HHS Releases Proposed Rule Implementing Enforcement Provisions of the No Surprises Act

On September 10, 2021, several departments issued a joint notice of proposed rulemaking implementing provisions of the No Surprises Act (NSA). This is the second set of regulations implementing the NSA, but unlike the first set (discussed further here), the departments issued these regulations using notice-and-comment rulemaking rather than an interim final rule. This latest set of regulations include provisions issued by the Department of Health and Human Services (HHS) relating to audits and enforcement actions against issuers and healthcare providers and facilities for violating the NSA.  

Issuer Audits and Enforcement 

The NSA provisions that apply to issuers offering health insurance coverage in individual or group markets have been incorporated into the Public Health Service Act (PHS Act), and HHS’ proposed enforcement processes build on the same procedures that HHS currently uses to investigate and enforce other PHS Act requirements. Each state has primary enforcement authority under the PHS Act with respect to issuers in that state. Only if a state notifies HHS that it does not have the authority to enforce PHS Act requirements, or if HHS determines that a state is not substantially enforcing PHS Act requirements, can HHS step in and enforce. This regime now applies to compliance with the NSA, except for certain provisions of the NSA requiring issuers to report information or data directly to HHS. Because states would not have access to the submissions, HHS proposes that it would take on direct enforcement authority. HHS would also continue to directly enforce all PHS Act requirements with respect to non-federal-governmental plans in all states.  

HHS has delegated enforcement in this space to the Centers for Medicare & Medicaid Services (CMS). Currently, four states (Missouri, Oklahoma, Texas, and Wyoming) have notified CMS that they are not enforcing PHS Act requirements. Existing processes at 45 CFR Subpart B, with relatively minor updates, would govern CMS’s inquiry into whether a state is failing to substantially enforce PHS Act requirements, including the NSA requirements. Under this process, CMS’s receipt of information from sources such as complaints, the news media, or relevant state actors could serve as the basis for CMS’ investigating the sufficiency of a state’s enforcement.

When CMS is responsible for enforcement, it uses the processes at 45 CFR Subpart C, which can culminate in the imposition of civil monetary penalties (CMPs). The amended regulations would make clear that any information indicating a potential violation of PHS Act requirements by an issuer or group health plan “may warrant an investigation or market conduct examination at CMS’s discretion.” The amendments would also add a new paragraph stating that “CMS may conduct random or targeted investigations or market conduct examinations to ensure” compliance with PHS Act requirements. CMS intends to focus these investigations and examinations on confirming payor compliance with just two discrete areas of the No Surprises Act: adhering to the methodology for calculating qualifying payment amounts (QPAs), which are used to calculate patient cost-sharing and can affect out-of-network provider reimbursement, and the outcomes of payor comparative analyses of the design and application of their nonquantitative treatment limitations.

This audit provision is designed at least in part to implement the NSA requirement that by October 1, HHS establish a process under which plans and issuers are audited to ensure that they are in compliance with the rules for calculating QPAs. However, HHS’s implementation approach demonstrates a more hands-off strategy than the Department could have adopted. The NSA directs HHS to audit at least some, but no more than 25, plans and issuers each year, plus an unlimited number of additional plans and issuers in response to complaints of noncompliance. This provision is not, on its face, limited to directing HHS to audit only plans and issuers for which HHS has direct enforcement authority. Nonetheless, HHS has decided that the Department will only audit plans and issuers subject to federal enforcement authority, which may significantly diminish CMS’s oversight of whether plans and issuers are accurately calculating QPAs. 

The preamble explains that when considering whether to undertake an investigation or examination, CMS can consider various factors, including “the facts and circumstances surrounding the potential violation, the potential number of impacted consumers, an issuer or non-Federal governmental plan’s past history of substantiated complaints, the effect of the alleged violation on a consumer, [and] the deterrent effect that knowledge of the investigation or examination may have on others who may consider committing similar violations.” Among other things, HHS proposes to clarify that when conducting an investigation or examination, CMS can review “any information CMS identifies as relevant to determine if a violation of the PHS Act has occurred.”

Violations of PHS Act requirements currently carry a penalty of up to $162 (updated periodically for inflation) for each day “for each responsible entity, for each individual affected by the violation.” CMS takes into account mitigating and aggravating circumstances, and the proposed regulations would add as an aggravating factor the plan or issuer’s failure to cooperate with an investigation or examination.

Healthcare Provider and Facility Audits and Enforcement 

With respect to enforcement of the NSA requirements applicable to providers and facilities, the NSA largely mirrors CMS’s current enforcement structure for issuers, in that states have primary enforcement authority, with CMS enforcing only where a state declines or is unable to do so. The preamble to the proposed regulations explains that “a state would be the primary enforcer of the PHS Act requirements against providers or facilities that furnish services via telehealth to individuals located in the state, even in circumstances where the provider or facility is located in a different state.” 

To “maximize efficiency,” HHS is proposing an investigation process very similar to the one that applies to plans and issuers. In particular, HHS is proposing that CMS can “conduct random or targeted investigations of providers and facilities” subject to its enforcement authority, “to proactively identify and address issues of non-compliance.” While the NSA requires HHS to conduct at least some affirmative audits of payors, there is no similar statutory requirement with respect to providers. HHS’s decision nonetheless to incorporate this provision in its implementing regulations demonstrates that the Department is potentially interested in proactively monitoring provider NSA compliance.

Because the NSA specifically mandates that HHS impose CMPs on providers and facilities consistent with Social Security Act Section 1128A, the process for imposing CMPs on providers and facilities differs from that used against plans and issuers. Pursuant to these procedures, HHS can not only impose CMPs but can also bring an action to prevent a provider or facility from engaging in an activity that would make the provider or facility subject to a CMP.

When deciding whether to impose CMPs, the proposed regulations authorize CMS to consider various factors, including “evidence documenting the development and implementation of internal policies and procedures … to ensure compliance with PHS Act requirements” and “evidence documenting the provider’s or facility’s record of previous compliance with PHS Act requirements.” The proposed regulations would make clear that “a principal is liable for penalties for the actions of his or her agent acting within the scope of his or her agency.” In light of the recent demonstrated interest by the federal government (particularly the Department of Justice) in holding private equity funds responsible for regulatory violations committed by their portfolio companies, this statement could foretell risk for private equity investors as well.  

The NSA authorizes CMPs of up to $10,000 per violation (adjusted periodically for inflation) of any of the requirements in the statute’s Part E, which includes the balance billing limitations and certain disclosure requirements. The proposed regulations suggest that CMS would consider several factors when assessing the size of the CMP to impose, including the provider or facility’s “history of prior violations,” the frequency of violations, and the financial impact to affected individuals. CMS would also survey potential mitigating factors, including the provider’s compliance plan for adhering to NSA requirements and efforts to correct erroneous billing, such as working to identify and reverse the charges for all individuals wrongly billed. CMS is clearly prepared to give significant credit to providers with robust compliance programs designed to prevent and as necessary quickly remediate any erroneous balance billing, reinforcing the importance to providers of establishing or shoring up such programs in advance of the January 1, 2022, implementation date.

The regulatory impact analysis offers some clues as to CMS’s enforcement plans for providers. HHS estimates that on average, CMS will conduct 200 provider investigations per month, or approximately 2,400 per year. The average cost of responding to such an investigation is estimated to be $354, which seems likely to underestimate actual future costs imposed on providers. HHS estimates that its own enforcement costs will be approximately $20 million per year and that this work will include not only reviewing complaints but “conducting compliance reviews of provider and facility websites” to assess compliance with disclosure requirements.

Comments are due 30 days after the proposed rule’s publication in the Federal Register.