RISE is pleased to bring you the latest Medicare Minutes blog post by industry expert Rafael Gonzalez that features news of interest to the Medicare Secondary Payer industry. Learn more at RISE’s upcoming virtual event, The 4th Annual Medicare Secondary Payer Conditional Payment Forum, July 27-28.

In no-fault and workers compensation claims, employers, carriers, and third party administrators generally have access to the claimant’s Social Security Number (SSN) for purposes of Mandatory Insurer Reporting (MIR). But in auto, med mal, products, nursing home, or other general liability matter, the corporate defendant, insurer, or third party administrator does not generally have access to plaintiff’s SSN. Unless the plaintiff volunteers such information, the payer may never know, have access to, or be in possession of plaintiff’s SSN. So how in the world is a payer supposed to comply with Medicare Secondary Payer (MSP) MIR requirements? And with potential Civil Money Penalties (CMP) pending, what should payers do if the plaintiff does not voluntarily provide his or her SSN?

On April 27, 2020, the United States District Court for Rhode Island published Ruiz v. Rhode Island, which decided this very same issue, concluding that given the Plaintiff's refusal to provide either his full SSN or the last five digits of his SSN, the State complied with the reporting requirement and made "good faith effort to identify a beneficiary." The Court found that the State made significant (and successful) efforts to comply fully with the letter and spirit of the Medicare, Medicaid, and SCHIP Extension Act (MMSEA). The Court further found that the State's actions also complied with the not-yet-established safe harbor CMP proposed rule, so that the penalties and sanctions for non-compliance, should that somehow be suggested, may not be imposed.

The facts

Based on a 2013 incident, the plaintiff alleged excessive force during arrest and wrongful detention resulting in serious injuries requiring medical treatment in a hospital. At a mediation held on April 29, 2019, the plaintiff and all defendants, including the State of Rhode Island (State), entered into a binding agreement to settle this case arising under 42 U.S.C. § 1983 (Settlement Agreement). The Settlement Agreement resulted in a Release of All Claims (Release) that Plaintiff executed on June 7, 2019, reciting that, in consideration for $55,000, all claims against all Defendants would be fully and finally released forever and the case would be dismissed with prejudice.

In the Release, Plaintiff acknowledged that, to the extent that he was a Medicare beneficiary, it was his responsibility to resolve any Medicare claim. However, during the negotiations, the parties did not discuss how Defendants would obtain closure with respect to any possible Medicare claim or lien. In particular, during the mediation, Plaintiff never advised Defendants that he would refuse to supply his SSN, or any part of it, to facilitate implementation of the Settlement Agreement by allowing the State to ascertain whether Plaintiff was a Medicare beneficiary or to comply with the federal reporting requirement imposed by 42 U.S.C. § 1395y(b)(8)(A-B). Similarly, during the mediation, Defendants never advised Plaintiff that the submission of his SSN, or any part of it, for the purpose of compliance with the Medicare statutory reporting requirement, was a precondition to paying the Settlement Proceeds.

After the parties reached the agreement in principle to settle the case on April 29, 2019, Defendants' counsel prepared and forwarded to Plaintiff's counsel the documents that the State would require to be completed or executed before issuing a check in the agreed amount. First, Defendants required Plaintiff to sign the Release, which he did on June 7, 2019; in it, he acknowledged that, to the extent that he had received Medicare benefits, it was his responsibility to pay them. Second, Plaintiff's attorneys approved the electronically signed stipulation of dismissal with prejudice and filled in the W-9 form for the law firm. And third, on July 5, 2019, Plaintiff returned the RI Medicare Reporting Form, seemingly filled in, except that he marked "n/a" on the line where the SSN was called for.

After Plaintiff finally clearly articulated his position that he would never supply his SSN, or any part of it, the State refused to pay the Settlement Proceeds and the parties turned to the Court for assistance in getting the Settlement Agreement consummated. Plaintiff moved to enforce the Settlement Agreement and for an award of attorneys' fees, punitive damages, and interest. Defendants moved to compel Plaintiff to comply with what they interpreted as a consented-to Order of the Court requiring Plaintiff either to provide his SSN or to provide an affidavit averring that he does not have an SSN.

The law

Since 2007, pursuant to the MMSEA, specifically 42 U.S.C. § 1395y(b)(8)(A-B), any self-insured entity paying a liability settlement must submit "information as HHS shall specify," § 1395y(b)(8)(B)(ii), regarding the beneficiary of the settlement or judgment into a CMS portal to determine the Medicare status of the injured party. The failure to make such a query within a specified time period potentially exposes the entity paying the settlement or judgment to a fine of $1,000 per day, as well as, by offset or by direct collection, up to double any amounts paid by Medicare on behalf of the injured party. 42 U.S.C. § 1395y(b)(8)(E)(i); 42 C.F.R. § 411.24(c). Such reimbursement to Medicare must be made even though the self-insured entity has already paid the settlement proceeds to the beneficiary. 42 C.F.R. § 411.24(i).

Until 2013, the specified information required by CMS to make this query, as mandated by MMSEA, unambiguously included the injured party's full SSN. However, in 2013, Congress amended § 1395y(b)(8)(B)(ii) with the passage of § 204 of the SMART Act, Public Law 112-242, H.R. 1845, (112th Cong. Jan. 10, 2013) (SMART Act), codified at 42 U.S.C. § 1395y(b)(8)(B)(ii). Importantly, while the SMART Act directed HHS to modify its requirements to permit MMSEA compliance without requiring "Social Security account numbers" to be reported, it did not alter § 1395y(b)(8)(A)(i-ii), which requires that any self-insured entity paying a liability settlement must submit specified information to determine the Medicare status of the injured party or risk payment of a fine.

In recognition that it may be difficult, sometimes impossible, for insurers to obtain the specified information, § 203 of the SMART Act adjusted the fine for non-compliance by self-insured entities from a mandatory fine to one that "may be" imposed; it required HHS to adopt rules creating a safe harbor for any self- insured entity that has made "good faith efforts to identify a beneficiary" but has been unable to procure the specified information. SMART Act § 203.

The proposed rule

Since 2013, HHS has struggled to comply with the SMART Act. In December 2013, it published an advanced notice of proposed rulemaking, but no rules followed. More than five years passed before HHS took further steps toward implementing § 203 of the SMART Act. On February 18, 2020, HHS finally published the long-awaited proposed rule, which makes clear that such a failure to comply will not result in a fine, as long as the self-insured entity made "good faith efforts" sufficient to qualify for the safe harbor.

As proposed, the safe harbor provision in 42 C.F.R. pt. 402 provides:

If a self-insured entity fails to report required information because the self-insured entity was unable to obtain information necessary for reporting from the reportable individual, including an individual's last name, first name, date of birth, gender, SSN (or the last five digits of the SSN), and the responsible applicable plan has made and maintained records of its good faith effort to obtain this information by taking all of the following steps:

  • The self-insured entity has communicated the need for this information to the individual and his or her attorney or other representative and requested the information from the individual and his or her attorney or other representative at least twice by mail and at least once by phone or other means of contact such as electronic mail in the absence of a response to the mailings
  • The self-insured entity certifies that it has not received a response in writing, or has received a response in writing that the individual will not provide his or her SSN (or last five digits of his or her SSN)
  • The self-insured entity has documented its records to reflect its efforts to obtain the SSN (or the last five digits of the SSN) and the reason for the failure to collect this information

The self-insured entity entity should maintain records of these good faith efforts (such as dates and types of communications with the individual) in order to be produced as mitigating evidence should CMS contemplate the imposition of a penalty. Such records must be maintained for a period of five years. Medicare Program: Medicare Secondary Payer and Certain Civil Money Penalties, 85 Fed. Reg. 8793-02, 2020 WL 764618, at *8794-8800 (proposed Feb. 18, 2020) (to be codified at 42 C.F.R. pt. 402) (Proposed Rule).

The court’s findings

As the responsible party under the Settlement Agreement in this case, the State is a "self-insured" entity covered by MMSEA, subject to the federal reporting requirement in 42 U.S.C. § 1395y(b)(8)(A-B) and vulnerable to fines and other consequences if it fails to comply. The State interprets this federal law to require it to try to use the full SSN and, if the full SSN is not available, to submit the last five digits of the SSN.

Based on the State's extraordinary efforts to comply with its MMSEA reporting obligations, the Court finds that Plaintiff's intransigence in refusing to provide either his full SSN or the last five digits of his SSN is well established and that the State, as a self-insured entity subject to the mandatory federal reporting requirement, has both fully complied with the reporting requirement (by submitting queries based on every possible iteration of the five digit SSN built using information Plaintiff provided in discovery with Plaintiff's knowledge and consent that it was to be used for MMSEA reporting) and has made far more than adequate "good faith efforts to identify a beneficiary." SMART Act § 203. To be clear, the Court finds that the State has made significant (and successful) efforts to comply fully with the letter and spirit of MMSEA, and that it has complied in that it made the requisite query using at least a five-digit iteration of Plaintiff's SSN. The Court further finds that the State's actions fit neatly into the not-yet-established safe harbor limned by the proposed rule, so that the penalties and sanctions for non-compliance, should that somehow be suggested, may not be imposed.

Defendants' prerequisite to "processing the settlement check," and paying Plaintiff the Settlement Proceeds has been accomplished, albeit at great and potentially inappropriate expense to the State and to CMS (which had to process 110 queries). Accordingly, both Defendants' opposition to Plaintiff's motion to enforce and their own motion to enforce are moot and Plaintiff's motion to enforce—solely with regard to consummation of the Settlement Agreement—may be and hereby is granted. There is no further need for Plaintiff to disclose his SSN or any part of it as a prerequisite to receiving the Settlement Proceeds.

About the author
Rafael Gonzalez is president of Medicare and Medicaid Compliance, an entity dedicated to providing Medicare and Medicaid education to the liability, no-fault, and work comp industries. He is an attorney with extensive expertise in auto, medical malpractice, products liability, nursing home, med-pay, and workers compensation claims, as well as Social Security, Medicare, Medicaid, and affordable care compliance. He can be reached at rgonz@tampabay.rr.com or 813.967.7598. He is active on LinkedIn, Twitter, Facebook, Instagram, and YouTube.