April 15, 2025 • 30 mins
In this episode of ShiftShapers, host David A. Saltzman welcomes compliance expert Carol Taylor, JM, of BenefitMall, for a deep dive into the rapidly evolving world of employer compliance. From court rulings and legislative penalties to HIPAA security updates and AI-driven benefit denials, Carol offers critical insights for anyone navigating today’s tangled regulatory landscape.
She unpacks the latest on ERISA preemption battles, mental health parity lawsuits, and the real-world impact of complex compliance rules on small agencies and employers. With rising penalties and tech-driven claim denials making headlines, Carol arms listeners with strategies to stay compliant—and stay out of court.
🤖 Sponsored by BenePower
BenePower is an AI-powered platform helping advisors build high-impact, self-insured health plans quickly and seamlessly. By integrating best-in-class point solutions and eliminating inefficiencies, BenePower reduces costs, improves member outcomes, and positions advisors as industry leaders.
🔗 Learn more at BenePower.com
🔑 Key Takeaways from This Episode
📌 Penalties Are Rising—And Enforcement Is Too
Missing a CHIP notice or 5500 filing? That could cost thousands per day. Carol outlines the latest penalty increases and why the IRS is stepping up enforcement.
📌 HIPAA Security Changes Are Coming
From encryption rules to breach simulations, the proposed HIPAA security updates raise the bar—especially for small agencies who now face enterprise-level expectations.
📌 Compliance Risks from AI-Powered Claim Denials
Carol explains how AI is being used inappropriately by some carriers—and why plan sponsors need to examine how these tools align with ERISA.
📌 ERISA, MIA, and Legal Landmines
With court cases mounting over PBM regulation and mental health parity, Carol breaks down what’s at stake and how employers can avoid becoming the next headline.
📌 Future-Proofing Your Compliance Strategy
From updated plan docs to tighter internal protocols, Carol shares best practices that can help advisors and agencies stay ahead of evolving rules.
⏱️ In This Episode
00:00 – Introduction to Compliance Challenges
02:01 – Legislative Updates and Penalties
09:25 – HIPAA Security Rule Changes
18:11 – Court Cases and Legal Battles
23:20 – Mental Health Parity and Addiction Equity Act
27:00 – Future of Compliance and Final Thoughts
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
If keeping up with compliance and legislation takes
a gallon of coffee, a lawdegree and maybe a licensed
therapist on speed dial, how doyou know what actually matters
and what you need to know?
Today, We'll find out on thisepisode of Shift Shapers.
Speaker 2 (00:16):
Change either energizes or paralyzes.
The choice is yours.
This is the Shift Shaperspodcast, bringing the employee
benefits industry interviewswith individuals and companies
who are shaping the industryshifts.
And now here's your host, davidSaltzman.
Speaker 1 (00:38):
And to help us answer those questions, we have
invited Carol Taylor JM, who isa compliance specialist at
BenefitMall and, in fulldisclosure, an old, dear friend
of mine.
Welcome, Carol.
Speaker 3 (00:49):
Thank you.
Speaker 1 (00:50):
And Ayla is in the background.
If you see ears and a dog,that's Carol's assistant.
Yes, lots of stuff going on,but I got a question Does it
just seem as though it's gettinglike thicker and weirder and
more stuff is coming at usfaster, or is that reality?
Speaker 3 (01:08):
That's actually reality.
So, while we're not seeing asmuch legislation come through
right now because DC is morezoned in on budget and other
larger issues, we're seeing alot in the courts is actually
where a lot of this stuff isplaying out.
(01:30):
You know there's so many movingpieces and parts and you know
it seems like every part of theyou know every part of the
government deals with what we do.
So it's kind of a fast andfurious and sometimes you don't
know oh wait, is that the rightthing now or is that the right
(01:51):
thing?
And you have to remember toeven go look at what the courts
are doing, because there's beenso many lawsuits.
Speaker 1 (01:58):
Yeah, and we'll talk about that as we get into this a
little bit more.
Let's start with somelegislative stuff.
Now.
There are some updatedpenalties that have been
floating around and I'm not sureeverybody's aware of them, so
can you bring us up to date onwhat that's all about?
Speaker 3 (02:13):
Absolutely so.
Every year there's an inflationadjustment on penalties.
So your 5,500 filings those arenow up to $2,739 per day that
you don't file.
Now remember there is adelinquent filer option which
(02:34):
can help save a business money,especially if you've got
multiple years of delinquentfilings.
So don't forget about that.
But yes, it's still a prettyhefty price tag on that.
Um, if you are a MIWA multipleemployer welfare arrangement
those are now up to $1,992 perday for the schedule M1, if
(02:58):
those are supposed to be filed.
And one thing that a lot ofpeople don't understand is a
MIWA can be as simple.
As you're an employer and yourstate allows 1099 subcontractors
to come onto your policy asbeing eligible, you've just
created a MIWA if you bring themon because they're another
(03:21):
employer.
So I kind of always like tothrow that out there.
You know, when looking at allof these rules we also have if
you don't send out the CHIPnotices to your employees,
that's $145 per day per affectedperson.
So you got mom, dad, couple ofkids that's not just one person,
(03:48):
that could be two, three, four.
Um, if you don't file or uhprovide a summary of benefits
and coverages, you know thething that the ACA made uh a
requirement that is $1,443 peraffected person, $7,443 per
affected person and then, ofcourse, if you have
(04:11):
unintentional failures toprovide or meet the GINA
requirements, the GeneticInformation Nondisclosure Act,
the cap on that is now up to$728,764.
Speaker 1 (04:31):
Yikes.
Speaker 3 (04:33):
What would be an unintentional failure?
Basically not keeping thegenetic information separate
from your HR and or other files.
So something as simple as youknow.
Somebody gave you a copy of alab test for some reason.
(04:55):
You know the results.
For some reason because thatwould contain genetic
information potentially on it,because not everybody's numbers
are the same.
So something simple like thatcould cause a problem.
Speaker 1 (05:07):
Fun and games.
Speaker 3 (05:10):
Yeah, it's a lot.
Speaker 1 (05:12):
Well, it's a lot and it's getting expensive because
you know its employers don'tjust have liability on one of
these items, they have liabilityon some subset of them and so
you start adding it up andpretty soon it's serious money
it is, and is the governmentreally going tooth and nail at
trying to collect this stuff?
Speaker 3 (05:32):
Absolutely.
One other item in that is the1095s your failure to file For
2025, it's $330 per form andthat's for A not filing with the
IRS and B also not distributingthose.
So they charge twice thatamount.
Which kind of leads me into amajor issue that we've been
(05:56):
seeing lately is that a lot ofemployers have not done those
1094-1095 filings with the IRSand it is absolutely imperative
that if you get a 5699 letterfrom the IRS which is what those
, the little numbers you'll seesomewhere over on the top right
side, are going to indicate, youhave got to respond to that and
(06:20):
it, you know, could be that,hey, we need an extension to
figure out because you mighthave had personnel changes and
you don't know if somebody,maybe if the IRS, messed up,
because you know they're notperfect as much as they may try
to claim to be.
But I've even seen where thefilings have been done and the
IRS claims that, oh no, wedidn't get it.
The filings have been done andthe IRS claims that, oh no, we
(06:43):
didn't get it.
Well, here's the you know theacceptance confirmation number
that you sent back on this date,this time, and then they go
oops, we goofed.
But those penalty letters, youknow, at the very minimum get an
(07:05):
extension on them.
Because what we're seeing andI've seen more than one of these
, I've actually seen quite a fewof them where employers are not
responding on those quicklyenough and they're getting a
seizure notice to seize assetsletter from the IRS.
(07:26):
And that's actually very recentas of last month, so it's
pretty scary.
Speaker 1 (07:33):
And now a word from our sponsor.
You're not just an advisor,you're a game changer.
Forget cookie cutter off theshelf solutions.
That's yesterday's news.
It's 2025, and it's all aboutdelivering bold, custom-crafted
plans that truly make adifference.
At the core is a razor-sharpself-insured framework, but the
(07:55):
real magic that's in thehigh-impact point solutions.
You strategically layer in toslash costs and supercharge
member outcomes.
But let's be real, that's wherethe headaches start.
Hours wasted sifting throughendless options, wrestling with
integration issues and fightingdata-sharing roadblocks.
It's a time suck and it'sholding you back Not anymore.
(08:20):
Meet Benapower, the AI-poweredgame changer that builds killer
plans in minutes, not hours.
Benapower doesn't just curatethe best point solutions.
It makes them work togetherseamlessly, streamlining
communication and drivingcollaboration like never before.
With Benapower, you're armedwith an end-to-end AI-enabled
(08:41):
solution that makes youunstoppable.
Spend less time piecingtogether a patchwork plan and
more time selling your clients.
Get unmatched ROI and youbecome the go-to advisor that
everyone's talking about.
Want to take your game to thenext level?
Visit benapowerai or schedule ademo at info at benapowercom.
(09:05):
Find your power with Benapower.
And now back to our conversation.
So the beast needs to be fed ona regular basis, and if you
don't, they're going to come foryou.
We'll talk about the lawsuitsthat are going on in a little
while, but there's loads ofother ways to get in trouble too
(09:25):
, apparently, moving on toregulatory stuff, because you
and I have talked for years thatsometimes it's not the legal
stuff that gets you, it's theregulatory stuff gets you.
It's the regulatory stuff.
Congress will pass A, b, c or D, but then the agencies start
making regulations, and some ofthem do it better than others.
Some of them don't understandevery little facet of the
(09:46):
marketplaces that they'reregulating, and so it becomes a
challenge.
But I know there's some newHIPAA security rule changes, and
since HIPAA stands for helpingirritate practically all
Americans, let's talk aboutthose.
Speaker 3 (10:00):
I love that one.
I've also heard it as healthinsurance paying all attorneys,
which is another lovely.
Speaker 1 (10:07):
I was trying not to be mean to a person.
Yeah, I know.
Speaker 3 (10:10):
But, yeah, it does irritate all of us.
So, as we know that, there's anumber of proposed regs that
came out, uh, towards the end oflast year, first part of this
year, and, of course, these arestill in a comment period, or no
, it actually just ended, uh,last week, I believe.
Um.
So the government is, of course, going to go through and read
(10:34):
through those comments and makesure, see what, um, you know,
changes they might want to do ornot.
But these new proposed HIPAAregs actually bring business
associates into these highersecurity requirements and it
would require annual trainingwhich, although HIPAA already
(10:55):
does that, it brings it down tothe BAA level.
So you would have to trainthese people within 30 days of
hiring them.
You would have to shut offtheir access within five hours
of their termination, andactually it's probably better to
do it within about five minutesof it, because you never know.
(11:18):
You know it's not hard to have aHIPAA breach.
You have to have real-timesystem monitoring.
So if you're a small agency,you've got to hire an IT
department basically to monitorthis stuff for you.
You have to have, of course, ismulti-factor authentication, so
(11:40):
either using you know the textcode or going into another
system to get a code to somehow,you know, keep that.
You know, keep that otherauthentication there, stronger
passwords.
Gone are the days of password123, like so many people way
(12:03):
back in the day did.
Now you need to use some kindof phrase to really make it work
.
Numbers, special characters,those things you have to do,
testing on their systems, andyou also have to test the
response to it.
So you basically should bedoing some form of a mock breach
(12:30):
and testing what happens, who'sgoing to do what, and make sure
that your response, you knowcomes in, you know is at the
appropriate level.
You need backups of your dataand being able to move that over
to another system because,let's say, you get a virus on
(12:50):
your computer.
Well that's, you're going tohave to get that entire computer
basically wiped and then theinformation put back on.
Same thing, you might have togo get a brand new computer
because you know that could havedone something.
You never know what happens.
Making sure that you're able torecover quickly.
(13:15):
The electronic PHI must beencrypted, even when it's
resting.
So if it's just sitting out ona cloud server, you have to make
sure that it's encrypted, thedata itself, um, and if it's in
transit.
So you've got PHI on yourlaptop, you better make sure
(13:36):
that it's always locked upbecause that and it's got to be
encrypted sitting on that harddrive.
There's expanded documentationrequirements, so you have to
show so.
If an auditor comes knocking onyour door, you've got to show
that, yes, we've done all ofthis testing, this training.
This person did this this time.
(13:58):
Best to try to do it onlinebecause then you can date and
timestamp that stuff.
You have to conduct annualsecurity audits, which means
review and test those policies,and one of the other items here
is the business associateagreements.
Once this rule is finalized,all BAAs are going to have to be
(14:21):
updated with this new policieswithin one year of the final
rules being released.
So it's a lot really need totake this into heart and make
(14:42):
sure that they're, you know,putting their you know, getting
their data somewhere where it issecure.
Speaker 1 (14:47):
Well, that was kind of one of my follow-up questions
and it's really not so much alegal or a compliance question.
Just, you know, you work for agood-sized organization and
they're fortunate to have acouple of folks who deal with
compliance stuff, but do you seethis as a drag on sole
practitioners?
Or I mean, what is a solepractitioner or even a small
agency?
They can't afford to do allthis stuff.
What are they doing?
Speaker 3 (15:10):
A lot of small agencies that I know are not
really doing much.
They haven't, and, you know,even when HIPAA came in, very
few did it.
Now, even having two people andnetworking together, you're
likely going to have to getsomebody to work on your network
, and in which case it's best togo ahead and get you know an
(15:31):
outsourced IT company that cancome in monitor.
Even that doesn't necessarilyprotect you against a breach.
Former client it was actually amedical lab and they got
breached.
They had a ransomware attack.
Their 24-7 monitoring systemshut it down.
(15:52):
So they actually did not loseany data, they did not need to
deal with the ransom, theybasically just ignored it.
But what that did is it openedup kind of the back doors where
the system had some issues andthey had a second breach or a
(16:14):
second attempt, and that one.
It took them two weeks.
They were totally shut down.
They could not even make aphone call because they used
internet for their phone lines,and that's actually how it came
in.
Um, scary stuff, yes, and theyended up going out of business.
(16:35):
It was that expensive for themto recover.
Speaker 1 (16:38):
Not totally surprising.
Speaker 3 (16:40):
Yeah, and that was even with an outstanding HIPAA
breach penalty, which I have notgone back to look to see if
that ever got resolved or not,because I know it takes the DOL
a bit of time for that but it'sexpensive for that to happen.
(17:02):
And actually 23andMe isactually in bankruptcy court
because of a data breach andguess what?
That's all genetic information.
So even though they're not ahealth plan, you know I don't
know about you, but I don't wantmy genetic information out
there somewhere for somebody togo get.
Speaker 1 (17:22):
Yeah, it's, it's, it's.
So, before we move off of this,you mentioned that the comment
period closed Once these rulesand regs get finalized.
What are you looking for as animplementation date?
Speaker 3 (17:35):
It could be 90 days, 180 days out.
It just depends on how quicklythe regulatory agencies put out
the final Charming yeah, wedon't ever know, sometimes they
sit on these things for years.
We're still operating underproposed regulations for Section
(17:58):
125 plans from 2007 or 8, Ibelieve.
Speaker 1 (18:05):
Wow, yeah.
So let's move on to somethingthat's a lot more fun and that's
what's going on in the courts,because a lot of people thought
that it started and ended withthe J&J lawsuit, but there's
been a lot more stuff going onand what's interesting is and
maybe you can comment on it aswe go through some of the court
(18:25):
cases is that A what peopledon't realize is that this hauls
them into federal court andthat in a lot of instances and
that's a ton of money just inand of itself it's not like you
know going down and paying aparking ticket and you know
being sentenced to take somedriver's ed or you know, or some
remanding courses.
What's going on with the courtsand what do people need to know
(18:49):
about?
Speaker 3 (18:50):
So there are a ton, and when I say a ton I'm talking
about basically almost everystate.
I'm talking about basicallyalmost every state.
There's something going on fromPBM laws which are in, you know
, arkansas, florida, michigan,you name it.
There's some PBM law that'strying to be overwrite ERISA,
(19:20):
which remember ERISA.
There's a preemption out there.
Now what the courts arebasically coming out and stating
on those is that the networkfeasibility would be something
that the state could basicallygovern or pull under their
jurisdiction, but the actualcontract and other types of
(19:42):
things that would fall under thefederal ERISA.
And that's kind of been thecase in most of them we do have.
In some of this the lawsuits arenot just so much directed at
the PBM but they're directed atthe fiduciary responsibility.
And that's where we got thatJ&J lawsuit.
(20:03):
The Wells Fargo lawsuit wasactually dismissed I love that
little word dismissed becausethere was actually a settlement.
So basically they paid theclass action people employees,
former employees an amount ofmoney to basically stop the suit
.
The J&J suit was basicallydismissed for not having enough,
(20:27):
shall we say, proof.
But we've already got anamended filing in that, so that
lawsuit's back up and runningagain.
There's a bunch of other suitsout there.
One that is something that Ithink a lot of people need to
understand, that they need to bewatching on, is AI-based
(20:50):
benefit denials.
So a lot of the carriers, theclaim systems, they're using
programs that have AI algorithmsbased in them and they're not
looking for medical necessity,they're just looking at oh well,
that's not always done.
Under this particular diagnosiscode, they may not be looking
at, you know, a secondarydiagnosis code, because it's
(21:13):
literally within 1.2 secondsthat that claim may be getting
denied.
And so a district court andthis one's actually running out
in California where they'rethrowing out the claim denials,
so to speak.
But they did allow thefiduciary responsibility portion
(21:38):
of it to go forward, and that'ssolely based on the carrier ASO
, tpa, using this type ofprogram system process, whatever
you want to call it.
(21:59):
Yeah, so they're allowing it togo forward on the fiduciary side
, because using that does notmeet the plan documents.
So you need to always lookinside of your summary plan
descriptions, summary plandocuments, to see if something
like this is even allowed.
Well, remember, when SPD is arepart of ERISA, this isn't
(22:26):
defined.
Ai is nowhere in ERISA.
I mean, it wasn't until just afew years ago that they actually
put in a definition for apharmacy benefit manager,
because all of these things didnot exist 51 years ago when
ERISA was first introduced andbecame law.
So we really do need a lot of,shall we say, improvements to
(22:51):
ERISA.
Speaker 1 (22:52):
And there's also a lot of action with AI on
pre-auths.
Speaker 3 (22:56):
Yes, and that could also end up in a similar type of
lawsuit.
So it's something whereemployers end up in a similar
type of lawsuit.
So it's something whereemployers whoever the plan
sponsor is and if you'reconsulting, you need to be
checking those plan documents tomake sure that there's not an
issue somewhere that is going tocause one of these lawsuits.
Speaker 1 (23:21):
Let's move on to the gift that keeps on giving, which
is mapia the mental healthparity addiction equity act.
It wasn't enough to just haveall the new regs and all that
craziness.
What?
What else is going on now?
Speaker 3 (23:34):
so there's also lawsuits with mapia, um and um.
This was all brought up underthe, the prior administration,
where eric, which is the ERISACouncil, of course, or coalition
, excuse me of employers, andyou can go in there and search
(23:54):
their databases.
It's got a lot of greatinformation out there on the
ERIC website.
So the new administration wedon't know yet if they're going
to defend that MAPEA lawsuitthat was filed Um, it was
originally had a deadline ofMarch 17th which came and went
(24:15):
Um, the courts then allowed itto get moved back to March the
28th, 28th.
But right before that there wasa filing by the government to
hey, we need 90 days, and thecourt said, nah, we're going to
(24:39):
give you 45.
So hopefully sometime in thenext 45 days we're going to know
if those final 2024 rules areactually going to be in place or
if they're going to revert backto a prior set of final rules,
the pre-2024 final rules.
Um, we don't know that theadministration is looking into
whether they want to even keepthose 2024 rules um, which had
(25:05):
some you know pretty specificthings in them that you know.
It's just it's a very much aproblem to compare like a desk
lamp to a banana, and that's alot of what some of that stuff
is trying to do.
You know if you need a surgery.
(25:26):
It's typically very easy to seethat.
Oh, you know, we took an X-ray,we did an MRI, we did a CT scan
or there's, you know this, youknow.
So we know that there's, youknow, cancer in the blood or
something.
So they know that they wouldneed to do a surgery.
Not so when you're dealing withmental health or substance
(25:47):
abuse disorders, just becauseyou can't.
There's not a simple test forthat, so it's difficult.
Speaker 1 (25:57):
Well, and in addition to that, I mean a lot of the
problems that people are havingwith their filings is around
access, and that's not a probleman employer can solve.
I mean, it's a nationwideproblem.
It's getting worse and yetemployers who fail that section
just go ballistic because theyknow they can't do anything
(26:19):
about it, but they're being heldresponsible for it.
It's just.
This is what we talked aboutearly on in our conversation
about some of the agencies getit, some of the agencies don't.
Some of them get part of it.
You know, it's like that oldjoke about the five blind people
who touch an elephant andeverybody touches a different
part and thinks it's a differentthing and they react
(26:40):
differently.
Speaker 3 (26:41):
Right.
Speaker 1 (26:43):
So you know, after everybody who's doing, everybody
who's helping employers andbrokers do this regulatory work,
they may just roll them allback anyway.
Speaker 3 (26:52):
Right Charming.
Yes, here go do all this stuff.
Oh wait, we were kidding, nevermind.
Speaker 1 (27:00):
So we've got about four or five minutes left.
Gaze into your crystal ball andlet's talk about you know, like
if you had a genie in a lampand you could just rub the lamp
three times and get some thingsdone.
What's on your mind?
Speaker 3 (27:15):
One of the things would be basically updating
ERISA.
You know, getting rid of, youknow, we know that there's, you
know, doges out there in thenews under the, you know,
basically the mission of cuttingwaste, fraud and abuse.
Well, there's a lot of waste,fraud and abuse, even in
disclosure notices.
(27:35):
So how about we update ERISA to, I don't know, even last
century would be good, but thiscentury would be better.
Even last century would be good, but this century would be
better.
You know, being able to havethose definitions, getting rid
of notices that no longer reallyare valid.
Michelle's Law, great law, butit's moot with the ACA and they
(27:58):
could have put something in theACA to get rid of that, you know
.
But of course they use internssitting in offices to write
those laws and they don't knowabout all of these other things
that have to be done.
So that would be a great thingfor employers.
(28:18):
Some of the other things thatyou know.
If I had a genie and a lamp andI could, you know, make that,
one wish would be there's got tobe something done with bad
actors out there.
We know that the Department ofJustice uses a law, a lot that
was actually passed during theCivil War and it's known as the
(28:38):
False Claims Act, and they suefor anything and everything.
So if you build a governmentand you've got a wrong code, you
are likely going to get a FalseClaims Act.
They're going to call it fraud,even though it could just be
somebody's finger slipped, youknow.
But a lot of these judgmentsand we're talking in 2022, which
(29:01):
is the latest report that'scome out 2022, which is the
latest report that's come outthere were $2.2 billion in
settlements and judgments fromthe government on entities for
filing fraudulent, wasteful,abuseful claims of some sort,
and it could be an airplanemanufacturer.
(29:22):
However, we know that $1.7billion of that was actually in
the healthcare industry and ifwe read through who they're
going after, such as the drugmanufacturers, the device
manufacturers, hospitals,durable medical equipment,
(29:42):
hospitals, durable medicalequipment, home health care
agencies, pharmacies, hospiceorganizations and even
physicians you know what I don'tsee in that list Insurance
carriers, but they're made outto be the bad people in a lot of
this stuff, when it's not them.
It's the people that canactually bill for a service and
(30:05):
you know the penalties, thejudgments, et cetera don't seem
to be working.
We need some other form ofpunishment and I don't know.
Can we bring back publicshaming with the stocks and
everything or something forthese people and make the news
(30:26):
go report on hey, this providerdid x?
Um because it's costing us all.
That's taxpayer dollars numberone.
But it also all they're goingto do is raise their rates and
charge it on the other side.
So it's really a mixed up,messed up up issue out there and
(30:47):
a lot of it all boils down to.
Some of these people are justgreedy and they think they can
get away with it and you knowhow.
About some partial penaltiesfor some of that?
Something's got to be done.
Speaker 1 (31:01):
Somebody once said that a camel is a horse that was
designed by a committee.
This whole universe of ours isstarting to look like the
biggest camel.
Maybe the camel has five humps.
I mean, it's just, it's insaneand it's getting for lack of a
better word insaner as it goesalong, and I'm glad that we have
you to come join us every nowand again and tell us what's
(31:23):
going on and answer questions,and that's a great place to end
our conversation for today.
Carol Taylor, ComplianceSpecialist at Benefit Mall.
Carol, thank you so much forsharing your expertise with us.
We hope you'll come back.
Speaker 3 (31:35):
I'm happy to.
Speaker 1 (31:45):
Talk to you soon.
I want to give a quick shoutout to our sponsor and our
producer, hatcher Media.
Hey, if you need podcastproduction or professional
graphic design, josh Hatcher isthe expert to contact.
For more information, visit himat hatchermedianet.
Speaker 2 (31:57):
That's h-a-t-c-h-e-r medianet this shift shapers
podcast is copyrighted contentand may not be reproduced in
whole or in part without theexpress written permission of
Shift Shapers Solutions LLC.
Copyright 2024.
If keeping up with compliance and legislation takes
a gallon of coffee, a lawdegree and maybe a licensed
therapist on speed dial, how doyou know what actually matters
and what you need to know?
Today, We'll find out on thisepisode of Shift Shapers.
Speaker 2 (00:16):
Change either energizes or paralyzes.
The choice is yours.
This is the Shift Shaperspodcast, bringing the employee
benefits industry interviewswith individuals and companies
who are shaping the industryshifts.
And now here's your host, davidSaltzman.
Speaker 1 (00:38):
And to help us answer those questions, we have
invited Carol Taylor JM, who isa compliance specialist at
BenefitMall and, in fulldisclosure, an old, dear friend
of mine.
Welcome, Carol.
Speaker 3 (00:49):
Thank you.
Speaker 1 (00:50):
And Ayla is in the background.
If you see ears and a dog,that's Carol's assistant.
Yes, lots of stuff going on,but I got a question Does it
just seem as though it's gettinglike thicker and weirder and
more stuff is coming at usfaster, or is that reality?
Speaker 3 (01:08):
That's actually reality.
So, while we're not seeing asmuch legislation come through
right now because DC is morezoned in on budget and other
larger issues, we're seeing alot in the courts is actually
where a lot of this stuff isplaying out.
(01:30):
You know there's so many movingpieces and parts and you know
it seems like every part of theyou know every part of the
government deals with what we do.
So it's kind of a fast andfurious and sometimes you don't
know oh wait, is that the rightthing now or is that the right
(01:51):
thing?
And you have to remember toeven go look at what the courts
are doing, because there's beenso many lawsuits.
Speaker 1 (01:58):
Yeah, and we'll talk about that as we get into this a
little bit more.
Let's start with somelegislative stuff.
Now.
There are some updatedpenalties that have been
floating around and I'm not sureeverybody's aware of them, so
can you bring us up to date onwhat that's all about?
Speaker 3 (02:13):
Absolutely so.
Every year there's an inflationadjustment on penalties.
So your 5,500 filings those arenow up to $2,739 per day that
you don't file.
Now remember there is adelinquent filer option which
(02:34):
can help save a business money,especially if you've got
multiple years of delinquentfilings.
So don't forget about that.
But yes, it's still a prettyhefty price tag on that.
Um, if you are a MIWA multipleemployer welfare arrangement
those are now up to $1,992 perday for the schedule M1, if
(02:58):
those are supposed to be filed.
And one thing that a lot ofpeople don't understand is a
MIWA can be as simple.
As you're an employer and yourstate allows 1099 subcontractors
to come onto your policy asbeing eligible, you've just
created a MIWA if you bring themon because they're another
(03:21):
employer.
So I kind of always like tothrow that out there.
You know, when looking at allof these rules we also have if
you don't send out the CHIPnotices to your employees,
that's $145 per day per affectedperson.
So you got mom, dad, couple ofkids that's not just one person,
(03:48):
that could be two, three, four.
Um, if you don't file or uhprovide a summary of benefits
and coverages, you know thething that the ACA made uh a
requirement that is $1,443 peraffected person, $7,443 per
affected person and then, ofcourse, if you have
(04:11):
unintentional failures toprovide or meet the GINA
requirements, the GeneticInformation Nondisclosure Act,
the cap on that is now up to$728,764.
Speaker 1 (04:31):
Yikes.
Speaker 3 (04:33):
What would be an unintentional failure?
Basically not keeping thegenetic information separate
from your HR and or other files.
So something as simple as youknow.
Somebody gave you a copy of alab test for some reason.
(04:55):
You know the results.
For some reason because thatwould contain genetic
information potentially on it,because not everybody's numbers
are the same.
So something simple like thatcould cause a problem.
Speaker 1 (05:07):
Fun and games.
Speaker 3 (05:10):
Yeah, it's a lot.
Speaker 1 (05:12):
Well, it's a lot and it's getting expensive because
you know its employers don'tjust have liability on one of
these items, they have liabilityon some subset of them and so
you start adding it up andpretty soon it's serious money
it is, and is the governmentreally going tooth and nail at
trying to collect this stuff?
Speaker 3 (05:32):
Absolutely.
One other item in that is the1095s your failure to file For
2025, it's $330 per form andthat's for A not filing with the
IRS and B also not distributingthose.
So they charge twice thatamount.
Which kind of leads me into amajor issue that we've been
(05:56):
seeing lately is that a lot ofemployers have not done those
1094-1095 filings with the IRSand it is absolutely imperative
that if you get a 5699 letterfrom the IRS which is what those
, the little numbers you'll seesomewhere over on the top right
side, are going to indicate, youhave got to respond to that and
(06:20):
it, you know, could be that,hey, we need an extension to
figure out because you mighthave had personnel changes and
you don't know if somebody,maybe if the IRS, messed up,
because you know they're notperfect as much as they may try
to claim to be.
But I've even seen where thefilings have been done and the
IRS claims that, oh no, wedidn't get it.
The filings have been done andthe IRS claims that, oh no, we
(06:43):
didn't get it.
Well, here's the you know theacceptance confirmation number
that you sent back on this date,this time, and then they go
oops, we goofed.
But those penalty letters, youknow, at the very minimum get an
(07:05):
extension on them.
Because what we're seeing andI've seen more than one of these
, I've actually seen quite a fewof them where employers are not
responding on those quicklyenough and they're getting a
seizure notice to seize assetsletter from the IRS.
(07:26):
And that's actually very recentas of last month, so it's
pretty scary.
Speaker 1 (07:33):
And now a word from our sponsor.
You're not just an advisor,you're a game changer.
Forget cookie cutter off theshelf solutions.
That's yesterday's news.
It's 2025, and it's all aboutdelivering bold, custom-crafted
plans that truly make adifference.
At the core is a razor-sharpself-insured framework, but the
(07:55):
real magic that's in thehigh-impact point solutions.
You strategically layer in toslash costs and supercharge
member outcomes.
But let's be real, that's wherethe headaches start.
Hours wasted sifting throughendless options, wrestling with
integration issues and fightingdata-sharing roadblocks.
It's a time suck and it'sholding you back Not anymore.
(08:20):
Meet Benapower, the AI-poweredgame changer that builds killer
plans in minutes, not hours.
Benapower doesn't just curatethe best point solutions.
It makes them work togetherseamlessly, streamlining
communication and drivingcollaboration like never before.
With Benapower, you're armedwith an end-to-end AI-enabled
(08:41):
solution that makes youunstoppable.
Spend less time piecingtogether a patchwork plan and
more time selling your clients.
Get unmatched ROI and youbecome the go-to advisor that
everyone's talking about.
Want to take your game to thenext level?
Visit benapowerai or schedule ademo at info at benapowercom.
(09:05):
Find your power with Benapower.
And now back to our conversation.
So the beast needs to be fed ona regular basis, and if you
don't, they're going to come foryou.
We'll talk about the lawsuitsthat are going on in a little
while, but there's loads ofother ways to get in trouble too
(09:25):
, apparently, moving on toregulatory stuff, because you
and I have talked for years thatsometimes it's not the legal
stuff that gets you, it's theregulatory stuff gets you.
It's the regulatory stuff.
Congress will pass A, b, c or D, but then the agencies start
making regulations, and some ofthem do it better than others.
Some of them don't understandevery little facet of the
(09:46):
marketplaces that they'reregulating, and so it becomes a
challenge.
But I know there's some newHIPAA security rule changes, and
since HIPAA stands for helpingirritate practically all
Americans, let's talk aboutthose.
Speaker 3 (10:00):
I love that one.
I've also heard it as healthinsurance paying all attorneys,
which is another lovely.
Speaker 1 (10:07):
I was trying not to be mean to a person.
Yeah, I know.
Speaker 3 (10:10):
But, yeah, it does irritate all of us.
So, as we know that, there's anumber of proposed regs that
came out, uh, towards the end oflast year, first part of this
year, and, of course, these arestill in a comment period, or no
, it actually just ended, uh,last week, I believe.
Um.
So the government is, of course, going to go through and read
(10:34):
through those comments and makesure, see what, um, you know,
changes they might want to do ornot.
But these new proposed HIPAAregs actually bring business
associates into these highersecurity requirements and it
would require annual trainingwhich, although HIPAA already
(10:55):
does that, it brings it down tothe BAA level.
So you would have to trainthese people within 30 days of
hiring them.
You would have to shut offtheir access within five hours
of their termination, andactually it's probably better to
do it within about five minutesof it, because you never know.
(11:18):
You know it's not hard to have aHIPAA breach.
You have to have real-timesystem monitoring.
So if you're a small agency,you've got to hire an IT
department basically to monitorthis stuff for you.
You have to have, of course, ismulti-factor authentication, so
(11:40):
either using you know the textcode or going into another
system to get a code to somehow,you know, keep that.
You know, keep that otherauthentication there, stronger
passwords.
Gone are the days of password123, like so many people way
(12:03):
back in the day did.
Now you need to use some kindof phrase to really make it work
.
Numbers, special characters,those things you have to do,
testing on their systems, andyou also have to test the
response to it.
So you basically should bedoing some form of a mock breach
(12:30):
and testing what happens, who'sgoing to do what, and make sure
that your response, you knowcomes in, you know is at the
appropriate level.
You need backups of your dataand being able to move that over
to another system because,let's say, you get a virus on
(12:50):
your computer.
Well that's, you're going tohave to get that entire computer
basically wiped and then theinformation put back on.
Same thing, you might have togo get a brand new computer
because you know that could havedone something.
You never know what happens.
Making sure that you're able torecover quickly.
(13:15):
The electronic PHI must beencrypted, even when it's
resting.
So if it's just sitting out ona cloud server, you have to make
sure that it's encrypted, thedata itself, um, and if it's in
transit.
So you've got PHI on yourlaptop, you better make sure
(13:36):
that it's always locked upbecause that and it's got to be
encrypted sitting on that harddrive.
There's expanded documentationrequirements, so you have to
show so.
If an auditor comes knocking onyour door, you've got to show
that, yes, we've done all ofthis testing, this training.
This person did this this time.
(13:58):
Best to try to do it onlinebecause then you can date and
timestamp that stuff.
You have to conduct annualsecurity audits, which means
review and test those policies,and one of the other items here
is the business associateagreements.
Once this rule is finalized,all BAAs are going to have to be
(14:21):
updated with this new policieswithin one year of the final
rules being released.
So it's a lot really need totake this into heart and make
(14:42):
sure that they're, you know,putting their you know, getting
their data somewhere where it issecure.
Speaker 1 (14:47):
Well, that was kind of one of my follow-up questions
and it's really not so much alegal or a compliance question.
Just, you know, you work for agood-sized organization and
they're fortunate to have acouple of folks who deal with
compliance stuff, but do you seethis as a drag on sole
practitioners?
Or I mean, what is a solepractitioner or even a small
agency?
They can't afford to do allthis stuff.
What are they doing?
Speaker 3 (15:10):
A lot of small agencies that I know are not
really doing much.
They haven't, and, you know,even when HIPAA came in, very
few did it.
Now, even having two people andnetworking together, you're
likely going to have to getsomebody to work on your network
, and in which case it's best togo ahead and get you know an
(15:31):
outsourced IT company that cancome in monitor.
Even that doesn't necessarilyprotect you against a breach.
Former client it was actually amedical lab and they got
breached.
They had a ransomware attack.
Their 24-7 monitoring systemshut it down.
(15:52):
So they actually did not loseany data, they did not need to
deal with the ransom, theybasically just ignored it.
But what that did is it openedup kind of the back doors where
the system had some issues andthey had a second breach or a
(16:14):
second attempt, and that one.
It took them two weeks.
They were totally shut down.
They could not even make aphone call because they used
internet for their phone lines,and that's actually how it came
in.
Um, scary stuff, yes, and theyended up going out of business.
(16:35):
It was that expensive for themto recover.
Speaker 1 (16:38):
Not totally surprising.
Speaker 3 (16:40):
Yeah, and that was even with an outstanding HIPAA
breach penalty, which I have notgone back to look to see if
that ever got resolved or not,because I know it takes the DOL
a bit of time for that but it'sexpensive for that to happen.
(17:02):
And actually 23andMe isactually in bankruptcy court
because of a data breach andguess what?
That's all genetic information.
So even though they're not ahealth plan, you know I don't
know about you, but I don't wantmy genetic information out
there somewhere for somebody togo get.
Speaker 1 (17:22):
Yeah, it's, it's, it's.
So, before we move off of this,you mentioned that the comment
period closed Once these rulesand regs get finalized.
What are you looking for as animplementation date?
Speaker 3 (17:35):
It could be 90 days, 180 days out.
It just depends on how quicklythe regulatory agencies put out
the final Charming yeah, wedon't ever know, sometimes they
sit on these things for years.
We're still operating underproposed regulations for Section
(17:58):
125 plans from 2007 or 8, Ibelieve.
Speaker 1 (18:05):
Wow, yeah.
So let's move on to somethingthat's a lot more fun and that's
what's going on in the courts,because a lot of people thought
that it started and ended withthe J&J lawsuit, but there's
been a lot more stuff going onand what's interesting is and
maybe you can comment on it aswe go through some of the court
(18:25):
cases is that A what peopledon't realize is that this hauls
them into federal court andthat in a lot of instances and
that's a ton of money just inand of itself it's not like you
know going down and paying aparking ticket and you know
being sentenced to take somedriver's ed or you know, or some
remanding courses.
What's going on with the courtsand what do people need to know
(18:49):
about?
Speaker 3 (18:50):
So there are a ton, and when I say a ton I'm talking
about basically almost everystate.
I'm talking about basicallyalmost every state.
There's something going on fromPBM laws which are in, you know
, arkansas, florida, michigan,you name it.
There's some PBM law that'strying to be overwrite ERISA,
(19:20):
which remember ERISA.
There's a preemption out there.
Now what the courts arebasically coming out and stating
on those is that the networkfeasibility would be something
that the state could basicallygovern or pull under their
jurisdiction, but the actualcontract and other types of
(19:42):
things that would fall under thefederal ERISA.
And that's kind of been thecase in most of them we do have.
In some of this the lawsuits arenot just so much directed at
the PBM but they're directed atthe fiduciary responsibility.
And that's where we got thatJ&J lawsuit.
(20:03):
The Wells Fargo lawsuit wasactually dismissed I love that
little word dismissed becausethere was actually a settlement.
So basically they paid theclass action people employees,
former employees an amount ofmoney to basically stop the suit
.
The J&J suit was basicallydismissed for not having enough,
(20:27):
shall we say, proof.
But we've already got anamended filing in that, so that
lawsuit's back up and runningagain.
There's a bunch of other suitsout there.
One that is something that Ithink a lot of people need to
understand, that they need to bewatching on, is AI-based
(20:50):
benefit denials.
So a lot of the carriers, theclaim systems, they're using
programs that have AI algorithmsbased in them and they're not
looking for medical necessity,they're just looking at oh well,
that's not always done.
Under this particular diagnosiscode, they may not be looking
at, you know, a secondarydiagnosis code, because it's
(21:13):
literally within 1.2 secondsthat that claim may be getting
denied.
And so a district court andthis one's actually running out
in California where they'rethrowing out the claim denials,
so to speak.
But they did allow thefiduciary responsibility portion
(21:38):
of it to go forward, and that'ssolely based on the carrier ASO
, tpa, using this type ofprogram system process, whatever
you want to call it.
(21:59):
Yeah, so they're allowing it togo forward on the fiduciary side
, because using that does notmeet the plan documents.
So you need to always lookinside of your summary plan
descriptions, summary plandocuments, to see if something
like this is even allowed.
Well, remember, when SPD is arepart of ERISA, this isn't
(22:26):
defined.
Ai is nowhere in ERISA.
I mean, it wasn't until just afew years ago that they actually
put in a definition for apharmacy benefit manager,
because all of these things didnot exist 51 years ago when
ERISA was first introduced andbecame law.
So we really do need a lot of,shall we say, improvements to
(22:51):
ERISA.
Speaker 1 (22:52):
And there's also a lot of action with AI on
pre-auths.
Speaker 3 (22:56):
Yes, and that could also end up in a similar type of
lawsuit.
So it's something whereemployers end up in a similar
type of lawsuit.
So it's something whereemployers whoever the plan
sponsor is and if you'reconsulting, you need to be
checking those plan documents tomake sure that there's not an
issue somewhere that is going tocause one of these lawsuits.
Speaker 1 (23:21):
Let's move on to the gift that keeps on giving, which
is mapia the mental healthparity addiction equity act.
It wasn't enough to just haveall the new regs and all that
craziness.
What?
What else is going on now?
Speaker 3 (23:34):
so there's also lawsuits with mapia, um and um.
This was all brought up underthe, the prior administration,
where eric, which is the ERISACouncil, of course, or coalition
, excuse me of employers, andyou can go in there and search
(23:54):
their databases.
It's got a lot of greatinformation out there on the
ERIC website.
So the new administration wedon't know yet if they're going
to defend that MAPEA lawsuitthat was filed Um, it was
originally had a deadline ofMarch 17th which came and went
(24:15):
Um, the courts then allowed itto get moved back to March the
28th, 28th.
But right before that there wasa filing by the government to
hey, we need 90 days, and thecourt said, nah, we're going to
(24:39):
give you 45.
So hopefully sometime in thenext 45 days we're going to know
if those final 2024 rules areactually going to be in place or
if they're going to revert backto a prior set of final rules,
the pre-2024 final rules.
Um, we don't know that theadministration is looking into
whether they want to even keepthose 2024 rules um, which had
(25:05):
some you know pretty specificthings in them that you know.
It's just it's a very much aproblem to compare like a desk
lamp to a banana, and that's alot of what some of that stuff
is trying to do.
You know if you need a surgery.
(25:26):
It's typically very easy to seethat.
Oh, you know, we took an X-ray,we did an MRI, we did a CT scan
or there's, you know this, youknow.
So we know that there's, youknow, cancer in the blood or
something.
So they know that they wouldneed to do a surgery.
Not so when you're dealing withmental health or substance
(25:47):
abuse disorders, just becauseyou can't.
There's not a simple test forthat, so it's difficult.
Speaker 1 (25:57):
Well, and in addition to that, I mean a lot of the
problems that people are havingwith their filings is around
access, and that's not a probleman employer can solve.
I mean, it's a nationwideproblem.
It's getting worse and yetemployers who fail that section
just go ballistic because theyknow they can't do anything
(26:19):
about it, but they're being heldresponsible for it.
It's just.
This is what we talked aboutearly on in our conversation
about some of the agencies getit, some of the agencies don't.
Some of them get part of it.
You know, it's like that oldjoke about the five blind people
who touch an elephant andeverybody touches a different
part and thinks it's a differentthing and they react
(26:40):
differently.
Speaker 3 (26:41):
Right.
Speaker 1 (26:43):
So you know, after everybody who's doing, everybody
who's helping employers andbrokers do this regulatory work,
they may just roll them allback anyway.
Speaker 3 (26:52):
Right Charming.
Yes, here go do all this stuff.
Oh wait, we were kidding, nevermind.
Speaker 1 (27:00):
So we've got about four or five minutes left.
Gaze into your crystal ball andlet's talk about you know, like
if you had a genie in a lampand you could just rub the lamp
three times and get some thingsdone.
What's on your mind?
Speaker 3 (27:15):
One of the things would be basically updating
ERISA.
You know, getting rid of, youknow, we know that there's, you
know, doges out there in thenews under the, you know,
basically the mission of cuttingwaste, fraud and abuse.
Well, there's a lot of waste,fraud and abuse, even in
disclosure notices.
(27:35):
So how about we update ERISA to, I don't know, even last
century would be good, but thiscentury would be better.
Even last century would be good, but this century would be
better.
You know, being able to havethose definitions, getting rid
of notices that no longer reallyare valid.
Michelle's Law, great law, butit's moot with the ACA and they
(27:58):
could have put something in theACA to get rid of that, you know
.
But of course they use internssitting in offices to write
those laws and they don't knowabout all of these other things
that have to be done.
So that would be a great thingfor employers.
(28:18):
Some of the other things thatyou know.
If I had a genie and a lamp andI could, you know, make that,
one wish would be there's got tobe something done with bad
actors out there.
We know that the Department ofJustice uses a law, a lot that
was actually passed during theCivil War and it's known as the
(28:38):
False Claims Act, and they suefor anything and everything.
So if you build a governmentand you've got a wrong code, you
are likely going to get a FalseClaims Act.
They're going to call it fraud,even though it could just be
somebody's finger slipped, youknow.
But a lot of these judgmentsand we're talking in 2022, which
(29:01):
is the latest report that'scome out 2022, which is the
latest report that's come outthere were $2.2 billion in
settlements and judgments fromthe government on entities for
filing fraudulent, wasteful,abuseful claims of some sort,
and it could be an airplanemanufacturer.
(29:22):
However, we know that $1.7billion of that was actually in
the healthcare industry and ifwe read through who they're
going after, such as the drugmanufacturers, the device
manufacturers, hospitals,durable medical equipment,
(29:42):
hospitals, durable medicalequipment, home health care
agencies, pharmacies, hospiceorganizations and even
physicians you know what I don'tsee in that list Insurance
carriers, but they're made outto be the bad people in a lot of
this stuff, when it's not them.
It's the people that canactually bill for a service and
(30:05):
you know the penalties, thejudgments, et cetera don't seem
to be working.
We need some other form ofpunishment and I don't know.
Can we bring back publicshaming with the stocks and
everything or something forthese people and make the news
(30:26):
go report on hey, this providerdid x?
Um because it's costing us all.
That's taxpayer dollars numberone.
But it also all they're goingto do is raise their rates and
charge it on the other side.
So it's really a mixed up,messed up up issue out there and
(30:47):
a lot of it all boils down to.
Some of these people are justgreedy and they think they can
get away with it and you knowhow.
About some partial penaltiesfor some of that?
Something's got to be done.
Speaker 1 (31:01):
Somebody once said that a camel is a horse that was
designed by a committee.
This whole universe of ours isstarting to look like the
biggest camel.
Maybe the camel has five humps.
I mean, it's just, it's insaneand it's getting for lack of a
better word insaner as it goesalong, and I'm glad that we have
you to come join us every nowand again and tell us what's
(31:23):
going on and answer questions,and that's a great place to end
our conversation for today.
Carol Taylor, ComplianceSpecialist at Benefit Mall.
Carol, thank you so much forsharing your expertise with us.
We hope you'll come back.
Speaker 3 (31:35):
I'm happy to.
Speaker 1 (31:45):
Talk to you soon.
I want to give a quick shoutout to our sponsor and our
producer, hatcher Media.
Hey, if you need podcastproduction or professional
graphic design, josh Hatcher isthe expert to contact.
For more information, visit himat hatchermedianet.
Speaker 2 (31:57):
That's h-a-t-c-h-e-r medianet this shift shapers
podcast is copyrighted contentand may not be reproduced in
whole or in part without theexpress written permission of
Shift Shapers Solutions LLC.
Copyright 2024.
Popular Podcasts
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Special Summer Offer: Exclusively on Apple Podcasts, try our Dateline Premium subscription completely free for one month! With Dateline Premium, you get every episode ad-free plus exclusive bonus content.
The Breakfast Club
The World's Most Dangerous Morning Show, The Breakfast Club, With DJ Envy, Jess Hilarious, And Charlamagne Tha God!
Crime Junkie
Does hearing about a true crime case always leave you scouring the internet for the truth behind the story? Dive into your next mystery with Crime Junkie. Every Monday, join your host Ashley Flowers as she unravels all the details of infamous and underreported true crime cases with her best friend Brit Prawat. From cold cases to missing persons and heroes in our community who seek justice, Crime Junkie is your destination for theories and stories you won’t hear anywhere else. Whether you're a seasoned true crime enthusiast or new to the genre, you'll find yourself on the edge of your seat awaiting a new episode every Monday. If you can never get enough true crime... Congratulations, you’ve found your people. Follow to join a community of Crime Junkies! Crime Junkie is presented by audiochuck Media Company.