untimely reporting that is the result of a technical or system issue outside of the control of the RRE, or that is the result of an error caused by CMS or one of its contractors. The second covers untimely reporting by an NGHP that is the result of a failure to acquire all necessary reporting information due to a lack of cooperation by the beneficiary, provided that certain standards are met. Untimely reporting as a result of either scenario would not be considered noncompliance under the Final Rule.

  In relation to the second safe harbor, CMS proposed an exemption for an NGHP entity that fails to report required information because it is unable to obtain the necessary information after good faith efforts (proposed § 402.1(c)(22)(ii)(A)). CMS expands on this circumstance in the Final Rule given NGHP entities’ concerns about the type and number of communication attempts an RRE must make to obtain information and the required documentation of express refusal by individuals (or their attorneys or representatives) to provide the necessary information. Although CMS finalizes its proposal to require the RRE to make a total of three attempts, the Final Rule permits the third attempt to be via telephone, electronic mail, or some other reasonable method. Additionally, no further attempts by the RRE are required if the individual (or attorney/representative) unambiguously declines to furnish the requested information.

  In summary, as finalized, to avoid a penalty for failure to report, an NGHP must (1) communicate the need for the required information to the reportable individual and his or her attorney, or other representative, if applicable, or both; (2) request the information from the reportable individual and his or her attorney, or other representative (if applicable), at least three times: once in writing, at least once by mail, and at least once by phone or other means of contact if there is no response to the mailings; (3) not have received a response or have received a written response explicitly stating that the reportable individual refuses to provide the required information; and (4) have documented its efforts to obtain the reportable individual’s Medicare Beneficiary Identifier or Social Security Number (SSN) (or the last five digits of the SSN). 13 NGHPs also must keep relevant documentation for at least five years. 14

  The Final Rule also provides that CMS will not impose CMPs on NGHP entities for instances of noncompliance that are related to a specific reporting policy or procedural change by CMS that has been effective for less than six months. 15 CMPs also will not be imposed if GHP and NGHP RREs comply with any reporting thresholds or any reporting exclusions. 16

  CMS Clarifies the Statute of Limitations; Prospective Application of the Rule and CMPs

  CMS also clarifies that it will apply the standard five-year statute of limitations required under 28 U.S.C. § 2462. Although commenters advocated for a three-year statute of limitations, citing section 1886(b)(2)(B)(iii) of the Act, CMS explains in the Final Rule that the provision is inapplicable because it relates to legal actions CMS may take for recovery of MSP debts (overpayments), which are distinguishable from the imposition of CMPs. Accordingly, a five-year statute of limitations applies. 17

  CMS also affirms that enforcement of the Final Rule is prospective, noting that it will evaluate compliance based only upon files submitted by the RRE on or after the effective date of the Final Rule (December 11, 2023). Moreover, the basis for triggering CMPs will only be for instances of noncompliance based on settlement dates, coverage effective dates, or other operative dates that occur after the effective date of the Final Rule. As such, CMS states “there will be no instances of inadvertent or de facto retroactivity of CMPs.” 18 CMS also makes clear that the one-year period to report the required information before CMPs would potentially be imposed would begin on the later of the rule’s effective date or the settlement or coverage effective dates which an RRE is required to report in accordance with sections 1862(b)(7) and (b)(8) of the Act.

  As for the imposition of CMPs after the rule is effective, the Final Rule provides that no CMP will be imposed until at least one year (365) days after the later of: (1) the applicability date of the Final Rule (October 11, 2024) or (2) the coverage effective date or settlement date that an RRE is required to report. CMS notes that “[t]his is a minor change from the proposed rule which seeks to clarify that RREs will have at least 1 year from the rule applicability date before any CMP is contemplated.” 19

  © Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.

  1. 88 Fed. Reg. 70363 (Oct. 11, 2023).
  2. Sections 1862(b)(7) and (b)(8) of the Act. Note that these dollar amounts are subject to inflation adjustments; for 2023, the amounts are $1,428. 45 C.F.R. § 102.3.
  3. Codified at 42 C.F.R. § 402.1(c)(21)(i).
  4. Codified at 42 C.F.R. § 402.1(c)(22)(i).
  5. 85 Fed. Reg. 8793, 8798 (Feb. 18, 2020).
  6. 88 Fed. Reg. 70370.
  7. 88 Fed. Reg. 70369-70370.
  8. Section 1862(b)(8) of the Act.
  9. 42 C.F.R. § 402.105(b)(3)(i).
  10. 42 C.F.R. § 402.105(b)(3)(ii). Note that the 2023 value associated with a nominal penalty of $1,000 is $1,428. 45 C.F.R. § 102.3.
  11. 42 C.F.R. § 402.105(b)(2).
  12. 88 Fed. Reg. 70368. CMS does not further expand on such other scenarios, directing RREs to utilize the appeals process if a situation arises that an RRE believes make a CMP inappropriate.
  13. 42 C.F.R. § 402.1(c)(22)(ii)(A).
  14. 42 C.F.R. § 402.1(c)(22)(ii)(A)(4). CMS also reassures NGHP RREs that communications with beneficiaries where the sole attempt is to comply with federal requirements would preempt any privacy or anti-harassment laws.
  15. Or for one year, if CMS is unable to provide a minimum of six months’ prior notice before implementing such change). See 42 C.F.R. § 402.1(c)(22)(ii)(C).
  16. 42 C.F.R. § 402.1(c)(21)(ii)(B) and (22)(ii)(B).
  17. See 88 Fed. Reg. 70368.
  18. Id.
  19. 88 Fed. Reg. 70369.