Over the last several weeks, our Health and Welfare Plan Fiduciary Governance Series has touched on a number of key responsibilities for plan fiduciaries. From establishing fiduciary committees to monitoring service providers to ensuring compliance with HIPAA and claims and appeals procedures, fiduciary responsibility under health and welfare plans is far-reaching. With litigation risks increasing, health and welfare plan fiduciaries cannot afford to take a reactive approach to plan administration. Rather, fiduciaries should strive to mitigate fiduciary risks proactively. This final article in our Fiduciary Governance Series brings it all together and provides a fiduciary compliance review blueprint that fiduciaries can follow when assessing risks.
Summarizing key fiduciary responsibilities
But before getting to the fiduciary compliance review blueprint, it is helpful to take a step back and summarize the key fiduciary responsibilities we discussed in prior articles.
Form health and welfare fiduciary committees
In the retirement plan context, establishing fiduciary committees and holding periodic meetings is the standard practice. However, that has not historically been the case with respect to health and welfare plans. Given the growing litigation risks associated with health and welfare plans, plan administrators should consider forming health and welfare fiduciary committees, either on a stand-alone basis or as part of an overall employee benefits committee that covers retirement and health and welfare plans. A health and welfare committee could be tasked with several fiduciary responsibilities, including, among other things, selecting and monitoring service provider performance and fees, establishing and maintaining cybersecurity policies, and reviewing escalated claims and appeals-related issues. As with retirement plan committees, the health and welfare committee should include internal personnel—those who are familiar with the plans and have some relevant expertise—and outside experts as needed, and clearly document all committee activities. This written documentation is the first line of defense against a claim that fiduciaries have failed to follow their fiduciary duties.
Select and monitor service providers
It is well established that selecting and monitoring plan service providers is a fiduciary function. A prudent service provider selection process involves issuing requests for proposals to several prospective service providers and evaluating various components of each bid (e.g., fees, services, and performance guarantees). Once a service provider is selected, fiduciaries (and their Employee Retirement Income Security Act (ERISA) counsel) should negotiate a contract that accurately reflects the winning bid specifications and includes commercially appropriate terms and conditions. A fiduciary’s responsibility does not end with service provider selection.
Although some fiduciary functions will be delegated to the service provider, the plan fiduciary is still required to monitor performance and fees. The primary method of monitoring service providers is through an annual audit conducted by a qualified and independent auditor. In the medical plan context, the audit will examine claims to ensure accurate processing, eligibility, performance guarantees, and general adherence to the contract terms. In the prescription drug context, the audit will cover, in particular, ingredient cost, dispensing fee, and rebate guarantees, as well as other contract compliance checks.
In recent years, the Department of Labor (DOL) has made cybersecurity an enforcement priority. Although health plans are subject to strict requirements under the Health Insurance Portability and Accountability Act (HIPAA), health plan fiduciaries should nevertheless take steps to ensure that service providers have sufficient cybersecurity protocols in place. Additionally, health plan fiduciaries should consider developing cybersecurity policies and procedures that set minimum requirements for plan service providers and govern what happens when a security incident occurs.
Navigate claims and appeals
Claims and appeals are typically handled by a third-party claims administrator, and the claims administrator is the primary fiduciary when making claims and appeals determinations. Nevertheless, situations often arise that can have fiduciary implications for health and welfare plan fiduciaries. For example, participants who have had a claim denied may, from time to time, seek an exception. Overriding a claims administrator’s decision and plan documentation can be problematic, so when those requests come in, fiduciaries should consult with ERISA counsel. Additionally, healthcare providers often dispute plan reimbursements and issue letters demanding additional payment. Healthcare providers generally have no statutory rights under ERISA; however, plan participants can assign their rights to a healthcare provider or designate a healthcare provider to act on the participant’s behalf as an authorized representative. Health plans can expressly prohibit assignment but may not preclude the designation of a representative. Plan fiduciaries should consult legal counsel when assignment and representative designation issues arise.
Conducting a Fiduciary Compliance Review
With that recap, it is clear that health and welfare fiduciaries face several sources of risk. Formalizing fiduciary governance within a fiduciary committee and using that committee to monitor fiduciary compliance is an important first step toward compliance and risk mitigation. A second step may be for the fiduciary committee to work with ERISA counsel and conduct a comprehensive fiduciary compliance review. This review will evaluate plan documents, participant communications, service provider agreements, and service provider performance to identify potential risks.
There is no “one size fits all” method to conduct one of these reviews, but by way of example, the review blueprint provided below is based on several compliance reviews conducted by Nixon Peabody’s Health and Welfare team.
Fiduciary Questionnaire and Document Request
The fiduciary compliance review commences with a questionnaire and document request. The questionnaire requests information related to plan design, health plan fiduciary governance, service providers, request for proposal (RFP) history, claims and appeals practices, special enrollment practices, participant communication practices, HIPAA and cybersecurity, audit history, government investigation history, and various other compliance matters. The documents requested include the wrap plan document and summary plan description, summaries of material modifications, component benefit plan documents, cafeteria plan document, summaries of benefits and coverage, service provider agreements, mental health parity comparative analysis, Consolidated Omnibus Budget Reconciliation Act (COBRA) notices, and HIPAA and cybersecurity policies and procedures.
Service Provider Questionnaires
The fiduciary compliance review also includes a service provider questionnaire to assess administrative practices. The content of these questionnaires varies based on the services performed.
Plan Document Review
All plan documents, participant communications, policies, and procedures will be reviewed to identify areas of noncompliance and potential sources of fiduciary risks. For example, the review will assess compliance with the Affordable Care Act, federal mental health parity laws, COBRA, HIPAA, and other laws that require disclosures within plan documents and claims and appeals procedure requirements. The review will also consider key areas of fiduciary risk, such as bulk recovery disclosures and out-of-network reimbursement methodology.
Service Provider Agreement Review
Service provider agreements will be reviewed to determine whether market standard provisions are included in the agreement. For instance, the review will assess the scope of services description and standard commercial provisions, such as termination timing and procedures, confidentiality and data security, indemnification, limitations on liability, audit rights, and dispute resolution. Allocation and acceptance of fiduciary responsibility will also be evaluated. Finally, the review will evaluate fee transparency and identify potential hidden revenue streams.
Plan Communications Review
Routine plan communications will be reviewed to address content requirements and potential fiduciary risks. These communications include annual disclosures, such as notices pertaining to the Women’s Health Care Act, Medicare creditable coverage, Children’s Health Insurance Program Reauthorization Act (CHIPRA), and wellness programs. Periodic notices, such as COBRA initial and election notices and HIPAA notices of privacy practices, are also reviewed. This review may also identify and correct inconsistencies between communications and governing plan documents.
As part of the compliance review, internal HIPAA policies and procedures will be evaluated, and business associate agreements will be reviewed. Cybersecurity protocols will also be evaluated based on recent DOL guidance. Involvement of the IT department is recommended.
At the conclusion of the fiduciary compliance review, several recommendations will be provided to the health and welfare plan fiduciary. Some could be implemented immediately by changing administrative practices, revising policies or procedures, or updating plan documents and participant communications. Others, particularly those recommendations to amend service provider agreements, may need to wait until the next contract renewal.
Conducting a comprehensive fiduciary compliance review for health and welfare plans is not a small undertaking. But it also should not be so burdensome that its costs outweigh its benefits. In fact, in our experience, compliance reviews almost always identify compliance and fiduciary risks. Making corrections and taking steps to mitigate identified risks can help reduce the chance of costly litigation in the future. A well-documented compliance review could be a key defense against fiduciary litigation. Additionally, many of the recommendations, whether they concern administrative practices or service provider agreements, directly reduce plan costs.