New CMS Regulation Meant to Protect, Could Harm 60+ Million Medicare Beneficiaries
Starting October 1st, 2022 all Medicare-related calls must be recorded by health insurance agents and brokers. At face value, having a recording of a call sounds like a great way to catch bad actors who misinform seniors about their options pertaining to medicare.
Here is my question to you though: if I were to ask you to start recording all calls tomorrow, and do so securely as well as store the calls for 10 years securely how would you do it? If your answer is, "i'm not sure" then we have a problem. Because that is exactly what the government is doing. They have advised the insurance agent and broker community, of which there are 100,000 self-employed mom and pop agencies across the country helping Americans, to record all calls but provided no guidance or support to do so.
WHY IS THIS COMING ABOUT?
Whether an individual is nearing age 65, or is well into medicare, there is no denying the onslaught of information they receive every day about medicare, the plans they have access to, and the push for them to "ACT NOW." According to the Federal Registry, in 2022, CMS reported 39,617 "complaints to Medicare" related to misinformation. This is out of 29 million enrollments. This represents only 0.0013661% of the total enrollments made during the most recent open enrollment period.
Even though the complaints represent such a small number of overall seniors, CMS is trying to make strides toward fixing two things:
1. Seniors regularly receive letters in the mail, they see websites providing "medicare education," and they see TV commercials with renowned celebrities touting medicare advantage options. When a senior calls a company or fills out a form on a website, there is no disclosure to the senior as to whether they are getting direct help, or being referred to another agent. The problem is that the senior may just be giving their information to a third-party company whose sole purpose is to generate leads, and then sell someone's information to an insurance company or agent for a fee. Obviously, a consumer looking for help wants to speak to an expert that can solve their problem, not someone who is selling their data.
2. Consumers do not know the scope of the options considered when a plan recommendation is made. In comparison, if you walk onto a car dealership lot, you can very easily see what the dealer has available by taking a look around the lot. For health insurance, and medicare, this can be less clear. The licensed professional you work with can range from: 1. A captive insurance agent who only recommends one company, 2. A captive insurance agent who has a few companies available to them, but a primary insurer that pays them and owns limits the agent's options, or 3. An insurance broker who has a broad spectrum of plans and options that they have carefully compared against your specific needs that are untethered from any one carrier or solution.
All that is to say, consumers want to know WHO will receive their information upon filling out a form online or calling a 1-800 number. And, consumers want to be confident that the broadest amount of plans are considered before a recommendation is made.
CMS SOLUTION - Proactive Disclosure
In an effort to address concern number one, CMS is requiring ALL marketing companies, and agents, and brokers to state on their website and in the first 60 seconds of each phone call that "We do not offer every plan available in your area. Any information we provide is limited to those plans we do offer in your area. Please contact Medicare.gov or 1-800-MEDICARE to get information on all of your options."
When a senior wants a local representative that is both licensed in their state, certified to talk about medicare, and understands the nuances of the local health systems and insurance plan options, they are looking for a resource beyond medicare.gov and/or 1-800-medicare. This disclosure does not address their underlying concerns.
Another issue with this disclosure is that it doesn't tell the consumer whether the person on the line is a tethered/captive insurance agent, marketing/lead generation company, or an untethered independent broker. Nor, does it tell consumers the scope of options available to the consumer. If a given county has 70 plans available, and the person on the other end of the line has access to 3 plans, I think that there is a cause for disclosure. That said, some plans tied to special needs, or only available to captive agents might cause someone to have 65 plans available. Both scenarios require the same disclosure, and while the former (3 plans) is alarming, the latter (65 plans) is understandable.
CMS SOLUTION - Call Recording
While CMS is hopeful that disclosure will inform individuals about their options, they are also requiring all tethered, untethered, and lead generation companies to record calls. Actually, tethered agents tied to insurance company call centers, and lead generation companies already have this requirement. The May 9, 2022 rule added independent, untethered brokers to this recording requirement.
As we have discussed, independent brokers are untethered insurance brokers who have the broadest plans to make recommendations from, are licensed to interpret insurance laws, and do not operate as middlemen who sell your information like lead generators for other tethered or insurance companies. Untethered brokers are small businesses entrenched in their communities whose clients come from many sources, such as current clients, other insurance brokers, financial advisors, employers, and HR Directors.
ISSUE 1: SMALL BUSINESS REQUIREMENTS
According to the Bureau of Labor Statistics, a broker's average(Median) wage is $49,840 per year. They aren't the upper crust of the insurance industry where CEOs can see seven-figure salaries. Rather, as an individual in their community, they are being required to seek and deploy software to record ALL calls related to medicare.
The government failed to consider the limited resources of these individuals, and neither larger agencies, nor insurance companies are tasked with providing support. Instead, the burden falls on the individual broker who must find software, set it up, record all calls, store all calls, and make them available to regulators at a moment's notice, all while being secure in the process.
When laws are passed by government agencies, if they are a burden to small businesses, they must make accommodations for those entities that are impacted the most. Not only are they adding a burden for the broker community to add compliant software, but they are also requiring that same agent or broker to tell every person they speak to on the phone to get their needs met elsewhere (medicare.gov and 1-800-Medicare).
ISSUE 2: RISKING SENIOR DATA
In addition to the impact on the agent and broker community, is the likelihood of compromised senior data.
Alissa Knight, a partner at Knight Ink Media, is a CISO and cybersecurity expert. She was a keynote speaker at a national Health Information and Management Systems (HIMSS) conference. So, to say she knows her stuff is an understatement. She was on a podcast we listened to recently where she was talking about health data and digital systems that could be leaking medical data. That said, her comments are true when it comes to us storing medical data via this recording requirement.
"electronic health records are worth 1,000 times more than a US credit card number."
She goes on to explain, anecdotally, that if your credit card is stolen, your bank can send you a new card and you're fine. If your health history is compromised(accessed from one of these storage sites) and put on the dark web to sell,
"how easy it is to get new health history sent to you in the mail? You can't....it's gone...If I want to figure out how to kill larry, I find his PHI, and I find out he is allergic to bee stings... I go after him with some bumble bees."
She continues to say (she is an ethical hacker hired by health systems by the way) that there is a treasure trove of data.
In a phone call, not only might a recording include information about the individual on the phone, but seniors routinely talk about their spouses, kids, grandkids, and other individuals. All of which could open up calls to not one, but multiple data points being at risk. She indicates health data is "such a lucrative business to be in." Obviously, she is looking at ransomware attacks.
She goes on to state, that if a hacker is "targeting something like a Cerner EHR system [like data stored by a hospital or insurance company], that may be very well protected and very secure." If there is a less secure system outside of these secure programs,
"where do you think I'm going to target as a hacker? I'm going to target the less secure... I'm going after the path of least resistance."
Medicare represents over 60 million seniors. Without defined policy and infrastructure in place, brokers are the path of least resistance. With 100,000 agents and brokers trying to figure out how to comply, this risk for anyone is dangerous. The current requirement to record calls is in the spirit of helping beneficiaries. We worry that the risk of senior data being exposed egregiously outweighs the risks of not recording calls.
First, we'd like to address the spirit of the law. As independent brokers who have more than 50 insurance company contracts, and are entrenched in our community, we stand by regulations that serve the best interest of the consumer. At the end of the day, we often must address the same misinformation and complaints that Medicare deals with directly, and work on the front lines to get Medicare right. This is why we are commenting on this rule. And, rather than pointing fingers, we offer real-world solutions:
Defer Recording Requirements - Since this burden is being placed squarely on the shoulders of independent brokers who are focused on consumers, we need to suspend the expansion of including independents until either: 1) Infrastructure is put in place by insurers or CMS to compliantly record calls without financial or security risks to small independent brokers and the senior community.
The Department of Health and Human Services, via CMS, should conduct a Regulatory Flexibility Act assessment for NAICS 524210 - Insurance Agencies and Brokerages. While it may be prudent for larger agencies, insurance companies, and marketing firms to record all inbound, and outbound calls, there is a significant impact on untethered brokers who do not have the resources to safely store call data per the spirit of this rule. As such, there should be a carve out for agents that fall under the Small Business Administration(SBA) definition of a small business to be exempt from this requirement.
Carriers should be required to monitor complaints and coordinate with CMS to address Fraud, Waste, and Abuse attached to agents who show a trend of complaints without ever having recorded data stored at the agent level with varying security and compliance.
Disclosure Rework - Instead of a blanket statement with a referral to 1-800-Medicare, or medicare.gov, we propose institutions who discuss medicare disclose whether they are a TPMO(Lead Generation Company), Tethered Agent working for an insurance company, or an Untethered Broker who holds appointments with many carriers. Each of these three classes can be further defined, where say, a broker must have 50% or more of the available plans in a given market available to them. Some Tethered contracts require the agent to not get appointed to plans not available through the insurer, or their dedicated system. These clauses should be known to help identify tethered entities. This rework would tell the consumer who is receiving their data, and which options the company is presenting against the total options of the market.