The New CAA Surprise Billing Notice
By Brian Gilmore | Published October 17, 2022
Question: When is the employer required to disclose the new Notice Regarding Patient Protections Against Surprise Billing?
Short Answer: Employers that maintain a public website for their group health plan need to post the new version of the Notice on that site by the first day of the plan year beginning on or after January 1, 2023. Employers without a public group health plan website should ensure the insurance carrier or TPA makes the Notice available on the carrier’s or TPA’s public website for the plan.
The CAA Provisions Affecting Group Health Plans
The Consolidated Appropriations Act, 2021 (the “CAA”) made multiple sweeping changes to employee benefits. Although the CAA may not have been intended as a health bill, it has proven to be the most significant set of health care reforms since the ACA.
The most prominent of these CAA provisions for health plans is the No Surprises Act, which prevents surprise emergency, non-emergency, and air ambulance bills, as well as providing for temporary continuity of care rights for certain patients who lose access to network providers.
Also included in the CAA are provisions requiring (with staggered effective dates) the mental health parity comparative analysis, medical ID card cost-sharing information, machine-readable file rates, annual reporting on pharmacy benefits and drug costs, and price transparency, disclosure, and comparison tools.
For full details, see:
The CAA Patient Protection Provisions Under the No Surprises Act
The CAA Prescription Drug Reporting and TiC Participant-Level Disclosures
The CAA Mental Health Parity Comparative Analysis Requirement
The CAA No Surprises Act Patient Protections Against Surprise Billing
The CAA adds an extensive set of patient protections referred to as the “No Surprises Act.” Among those provisions are a series of rights and limitations designed to prevent surprise medical bills. These provisions are effective for plan years beginning on or after January 1, 2022, and they apply to both ACA non-grandfathered and grandfathered plans.
These CAA provisions replace and expand upon the original ACA emergency services coverage patient protections to include both emergency and non-emergency services.
Emergency Services
Medical plans that cover emergency services must generally cover such services:
a) Without any prior authorization requirement;
b) Regardless of whether the provider is in-network;
c) Without imposing any requirement or limitation that is more restrictive for out-of-network emergency providers than in-network emergency providers;
d) Without any greater cost-sharing than would apply for in-network emergency services; and
e) By applying the cost-sharing payments for out-of-network emergency services toward any in-network deductible or out-of-pocket maximum in the same manner as if the services were provided in-network.
“Cost-sharing” for these purposes includes copayments, coinsurance, and (unlike the original ACA protection) deductibles.
Non-Emergency Services Furnished by Out-of-Network Providers at In-Network Facilities
Medical plans that cover out-of-network non-emergency items and services must generally cover such services:
a) Without any cost-sharing requirement that is greater than would apply if provided in-network;
b) By calculating the cost-sharing as if the total amount charged by the provider is the “recognized amount” for such items and services;
c) With initial notice of payment or denial transmitted to the provider within 30 calendar days of the bill for such services;
d) With payment to the provider within 30 days of the determination date for any amounts exceeding the cost-sharing owed by the participant; and
e) By counting the cost-sharing payments toward any in-network deductible and out-of-pocket maximum in the same manner as if the services were provided in-network.
The “recognized amount” is generally an averaging of cost determination, with the specific determination set based the Social Security All-Payer Model Agreement if applicable, or state law if applicable, or otherwise the lesser of the billed charge or the qualifying payment amount (QPA).
The Notice Regarding Patient Protections Against Surprise Billing
The CAA requires that employees and dependents participating in an employer-sponsored group health plan receive notice of their rights and protections against surprise medical bills. The Departments refer to this notice as “The Notice Regarding Patient Protections Against Surprise Billing” (the “Surprise Billing Notice,” or the “Notice”).
The CAA requires that employers post the Surprise Billing Notice on a public website of the group health plan. This begs the questions: Does the group health plan have a website? Is it public?
Does the Employer Maintain a Website for the Group Health Plan?
Many employers have in recent years established a website for their employee benefit plans. These websites typically include plan information such as benefit summaries, SPDs, SBCs, brochures, policy information, glossary of terms, eligibility and enrollment information, permitted election change event procedures, and required legal notices.
Although these benefit sites most often are not limited to just information on the health plan (they also typically include information addressing other offerings such as dental, vision, FSA, EAP, HRA, LSA, STD, LTD, AD&D, GTL, commuter, and 401(k)), it is likely that these sites qualify as the group health plan’s website for compliance purposes.
Note: Tri-Agency ACA/CAA FAQ Part 55 confirms that the employer’s corporate public-facing website for customers is not a public website for the group health plan for these purposes.
Is the Employer’s Group Health Plan Website “Public”?
The preamble to the regulations addressing the Surprise Billing Notice addresses what qualifies as a “public” website. Although this guidance is addressed as the HHS position in the context of providers and facilities providing the Notice (as opposed to group health plans), the discussion appears to indicate the Departments’ view of the “public” standard more broadly.
The guidance provides as follows:
HHS is of the view that the required disclosure information would not be publicly available unless displayed in a manner that is easily accessible, without barriers, and that ensures that the information is accessible to the general public, including that it is findable through public search engines. For example, HHS is of the view that a public website must be accessible free of charge, without having to establish a user account, password, or other credentials, accept any terms or conditions, and without having to submit any personal identifying information such as a name or email address.
To summarize, the main factors for a group health plan website’s “public” status are:
Easily accessible;
Without barriers;
Available to general public;
Findable through public search engines;
Free of charge;
Without the need for a user account, password, or other credentials;
Without the need to accept any terms or conditions; and
Without having to submit any identifying information.
These factors will remove some employers’ group health plans websites from qualifying as “public”. For example, some employers with a group health plan website require employees to enter a company-provided password to access the site. That clearly would not be a “public” website for the group health plan. Additionally, many employers maintain an intranet site available only to employees that addresses the employee benefit plan offerings. This clearly would also not be “public” under these standards.
Summary: Only those group health plan websites that are freely accessible to anyone accessing the internet will qualify as “public” for purposes of the Surprise Billing Notice.
Employer Compliance Strategies for Disclosing the Surprise Billing Notice
The best practice approach for employers to disclose Surprise Billing Notice to employees will depend on whether the plan is fully insured or self-insured, and whether the employer maintains a public website for the group health plan.
Situation #1: Employer Maintains Public Group Health Plan Website
In this situation, the employer must post the Surprise Billing Notice to the public group health plan website.
The Departments recently updated the model Surprise Billing Notice that employers can post to satisfy this disclosure requirement. Tri-Agency ACA/CAA FAQ Part 55 provides that only use of the new “Version 2” will be deemed to qualify as the employer’s good faith compliance with the disclosure for plan years beginning on or after January 1, 2023.
The model Surprise Billing Notice is located within the CMS No Surprises Act website by navigating to the “Overview of rules & fact sheets” section and clicking on the “Model disclosure notice on patient protections against surprise billing for providers, facilities, health plans and insurers” link.
Note: Employers should be careful to ensure that they have scrolled down to the “Version 2” section and are utilizing the notice designed for group health plans and health insurance issuers—not the version for providers and facilities. As of the time of this post, the appropriate model Surprise Billing Notice for employers begins on page 16.
Situation #2: Self-Insured Plan Without a Public Group Health Plan Website
In this situation, the employer will look to the third-party administrator (TPA) of the self-insured medical plan to satisfy the Surprise Billing Notice requirements—because the employer does not maintain a public group health plan website and therefore cannot satisfy the disclosure requirements on its own.
Tri-Agency ACA/CAA FAQ Part 55 provides that the employer may satisfy the requirement to post the Surprise Billing Notice on a public group health plan website by entering into a written agreement with the TPA for the TPA to post the Notice on its public website where information is normally made available to participants, beneficiaries, and enrollees, on the plan’s behalf. However, the employer retains ultimate responsibility for compliance.
Bottom Line: Employers without a public group health plan website for their self-insured plan should ensure inclusion of contractual terms in their TPA agreements providing that the TPA assumes responsibility for posting the Surprise Billing Notice in a manner that protects the employer from potential liability for any failures.
Situation #3: Fully Insured Plan Without a Public Group Health Plan Website
For employers with fully insured medical plans, the insurance carrier is directly responsible for disclosing the Surprise Billing Notice on its public website. While there is no clear employer action item if it does not have a group health plan website, employers should nonetheless confirm with their insurance carriers that they will post the Notice on the carrier’s public website where information is normally made available to participants, beneficiaries, and enrollees, on the plan’s behalf.
Tri-Agency ACA/CAA FAQ Part 55 provides that employers may into a written agreement with the insurance carrier for the carrier to post the Notice on its public website to prevent potential employer liability. Unlike with self-insured plans, this step seems unnecessary given that the CAA directly imposes the obligation on insurance carriers to post the Notice regardless of any contractual obligation.
Bottom Line: Cautious employers looking to take the most conservative approach in this area will consider including contractual terms in their insurance carrier agreements providing that the carrier assumes responsibility for posting the Surprise Billing Notice in a manner that protects the employer from potential liability for any failures.
Potential Penalties
Although not entirely clear, it appears that failures to comply with the Surprise Billing Notice would fall under the civil penalty scheme set forth in Public Health Service Act (PHSA), which are $174/day in 2022.
ERISA Preemption of State Laws Regarding to Surprise Billing
The CMS model Surprise Billing Notice includes areas to enter information regarding applicable state surprise billing protection laws, as well as contract information for entities responsible for enforcing such state surprise billing protection laws. However, ERISA preempts application of such state surprise billing laws for self-insured health plans.
For full details:
Tri-Agency ACA/CAA FAQ Part 55 confirms that “[t]he Departments do not expect a plan or issuer to provide information on state laws that do not apply,” and that “many state laws regarding balance billing and other surprise billing protections do not apply with respect to…coverage provided by a self-insured group health plan….” Accordingly, employers sponsoring self-insured health plans can disregard the areas of the Notice directing entry of such state-based information.
For fully insured plans, the “Savings Clause” saves state insurance mandates (including state surprise billing protection laws) from ERISA preemption. Insurance carriers for fully insured plans will therefore include the state surprise billing protection legal protections and contact information on the Surprise Billing Notice posted on the insurance carrier’s public website for the plan.
Reminder: Similar Employer Approach for Posting Links to Machine-Readable Files
In late 2020, the Departments of Labor, Health and Human Services, and the Treasury issued final Transparency in Coverage (TiC) rules under the ACA.
The TiC rules require employers sponsoring self-insured, non-grandfathered health plans to post machine-readable files on a public website for the group health plan. CMS posted Technical Clarifications guidance that confirms employers without a public website for the group health plan may satisfy these requirements by entering into a written agreement with the TPA to post the files on the TPA’s public website on behalf of the plan.
Tri-Agency ACA/CAA FAQ Part 55 reiterates and elaborates by providing that a plan may satisfy the disclosure requirement by entering into a written agreement under which a service provider (such as a TPA) posts the machine-readable files on its public website on behalf of the plan.
For full details, see:
Summary
Employers with a public group health plan website should post the new “Version 2” model Surprise Billing Notice by the first day of the plan year beginning on or after January 1, 2023 (i.e., by January 1, 2023 for a calendar plan year) to ensure good faith compliance with the new CAA disclosure requirements.
Employers without a public group health plan website for a self-insured group health plan should ensure their TPAs will address disclosure of the Surprise Billing Notice by posting the Notice on the TPA’s public website where information is normally made available to participants, beneficiaries, and enrollees, on the plan’s behalf. As part of this vendor oversight and collaboration process, employers should also take steps to review contractual terms addressing the TPA’s obligation to post the Notice, as well as potential indemnification provisions for any TPA Notice posting failures that could cause liability for the employer.
Relevant Cites:
ERISA §720(c):
(c) Disclosure on patient protections against balance billing. For plan years beginning on or after January 1, 2022, each group health plan and health insurance issuer offering group health insurance coverage shall make publicly available, post on a public website of such plan or issuer, and include on each explanation of benefits for an item or service with respect to which the requirements under section 716 applies—
(1) information in plain language on—
(A) the requirements and prohibitions applied under sections 2799B-1 and 2799B-2 of the Public Health Service Act (relating to prohibitions on balance billing in certain circumstances);
(B) if provided for under applicable State law, any other requirements on providers and facilities regarding the amounts such providers and facilities may, with respect to an item or service, charge a participant or beneficiary of such plan or coverage with respect to which such a provider or facility does not have a contractual relationship for furnishing such item or service under the plan or coverage after receiving payment from the plan or coverage for such item or service and any applicable cost sharing payment from such participant or beneficiary; and
(C) the requirements applied under section 716; and
(2) information on contacting appropriate State and Federal agencies in the case that an individual believes that such a provider or facility has violated any requirement described in paragraph (1) with respect to such individual.
86 Fed. Reg. 36872, 36913 (July 13, 2021):
Section 116 of the No Surprises Act also added section 9820(c) of the Code, section 720(c) of ERISA, and section 2799A-5(c) of the PHS Act, which include similar disclosure requirements applicable to plans and issuers. In general, under these provisions, plans and issuers must make publicly available, post on a public website of the plan or issuer, and include on each explanation of benefits for an item or service with respect to which the requirements under section 9816 of the Code, section 716 of ERISA, and section 2799A-1 of the PHS Act apply, information on the requirements applied under these aforementioned sections, as applicable; on the requirements and prohibitions applied under sections 2799B-1 and 2799B-2 of the PHS Act; on other applicable state laws on out-of-network balance billing; and on contacting appropriate state and federal agencies in the case that an individual believes that such a provider or facility has violated the prohibition against balance billing. These disclosure requirements are applicable for plan years beginning on or after January 1, 2022.
…
HHS is of the view that the required disclosure information would not be publicly available unless displayed in a manner that is easily accessible, without barriers, and that ensures that the information is accessible to the general public, including that it is findable through public search engines. For example, HHS is of the view that a public website must be accessible free of charge, without having to establish a user account, password, or other credentials, accept any terms or conditions, and without having to submit any personal identifying information such as a name or email address.
Tri-Agency ACA/CAA FAQ Part 55:
If a group health plan does not have a website, the plan may satisfy the requirements to post on its public website the information required by section 9820(c) of the Code, section 720(c) of ERISA, and section 2799A-5(c) of the PHS Act, by entering into a written agreement under which a plan’s health insurance issuer or third-party administrator (TPA), as applicable, posts the information on its public website where information is normally made available to participants, beneficiaries, and enrollees, on the plan’s behalf. To the extent a health insurance issuer or TPA posts the required information on its public website on behalf of a plan, the plan satisfies the requirements with respect to posting the information on the plan’s public website if the health insurance issuer or TPA makes the information available in the required manner. The Departments note this guidance applies in instances in which the plan sponsor (for example, an employer) may maintain a public website, but the group health plan sponsored by the employer does not.
Notwithstanding the preceding paragraph, if a plan enters into a written agreement under which a health insurance issuer or TPA agrees to post the required information on its public website on behalf of the plan, and the health insurance issuer or TPA fails to do so, the plan violates the disclosure requirements of section 9820(c) of the Code, section 720(c) of ERISA, and section 2799A-5(c) of the PHS Act.
…
The Departments do not expect a plan or issuer to provide information on state laws that do not apply to a particular participant, beneficiary, or enrollee that is enrolled in the plan or coverage. The Departments note that many state laws regarding balance billing and other surprise billing protections such as limits on cost sharing do not apply with respect to participants, beneficiaries, and enrollees who are enrolled in coverage provided by a self-insured group health plan or out-of-state issuer.
42 U.S.C. §300gg-22(b)(2)(C)(i):
(C) Amount of penalty.
(i) In general. The maximum amount of penalty imposed under this paragraph is $100 for each day for each individual with respect to which such a failure occurs.
87 Fed. Reg. 15100, 15121 (Mar. 17, 2022):
Failure to comply with ACA requirements related to risk adjustment, reinsurance, risk corridors, Exchanges (including QHP standards) and other ACA Subtitle D standards; Penalty for violations of rules or standards of behavior associated with issuer compliance with risk adjustment, reinsurance, risk corridors, Exchanges (including QHP standards) and other ACA Subtitle D standards. 2022: $174
Brian Gilmore
Lead Benefits Counsel, VP, Newfront
Brian Gilmore is the Lead Benefits Counsel at Newfront. He assists clients on a wide variety of employee benefits compliance issues. The primary areas of his practice include ERISA, ACA, COBRA, HIPAA, Section 125 Cafeteria Plans, and 401(k) plans. Brian also presents regularly at trade events and in webinars on current hot topics in employee benefits law.
Connect on LinkedIn