Providers should not seek consent to waive protections from patients who are impaired or otherwise limited in their ability to make informed decisions. The waiver form must also be provided in the 15 most common languages in the geographic region where consent is sought; and if the patient’s own language is not among those, qualified interpreter services must be provided. The patient’s signature is required to give consent; no provider signature is required. Consent can be revoked prior to services being provided. The out-of-network provider or facility is required to notify the health plan that patient consent to waive balance billing protections for the claim(s) was appropriately given.
The Departments express the view that consent to waive NSA protections should be obtained only in limited circumstances – where the patient knowingly and purposefully seeks care from an out-of-network provider – and not to circumvent the law’s consumer protections. Even so, the regulation estimates that consumers will give consent to waive NSA protections in 50% of post-stabilization claims and for 95% of non-emergency services provided at in-network facilities. The regulations do not require any data reporting to regulators on the number of consent waivers given or for what services or providers. Agencies asked for comment on whether further limits on the notice-and-consent waivers are advisable.
Some state laws either do not allow waiver of protections or requiring greater advanced notice.
How will enforcement work?
For consumers to be protected, both the health plan and the surprise billing provider will need to comply with the law. If problems arise, consumers might need to seek help from more than one enforcing agency. And, though the NSA is a federal law, states will also have a role in enforcement.
Enforcement against health plans and insurers – The federal government has exclusive enforcement responsibility for most private health plans, though different federal agencies may be involved. States will lead enforcement for state-regulated plans.
- Most Americans under age 65 are covered by private employer-sponsored health plans, with nearly 2/3 of covered workers in self-insured plans that states are preempted from regulating. Enforcement authority over private self-insured employer-sponsored group plans rests with the U.S. Department of Labor (DOL) and Department of Treasury. Fully-insured group plans will be primarily regulated by states
- For fully insured group health plans and individual health insurance, states have primary enforcement authority, with federal fallback enforcement by HHS triggered when states do not substantially enforce. Any information (e.g., complaints, news stories) can serve as the basis for HHS investigating state enforcement.
- For self-insured plans sponsored by non-federal public employers, the U.S. Department of Health and Human Services (HHS) has primary enforcement authority. Agencies estimate 3 million people are enrolled in these plans.
- For the Federal Employees Health Benefits Program (FEHBP), enforcement authority rests with the U.S. Office of Personnel Management (OPM). The FEHBP is the largest employer-sponsored group health plan, coving nearly 9 million federal employees, annuitants and family members.
The NSA requires DOL to conduct audits of claims data from up to 25 group health plans annually to monitor employer-sponsored plan compliance with the NSA and to report to Congress annually on audit findings. HHS also will conduct up to 9 audits annually of compliance by state and local government employer plans and other issuers in states that are not substantially enforcing the NSA. These annual audits will focus primarily on whether plans are following the methodology for calculating QPAs.9
Enforcement against providers – States have a primary role in enforcing NSA rules against health providers, with federal enforcement as back up. This is true even when the consumer is covered by a federally-regulated health plan. It is yet to be determined which agency(ies) in each state will enforce NSA provider requirements, for example, the attorney general, department of health, hospital commission, or medical licensing boards. In addition, to “proactively identify and address issues of noncompliance,” HHS has proposed that it will conduct on average 200 random or targeted investigations per month into potential violations of NSA requirements by providers, starting in 2022.
Federal vs. state enforcement – This fall, the federal government surveyed states to learn about their authority and intention to enforce each of the major provisions under the NSA. The survey asked states if they will elect or decline to assume enforcement authority on a provision-by-provision basis. States can also enter into a collaborative enforcement agreement with the federal government, under which the state would seek voluntary compliance from health plans or providers and, when it cannot obtain that, refer cases to the federal government for enforcement action. Many states have already enacted some surprise billing protections for consumers in state-regulated plans. Depending on limits of their laws and authority, it is possible some states might decline to enforce NSA protections for certain services (e.g., post-stabilization) or for certain types of health plans (e.g., PPOs vs. HMOs), or with respect to certain providers (e.g., air ambulance). In addition, state laws may be more protective than the NSA in certain respects (for example, a state law might apply to ground ambulance services) in which case a state would enforce its own stronger protections, at least with respect to state-regulated health plans.
It is expected that HHS will make survey results public or otherwise publish a directory of applicable state and federal enforcement agencies. Health plans and providers must give consumers a disclosure notice summarizing protections under the NSA and state laws, and this must include the name and contact information for applicable enforcement agencies. (Appendix 1)
If problems do arise, it is conceivable that a patient might need the help of multiple agencies – federal, state, or both. For example:
- If a US DOL-regulated group health plan incorrectly denies a claim for an out-of-network service to which the NSA applies, and as a result, if the provider then incorrectly bills the patient for the entire charge, the consumer might need to rely on US DOL to enforce against the group health plan and on a state agency to enforce against the provider.
- If a patient requires post-stabilization care following an emergency visit and her state surprise billing law covers emergency services only, she might need to rely on the state to enforce protections for the emergency claims and on the federal government for claims involving the post-stabilization care.
- If a patient receives an out-of-network emergency surprise bill while traveling in another state, he might need to request help from the federal government if his home state, which would otherwise enforce NSA rules on providers, declines to enforce against out-of-state providers.
What can consumers do in case of problems?
Health plans, providers and facilities will most likely work in good faith to comply with NSA requirements. Even if compliance rates are high, with 10 million surprise medical bills annually, hundreds of thousands of problems could nonetheless arise. In such cases, it could fall to the consumer to recognize when surprise billing protections should apply and to seek help.