2026 DOL Employee Benefit Plan Enforcement Priorities

00:00:01.450 - 00:00:09.910
Amber Posthauer: Good afternoon, everyone. Thank you for joining us today. We're going to get started here in 60 seconds to allow for everyone to get connected. We'll get started shortly.

00:00:47.450 - 00:00:56.189
Amber Posthauer: Welcome, everyone, to the 2026 DOL Employee Benefit Plan Enforcement Priorities webinar. Thank you all so much for joining us.

00:00:56.350 - 00:01:08.550
Amber Posthauer: The Benefits Compliance Team will be answering the questions you send through the Q&A today. We'll try our best to answer all of your questions, but if for whatever reason we are unable to get to your question today, please follow up with your advisor for further assistance.

00:01:09.040 - 00:01:23.009
Amber Posthauer: Today's presentation is being recorded. We'll be sharing the recording in the follow-up email and on the NFP website. If there are any portions of this call that you missed, by Monday you'll receive an email with a link to the full recording. The PowerPoint slides used during this presentation will be shared in the same email.

00:01:23.470 - 00:01:34.859
Amber Posthauer: At this time, I'll hand it over to Carol Wood, Vice President and Counsel of NFP Benefits Compliance, and Benjamin Mary, Vice President and Council of NFP Benefits Compliance. Carol, the floor is yours.

00:01:35.600 - 00:01:48.629
Carol Wood: Thank you so much, Amber, and good afternoon, everybody. Thanks for joining us today. We're here to discuss the DOL 2026 Employee Benefit Plan Enforcement Priorities.

00:01:49.000 - 00:01:50.790
Carol Wood: It's an important topic.

00:01:52.060 - 00:01:57.389
Carol Wood: And I'm here presenting with my colleague, Benjamin Mary. I'm Carol Wood.

00:01:58.680 - 00:02:10.620
Carol Wood: There's smiling faces. Before we begin, I just want to remind everybody that the presentation is intended to be used for general guidance purposes only. It's not intended as tax or legal advice.

00:02:10.669 - 00:02:23.049
Carol Wood: Any questions regarding the specific application of the law should always be addressed to your legal or tax counsel. The information is current as of today, April 15th, 2026.

00:02:25.980 - 00:02:31.590
Carol Wood: I just want to begin by explaining why we chose to discuss this topic at this time.

00:02:31.890 - 00:02:38.819
Carol Wood: In January, the DOL announced the overhaul of its national enforcement projects for employee benefit plans.

00:02:38.960 - 00:02:56.899
Carol Wood: And it was both retirement and health and welfare plans, and that's for fiscal year 2026. The changes were significant and signal where the DOL will focus its enforcement resources to increase employee benefit plan compliance, curb any abusive practices.

00:02:56.990 - 00:03:15.230
Carol Wood: and ultimately protect participants and beneficiaries. For plan sponsors, the update really provides a very helpful roadmap for where they can consider proactively reviewing their plan's compliance to reduce any risks, particularly in the case of a DOL inquiry.

00:03:17.600 - 00:03:34.970
Carol Wood: So, the DOL enforcement priorities will really inform our agenda today. We're going to start out with just an overview of the DOL enforcement approaches and audit triggers. You know, I think for many employers, you know, a question they often ask…

00:03:35.090 - 00:03:40.750
Carol Wood: ask you, how do we end up on the DOL's… how does our plan end up on the DOL's radar in the first place?

00:03:40.800 - 00:03:56.289
Carol Wood: And if we do, you know, what should we expect? And then we're going to go on to the specific, health and welfare topics that they do all cited. The No Surprises Act, and specifically the Surprise Billing Protections.

00:03:56.330 - 00:04:01.669
Carol Wood: Mental health parity and access to mental health benefits.

00:04:01.780 - 00:04:06.060
Carol Wood: Cyber security, protecting participant data.

00:04:06.740 - 00:04:19.110
Carol Wood: ERISA contributory Benefit Plan Abuse. And we'll concentrate mostly on the surprise billing protections, and the mental health parity.

00:04:19.110 - 00:04:27.370
Carol Wood: But throughout the presentation, we'll provide key takeaways for employers, and indicate our available resources.

00:04:30.700 - 00:04:32.899
Carol Wood: Okay, and I'm gonna start out by…

00:04:32.920 - 00:04:47.899
Carol Wood: handing the presentation over to my colleague, Benjamin, who I think really has a unique background, to discuss DOL enforcement approaches and audit triggers. So, Ben, I'll turn it over to you, and perhaps…

00:04:47.900 - 00:04:53.119
Carol Wood: You know, in case some of our audience isn't aware, maybe you can explain a little of your background.

00:04:55.500 - 00:05:10.590
Benjamin Merry: Yeah, well, thanks, Carol, and good afternoon, everyone. Yeah, so before I joined NFP, I was an attorney at the DOL. I served under both President Biden and President Trump. I was at the Employee Benefits Security Administration, or EBSA.

00:05:10.810 - 00:05:16.539
Benjamin Merry: In the office that wrote regulations on the No Surprises Act and MAPIA, which we'll be discussing today.

00:05:16.700 - 00:05:19.870
Benjamin Merry: The office also advises DOL's investigators.

00:05:20.150 - 00:05:30.199
Benjamin Merry: So, I thought before we talk about how an employer gets on the DOL's radar screen, it might be helpful to understand, you know, who the people are who are looking at those radar screens.

00:05:30.600 - 00:05:42.490
Benjamin Merry: Most folks, if they've never experienced a DOL investigation, first of all, congrats, good, I hope it stays that way. But if you do, it's helpful to know who it is you'll be dealing with.

00:05:43.260 - 00:05:58.009
Benjamin Merry: So any investigations of a group health plan are handled by EBSA, and I like to think of EBSA as a small but mighty agency. They oversee millions and millions of plans covering, 155 million Americans.

00:05:58.270 - 00:06:04.550
Benjamin Merry: Ebsa only has a few hundred investigators, which may seem like a lot, maybe it doesn't.

00:06:04.710 - 00:06:12.459
Benjamin Merry: But the reality is that EBSA only has about one investigator for every 17,500 plans or so.

00:06:12.700 - 00:06:17.670
Benjamin Merry: And those investigators are spread out across the country in 12 different regional offices.

00:06:17.820 - 00:06:26.290
Benjamin Merry: So EBSA really doesn't have the resources to go and knock on every business's door to make sure they're doing all their compliance activities by the book.

00:06:26.810 - 00:06:35.340
Benjamin Merry: Which isn't to say that EBSA isn't effective or isn't policing plans, because really it's the opposite. They're just very, very efficient about it.

00:06:35.730 - 00:06:47.080
Benjamin Merry: Just last year, EPSA reported recovering $1.4 billion, with a B, in recoveries for plans, participants, and beneficiaries through all of their enforcement activities.

00:06:47.410 - 00:06:59.009
Benjamin Merry: And typically, this isn't money that's going into the DOL's pockets, this is going to employees, or it's going to pay for benefits, or it's going back to, employers from rogue service providers.

00:07:00.860 - 00:07:07.579
Benjamin Merry: There are two main ways that an employer gets on EPSA's radar. The first is participant complaints.

00:07:07.770 - 00:07:11.569
Benjamin Merry: These are really the primary driver of DOL investigations.

00:07:11.760 - 00:07:18.639
Benjamin Merry: They, received about 220,000 complaints last year. They follow up on every single one of them.

00:07:19.170 - 00:07:27.499
Benjamin Merry: An employee has a claim denied that they think should be covered, they pick up the phone, they call DOL, so what does DOL do? Dol calls the employer.

00:07:28.070 - 00:07:42.229
Benjamin Merry: The second avenue is that the DOL pulls threads. I said that they're efficient. I've heard of situations where the DOL will investigate a complaint, and they're pretty sure the violation stems from a TPA's off-the-shelf plan design.

00:07:42.540 - 00:07:47.949
Benjamin Merry: So then the DOL might ask the TPA, hey, who are your other clients? Give us your client list.

00:07:48.150 - 00:07:53.280
Benjamin Merry: So then the DOL might sniff around those other plans to see just how widespread the problem is.

00:07:53.910 - 00:08:00.680
Benjamin Merry: So on the one hand, if you're an employer, take your employees' concerns seriously. That's gonna be the theme today.

00:08:00.910 - 00:08:07.680
Benjamin Merry: If an employee's complaining about their health coverage or the way it's working, that generally tells you that the employee thinks something isn't right.

00:08:07.800 - 00:08:11.920
Benjamin Merry: And most employees aren't gonna go straight to the DOL if they have a problem.

00:08:12.330 - 00:08:18.830
Benjamin Merry: Usually they go to the DOL only after they've raised their concerns internally and don't feel like they've been listened to.

00:08:19.260 - 00:08:32.720
Benjamin Merry: The other takeaway here is that the DOL chases down leads. They love to explore leads they get from other investigations. So sometimes the DOL might call you because of the way your carrier or your TPA administered another employer's plan.

00:08:35.309 - 00:08:43.080
Benjamin Merry: The DOL pursues their enforcement in, two different avenues, informal resolution and formal investigations.

00:08:43.309 - 00:08:50.889
Benjamin Merry: Informal resolutions are just what they sound like. The DOL receives a complaint, they reach out to the employer, see if there's anything there.

00:08:51.250 - 00:09:01.229
Benjamin Merry: There's no formal investigation, the DOL just secures the employer's agreement to make a change, and then everyone moves on. This is how the DOL does most of their enforcement.

00:09:01.660 - 00:09:14.509
Benjamin Merry: And then there's formal investigations. These are really resource-intensive. The DOL sends a letter to a plan sponsor requesting documents. They might determine a violation occurred. If they do, they issue a letter laying out their findings.

00:09:14.630 - 00:09:19.910
Benjamin Merry: They give the employer instructions on how to provide additional info to change their mind.

00:09:20.300 - 00:09:23.419
Benjamin Merry: Eventually the DOL makes a final determination.

00:09:23.760 - 00:09:32.300
Benjamin Merry: These investigations are… they can be really complex. They can take, months or even years to complete. Sometimes they lead to lawsuits.

00:09:32.980 - 00:09:46.489
Benjamin Merry: The DOL released a statement of their priorities just yesterday, which suggests they're going to lean even further toward voluntary compliance, and reserve their formal investigations for really egregious cases and really clear violations of the law.

00:09:46.810 - 00:09:55.750
Benjamin Merry: They indicated they don't plan to break new ground through their enforcement activities, so I would expect we'll see a lot more of the informal resolutions going forward.

00:09:56.180 - 00:10:03.360
Benjamin Merry: Carol, I think that's all I want to say about DOL investigations, so I'll hand it back to you to discuss our first priority area.

00:10:03.500 - 00:10:14.409
Carol Wood: Okay. Thank you so much for that overview. So the first main topic we're going to discuss is, No Surprises Act Surprise Billing Protections.

00:10:15.350 - 00:10:28.460
Carol Wood: Hi, and just a quick, overview refresher. The surprise billing protections are designed to prohibit balanced billing for certain out-of-network services that are not foreseeable.

00:10:28.720 - 00:10:46.690
Carol Wood: So these protections apply to emergency services, and that's defined very broadly under the NSA. It would include not just the screening, let's say, in an ER, but certain services to stabilize the patient, and even beyond.

00:10:48.000 - 00:10:50.610
Carol Wood: Applies to air ambulance services.

00:10:50.810 - 00:10:59.529
Carol Wood: Not, unfortunately, ground ambulance services. That was a disappointment, when the NSA rules were enacted.

00:10:59.710 - 00:11:14.010
Carol Wood: And also certain non-emergency, out-of-network services at in-network facilities. So this would be a situation, for example, where a participant scheduled a surgery at an in-network facility.

00:11:14.010 - 00:11:28.699
Carol Wood: But they were unaware at the time that the, you know, out-of-network anesthesiology services were out of network, so they would be protected from being balance billed against those non-emergency services as well.

00:11:28.950 - 00:11:38.869
Carol Wood: Just to provide an example, prior to the NSA, let's say an out-of-network provider billed $10,000 for NSA-protected services.

00:11:39.100 - 00:11:45.509
Carol Wood: The plan paid $5,000, that's the allowed amount for the plan, and the participant made $2,000.

00:11:45.770 - 00:11:48.159
Carol Wood: That was their out-of-network cost sharing.

00:11:48.300 - 00:11:58.640
Carol Wood: Then we'd still have this $3,000 that the healthcare provider may still be expecting, and the participant could be balance billed for that amount.

00:11:58.820 - 00:12:08.099
Carol Wood: Now, post-NSA, the participant cost sharing for protected services is limited to in-network levels.

00:12:08.240 - 00:12:26.360
Carol Wood: And it's the plan and the provider, not the participant, that has to resolve the remaining balance, either by agreement, negotiation, or through the NSA's independent dispute resolution process, which we can look at as a form of arbitration.

00:12:29.110 - 00:12:47.390
Carol Wood: Now, the NSA Surprise Billing Rules took effect back in 2022, so plans, you know, and insurers have had time to, to implement those provisions. The DOL is now going to verify if protected claims are processed correctly.

00:12:47.410 - 00:12:58.759
Carol Wood: And we don't really know what the scope of their review is in terms of timeframe. Are they going to look back? Are they just going to look currently and go forward? Hopefully the latter, but we just don't know at this point.

00:12:59.170 - 00:13:13.690
Carol Wood: So what's the employer's role here? As I realize, many of you, when we start talking about claims review and adjudication, say, hey, you know, it's my insurer or TPA that's handling that, you know, that's what I hired them for.

00:13:13.690 - 00:13:26.559
Carol Wood: I'm not really involved in these details, and of course that's true. They are largely handling, claim and claim review services for you, but as the fiduciary for the plan.

00:13:26.870 - 00:13:43.210
Carol Wood: You have an obligation to monitor their activities, and this responsibility is, of course, heightened for self-insured plans, since the self-insured plan sponsor's really ultimately responsible for making sure the plan is in compliance.

00:13:43.490 - 00:13:54.979
Carol Wood: Therefore, employers should understand the surprise billing rules, in order to effectively oversee their service providers and also respond to related questions.

00:13:56.090 - 00:14:14.020
Carol Wood: Now, the provisions of the NSA that I'm going to focus on today are the ones that the DOL cited that they intend to review. So, you know, fortunately, they kind of did give us an outline of the particular aspects of the surprise billing rule.

00:14:14.060 - 00:14:20.619
Carol Wood: they were concerned with. Specifically, the DOL intends to review whether plans and insurers

00:14:20.750 - 00:14:26.650
Carol Wood: Follow the prudent layperson standard for identifying covered emergency services.

00:14:27.440 - 00:14:34.759
Carol Wood: Deny emergency… don't deny emergency service benefits improperly based on plan exclusions.

00:14:35.060 - 00:14:38.789
Carol Wood: comply with other NSA protections.

00:14:39.170 - 00:14:48.259
Carol Wood: Apply in-network cost sharing to NSA-protected services, timely pay providers, and provide the proper notices and disclosures.

00:14:52.020 - 00:14:52.970
Carol Wood: Okay, now…

00:14:53.850 - 00:15:03.830
Carol Wood: I'm going to start by explaining the prudent layperson standard. We've said that the balance billing protections apply to

00:15:03.870 - 00:15:15.169
Carol Wood: services to treat an emergency medical condition. So then the question really becomes, you know, how are we determining what's an emergency medical condition?

00:15:15.490 - 00:15:17.979
Carol Wood: And this standard…

00:15:18.100 - 00:15:32.780
Carol Wood: makes the determination from the perspective of a prudent layperson, rather than a medical professional. So the question that would be asked is, would a reasonable person with average medical knowledge

00:15:32.980 - 00:15:43.799
Carol Wood: Such as you and me, assuming you're not a medical professional, believe that immediate care is needed to avoid serious jeopardy to their health.

00:15:43.970 - 00:15:47.360
Carol Wood: Or if the individual's pregnant, their unborn child's health.

00:15:47.500 - 00:15:53.060
Carol Wood: Or serious impairment or dysfunction to a bodily function, organ, or part.

00:15:53.640 - 00:16:05.569
Carol Wood: And the reason for adopting this standard was to prevent plans from denying coverage for emergency services based solely on the final diagnosis code.

00:16:05.770 - 00:16:14.770
Carol Wood: So this standard says, no, the determination must be made focusing on the presenting symptoms and all relevant documentation.

00:16:14.910 - 00:16:16.719
Carol Wood: Let's look at an example.

00:16:16.920 - 00:16:22.070
Carol Wood: A participant rushes to the emergency room with sharp chest pain.

00:16:22.220 - 00:16:27.239
Carol Wood: And it's later diagnosed as gastric reflux and non-cardiac related.

00:16:27.460 - 00:16:39.729
Carol Wood: While out-of-network care may still be treated as for an emergency medical condition, it may still be protected by the NSA if the prudent layperson standard is met.

00:16:43.210 - 00:16:58.059
Carol Wood: The next item that the DOL wanted to review is whether plans were denying claims improperly, based on plan exclusions that applied to non-emergency care.

00:16:58.910 - 00:17:03.359
Carol Wood: An example, a participant has cosmetic surgery.

00:17:03.490 - 00:17:10.849
Carol Wood: Experiences a serious and unexpected complication for which they seek treatment in the emergency room.

00:17:11.170 - 00:17:20.029
Carol Wood: Now, under the NSA, the plan can't deny emergency services, based on a plan… the plan exclusion for cosmetic surgery.

00:17:22.250 - 00:17:31.570
Carol Wood: The DOL is also going to look generally to make sure, that plans are covering emergency care. They're not requiring prior authorization.

00:17:31.760 - 00:17:38.119
Carol Wood: Providing coverage regardless of whether the healthcare provider or facility is in-network.

00:17:38.520 - 00:17:50.580
Carol Wood: And that they're not… the plans aren't imposing any administrative requirements or limitations on out-of-network coverage. That's more restrictive than those imposed upon in-network coverage.

00:17:55.160 - 00:18:01.409
Carol Wood: Again, this, this, is, I think, going to be a big focus of the DOL, you know, whether…

00:18:01.730 - 00:18:08.480
Carol Wood: Plans and insurers are applying in-network cost sharing correctly to NSA-protected services.

00:18:09.090 - 00:18:17.280
Carol Wood: And just bear with me, I think this may appear a little more complicated than it is. We've said that

00:18:17.450 - 00:18:24.030
Carol Wood: Participant cost sharing for NSA Protected services is limited to in-network levels.

00:18:24.460 - 00:18:29.690
Carol Wood: And it's based upon what's in NSA parlance called the recognized amount.

00:18:30.320 - 00:18:36.799
Carol Wood: So… Let's just say… You know, the in-network cost sharing.

00:18:36.960 - 00:18:51.240
Carol Wood: level, the percent required is 20%. Well, it's 20% of the recognized amount, and we determine that, you know, by following, you know, these steps, in descending order here.

00:18:51.880 - 00:18:55.859
Carol Wood: We'd ask, is there an all-payer model agreement

00:18:56.030 - 00:19:03.289
Carol Wood: In effect. Now, this would normally just apply to a fully insured plan, or possibly a

00:19:04.110 - 00:19:11.309
Carol Wood: a non-ERISA self-insured plan, and that's where… this is where the state has an agreement with the federal government

00:19:11.640 - 00:19:14.939
Carol Wood: That would set, the amount.

00:19:15.090 - 00:19:18.889
Carol Wood: On which the cost sharing would be based.

00:19:19.390 - 00:19:34.830
Carol Wood: The second step, let's say there's no all-payer model agreement in place for that particular state, we look for a fully insured plan to see if there's a state balance billing law in effect.

00:19:35.440 - 00:19:40.730
Carol Wood: There's no… state balanced billing law, in effect, then…

00:19:41.240 - 00:19:52.299
Carol Wood: The amount would be determined to be either the lesser of the bill charge, what the healthcare provider is charging, or what's termed the qualifying payment amount.

00:19:52.450 - 00:19:55.110
Carol Wood: And that's the median contracted rate

00:19:55.210 - 00:19:58.299
Carol Wood: For the item or service in a geographic region.

00:19:59.000 - 00:20:05.139
Carol Wood: Now, if you're a self-insured ERISA plan, you're just going to go to the third bullet point, because

00:20:05.180 - 00:20:20.069
Carol Wood: There isn't going to be an all-payer model agreement or a state balance billing law that applies, so you're normally just going to look and say, hey, it's 20% of the lesser of the bill charge, or that qualifying payment amount.

00:20:20.440 - 00:20:27.349
Carol Wood: Let's look at an example, I think it's easier to see that way. We have Joy, she's enrolled in a high-deductible health plan.

00:20:27.480 - 00:20:38.020
Carol Wood: With a $1,700 deductible, and she's met that deductible, but not her out-of-pocket maximum. Her in-network coinsurance is 20%.

00:20:38.610 - 00:20:47.219
Carol Wood: She receives emergency care at an out-of-network hospital in State A, that is billed at $1,800.

00:20:47.480 - 00:20:52.560
Carol Wood: State aid does not have an all-payer model agreement or a state balance billing law.

00:20:52.900 - 00:21:02.230
Carol Wood: And the qualifying payment amount is $1,000. So, Joyce's cost sharing is going to be based on the lesser of the bill charge.

00:21:02.370 - 00:21:09.280
Carol Wood: The healthcare provider billed $1,800, or their qualifying payment amount, which is $1,000.

00:21:09.560 - 00:21:17.270
Carol Wood: So Joy's gonna pay 20% of $1,000, or $200, and that's going to be applied to her out-of-pocket maximum.

00:21:17.600 - 00:21:29.179
Carol Wood: And now it's the plan that's going to have to address with the provider the remainder of that bill, which is $1,600. And Joy, the participant, cannot be balance billed.

00:21:31.830 - 00:21:38.200
Carol Wood: So… You know, how is the payment to that provider actually going to be determined?

00:21:38.480 - 00:21:40.900
Carol Wood: Well, again, we're going to go through our

00:21:41.020 - 00:21:53.450
Carol Wood: our hierarchy of choices here in descending order. Is there an all-payer model agreement? We said there wasn't in our example. Is there a state balance billing law? No.

00:21:53.940 - 00:21:59.959
Carol Wood: And then it's going to be in an amount agreed upon, or that's negotiated between the plan and the provider.

00:22:00.240 - 00:22:18.390
Carol Wood: or an amount that's decided by an entity during the independent dispute resolution process. Now, I just mentioned, and you may be aware of this, that the NSA Independent Dispute Resolution Process

00:22:18.590 - 00:22:27.399
Carol Wood: has been fraught with issues from the get-go. There has been more claims than ever… there have been more claims than ever anticipated.

00:22:27.470 - 00:22:38.879
Carol Wood: There have been inefficiencies in processing. There has been a lot of litigation brought by healthcare providers, successfully.

00:22:39.020 - 00:22:44.549
Carol Wood: And all of this has resulted in extreme delays.

00:22:44.710 - 00:23:00.139
Carol Wood: In cases, being reviewed. And also, unfortunately for plans, much higher payment amounts that they need to make to the out-of-network providers than was anticipated.

00:23:00.710 - 00:23:07.349
Carol Wood: But regardless, Of the amount that the plan ends up having to pay.

00:23:07.600 - 00:23:24.350
Carol Wood: I just need to really emphasize here that in no event should the participant's cost sharing ever be adjusted based on the outcome, you know, of the independent dispute resolution process, and

00:23:24.620 - 00:23:42.280
Carol Wood: the DOL, the agencies, they've actually issued guidance on this particular issue, because they apparently learned, that some plans were doing just that, that they were, adjusting the participant cost sharing, sending out new POBs.

00:23:42.280 - 00:23:57.159
Carol Wood: After they, had to make a payment, you know, after an IDR decision, that, that was larger than they expected it to be to the out-of-network provider. So, you want to steer clear, clearly away from doing that.

00:23:57.280 - 00:24:04.569
Carol Wood: What are the payment timelines for the plan? The NSA sets specific timelines for plans to pay healthcare providers.

00:24:04.910 - 00:24:06.150
Carol Wood: if… if…

00:24:06.470 - 00:24:21.400
Carol Wood: The provider submits a claim, the out-of-network provider, to the plan. If it's not denied, the plan is supposed to send an initial payment within 30 days of receipt, even if the final amount is going to differ.

00:24:21.430 - 00:24:30.190
Carol Wood: If the initial payments or denial notice doesn't resolve the claim, then a 30-day negotiation period begins.

00:24:30.310 - 00:24:46.459
Carol Wood: So the plan and the provider would negotiate, and if they don't, that doesn't result in an agreement on the amount to be paid to that provider. It's at that point that the independent dispute resolution process could be initiated.

00:24:46.580 - 00:24:53.259
Carol Wood: If the IDR process resolves the payment amount, then the provider has to be paid within 30 days.

00:24:56.480 - 00:25:04.230
Carol Wood: And finally, the DOL is going to verify that proper notices and disclosures are being provided.

00:25:04.260 - 00:25:16.890
Carol Wood: The most important one for plans and insurers is to be posting a notice on a public website to inform participants of the NSA Surprise Billing Protections.

00:25:17.030 - 00:25:29.290
Carol Wood: any state law protections that may apply, and also the federal agency context to report violations. Fortunately, CMS has provided a model notice for this purpose.

00:25:29.350 - 00:25:43.099
Carol Wood: If plan… the plan itself lacks a public website, they can enter an agreement to have their insurer or TPA post the notice on its website, where information is normally made available to participants.

00:25:43.320 - 00:25:53.649
Carol Wood: This language, this same language, should also be included in each explanation of benefits, the ELB, where the NSA protections apply.

00:25:53.930 - 00:26:02.999
Carol Wood: And although not directly applicable to our employers, be aware that healthcare providers are also subject to numerous notice requirements.

00:26:03.040 - 00:26:21.790
Carol Wood: Generally, we said that providers can't balance bill for NSA-protected services, even if the participant consents. There are some very limited exceptions, for example, with certain non-emergency out-of-network services, if strict conditions are met, including notice and consent requirements.

00:26:24.210 - 00:26:44.150
Carol Wood: And just takeaways, you know, from all that we've covered. I realize I went through it quickly. As Benjamin said, pay attention to participant complaints, ensure these are properly addressed. Understand that although carriers and TPAs adjudicate plan claims, employers have an obligation to monitor their activities.

00:26:44.220 - 00:26:54.390
Carol Wood: Ask the carrier GPA how they are addressing potential NSA-protected claims, and applying that prudent layperson standard to emergency services.

00:26:54.520 - 00:27:01.009
Carol Wood: Ensure that participants are assessed in network cost sharing, for NSA-protected services.

00:27:01.350 - 00:27:20.910
Carol Wood: Verify how claims subject to the IDR process are addressed. And for a self-insured plan, you may want to inquire if there's any reports available, status updates on any pending cases. Understand that participant cost sharing should never be adjusted based on the outcome of the IDR process.

00:27:21.180 - 00:27:25.419
Carol Wood: Always respond promptly to related requests from TBAs or carriers.

00:27:25.470 - 00:27:38.450
Carol Wood: We said the DOL intends to address issues at a service provider level. That TPA or carrier, if they've been contacted by the DOL, they may not tell you, in our experience, you know, why they're reaching out to ask you a question.

00:27:38.460 - 00:27:50.550
Carol Wood: So just be aware of that. Recognize that claims not properly addressed may need to be reprocessed, and ensure the surprise billing notice is posted on a public website available to participants.

00:27:50.820 - 00:28:05.749
Carol Wood: Thank you for listening to all that, and with that, I'm going to turn it back over to you, Ben, to discuss mental health parity. Oh, just a reminder here, we do have a transparency publication, that addresses the surprise billing protections, if you'd like more information.

00:28:07.330 - 00:28:10.539
Benjamin Merry: Hey, thanks, Carol. Yeah, we're really seeing…

00:28:11.230 - 00:28:28.219
Benjamin Merry: We're really seeing that the DOL is moving into a new stage of enforcement with the NSA. TPAs and carriers have had a few years to digest the rules, and so now it seems that the DOL is going to get more involved to make sure folks aren't getting those surprise bills, when they receive these covered services.

00:28:28.930 - 00:28:39.879
Benjamin Merry: So let's talk about another major enforcement priority, MAPIA. That's the Mental Health Parity and Addiction Equity Act. It's a bit of a mouthful to say, so we tend to shorten it to MAPIA.

00:28:40.290 - 00:28:52.099
Benjamin Merry: MAPEA was enacted in 2008. It's been amended a couple of times, most notably in 2010 with the ACA, and then again in 2020 with the Consolidated Appropriations Act of 2021.

00:28:52.690 - 00:29:06.280
Benjamin Merry: And Mapia is a big deal. Prior to Mapia, plans could do a lot of things to restrict coverage for mental health conditions and substance use disorders. They could put visit limits on mental health benefits, they could charge higher copays.

00:29:06.480 - 00:29:20.799
Benjamin Merry: Frequently, plans would impose separate annual and lifetime caps on mental health benefits that were much, much lower than the caps that applied to medical and surgical benefits. And so these really discouraged participants from seeking mental health benefits.

00:29:21.300 - 00:29:29.709
Benjamin Merry: Now MAPEA isn't a benefits mandate. It doesn't require group health plans to provide mental health or substance use disorder benefits.

00:29:30.080 - 00:29:43.600
Benjamin Merry: But it does say that if a plan does provide those benefits, then Mapia, says that those benefits must be offered in parity with medical and surgical benefits, with respect to any aggregate lifetime and annual dollar limits.

00:29:43.880 - 00:29:47.750
Benjamin Merry: Any financial requirements, and any treatment limitations.

00:29:48.350 - 00:29:59.199
Benjamin Merry: Lifetime and annual limits aren't as big of a focus anymore. It's pretty rare in practice to see those issues come up anymore, since the ACA did away with most limits.

00:29:59.580 - 00:30:04.000
Benjamin Merry: Financial requirements, these are things like co-pays and coinsurance.

00:30:04.210 - 00:30:13.880
Benjamin Merry: The general rule here is that the co-pay or coinsurance that applies to mental health or substance use disorder benefits can't be higher than the copay or coinsurance.

00:30:14.070 - 00:30:17.740
Benjamin Merry: That applies to most medical or surgical benefits in a classification.

00:30:18.410 - 00:30:30.070
Benjamin Merry: So, for example, if the copay for most outpatient in-network medical services is $25, the plan can't charge a $50 copay for outpatient in-network mental health services.

00:30:31.100 - 00:30:36.599
Benjamin Merry: And then the last category, treatment limitations, really breaks down into two subcategories.

00:30:36.890 - 00:30:40.620
Benjamin Merry: There's quantitative treatment limitations, or QTLs.

00:30:40.820 - 00:30:44.840
Benjamin Merry: and non-quantitative treatment limitations, or NQTLs.

00:30:45.120 - 00:30:50.510
Benjamin Merry: Qtls are treatment limitations that can be expressed with numbers.

00:30:50.850 - 00:30:58.830
Benjamin Merry: Nqtls are limitations that generally can't be expressed with numbers, and we'll talk more about those limitations here in a couple slides.

00:30:59.230 - 00:31:07.579
Benjamin Merry: But, MAPIA prohibits treatment limitations that apply more stringently to mental health and substance use disorder benefits compared to medical and surgical benefits.

00:31:07.880 - 00:31:18.849
Benjamin Merry: And it also prohibits limitations that apply only to mental health and substance use disorder benefits. So you couldn't have, like, prior authorization that applies only to mental health benefits, but not to medical benefits.

00:31:19.920 - 00:31:28.760
Benjamin Merry: Mapia applies broadly. It applies to fully insured plans and self-insured plans. Insurance carriers are directly subject to MAPIA.

00:31:29.210 - 00:31:35.730
Benjamin Merry: Third-party administrators are not subject to MAPIA. It's kind of a quirk in the way that Congress wrote the law.

00:31:36.060 - 00:31:44.669
Benjamin Merry: So even though it's usually the third-party administrators that come up with plan design and supply the treatment limitations for self-insured plans.

00:31:44.780 - 00:31:50.730
Benjamin Merry: It's actually the plan sponsor that is ultimately responsible for MAPIA compliance for self-insured plans.

00:31:51.440 - 00:31:58.499
Benjamin Merry: There's no exception for church plans or state and local governments. Really, the only exemptions

00:31:58.820 - 00:32:07.570
Benjamin Merry: are gonna be for, retiree-only plans, and for small employers. Small employers are generally those with under 50 employees.

00:32:07.960 - 00:32:17.740
Benjamin Merry: But even then, small employers with fully insured plans will indirectly be subject to MAPIA, because the carrier of that coverage is going to be subject to MAPIA.

00:32:18.140 - 00:32:25.070
Benjamin Merry: So really, it's just gonna be those small employers with, with self-insured plans that are gonna be fully exempt from APEA.

00:32:25.780 - 00:32:32.780
Benjamin Merry: Enforcement jurisdiction is shared between three different federal agencies, the DOL, HHS, and Treasury.

00:32:33.080 - 00:32:37.380
Benjamin Merry: DOL enforces MAPIA, for plans sponsored by private employers.

00:32:37.680 - 00:32:41.860
Benjamin Merry: HHS enforces against public employers and against carriers.

00:32:42.080 - 00:32:44.990
Benjamin Merry: And then Treasury enforces against church plans.

00:32:45.840 - 00:32:53.550
Benjamin Merry: For enforcement involving fully insured plans, it's pretty standard for DOL and HHS to team up to work together.

00:32:53.710 - 00:32:59.249
Benjamin Merry: Since BOL is gonna have jurisdiction over the fiduciaries of the plan, and

00:32:59.420 - 00:33:06.520
Benjamin Merry: of the plan as a legal entity, and then HHS having jurisdiction over the carrier. So it's really a team effort in that case.

00:33:09.150 - 00:33:13.549
Benjamin Merry: We said MAPIA requires parity, but what is… what does that look like?

00:33:13.860 - 00:33:24.619
Benjamin Merry: Specifically, any financial limitations, any quantitative treatment limitations, and any non-quantitative treatment limitations that apply to mental health or substance use disorder benefits.

00:33:24.890 - 00:33:34.539
Benjamin Merry: must be no more restrictive than the predominant financial limitations, QTLs or NQTLs that apply to medical and surgical benefits.

00:33:35.220 - 00:33:41.510
Benjamin Merry: So on this slide, your financial requirements are up top. Those are things like co-pays and coinsurance.

00:33:41.970 - 00:33:51.050
Benjamin Merry: That second, that middle bucket, those are your quantitative treatment limitations. So think visit limits, covered days of hospitalization.

00:33:51.280 - 00:33:55.370
Benjamin Merry: These are, again, they're treatment limitations that can be expressed with numbers.

00:33:55.960 - 00:34:02.870
Benjamin Merry: And then the third category on the bottom, that's NQTLs, and these are treatment limitations that generally can't be expressed with numbers.

00:34:03.020 - 00:34:11.329
Benjamin Merry: So, these are things like prior authorization requirements, medical necessity determinations, experimental treatment exclusions, and so on.

00:34:12.440 - 00:34:23.790
Benjamin Merry: And NQTLs have been the DOL's big focus for the last, probably 5 years or so. Under MAPIA, every plan is required to perform and document what's called a comparative analysis.

00:34:24.370 - 00:34:35.169
Benjamin Merry: And this comparative analysis must demonstrate the comparable design and application of NQTLs to mental health and substance use disorder benefits as compared to medical and surgical benefits.

00:34:35.889 - 00:34:43.950
Benjamin Merry: So it's not just an apples-to-apples look at, you know, does prior authorization apply to mental health benefits and to medical benefits, for example?

00:34:44.139 - 00:34:58.939
Benjamin Merry: Instead, it's a look at whether the design and the application of that prior authorization requirement to mental health benefits is the same as it is for medical benefits. It really requires insight into the inner workings of the plan.

00:35:00.540 - 00:35:03.309
Benjamin Merry: Here are some common NQTLs.

00:35:03.530 - 00:35:09.359
Benjamin Merry: Prior authorization requirements, I've said, those are NQTLs. Medical necessity criteria.

00:35:09.820 - 00:35:13.180
Benjamin Merry: Provider admission and network adequacy standards.

00:35:13.290 - 00:35:25.219
Benjamin Merry: These look more at how a carrier or a TPA builds its network. Things like reimbursement rates paid to providers, licensure and accreditation requirements for providers to be admitted to a network.

00:35:25.660 - 00:35:34.610
Benjamin Merry: Time and distance benchmarks, as far as, you know, how far is the average employee or average enrollee to the nearest medical professional?

00:35:34.720 - 00:35:37.830
Benjamin Merry: And provider to enrollee ratios.

00:35:38.460 - 00:35:52.649
Benjamin Merry: Other NQTLs might be fail-first policies or step therapy protocols, where the plan requires certain treatments or medications to be trialed and shown to be ineffective before the prescribed treatment or medication will be covered.

00:35:53.320 - 00:35:59.250
Benjamin Merry: Exclusions can also be NQTLs, when they apply to certain conditions, but not others.

00:35:59.760 - 00:36:07.380
Benjamin Merry: So, I've got an example up here. Think, like, when a plan covers nutrition counseling for diabetes, which is a medical condition.

00:36:07.550 - 00:36:14.459
Benjamin Merry: but they don't cover, nutrition counseling for an eating disorder, which is a mental health condition, that's an NQTL.

00:36:17.490 - 00:36:31.979
Benjamin Merry: There have been a lot of recent developments, though, that have caused some confusion with MAPIA, so I wanted to highlight those really quick before we go into more detail on what a comparative analysis requires and what the DOL is looking for.

00:36:32.250 - 00:36:35.739
Benjamin Merry: The Consolidated Appropriations Act of 2021

00:36:35.960 - 00:36:41.120
Benjamin Merry: introduced this comparative analysis requirement for all NQTLs.

00:36:41.480 - 00:36:48.550
Benjamin Merry: A few years went by. In 2024, the DOL, HHS, and Treasury issued regulations.

00:36:48.900 - 00:36:54.750
Benjamin Merry: I worked on those regulations. I think it's fair to say that they were not received well by employers.

00:36:55.300 - 00:37:07.019
Benjamin Merry: The regulations defined the terms that must be discussed in the comparative analyses. They imposed a meaningful benefits requirement, which functioned as kind of a coverage mandate.

00:37:07.440 - 00:37:12.029
Benjamin Merry: And they required a fiduciary certification that the fiduciary had

00:37:12.300 - 00:37:20.430
Benjamin Merry: undergone a prudent process of monitoring its service providers, the folks who are actually producing those comparative analyses.

00:37:21.100 - 00:37:30.850
Benjamin Merry: An industry group called ERIC sued to invalidate the regulations, and then President Trump took office, last January, 2025.

00:37:31.390 - 00:37:42.559
Benjamin Merry: The regulations had been issued under the Biden administration, and so the federal regulators decided to pump the brakes on enforcing the regulations, which is… which is fairly common when there's a change in administrations.

00:37:43.260 - 00:37:51.699
Benjamin Merry: So then about a year ago, the departments announced they would pause enforcement of those 2024 MAPEA regulations while the lawsuit plays out.

00:37:52.180 - 00:38:00.729
Benjamin Merry: But there was a lot of nuance to this non-enforcement policy. It applies only to the 2024 MAPEA regulations.

00:38:01.510 - 00:38:07.050
Benjamin Merry: Which means that the prior regulations, issued in, 2013, I believe, would still be enforced.

00:38:07.410 - 00:38:12.479
Benjamin Merry: And the departments also said that they would continue to enforce the statutory provisions of MAPIA.

00:38:12.610 - 00:38:21.369
Benjamin Merry: So the requirement for plans to have a comparative analysis is a statutory requirement. So plans are still required to have that comparative analysis available.

00:38:22.060 - 00:38:37.580
Benjamin Merry: And then about 2 weeks ago, the departments told the court in this lawsuit that they were no longer going to defend the 2024 regulations, which is great news to, I'm sure, a lot of folks on this call. Instead, the departments said that they were going to revisit the regulations.

00:38:37.720 - 00:38:42.420
Benjamin Merry: And their goal is to propose new MAPIA regulations by the end of 2026.

00:38:42.760 - 00:38:52.599
Benjamin Merry: So for now, the comparative analysis requirement is going to remain in effect, but without regulations to clarify the finer details of what those comparative analyses should look like.

00:38:52.790 - 00:38:57.550
Benjamin Merry: So hopefully more clarity is coming, later this year, on those requirements.

00:38:58.310 - 00:39:04.459
Benjamin Merry: But for now, each plan is required to have a comparative analysis available on demand.

00:39:05.040 - 00:39:11.540
Benjamin Merry: These may be requested by federal or state regulators, or by plan participants. Your employees can request these.

00:39:11.740 - 00:39:24.800
Benjamin Merry: And, these really aren't something that can be whipped up real easily or quickly the first time someone asks for it, so best practice is to have these available ahead of time, or any time you implement a new NQTL.

00:39:25.120 - 00:39:34.149
Benjamin Merry: A comparative analysis must be documented, for each NQTL that applies to mental health or substance use disorder benefits.

00:39:34.780 - 00:39:43.620
Benjamin Merry: There's no requirement to have a comparative analysis for your QTLs or for any financial requirements. It's only for NQTLs.

00:39:43.870 - 00:39:50.080
Benjamin Merry: So if a vendor tries to charge you thousands and thousands of dollars for a comparative analysis of your QTLs,

00:39:50.290 - 00:39:52.669
Benjamin Merry: Save your money. Not… not required.

00:39:53.540 - 00:40:01.249
Benjamin Merry: A comparative analysis must show the comparable design and application, both in writing and in operation.

00:40:01.580 - 00:40:06.700
Benjamin Merry: of each NQTL has applied to mental health and substance use disorders.

00:40:06.850 - 00:40:10.590
Benjamin Merry: Benefits as compared to medical and surgical benefits.

00:40:11.530 - 00:40:23.890
Benjamin Merry: The DOL is required to request at least 20 comparative analyses each year, and then they also have to submit a report to Congress every year summarizing their enforcement activity and their results.

00:40:24.490 - 00:40:30.360
Benjamin Merry: Corrective action that they may order includes, reprocessing claims.

00:40:30.600 - 00:40:33.799
Benjamin Merry: Removing any non-compliant NQTLs.

00:40:33.940 - 00:40:39.019
Benjamin Merry: Changing plan document language, and changing claims processing procedures.

00:40:39.530 - 00:40:47.190
Benjamin Merry: And then the DOL also may refer non-compliant plans to the IRS to levy excise taxes. That's a relatively recent development.

00:40:47.380 - 00:40:56.019
Benjamin Merry: I would expect they would only do that in, in rather egregious cases, or, or in cases where a, where an employer isn't, or, or a…

00:40:56.140 - 00:40:58.959
Benjamin Merry: Carrier doesn't really play ball with the investigation.

00:40:59.170 - 00:41:02.129
Benjamin Merry: But, but, you know, stay tuned there.

00:41:03.650 - 00:41:07.710
Benjamin Merry: Here is the content that is required in a comparative analysis.

00:41:08.020 - 00:41:11.650
Benjamin Merry: So for each NQTL that a plan applies.

00:41:11.810 - 00:41:17.070
Benjamin Merry: The comparative analysis must demonstrate that the processes, strategies.

00:41:17.300 - 00:41:22.569
Benjamin Merry: evidentiary standards, and other factors that are used to apply that NQTL

00:41:22.730 - 00:41:38.839
Benjamin Merry: to mental health or substance use disorder benefits, that they're comparable to and not applied more stringently than the processes, strategies, evidentiary standards, and other factors used to apply that same NQTL to any medical and surgical benefits.

00:41:39.480 - 00:41:51.190
Benjamin Merry: The regulations defined all of these terms on the screen, but they're, like I said, they're no longer being enforced, so it's generally up to plans to determine what these terms mean, how to explain these.

00:41:51.370 - 00:41:55.310
Benjamin Merry: But necessarily, this is gonna be a pretty complex analysis.

00:41:58.050 - 00:42:09.279
Benjamin Merry: So, with all of that, background on what MAPEA requires, the DOL is prioritizing removing barriers to accessing mental health and substance use disorder benefits this year.

00:42:09.470 - 00:42:16.429
Benjamin Merry: So, specifically, they've said that they're digging into burdensome claims processes, unjustified treatment exclusions.

00:42:16.600 - 00:42:20.629
Benjamin Merry: Inaccurate provider lists, and unreasonable limits on care.

00:42:21.170 - 00:42:31.150
Benjamin Merry: So that… that tells me that NQTLs will continue to be the DOL's main focus. Employers can expect prior authorization, I think, to be a heavy focus.

00:42:31.540 - 00:42:36.749
Benjamin Merry: Same goes for medical necessity criteria and exclusions for experimental treatments.

00:42:37.240 - 00:42:45.830
Benjamin Merry: The DOL tends to be wary of efforts to deny mental health treatment as experimental, based on really strict definitions of what's experimental.

00:42:46.500 - 00:42:53.190
Benjamin Merry: Exclusions that are targeted at mental health conditions and substance use disorders are also likely to be a big focus.

00:42:53.710 - 00:43:00.930
Benjamin Merry: And provider networks will also be a big focus. The DOL is likely to look at standards for provider admission to a network.

00:43:01.080 - 00:43:03.739
Benjamin Merry: As well as so-called ghost networks.

00:43:04.410 - 00:43:19.220
Benjamin Merry: There's been a rise recently in complaints where a network might have a lot of mental health professionals, but none of them are taking new patients. And obviously, enrollees can't benefit from a robust mental health network if there's no one to take new patients.

00:43:19.420 - 00:43:28.729
Benjamin Merry: The DOL is likely to review how provider networks are being built out, and what carriers and TPAs are doing to ensure that enrollees can actually see a provider if they need to.

00:43:31.040 - 00:43:46.639
Benjamin Merry: It may be difficult to identify NQTLs that impose barriers to access, because often these problematic NQTLs, they might not be evident from a review of the plan terms. Instead, the differences might appear only in operation.

00:43:47.150 - 00:43:54.229
Benjamin Merry: So, for example, prior authorization might be required more often for mental health benefits than for medical benefits.

00:43:54.730 - 00:44:01.730
Benjamin Merry: Or TPAs or carriers may have different targets for the number of medical specialists and mental health specialists admitted to the network.

00:44:02.100 - 00:44:10.709
Benjamin Merry: Or they may have different benchmarks for geography of where those providers are located in relation to enrollees. Those may be problematic.

00:44:11.220 - 00:44:20.869
Benjamin Merry: Ghost networks I mentioned before, they may have different standards for ensuring that medical providers are accepting new patients as compared to, mental health providers.

00:44:22.000 - 00:44:29.739
Benjamin Merry: Likewise, network admission standards, those can be tough to identify from reviewing plan, plan documents alone.

00:44:30.150 - 00:44:44.450
Benjamin Merry: Carriers or TPAs may require mental health professionals to obtain additional education or training beyond their licenses, but they don't require those same standards, that same additional education of medical professionals. That can be problematic.

00:44:45.280 - 00:44:54.169
Benjamin Merry: Mental health claims getting denied more frequently than medical claims may signal a disparity in how medical necessity standards are being applied.

00:44:54.540 - 00:45:02.039
Benjamin Merry: And exclusions or exceptions can violate MAPIA when a treatment is covered for medical conditions, but not for mental health conditions.

00:45:04.660 - 00:45:07.750
Benjamin Merry: Which brings us to our employer action items.

00:45:08.430 - 00:45:09.760
Benjamin Merry: So first.

00:45:09.950 - 00:45:20.920
Benjamin Merry: pay attention to employee complaints. I cannot stress this enough. Employees are the ones that are out there trying to use their coverage, so they're the ones who experience the effects of NQTLs firsthand.

00:45:21.210 - 00:45:29.150
Benjamin Merry: Employee complaints can signal that NQTLs that may appear to be written even-handedly are being applied more stringently in operation.

00:45:29.280 - 00:45:32.280
Benjamin Merry: So if you're hearing complaints from employees, take them seriously.

00:45:32.760 - 00:45:43.420
Benjamin Merry: Second, have regular conversations with your carrier or your TPA about mental health parity, particularly about the comparative analysis requirement for your NQTLs.

00:45:43.800 - 00:45:50.669
Benjamin Merry: Comparative analyses are the… are the roadmaps to MAPEA compliance. It's the first thing the DOL is going to ask for if they audit your plan.

00:45:50.860 - 00:46:00.249
Benjamin Merry: So if you don't have a comparative analysis, you're not going to be able to demonstrate that your plan is compliant. You can say everything is… everything operates the same for mental health and medical.

00:46:00.440 - 00:46:06.390
Benjamin Merry: benefits, but the DOL's gonna say, alright, prove it, let's see that comparative analysis. So that's… that's crucial to have.

00:46:08.200 - 00:46:18.330
Benjamin Merry: And employers have a fiduciary duty to monitor their service providers, so ask questions. If you're fully insured, your carrier is required to produce the comparative analysis.

00:46:18.460 - 00:46:25.719
Benjamin Merry: Ask them for a copy of it, review it, and then ask questions. If you've heard employee complaints, raise those with your carrier.

00:46:26.150 - 00:46:42.039
Benjamin Merry: If you're self-insured, compliance is trickier. It's a lot trickier. I'm not gonna sugarcoat it. You have a duty to review your current plan designs for problematic NQTLs, so ask your TPA about any access NQTLs, things like network design.

00:46:42.120 - 00:46:47.929
Benjamin Merry: Prior authorization, any exclusions that apply differently to mental health benefits than to medical benefits?00:46:48.290 - 00:46:51.600
Benjamin Merry: Request a comparative analysis from your TPA

00:46:51.990 - 00:47:05.769
Benjamin Merry: EPAs often use the same or a similar plan design to their fully insured model, so especially if you have an off-the-shelf design for your self-insured plan, see if the TPA will provide you a copy of their comparative analysis for the fully insured model.

00:47:05.920 - 00:47:13.310
Benjamin Merry: If nothing else, if you can get your hands on that, that might provide a good roadmap to determine if there are any red flags in your self-insured plan design.

00:47:14.010 - 00:47:25.949
Benjamin Merry: And discuss any participant complaints you've received with your TPA. Since those can indicate red flags or possible noncompliance, they're really going to be a powerful tool to discuss changes with your TPA.

00:47:26.560 - 00:47:43.640
Benjamin Merry: You can also ask your NFP broker or consultant for a copy of our publications on MAPEA. You can see those on the left of the screen. We have a guide to the comparative analysis. We also have a guide to identifying common red flag NQTLs that might require greater scrutiny.

00:47:44.020 - 00:47:53.470
Benjamin Merry: Our publications also have communication templates for requesting information from your TPA, as well as a host of questions that you can ask your TPA to help guide your compliance.

00:47:55.180 - 00:48:03.519
Benjamin Merry: But ultimately, expect a lot of pushback. Since TPAs aren't directly subject to MAPIA, some of them don't offer support on comparative analyses.

00:48:03.760 - 00:48:14.439
Benjamin Merry: which puts you, the employer, in a really tough spot. So you may wish to consider asking about comparative analysis support the next time you put your TPA out to an RFP.

00:48:15.480 - 00:48:26.749
Benjamin Merry: If your TPA will not provide a comparative analysis, then you're going to want to consider whether to engage a specialized vendor, or legal counsel to create a comparative analysis for you.

00:48:27.080 - 00:48:40.679
Benjamin Merry: The DOL didn't set out to create a cottage industry of vendors to create comparative analyses for plans, since these outside vendors aren't involved in designing treatment limitations and don't have that specialized insight that a TPA has.

00:48:41.040 - 00:48:51.120
Benjamin Merry: But, you know, nevertheless, if your TPA won't help you create a comparative analysis, and they won't give you one, you may need to weigh the considerations and determine whether to hire an outside vendor.

00:48:51.400 - 00:48:57.470
Benjamin Merry: But one thing I'll note is that we're increasingly seeing vendors that are marketing red flag reviews.

00:48:57.660 - 00:49:12.880
Benjamin Merry: where they'll identify potentially problematic NQTLs, but these reviews don't independently satisfy the comparative analysis requirements to describe the processes, strategies, evidentiary standards, and other factors that go into the design and application.

00:49:13.020 - 00:49:25.670
Benjamin Merry: So there's not necessarily anything wrong with getting one of these reviews, but employers who go this route should be prepared to address any recommendations, and then still produce that comparative analysis that demonstrates your compliance with MAPIA.

00:49:26.670 - 00:49:37.870
Benjamin Merry: So okay, that was a lot of Mapia to fit into a very short time period. Carol, I'm gonna hand it back to you, and let's talk about cybersecurity and our time we've got remaining.

00:49:38.930 - 00:49:56.539
Carol Wood: Thanks so much, Ben, and that was a great and a comprehensive review in a short amount of time, so thank you for that. Yes, we're going to discuss another DOL enforcement priority. This is cyber security addressing risks of cyberattacks, so…

00:49:56.540 - 00:50:04.999
Carol Wood: The DOL is going to review how plans protect their systems and sensitive data from cyber threats, and this project builds on

00:50:05.320 - 00:50:21.379
Carol Wood: guidance that they updated in 2024 for employers. And I would just mention that the guidance that was issued was intended for both retirement plans and health and welfare plans, so it is general in that sense.

00:50:21.380 - 00:50:41.139
Carol Wood: The DOL at the time made the point, though, to… to state that, to make clear that it was intended to apply to health and welfare, plans, as well as retirement plans. So, just be aware of that. The… there was a focus, the focus of the guidance was in three key areas.

00:50:41.160 - 00:50:45.560
Carol Wood: First with service provider selection and oversight.

00:50:45.640 - 00:50:46.690
Carol Wood: And I've…

00:50:47.470 - 00:51:07.080
Carol Wood: cited a few examples of suggestions in the guidance for an employer when they're selecting or monitoring a vendor. They want to look for strong cybersecurity practices, for example, by verifying and benchmarking the vendor's security standards and policies.

00:51:07.600 - 00:51:27.509
Carol Wood: negotiating contracts with privacy and security safeguards, and confirming appropriate insurance, including cyber liability insurance. Now, the guidance, you know, is… has many bullet points and elaborates on each of them, so you might want to take a look at that.

00:51:27.510 - 00:51:34.009
Carol Wood: The next area with cybersecurity program best practices, and this…

00:51:34.010 - 00:51:48.349
Carol Wood: Could apply to both vendors and employers themselves. Making sure, for example, they have a formal, well-documented cybersecurity program, conduct annual risk assessments and third-party audits.

00:51:48.350 - 00:51:57.879
Carol Wood: Of security controls. That would be, for example, maybe you've ever heard of, like, a SOC 2 report. A third party is reviewing.

00:51:57.920 - 00:52:00.370
Carol Wood: Your security system.

00:52:00.810 - 00:52:05.409
Carol Wood: Encrypting sensitive data, whether stored or in transit.

00:52:05.540 - 00:52:10.040
Carol Wood: And training employees periodically on cybersecurity awareness.

00:52:10.980 - 00:52:29.390
Carol Wood: And then the final… the final, area was participant online security education, just making sure, you know, participants are brought into the loop on online security, for example, by promoting strong passwords, use of multi-factor authentication.

00:52:31.860 - 00:52:46.840
Carol Wood: Now, of course, in our world of group health plans, they generally must comply with the HIPAA privacy and security rules, and it's actually HSS that's the main enforcer of HIPAA and audits covered entities that include group health plans.

00:52:46.910 - 00:52:55.989
Carol Wood: Nhs reports to Congress annually on their audit results, and compliance deficiencies of covered entities.

00:52:55.990 - 00:53:11.950
Carol Wood: These reports have shown, in recent years, consistently, gaps in cybersecurity readiness, even though hacking is considered to be the biggest threat to protecting electronic PHI, protected health information.

00:53:12.100 - 00:53:20.150
Carol Wood: In January of 2025, HHS proposed a HIPAA security rule to better protect

00:53:20.190 - 00:53:33.479
Carol Wood: EPHI, and the rule, the security rule, had not been updated, for cybersecurity, changes since 2013, so it was well overdue for an update.

00:53:33.500 - 00:53:45.690
Carol Wood: The rule would require covered entities to significantly upgrade their cybersecurity practices and implement many new policies and procedures

00:53:45.690 - 00:54:04.909
Carol Wood: The status is pending. The rule was issued by the Biden administration as they were leaving. It's another one of those rules, as Ben mentioned, that, you know, the Trump administration, when they came in, said they'd review, and we really haven't heard an update since then, so we can consider that status to be pending.

00:54:06.060 - 00:54:21.540
Carol Wood: employer takeaways here, just make sure you review compliance, particularly your HIPAA security policies and practices for cybersecurity readiness. We do have a new guide, if you haven't received it, ask for a copy of our HIPAA Privacy and Security

00:54:22.040 - 00:54:35.369
Carol Wood: For group health plans publication, evaluate cybersecurity practices of vendors and business associates, and monitor for updates on that proposed cybersecurity rule.

00:54:35.740 - 00:54:43.899
Carol Wood: And with that, in the few minutes we have, Ben, I'm going to turn it back over to you to discuss our last topic, ERISA contributory Benefit Plan Abuse.

00:54:45.240 - 00:54:52.619
Benjamin Merry: Alright, thanks, Carol. Yeah, this is an interesting one. You may be surprised to know that the DOL can bring criminal charges.

00:54:53.020 - 00:55:00.090
Benjamin Merry: Historically, they've used this authority sparingly, reserving it for egregious violations of ERISA.

00:55:00.230 - 00:55:07.170
Benjamin Merry: They can bring charges against employers, fiduciaries, and service providers for certain abusive practices.

00:55:07.520 - 00:55:15.040
Benjamin Merry: The Trump administration has indicated that egregious violations will continue to be the standard for when they bring criminal charges.

00:55:15.840 - 00:55:32.069
Benjamin Merry: But the DOL's criminal prosecutions typically target plans that mishandle employee contributions. So these are things like contributory health plans, health FSAs, COBRA premiums, premiums for voluntary benefits, and possibly HSA contributions.

00:55:32.570 - 00:55:44.030
Benjamin Merry: To the extent that past prosecutions inform future ones, the DOL can be expected to target cases where a fiduciary redirects employee contributions for their personal use.

00:55:44.310 - 00:55:53.079
Benjamin Merry: So don't go and buy a speedboat with employee premium contributions, which has really happened. That was really a prosecution that they led a few years ago.

00:55:53.620 - 00:56:00.259
Benjamin Merry: Distressed employers are a big area of focus. Sometimes a business is having trouble paying its bills.

00:56:00.390 - 00:56:08.339
Benjamin Merry: Then they'll use employee contributions to pay off bills while they wait for other cash to roll in. That's been known to trigger criminal charges before.

00:56:08.620 - 00:56:16.099
Benjamin Merry: And, service providers that receive employee contributions and then fail to deliver benefits have also been prosecuted.

00:56:18.430 - 00:56:33.110
Benjamin Merry: So, things employers should know. Distressed employers still have fiduciary duties to safeguard plan assets. Things happen, interest rates increase, contracts fall through, no one goes into business planning to fail.

00:56:33.360 - 00:56:48.789
Benjamin Merry: But don't compound the problem by using employee contributions to keep the business afloat. It's a violation of ERISA to use employee contributions for business purposes, regardless of whether the money gets replenished quickly, so don't risk criminal charges to keep the business afloat.

00:56:49.030 - 00:56:54.039
Benjamin Merry: Especially, you know, if the business fails, the DOL is gonna look

00:56:54.300 - 00:57:01.630
Benjamin Merry: to someone to kind of make those employees as whole as they can. And so, that's a prime area of criminal charges.

00:57:01.810 - 00:57:12.219
Benjamin Merry: But it's not just distressed employers that run into problems here. So review your processes for collecting and forwarding employee contributions so you can avoid innocent mistakes.

00:57:12.600 - 00:57:19.749
Benjamin Merry: Employee contributions become plan assets as soon as they can reasonably be segregated from an employer's general assets.

00:57:20.020 - 00:57:25.380
Benjamin Merry: And the employer has a duty to forward employee contributions to their next destination promptly.

00:57:25.630 - 00:57:32.369
Benjamin Merry: So, if an employer collects premiums to send onto the carrier, the employer shouldn't hang on to those contributions any longer than necessary.

00:57:32.800 - 00:57:43.879
Benjamin Merry: One big pain point that we often see is HSA contributions. We hear all the time about employees who elect to make contributions to an HSA, but then fail to open an account for whatever reason.

00:57:44.160 - 00:57:53.539
Benjamin Merry: Employers might deduct contributions from an employee's paycheck for a couple months, and then they ask us, you know, hey, what should we do with these contributions we've been collecting? We don't have anywhere to put them.

00:57:53.960 - 00:57:59.630
Benjamin Merry: And there aren't any great answers on what to do at that point. Usually we have to say, you know, call your lawyer.

00:57:59.840 - 00:58:10.590
Benjamin Merry: The best way to avoid that problem is to put procedures in place so you're not taking contributions until an employee establishes that HSA. I'd encourage you to review your processes now.

00:58:10.740 - 00:58:19.840
Benjamin Merry: Instead of waiting for an employee to reach out and ask where their HSA funds are, writing policies isn't fun. I say that even as a lawyer who enjoys that stuff.

00:58:20.000 - 00:58:30.169
Benjamin Merry: But it's not always top of mind, but having those places, these policies in place ahead of time can save you so much heartburn by avoiding these compliance headaches later.

00:58:33.340 - 00:58:37.399
Benjamin Merry: So there we have it. We covered a lot of material over the last hour.

00:58:37.540 - 00:58:45.310
Benjamin Merry: I think we're running up against the hour, so, on behalf of Carol, and myself, and NFP's benefits compliance team.

00:58:45.570 - 00:58:47.799
Benjamin Merry: Thank you so much for joining us today.

00:58:48.140 - 00:58:51.289
Benjamin Merry: And Amber, I'll, I'll hand it off to you to close us out.

00:58:53.950 - 00:59:12.070
Amber Posthauer: Great, thank you. Thank you to our speakers for sharing your valuable time and expertise with us today. To reiterate, today's presentation was recorded. We'll be sharing the recording in the coming days and on the NFP website. If there are any portions of this call that you missed, by Monday, you'll receive an email with a link to the full recording.

00:59:12.070 - 00:59:15.509
Amber Posthauer: The PowerPoint slides used during this presentation will be shared in the same email.

00:59:15.780 - 00:59:32.450
Amber Posthauer: At the end of this call, a survey will populate in a new window. Please take a brief moment to complete the survey, as it lets us know what topics are important to our listeners and helps make our education program as current and relevant as possible. That concludes our webinar for today. Thank you, everyone, for joining us, and have a great day.