Q2 2023 Legislative Updates

Here is a summary of legislative and regulatory developments and challenges for the second quarter of 2023 and their practical implications:

State Consumer Privacy Laws:

Several states (CO, CT, FL, IA, IN, MT, OR, TN, TX & UT) enacted consumer privacy laws, joining California and Virginia, whose legislation was described in earlier Legislative Updates. These statutes follow a pattern:

Requirements:

Adoption of reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

Effective notice to consumers plus consumer consent regarding non-transactional uses of consumers’ personal data, including selling to third parties.

Prompt compliance with consumers’ requests to review or delete personal data.

Applicability thresholds: Applies to companies that annually control or process data of a large number (typically 100,000) state residents or annually sell data of a large number (typically (25,000) state residents and derive a significant part of their revenue (typically 50%) from these sales.

Protected class: Applies only to “consumers” who are natural persons acting in their individual or household context, excluding natural persons acting in a commercial or employment context.

Exemptions: Not subject to the laws are financial institutions that are regulated by the Gramm-Leach-Bliley Act and sensitive personal information that is subject to HIPAA

Implications: Recent statutes have been enacted in both conservative and progressive states, suggesting that these measures may have bipartisan support for adoption of similar laws in additional states. And while these statutes have similarities, there are a few that are distinctly different. For example, the Florida Digital Bill of Rights, while targeting large companies engaging in automated consumer marketing or software app sales, requires a broad range of companies that collect information from Florida residents to obtain consumers’ consent before selling sensitive data. The Texas Data Privacy and Security Act, as another example, broadly applies to all for-profit companies that process or sell personal data and which are not classified as a “small business.”

Relaxation of Nevada In-State Records & Claim Administration Requirements:

In what must be a relief to claim managers, the Nevada legislature recently removed a statutory requirement that WC insurers and TPAs maintain an in-state claim office in order to provide access to claim files, which must be physically maintained at that office. Senate Bill 274, signed by Governor Joe Lombardo on June 16, permits claim handlers to make claim files available for inspection and reproduction by electronic means and to keep physical claim records at a location outside Nevada if those records are made available electronically for inspection and reproduction.

Implications: The new law makes clear that claim office accessibility requirements have not been relaxed:  adjusters who are permitted to work from an-out-of-state location must maintain their availability “to communicate in real time with the claimant or a representative of the claimant Monday through Friday, 9 a.m. to 5 p.m. local time in this State” excluding legal holidays. Further, the measure empowers the Insurance Commissioner to discipline TPAs who don’t comply with the new out-of-state access requirements. The statute takes effect January 1, 2024, except that rulemaking entities can adopt rules for implementation immediately.

Q1 2023 Legislative Updates

Here is a summary of legislative and regulatory developments and challenges for the first quarter of 2023 and their practical implications:

Pennsylvania Court Decision on BWC Fee Review Authority:

The Commonwealth Court of Pennsylvania ruled that the Bureau of Workers’ Compensation Fee Review Hearing Office does not have the statutory authority to order reimbursement for overpayment of medical services. In its opinion in Philadelphia Surgery Center v. Excalibur Insurance Management Services LLC, the Court reversed the BWC’s Fee Review Section’s order compelling the provider to reimburse the payer over $54,000 in overpayments. The Court found that, although the subject matter was within the hearing officer’s purview, the fee review statute doesn’t authorize the Hearing Office to require reimbursement of an overpayment.

In support of its determination, the Court explained that the fee review process permits providers to challenge underpayments or denials of payment, but does not give insurers the reciprocal right to use the fee review process to obtain reimbursement of an overpayment. As a result, “an insurer is simply stuck with its own improvidence when it pays too much in the first instance during the billing process.”

Implications: The Court noted that any balancing of payers’ remedies is in the hands of the Pennsylvania General Assembly, and legislators have been reluctant to act on these matters in the past. In the absence of legislative relief, payers and their agents need to be very careful adjudicating Pennsylvania provider bills.

Impact of the End of the Covid Emergency on WC Telehealth: 

The Biden administration has announced its intent to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023. During the pandemic, many state governments relaxed existing impediments to the delivery of telehealth within their borders to patients within the general health care sector. Sometimes the loosening of telehealth regulation was the result of statutory enactment, but often it was the result of executive orders from the governor’s office, with expiration dates dependent upon current NE or PHE designation.

According to the federal CARES Act passed in 2020, many forms of telehealth, including physical therapy, were granted waivers to bill for services delivered via telehealth under Medicare for as long as the PHE was in place. In 2022, Congress extended telehealth flexibilities through 151 days after the PHE ends, and the U.S. Centers for Medicare & Medicaid Services (CMS) followed through with the change in the 2023 Medicare Physician Fee Schedule. Then late last year, Congress extended that ability again to Dec. 31, 2024.

Implications: The reason that CMS telehealth regulations are important to the continuing delivery of telehealth to injured workers is that many WC regulatory agencies follow CMS reimbursement rules in approving services eligible for payment by WC payers. In fact, two important jurisdictions, California and Texas, have adopted CMS telehealth guidelines and can be expected to follow them at least for the near future.

Nevertheless, other key jurisdictions such as New York appear to be following a more restrictive approach to telehealth delivery to their residents in general, including injured workers. This means that the prospects of WC telehealth into the intermediate future are unsettled.

Q4 2022 Legislative Updates

Here is a summary of legislative and regulatory developments and challenges for the fourth quarter of 2022 and their practical implications:

Major State Privacy Legislation: On January 2, 2023, the Wall Street Journal reported that many new state laws in the coming year would focus on consumer data privacy. Nearly two years ago we noted that California and Virginia had enacted new and comprehensive privacy statutes, both becoming effective on January 1, 2023.

The California Privacy Rights and Enforcement Act (CPRA) expands upon the current California privacy statute, the California Consumer Privacy Act (CCPA), by regulating not only the buying and selling of consumer information, but also its “sharing.” This term, while appearing to be broad, actually is narrowly defined as targeted advertising based on the consumer’s personal information.  The focus of California’s privacy protection measures was and continues to be on commercial use of consumers’ personal information for sales and marketing purposes.

The Virginia Consumer Data Protection Act (CDPA) takes a different approach to consumer privacy, following many of the concepts found in the European Union’s General Data Protection Regulation (GDPR). A business that determines the purpose and means of processing personal data (a “controller”) may collect and use this information for only specific purposes, must allow a consumer to access and in many cases to delete the data, and is responsible for compliance of third party “processors” acting on its behalf.

There are a number of thresholds and exemptions that will relieve most workers’ compensation payers and their service providers from CDPA compliance obligations.  Of more relevance to the workers’ compensation industry is the NAIC Insurance Data Security Model Law, which has now been enacted, in whole or part, in 21 jurisdictions.

Similar in many ways to the New York’s Cybersecurity Requirements for Financial Services Companies (NYCCR §500), the Model Law establishes a comprehensive regulatory framework applying to claim payers and protecting the non-public data of insurance “consumers,” including claimants.  Key features of the Model Law include the following:

  • Defines “consumers” to include claimants as well as applicants, policyholders and insureds.
  • Defines a “cybersecurity event” to include both data loss or misuse and access to, disruption or misuse of, an information system.
  • Defines “licensees” subject to the law to include all entities licensed or registered under the state’s insurance laws.
  • Defines protected “nonpublic information” to include both personally identifiable information and licensees’ sensitive business information.
  • Requires licensees to develop and implement a comprehensive information security program, including a written incident response plan, which identifies and mitigates against reasonably foreseeable internal or external threats.
  • Requires licensees to annually certify their compliance to their domiciliary insurance regulator.
  • Requires licensees to promptly investigate and, if confirmed, remediate any suspected cybersecurity event, notifying regulatory authorities within 72 hours of discovery.
  • Requires licensees to follow applicable state data breach laws notifying consumers of an incident.
  • Requires licensees to oversee their third party service providers’ compliance with information security laws and to take responsibility for managing their third party service providers’ cybersecurity events.

Implications: All business entities participating in adopting states’ workers’ compensation systems are either directly or indirectly subject to the Model Law, so it is important that payers and their trading partners establish a comprehensive information security program complying with the Model Law. Further, because the Model Law has not been enacted in every jurisdiction and has been enacted with important revisions in others, it is important to review the relevant statute for key variances. For example, the Maryland statute, effective October 1, 2022, applies specifically to third party administrators as well as insurers, but this clarifying provision does not appear in the NAIC Model Law.

Q3 2022 Legislative Updates

Here is a summary of legislative and regulatory developments and challenges for the third quarter of 2022 and their practical implications:

Revisions to Texas HCN Regulations: The Texas Department of Insurance has adopted many revisions to the regulations governing WC Health Care Networks (HCNs). Many of these changes are more administrative than substantive, as TDI noted in July 29, 2022, issue of the Texas Register, but there are a number of amendments that will require compliance efforts by Texas WC stakeholders.

Among the material revisions are those that:

  • require HCNs to provide detailed information about telehealth providers in their provider rosters
  • require HCNs seeking certification to provide provider location maps for 21 specialties
  • require TDI prior approval before HCNs change their service areas or merge with other networks
  • add newly mandated language to HCN provider contracts
  • tighten requirements for notifying employees they are subject to HCN rules
  • require HCNs to show evidence of their provider recruitment efforts in non-qualifying geographic areas
  • increase HCN recordkeeping requirements relating to provider complaints and appeals

Implications: The new HCN regulations recognize the growing prominence of telehealth services and represent an increased commitment by TDI to the proper functioning of HCNs.  Nevertheless, Texas WC stakeholders will need to work diligently to ensure their compliance by the January 1, 2023 deadline, at which point HCNs are required to attest to their compliance.

Ohio Statute Defining Compensability of Work-From-Home Injuries: Ohio has enacted HB 447, which sets standards for WC compensability for injuries incurred by work-from-home employees.

Three criteria must be met:

  1. The employee’s injury or disability arises out of the employee’s employment.
  2. The employee’s employment necessarily exposes the employee to conditions that substantially contribute to the risk of injury.
  3. The injury or disability is sustained in the course of activity that is taken on by the employee for the exclusive benefit of the employer.

Implications: With a substantial proportion of the workforce working remotely and likely not returning to the office fulltime, legislatures are grappling with work-relatedness issues that at one time were self-evident, or at least settled law. WC stakeholders can expect lawmakers, regulators and jurists to continue to address these questions for the foreseeable future. The Ohio statute became effective on September 23, 2022.

California Study Law on Prompt Medical Treatment:  California Governor Gavin Newsom has signed into law AB 2848, which requires the Division of Workers’ Compensation to contract with an outside independent research organization to evaluate and report on the impact of the delivery of medical treatment within the first 30 days after a claim is filed. The measure requires the report to be provided to the DWC Administrative Director, the Senate Committee on Labor and Industrial Relations and the Assembly Committee on Insurance before July 1, 2023.

Implications: This legislation can be seen as part of a continuing discussion in California regarding the function and value of registered Medical Provider Networks (MPNs) in delivering timely and accessible health care to injured workers. It is generally recognized in the workers’ compensation community that prompt delivery of health care services improves work-related injury outcomes and independent research has shown this to be the case.

Q2 2022 Legislative Updates for providers

Here is a summary of legislative and regulatory developments and challenges for the second quarter of 2022 and their practical implications:

New York WCB Clarification regarding Payer Objection Notices: The Workers’ Compensation Board has clarified its earlier guidance, stating that Form C-8.4 notices to providers and the Board need not be sent if the reasons for lower payment are standard bill review adjustments, including PPO network reductions. Specifically, the bulletin states:

Payments may be appropriately reduced, but objections should not be submitted by the insurer to the Board in the following scenarios:

  • The amount billed for the particular CPT code is in excess of the amount designated by the applicable medical fee schedule and the insurer pays the bill at the appropriate medical fee schedule amount.
  • The insurer reduces the amount of the bill to 12, 15 or 18 relative value units for evaluation services and modalities, as set forth in the applicable medical fee schedule.
  • The insurer reduces the amount of the bill pursuant to a contractual agreement with the provider (e.g., network or PPO discount).
  • There is a duplicate bill.

Implications: This revision should greatly reduce the voluminous paperwork burdening claim organizations doing business in New York. On a related topic, the WCB is in the midst of a multiple-year move to electronic submission of filings, a key feature of which is the OnBoard application.

Telehealth Compliance with HIPAA: The Office of Civil Rights (OCR) within the US Department of Health and Human Services has recently issued guidance broadly endorsing the use of audio-only telehealth services to increase access to health services by patients who have limited financial resources or who live in rural areas with limited broadband availability. The guidance can be found here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

Implications: OCR enforces federal privacy regulations (e.g., HIPAA) that generally don’t apply to WC payers, but health care providers and payers’ third-party service providers don’t enjoy those same exemptions, so this clarification comes as a welcome relaxation of regulatory constraints.

On a related telehealth topic, a new study from physical therapy quality analytics firm Focus on Therapeutic Outcomes (FOTO) found that, for telerehabilitation for low back pain, telerehab (a) was equally effective in improving functional status outcomes for patients with low back pain compared to traditional in-person office visits, (b) usually involved significantly fewer visits, and (c) had roughly equal patient satisfaction ratings (82% for telerehab versus 86% for in-person office visits.

Q2 2022 Legislative Updates

Here is a summary of legislative and regulatory developments and challenges for the second quarter of 2022 and their practical implications:

Maryland Cybersecurity Law: In June, Maryland enacted legislation that sets cybersecurity standards for insurers, TPAs and their third-party service providers. According to the National Association of Insurance Commissioners, Maryland becomes the 18th state to adopt a version of the NAIC Insurance Data Security Model Law (#668). Along with the New York regulation “Cybersecurity Requirements for Financial Services Companies” (addressing the same issues but following a different model), the legislation establishes generally accepted data security standards for workers’ compensation payers and their trading partners.

 

Implications:  The provisions of the model act offer a guidepost for payers’ internally developed cybersecurity standards, since they are now broadly required by state law. Fortunately, they are reasonable, requiring payers to develop and implement a data security program to identify and protect against risks, respond to data incidents and investigate and disclose cybersecurity events to regulatory authorities and affected consumers and trading partners. Payers are also required to oversee compliance of their third-party service providers using or accessing the payer’s confidential information.

 

New York WCB Clarification regarding Payer Objection Notices: The Workers’ Compensation Board has clarified its earlier guidance, stating that Form C-8.4 notices to providers and the Board need not be sent if the reasons for lower payment are standard bill review adjustments, including PPO network reductions. Specifically, the bulletin states:

 

Payments may be appropriately reduced, but objections should not be submitted by the insurer to the Board in the following scenarios:

  • The amount billed for the particular CPT code is in excess of the amount designated by the applicable medical fee schedule and the insurer pays the bill at the appropriate medical fee schedule amount.
  • The insurer reduces the amount of the bill to 12, 15 or 18 relative value units for evaluation services and modalities, as set forth in the applicable medical fee schedule.
  • The insurer reduces the amount of the bill pursuant to a contractual agreement with the provider (e.g., network or PPO discount).
  • There is a duplicate bill.

 

Implications: This revision should greatly reduce the voluminous paperwork burdening claim organizations doing business in New York. On a related topic, the WCB is in the midst of a multiple-year move to electronic submission of filings, a key feature of which is the OnBoard application.  For more information go to the Payers section of the Medical Portal here:  http://www.wcb.ny.gov/medicalportal/.

 

Telehealth Compliance with HIPAA: The Office of Civil Rights (OCR) within the US Department of Health and Human Services has recently issued guidance broadly endorsing the use of audio-only telehealth services to increase access to health services by patients who have limited financial resources or who live in rural areas with limited broadband availability. The guidance can be found here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

 

Implications: OCR enforces federal privacy regulations (e.g., HIPAA) that generally don’t apply to WC payers, but health care providers and payers’ third-party service providers don’t enjoy those same exemptions, so this clarification comes as a welcome relaxation of regulatory constraints.

On a related telehealth topic, a new study from physical therapy quality analytics firm Focus on Therapeutic Outcomes (FOTO) found that, for telerehabilitation for low back pain, telerehab (a) was equally effective in improving functional status outcomes for patients with low back pain compared to traditional in-person office visits, (b) usually involved significantly fewer visits, and (c) had roughly equal patient satisfaction ratings (82% for telerehab versus 86% for in-person office visits.