Healthcare Industry Shifts: Examining Legal, Cybersecurity, and Regulatory Changes

Healthcare Industry Shifts: Examining Legal, Cybersecurity, and Regulatory Changes

March 05, 2024

February saw a potential industry-changing lawsuit against Johnson & Johnson and its plan fiduciaries asserting a breach of fiduciary duties and mismanagement of Johnson & Johnson’s prescription drug benefits program, costing its ERISA plans and employees millions of dollars in the form of higher payments for prescription drugs, as well as higher premiums, deductibles, coinsurance, and copays, resulting in lower wages or limited wage growth. A UnitedHealthcare company, Change Healthcare, was the target of a cyberattack potentially impacting more than 100 million members. Instructions for this June’s RxDC reporting have been updated, moving certain data from vendor aggregating into plan sponsor responsibility. The 2025 Employer Shared Responsibility indexed penalties have been released.

Johnson & Johnson Class Action Lawsuit

In early February, a federal class action lawsuit was filed against Johnson & Johnson (JNJ) and its plan fiduciaries, alleging overpayment for prescription drugs within its prescription drug plan. The complaint alleges that under the Employee Retirement Income Security Act of 1974 (ERISA), JNJ’s plan fiduciaries are obligated to diligently compare service providers, seek cost-effective options, and monitor expenses. It is claimed that the plan fiduciaries failed to act prudently by agreeing to terms with a pharmacy benefit manager (PBM) that resulted in excessive costs for numerous drugs compared to other market options.

The lawsuit highlights the importance of transparency in facilitating comparisons between prescription drug prices across different plans or pharmacies and underscored significant risks faced by health and welfare plan fiduciaries. Publicly available information on drug prices enables individuals – including class action plaintiff attorneys – to scrutinize plan expenses, further emphasizing the need for prudent fiduciary actions.

Employer Considerations

Given the evolving landscape and heightened litigation risks, health plan fiduciaries should take proactive steps to mitigate litigation exposure and safeguard the interests of plan participants:

  • Establish a fiduciary committee dedicated to health and welfare benefits and delegate responsibilities accordingly.
  • Engage qualified consultants to assess PBMs and prescription drug arrangements, ensuring impartiality.
  • Review and negotiate terms of PBM agreements, fee structures, and formularies to ensure reasonability.
  • Collect and analyze benchmark information from various sources to evaluate vendor agreements.
  • Scrutinize compensation arrangements for reasonability and conflicts of interest.
  • Periodically solicit proposals from PBMs and vendors to reassess market competitiveness.
  • Document all policies, procedures, and decisions regarding vendor selection and performance monitoring to demonstrate procedural prudence.

UnitedHealthcare Cyberattack Impacts Millions

Change Healthcare, a division of UnitedHealthcare's Optum, was the target of a cyberattack resulting in significant disruptions to prescription orders at thousands of pharmacies nationwide. The impact in the U.S. has been profound, as parent company Optum provides services to more than 60,000 pharmacies and care for more than 100 million consumers.

While it works to recover, the company has isolated services related to billing, claims management, payment, and data exchanges, forcing some healthcare organizations and systems to revert to manual procedures. Full restoration of services remains pending. The American Hospital Association recommended that companies using Optum services temporarily disconnect from them.

Change Healthcare processes approximately 15 billion transactions annually, impacting a significant portion of U.S. patient records, including prescriptions, dental, clinical, and other medical needs. The disruption has led to difficulties in verifying patients’ insurance coverage for prescriptions, forcing some individuals to pay in cash. While larger pharmacy chains like Walgreens have reported limited effects, smaller pharmacies heavily reliant on Change Healthcare for insurance verification and billing services are facing significant challenges.

The attack highlights the vulnerability of healthcare data, especially patients’ private medical records, in the face of cyber threats. Federal officials are closely monitoring the situation, emphasizing the need to strengthen cybersecurity resilience across the healthcare ecosystem.

Employer Considerations

Given the ongoing disruptions and potential risks to data security, affected employers should:

  • Remain vigilant and communicate any updates or developments to enrollees.
  • Encourage employees to exercise caution regarding any unusual communications or activities related to prescription orders or insurance verification.
  • Stay informed about further updates from Change Healthcare and UnitedHealth Group regarding the restoration of services and any measures to enhance cybersecurity.

Updated Instructions Released for June 1 RxDC Reporting

The No Surprises Act, as part of the Consolidated Appropriations Act, 2021 (CAA), requires employer-sponsored health plans to comply with annual prescription drug data collection (RxDC) reporting to provide transparency in prescription drug and health care spending. Data is reported to the U.S. Department of Labor (DOL), the Department of the Treasury (Treasury), and the Department of Health and Human Services (HHS) to monitor spending trends and facilitate regulatory control measures.

The reporting deadline for the 2023 reference year data is June 1, 2024. The Centers for Medicare & Medicaid Services (CMS) has issued revised instructions and templates for RxDC reporting. The instructions are mostly consistent with prior years; however, one significant change is the new enforcement of the “aggregation restriction” beginning with the 2023 reference year. The restrictions will limit the ability of plan sponsors to have their vendors report certain data on their behalf.

Additional changes in the instructions for the 2023 reference year reporting include prescription exclusions and simplified calculations.

Failure to comply with RxDC reporting requirements may result in penalties under Internal Revenue Code Section 4980D of $100 per day.

Employer Considerations

  • Ensure timely completion of the RxDC reporting for calendar year 2023 by June 1, 2024.
  • Confirm filing status with insurance carriers for fully insured plans or follow up with third party administrators (TPAs), pharmacy benefit managers (PBMs), or administrative services only providers (ASOs) for self-insured plans.
  • Provide necessary information requested by relevant parties for reporting.
  • Determine whether data should be reported on a plan level or aggregated basis.
  • Consider requesting pharmacy data reporting on a plan level basis to access detailed pharmacy benefit spend information.

2025 Employer Shared Responsibility Penalties

The IRS has released the 2025 employer shared responsibility payments under the Affordable Care Act (ACA). Applicable large employers (ALEs) may face penalties for failing to provide minimum essential coverage to 95% of full-time employees, or for offering coverage that is not affordable or does not meet minimum value. The adjusted penalty amounts for 2025 will be $2,900 per full-time employee for Penalty “A” (a $70 decrease from 2024) and $4,350 per full-time employee for Penalty “B” (a $110 decrease from 2024).

Employer Considerations

To avoid penalties, ALEs should consistently ensure full-time employees receive minimum essential coverage that meets affordability and minimum value standards. The IRS uses Letter 226-J to notify ALEs of potential penalties, with a response form included for ALEs to address proposed penalties. Employers and advisors should remain vigilant for this letter to promptly review and respond accordingly.

Question of the Month

  1. What are the time and dollar limits for flexible spending arrangements (FSA) and FSA carryovers?
  2. For 2024, the most that can be deferred to an FSA is $3,200 (a $150 increase from 2023). The amount of a 2024 FSA balance that can be carried over into 2025 is $640 (up from $610 in 2023). A carryover is only available if the FSA does not offer a grace period. The carryover amount can be used all year.

A grace period, on the other hand, is the amount of time in a new year that an employee can incur and be reimbursed for claims from the prior year’s balance. A grace period can be as long as 2 ½ months after the close of the plan year (usually the calendar year). So, if an employee has $1,000 left in the 2023 FSA, that employee could incur $1,000 of reimbursable expense prior to March 15, 2024, and spend that $1,000 if the FSA uses a grace period. An FSA cannot have both a grace period and a carryover.

And finally, most FSAs offer a run-out period. This is a period after the close of the plan year when employees can submit claims incurred in the prior year. There is no maximum run-out period set by the IRS, but most employers (or FSA administrators) will set a limit of 60 to 90 days. The run-out period only allows people to submit claims incurred in the prior year, unlike the grace period, which allows new claims incurred prior to March 15 to be reimbursed.