Commentary: CMS Medicare recording requirement could risk senior data
Starting Oct. 1, the Centers for Medicare and Medicaid Services will require health insurance agents and brokers to record all Medicare-related phone calls. At face value, having a recording of a call sounds like a great way to catch bad actors who misinform seniors about their options pertaining to Medicare.
Here is my question to you, though: If I were to ask you to start recording all calls tomorrow, and do so securely as well as securely store the calls for 10 years, how would you do it? If your answer is, "I'm not sure," then we have a problem. Because that is exactly what the government is doing. They have advised the insurance agent and broker community, of which there are 100,000 self-employed mom-and-pop agencies across the country helping Americans, to record all calls but provided no guidance or support to do so.
Why is this happening?
Whether an individual is nearing age 65, or already has been on Medicare for years, there is no denying the onslaught of information they receive every day about Medicare, the plans they have access to, and the push for them to "act now.” According to the Federal Registry, in 2022, CMS reported 39,617 "complaints to Medicare" related to misinformation. This is out of 29 million enrollments. This represents only 0.0013661% of the total enrollments made during the most recent open enrollment period.
Even though the complaints represent such a small number of seniors overall, CMS is trying to make strides toward fixing two things:
- Seniors regularly receive letters in the mail, they see websites providing "Medicare education," and they see TV commercials with renowned celebrities touting Medicare Advantage options. When a senior calls a company or fills out a form on a website, there is no disclosure to the senior as to whether they are getting direct help, or whether they are being referred to another agent.
The problem is that the senior may be giving their information to a third-party company whose sole purpose is to generate leads, and then sell someone's information to an insurance company or agent for a fee. Obviously, a consumer looking for help wants to speak to an expert who can solve their problem, not someone who is selling their data.
- Consumers do not know the scope of the options considered when a plan recommendation is made. In comparison, if you walk onto a car dealership lot, you can easily see what the dealer has available by taking a look around the lot. For health insurance and Medicare, this can be less clear.
The licensed professional you work with can range from: 1) A captive insurance agent who only recommends one company, 2). A captive insurance agent who has a few companies available to them, but a primary insurer that pays them and owns limits the agent's options, or 3) An insurance broker who has a broad spectrum of plans and options that they have carefully compared against your specific needs that are untethered from any one carrier or solution.
Consumers want to know who will receive their information upon filling out a form online or calling a toll-free number. Consumers also want to be confident that the broadest amount of plans are considered before a recommendation is made.
CMS solution: proactive disclosure
In an effort to address Concern No. 1, CMS is requiring all marketing companies, as well as agents and brokers to state on their website and in the first 60 seconds of each phone call that "We do not offer every plan available in your area. Any information we provide is limited to those plans we do offer in your area. Please contact Medicare.gov or 1-800-MEDICARE to get information on all of your options."
When a senior wants a local representative who is licensed in their state, certified to talk about Medicare, and understands the nuances of the local health systems and insurance plan options, they are looking for a resource beyond Medicare.gov and/or 1-800-MEDICARE. This disclosure does not address seniors’ underlying concerns.
Another issue with this disclosure is that it doesn't tell the consumer whether the person on the line is a tethered/captive insurance agent, a marketing/lead generation company, or an untethered independent broker. Nor does it tell consumers the scope of options available to the consumer.
If a given county has 70 plans available, and the person on the other end of the line has access to three plans, I think that there is a cause for disclosure. That said, some plans tied to special needs, only available only to captive agents might cause someone to have 65 plans available. Both scenarios require the same disclosure, and while the former (three plans) is alarming, the latter (65 plans) is understandable.
CMS solution: call recording
Although CMS is hopeful that disclosure will inform individuals about their options, the agency also requires all tethered and untethered agents as well as lead generation companies to record calls. Actually, tethered agents tied to insurance company call centers, and lead generation companies already have this requirement. The May 9, 2022, rule added independent, untethered brokers to this recording requirement.
As we have discussed, independent brokers are untethered insurance brokers who have the broadest plans from which to make recommendations, are licensed to interpret insurance laws, and do not operate as middlemen who sell your information like lead generators for other tethered or insurance companies. Untethered brokers are small businesses entrenched in their communities whose clients come from many sources, such as current clients, other insurance brokers, financial advisors, employers and human resource directors.
Issue #1: small business requirements
According to the Bureau of Labor Statistics, a broker's median wage is $49,840 per year. They aren't the upper crust of the insurance industry who can receive seven-figure salaries. Rather, as an individual in their community, they are being required to seek and deploy software to record all calls related to Medicare.
The government failed to consider the limited resources of these individuals, and neither larger agencies nor insurance companies are tasked with providing support. Instead, the burden falls on the individual broker who must find software, set it up, record all calls, store all calls and make them available to regulators at a moment's notice, all while being secure in the process.
When laws are passed by government agencies, if they are a burden to small businesses, they must make accommodations for those entities that are impacted the most. Not only are they adding a burden for the broker community to add compliant software, but they are also requiring that same agent or broker to tell every person they speak to on the phone to get their needs met elsewhere (medicare.gov and 1-800-MEDICARE).
Issue #2: risking senior data
Another issue to consider is the likelihood of compromised senior data.
Alissa Knight, a partner at Knight Ink Media, is a chief information security officer and cybersecurity expert. She was a keynote speaker at a national Health Information and Management Systems conference. On a recent podcast, she said, "Electronic health records are worth 1,000 times more than a U.S. credit card number."
She went on to explain, that if your credit card is stolen, your bank can send you a new card and you're fine. If your health history is compromised (accessed from one of these storage sites) and put on the dark web to sell, "how easy it is to get new health history sent to you in the mail? You can't. It's gone. If I want to figure out how to kill Larry, I find his protected health information, and I find out he is allergic to bee stings, I go after him with some bumblebees."
In a phone call, not only might a recording include information about the individual on the phone, but seniors routinely talk about their spouses, kids, grandkids and other individuals. All of these could open up calls to not one, but multiple data points being at risk. Knight said health data is "such a lucrative business to be in." Obviously, she is looking at ransomware attacks.
She goes on to state, that if a hacker is "targeting something like a Cerner EHR system [like data stored by a hospital or insurance company], that may be very well protected and very secure." If there is a less secure system outside of these secure programs, "where do you think I'm going to target as a hacker? I'm going to target the less secure. I'm going after the path of least resistance."
Medicare represents more than 60 million seniors. Without defined policy and infrastructure in place, brokers are the path of least resistance. With 100,000 agents and brokers trying to figure out how to comply, this risk for anyone is dangerous. The current requirement to record calls is in the spirit of helping beneficiaries. We worry that the risk of senior data being exposed egregiously outweighs the risks of not recording calls.
Recommendations
First, we'd like to address the spirit of the law. As independent brokers who have more than 50 insurance company contracts, and are entrenched in our community, we stand by regulations that serve the consumer’s best interest. At the end of the day, we often must address the same misinformation and complaints that Medicare deals with directly, and we work on the front lines to get Medicare right. This is why we are commenting on this rule. And, rather than pointing fingers, we offer real-world solutions.
- Because this burden is being placed squarely on the shoulders of independent brokers who are focused on consumers, we need to suspend the expansion of including independents until Infrastructure is put in place by insurers or CMS to record calls compliantly without financial or security risks to small independent brokers and the senior community.
- The Department of Health and Human Services, via CMS, should conduct a Regulatory Flexibility Act assessment for NAICS 524210 - Insurance Agencies and Brokerages. While it may be prudent for larger agencies, insurance companies and marketing firms to record all calls, there is a significant impact on untethered brokers who do not have the resources to safely store call data per the spirit of this rule. As such, there should be a carve out for agents that fall under the Small Business Administration definition of a small business to be exempt from this requirement.
- Carriers should be required to monitor complaints and coordinate with CMS to address fraud, waste and abuse attached to agents who show a trend of complaints without ever having recorded data stored at the agent level with varying security and compliance.
- Instead of a blanket statement with a referral to 1-800-MEDICARE, or Medicare.gov, we propose institutions who discuss Medicare disclose whether they are a third-party marketing organization (a lead generation company), a tethered agent working for an insurance company or an untethered broker who holds appointments with many carriers. Each of these three classes can be further defined where, say, a broker must have 50% or more of the available plans in a given market available to them.
Some tethered contracts require the agent to not get appointed to plans not available through the insurer, or their dedicated system. These clauses should be known to help identify tethered entities. This rework would tell the consumer who is receiving their data and which options the company is presenting against the total options of the market.
Joshua Brooker, REBC, ABHP, ASFC, is principal at PA Health Advocates, Lancaster, Pa. He is a member of the National Association of Health Underwriters and Health Agents for America. He may be contacted at [email protected].
© Entire contents copyright 2022 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reprinted without the expressed written consent from InsuranceNewsNet.com.
Inflation Reduction Act contains ‘unprecedented’ health care provisions
Task force weighs ‘limited’ revision of life insurance illustrations model
Advisor News
Annuity News
Health/Employee Benefits News
Life Insurance News