The March Monthly Minute digs into an Ohio district court ruling that rejected application of a medical plan exclusion, missing participant guidance and related audit concerns, and responses to the Change Healthcare cyberattack.
District Court Has Beef with Benefit Denial
An Ohio district court refused to apply a medical plan’s exclusion of benefits for occupational injury where an HVAC division manager sustained injuries from a bull on his cattle farm. In Stover v. Carefactor, the plan maintained that the injury was the result of the HVAC division manager working a second job at “Buckeye Country Angus,” a business registered to the participant at the same address as the accident. The participant countered by submitting evidence that he was, in fact, “weaning a bull calf that he owned personally and was separating it to feed it to eat it personally.” The participant further provided an invoice from Corner Stone Genetics for a single bull calf costing $500 and a receipt from Delaware Meats reflecting $445 in beef butchering costs. The court applied a de novo standard of review due to the fact that the plan’s broker and third party administrator decided the claim, and not the plan administrator which was the only party entitled to discretionary authority. The court explained that when an ERISA plan relies on an exclusion to deny benefits, the plan has the burden of proving that the exclusion applies. In this case, the defendants “shrugged off evidence” that the bull was for personal consumption and failed to develop any evidence to the contrary. As a result, the court found the participant was entitled to benefits for medical expenses resulting from his bull-related injury.
KMK Comment: This case highlights the importance of ensuring that the party handling benefit determinations is granted discretionary authority to determine eligibility for benefits, otherwise, a court may apply a de novo standard of review. In this case, the de novo review’s fresh factual analysis was enough, in the court’s opinion, to override application of the plan’s occupational injury exclusion. A word to the wise: don’t butcher claim and appeal procedures with plan language that gives discretionary authority to a party that is not actually handling adverse benefit determinations.
Where’s Waldo? Tracking Down Missing Participants
Over the last few years, retirement plans have seen an uptick in DOL missing participant investigations. To protect against lengthy and costly investigations, now is a good time for retirement plan fiduciaries to familiarize themselves with the Departments’ detailed guidance on locating missing participants, including:
- Missing Participants – Best Practices for Pension Plans — Outlining best practices that defined benefit and defined contribution plan fiduciaries can follow to ensure that participants and beneficiaries receive benefits when they reach retirement age.
- Compliance Assistance Release No. 2021-01 — Includes discussion of best practices for missing participant searches.
- FAB 2021-01 — Announcing the Department of Labor’s temporary enforcement policy on terminating defined contribution plans’ (e.g., 401(k) plans) use of the Pension Benefit Guaranty Corporation’s (PBGC) expanded Missing Participants Program.
- FAB 2014-01 — Providing general guidance as to how fiduciaries of terminated defined contribution plans fulfill their obligations under ERISA to locate missing participants and properly distribute the participants’ account balances.
KMK Comment: Plan fiduciaries should also put best practices into action and take practical steps towards limiting the number of missing plan participants. For example, annually ask participants to provide current contact information, cross check plan records with employment records (or any related plans of the employer), request current contact information when onboarding new employees and during exit interviews, and follow up on undeliverable mailings. Taking proactive steps now can prevent prolonged DOL scrutiny later.
Cyberattack Blame Game
Change Healthcare, owned by UnitedHealth Group (UHG), experienced a cyberattack for which the BlackCat/ALPHV ransomware group (a Russian-linked cybercrime organization) has taken responsibility. The attack impacted individuals’ ability to access health care services all across the country. On March 10, 2024, HHS released a “Letter to Health Care Leaders on Cyberattack on Change Healthcare.” The HHS letter urges the private sector to quickly identify and carry out solutions and calls on UHG, insurance companies, clearinghouses, and health care entities to mitigate the harms that the attack placed on patients and providers. Two days later, the Congressional Research Service (CRS) released a white paper also addressing this healthcare cyberattack. The CRS white paper examined the policy considerations incident to the Change Healthcare cyberattack and highlights concerns over the outdated and incomplete federal response. For example, the white paper cites “an almost decade old domestic cyber response policy,” a cyber-incident response plan “which is now over seven years old,” and a possible lack of collaboration among federal agencies in coordinating offensive and defensive actions. What’s more, the impact of the Change Healthcare cyberattack is still being investigated – on March 13, 2024, HHS released a letter announcing its investigation to determine whether a breach of protected health information occurred in connection with the cyberattack and Change Healthcare’s and UHG’s corresponding HIPAA compliance.
KMK Comment: These news releases appear to show key players in the health care industry engaging in finger pointing. Accordingly, plan sponsors should take action against the impact of an inevitable cyberattack. Examples include working closely with service providers to ensure plan participants have access to health care in the wake of cyberattacks, requiring vendors to maintain adequate insurance to cover liabilities that may flow from cyberattacks, and firming up the breach notification processes to ensure notice to participants is provided in a timely manner and harm is mitigated.
