In our January 2022 update, we discussed new federal requirements that group health plans should pay close attention to in 2022. The sponsor of a self-funded plan will need to work closely with its legal counsel, benefits consultant, and administrative services only (ASO) provider or other third-party administrator (collectively, TPA) to modify its plan design and administration as needed—particularly, with respect to medical surprise billing and related requirements under the Consolidated Appropriations Act of 2021 (CAA). This update outlines contractual and procurement considerations that we are seeing clients confront as they respond to compliance and implementation challenges from these new requirements.

1. It may be too soon to negotiate new or amended contract terms. Many group health plan issuers and TPAs are still in CAA implementation stages. Enforcement has been delayed for some requirements while we wait for additional federal guidance on other requirements. There is also the potential impact of federal litigation—e.g., the recent Texas district court ruling striking down a subset of interim final regulations relating to medical surprise billing, which may be appealed.
   
   TPAs should be ready to turn to contract terms in the second half of 2022. Consequently, sponsors of self-funded group health plans should insist on addressing contract changes during 2023 renewals, if not already addressed by then.
   
   In the meantime, we believe plan sponsors should consult with legal counsel on whether to request a vendor compliance attestation from the TPA. At a minimum, they should consider requesting less formal documentation covering the specific legal requirements that have been implemented or will be implemented on the plan’s behalf, the anticipated timeline for such implementation, and a commitment to support additional implementation actions as is required by future guidance. This documentation should be checked against the plan sponsor’s own list of legal requirements and can then inform the parties’ contract negotiations.
2. Consider contract terms beyond a general “compliance with applicable law” representation. Many ASO contracts include a general representation that the TPA will perform services in compliance with applicable law. However, these contracts will also provide that the plan sponsor is the plan administrator under the Employee Retirement Income Security Act of 1974 (ERISA) and ultimately responsible for the self-funded plan’s compliance with ERISA and other applicable laws. Accordingly, it is worthwhile to ask for more specific terms, such as the following:
   
   
   • A service addendum or schedule that identifies each new requirement the TPA has agreed to implement on the plan’s behalf.
   • Provisions confirming that the TPA will adjudicate claims and appeals in compliance with the CAA, including medical surprise billing protections and other cost-sharing protections where required for plan members or services.
   • Provisions identifying the new reporting and disclosure requirements the TPA will handle on the plan’s behalf—e.g., air ambulance reporting, prescription drug cost reporting, healthcare transparency disclosures, and advanced explanations of benefits.
3. Review contract terms on plan design and pricing. A current negotiation presents a great opportunity to revisit performance-level guarantees under the ASO contract, as well as design and pricing terms that could be modified or dropped due to the new group health plan requirements, such as the following:
   
   
   • Any cost-savings program previously implemented to mitigate balance billing issues.
   • Any special service fees or costs the plan sponsor currently pays for the TPA to negotiate payments to out-of-network providers.
   • Any rate or pricing terms that currently do not reflect the qualifying payment amount(s) that will apply moving forward pursuant to the medical surprise billing requirements.
4. Review contract terms on plan sponsor reports and audit rights. Many ASO contracts provide for plan sponsor rights to audit TPA performance and to access periodic reports. Consider requesting rights specific to the new group health plan requirements, such as the following:
   
   
   • Reports to confirm TPA compliance with medical surprise billing requirements, including:
     • Claim approval and denial statistic reports.
     • Reports of benefit payments that exceeded the plan’s qualifying payment amount(s).
     • Claims reports identifying services for which the member received notice and consent to balance billing.
   • Copies of data about the plan that the TPA reports to federal agencies on the plan’s behalf (e.g., prescription drug cost reporting).
5. Review and refresh on vendor procurement processes. We believe that RFPs and other aspects of the procurement process for engaging benefit consultants and TPAs should specifically address the extent to which these vendors can support the plan sponsor on the increased compliance and implementation challenges for self-funded group health plans (e.g., medical surprise billing, mental health parity, and healthcare transparency).
   
   Additionally, the U.S. Department of Labor’s (DOL) cybersecurity guidance issued last year is at the forefront of current discussions with clients. As highlighted in our February 2022 update, vendor services agreements, including ASO contracts, may not sufficiently protect plan sponsors against the risk of cybersecurity issues. Plan sponsors could take meaningful steps to mitigate these issues by addressing the DOL cybersecurity “tips” on prudently selecting (procuring) and monitoring service providers, including the following:
   
   
   • Requesting the service provider’s security practices and protocols and comparing these to industry standards adopted by other financial institutions.
   • Inquiring as to how the service provider validates its security controls and securing a contractual right to review security system audit results.
   • Evaluating the service provider’s information security track record, including by reviewing publicly available information on security incidents and related litigation.
   • Confirming any recent security breach issues and related responses by the service provider.
   • Confirming whether the service provider has sufficient cybersecurity and identity theft insurance coverage to meet the needs of the plan and its participants.
   • Incorporating ongoing cybersecurity compliance requirements into service agreements as well as other contractual requirements, such as (1) third-party audit requirements; (2) limitations on use and disclosure of confidential information; (3) prompt notification of cybersecurity breaches; (4) record retention policies in compliance with applicable law; and (5) adequate cybersecurity, identity theft, and breach insurance coverage (whether as a stand-alone policy or as a rider to the service provider’s existing errors and omission liability insurance policies).

© 2022 Perkins Coie LLP