Here is a summary of legislative and regulatory developments and challenges for the second quarter of 2022 and their practical implications:

Maryland Cybersecurity Law: In June, Maryland enacted legislation that sets cybersecurity standards for insurers, TPAs and their third-party service providers. According to the National Association of Insurance Commissioners, Maryland becomes the 18^th state to adopt a version of the NAIC Insurance Data Security Model Law (#668). Along with the New York regulation “Cybersecurity Requirements for Financial Services Companies” (addressing the same issues but following a different model), the legislation establishes generally accepted data security standards for workers’ compensation payers and their trading partners.

Implications:  The provisions of the model act offer a guidepost for payers’ internally developed cybersecurity standards, since they are now broadly required by state law. Fortunately, they are reasonable, requiring payers to develop and implement a data security program to identify and protect against risks, respond to data incidents and investigate and disclose cybersecurity events to regulatory authorities and affected consumers and trading partners. Payers are also required to oversee compliance of their third-party service providers using or accessing the payer’s confidential information.

New York WCB Clarification regarding Payer Objection Notices: The Workers’ Compensation Board has clarified its earlier guidance, stating that Form C-8.4 notices to providers and the Board need not be sent if the reasons for lower payment are standard bill review adjustments, including PPO network reductions. Specifically, the bulletin states:

Payments may be appropriately reduced, but objections should not be submitted by the insurer to the Board in the following scenarios:

• The amount billed for the particular CPT code is in excess of the amount designated by the applicable medical fee schedule and the insurer pays the bill at the appropriate medical fee schedule amount.
• The insurer reduces the amount of the bill to 12, 15 or 18 relative value units for evaluation services and modalities, as set forth in the applicable medical fee schedule.
• The insurer reduces the amount of the bill pursuant to a contractual agreement with the provider (e.g., network or PPO discount).
• There is a duplicate bill.

Implications: This revision should greatly reduce the voluminous paperwork burdening claim organizations doing business in New York. On a related topic, the WCB is in the midst of a multiple-year move to electronic submission of filings, a key feature of which is the OnBoard application.  For more information go to the Payers section of the Medical Portal here:  http://www.wcb.ny.gov/medicalportal/.

Telehealth Compliance with HIPAA: The Office of Civil Rights (OCR) within the US Department of Health and Human Services has recently issued guidance broadly endorsing the use of audio-only telehealth services to increase access to health services by patients who have limited financial resources or who live in rural areas with limited broadband availability. The guidance can be found here: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

Implications: OCR enforces federal privacy regulations (e.g., HIPAA) that generally don’t apply to WC payers, but health care providers and payers’ third-party service providers don’t enjoy those same exemptions, so this clarification comes as a welcome relaxation of regulatory constraints.

On a related telehealth topic, a new study from physical therapy quality analytics firm Focus on Therapeutic Outcomes (FOTO) found that, for telerehabilitation for low back pain, telerehab (a) was equally effective in improving functional status outcomes for patients with low back pain compared to traditional in-person office visits, (b) usually involved significantly fewer visits, and (c) had roughly equal patient satisfaction ratings (82% for telerehab versus 86% for in-person office visits.