California MPN Legislation: A once-onerous bill has been brought back to life, but in a much-diminished form. As originally proposed, Assembly Bill 399 would have mandated that MPNs pay participating providers at California’s Official Medical Fee Schedule and would have prohibited negotiated rates below the regulatory fee. The measure would also have restricted MPNs’ ability to review provider bills for mistakes, fraud and abuse. Through intense opposition by WC payers and employers, the bill was held in the Assembly Insurance Committee without being voted on and, consequently, is ineligible for further consideration until the next legislative session. In January 2022, a revised AB 399 was unanimously passed by the Assembly and sent to the Senate. In its current state, the measure merely requires payers to provide employees, within five business days of their request, with the MPN’s name and identification number. The payer may satisfy this requirement by providing the information in writing or an explanation of benefits or by posting the information on a website.

Implications: This legislation can be seen as part of a continuing discussion in California regarding the function and value of registered Medical Provider Networks (MPNs) in delivering timely and accessible health care to injured workers. It is generally recognized in the workers’ compensation community that prompt delivery of health care services improves work-related injury outcomes and independent research has shown this to be the case.

Maryland Cybersecurity Law: In June, Maryland enacted legislation that sets cybersecurity standards for insurers, TPAs and their third-party service providers. According to the National Association of Insurance Commissioners, Maryland becomes the 18th state to adopt a version of the NAIC Insurance Data Security Model Law (#668). Along with the New York regulation “Cybersecurity Requirements for Financial Services Companies” (addressing the same issues but following a different model), the legislation establishes generally accepted data security standards for workers’ compensation payers and their trading partners.

Implications: The provisions of the model act offer a guidepost for payers’ internally developed cybersecurity standards since they are now broadly required by state law. Fortunately, they are reasonable, requiring payers to develop and implement a data security program to identify and protect against risks, respond to data incidents and investigate and disclose cybersecurity events to regulatory authorities and affected consumers and trading partners. Payers are also required to oversee compliance of their third-party service providers using or accessing the payer’s confidential information.

Telehealth
Telehealth Compliance with HIPAA: The Office of Civil Rights (OCR) within the US Department of Health and Services has recently issued guidance broadly endorsing the use of audio-only telehealth services to increase access to health services by patients who have limited financial resources or who live in rural areas with limited broadband availability. The guidance can be found here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

Implications: OCR enforces federal privacy regulations (e.g., HIPAA) that generally don’t apply to WC payers, but health care providers and payers’ third-party service providers don’t enjoy those same exemptions, so this clarification comes as a welcome relaxation of regulatory constraints. On a related telehealth topic, a new study from physical therapy quality analytics firm Focus on Therapeutic Outcomes (FOTO) found that, for telerehabilitation for low back pain, telerehab (a) was equally effective in improving functional status outcomes for patients with low back pain compared to traditional in-person office visits, (b) usually involved significantly fewer visits, and (c) had roughly equal patient satisfaction ratings (82% for telerehab versus 86% for in-person office visits.

Ohio Statute Defining Compensability of Work-From-Home Injuries: Ohio has enacted HB 447, which sets standards for WC compensability for injuries incurred by work-from-home employees. Three criteria must be met:

The employee’s injury or disability arises out of the employee’s employment.
The employee’s employment necessarily exposes the employee to conditions that substantially contribute to the risk of injury.
The injury or disability is sustained in the course of activity that is taken on by the employee for the exclusive benefit of the employer.
Implications: With a substantial proportion of the workforce working remotely and likely not returning to the office fulltime, legislatures are grappling with work-relatedness issues that at one time were self-evident, or at least settled law. WC stakeholders can expect lawmakers, regulators and jurists to continue to address these questions for the foreseeable future. The Ohio statute became effective on September 23, 2022.

State Privacy Laws

Major State Privacy Legislation: On January 2, 2023, the Wall Street Journal reported that many new state laws in the coming year would focus on consumer data privacy. Nearly two years ago we noted that California and Virginia had enacted new and comprehensive privacy statutes, both becoming effective on January 1, 2023. The California Privacy Rights and Enforcement Act (CPRA) expands upon the current California privacy statute, the California Consumer Privacy Act (CCPA), by regulating not only the buying and selling of consumer information, but also its “sharing.” This term, while appearing to be broad, actually is narrowly defined as targeted advertising based on the consumer’s personal information. The focus of California’s privacy protection measures was and continues to be on commercial use of consumers’ personal information for sales and marketing purposes. The Virginia Consumer Data Protection Act (CDPA) takes a different approach to consumer privacy, following many of the concepts found in the European Union’s General Data Protection Regulation (GDPR). A business that determines the purpose and means of processing personal data (a “controller”) may collect and use this information for only specific purposes, must allow a consumer to access and in many cases to delete the data, and is responsible for compliance of third party “processors” acting on its behalf. There are a number of thresholds and exemptions that will relieve most workers’ compensation payers and their service providers from CDPA compliance obligations. Of more relevance to the workers’ compensation industry is the NAIC Insurance Data Security Model Law, which has now been enacted, in whole or part, in 21 jurisdictions. Similar in many ways to the New York’s Cybersecurity Requirements for Financial Services Companies (NYCCR §500), the Model Law establishes a comprehensive regulatory framework applying to claim payers and protecting the non-public data of insurance “consumers,” including claimants. Key features of the Model Law include the following:

Defines “consumers” to include claimants as well as applicants, policyholders and insureds.
Defines a “cybersecurity event” to include both data loss or misuse and access to, disruption or misuse of, an information system.
Defines “licensees” subject to the law to include all entities licensed or registered under the state’s insurance laws.
Defines protected “nonpublic information” to include both personally identifiable information and licensees’ sensitive business information.
Requires licensees to develop and implement a comprehensive information security program, including a written incident response plan, which identifies and mitigates against reasonably foreseeable internal or external threats.
Requires licensees to annually certify their compliance to their domiciliary insurance regulator.
Requires licensees to promptly investigate and, if confirmed, remediate any suspected cybersecurity event, notifying regulatory authorities within 72 hours of discovery.
Requires licensees to follow applicable state data breach laws notifying consumers of an incident.
Requires licensees to oversee their third party service providers’ compliance with information security laws and to take responsibility for managing their third party service providers’ cybersecurity events.
Implications: All business entities participating in adopting states’ workers’ compensation systems are either directly or indirectly subject to the Model Law, so it is important that payers and their trading partners establish a comprehensive information security program complying with the Model Law. Further, because the Model Law has not been enacted in every jurisdiction and has been enacted with important revisions in others, it is important to review the relevant statute for key variances. For example, the Maryland statute, effective October 1, 2022, applies specifically to third party administrators as well as insurers, but this clarifying provision does not appear in the NAIC Model Law.