Law360, New York (February 3, 2017, 11:23 AM EST) -- A fast-moving unclaimed property audit campaign is taking place in the healthcare industry, affecting both healthcare providers and health insurance companies across the country. The audits are not only targeting large national healthcare providers and insurance companies but smaller regional healthcare providers as well. Given the potential far-reaching impact, companies within the industry need to understand the nature of these audits, why they are being conducted and their potential financial and operational implications.
As most of us are familiar from our own experience, providers of health and wellness services, such as hospitals, provide services to individuals but receive payment from both third-party insurance companies (assuming the patient is covered) and, for certain services, the individuals. Payments from insurance companies can make up a majority of the receipts. Insurance companies contract with both the individual patients and with the providers. At a very high level, the contracts generally outline the provider reimbursement terms, which can vary by service type, the extent of coverage, timeframe and, of course, provider. Accounting for these payments is extremely complicated, in particular on the provider side. For example, payment discrepancies may result from errors by the provider in its interpretation of the contract and the determination of the amount it expects to be paid; or a discrepancy may result from errors by the insurance company in the calculation of the amount due the provider under their contract. Determining the existence and amount of unclaimed property in this complicated accounting/payment environment from the provider perspective involves a detailed accounting and legal review of contracts, accounting entries and state and federal law.
It is not enough to simply understand one aspect of these payment transactions; therefore, a diverse team is critical to defending an audit. Further, focusing solely on technical compliance and review of the traditional unclaimed property types (A/R, A/P and payroll) may not be enough. There are other related factors besides healthcare accounting practices and governing laws that must be considered when analyzing the existence of potential unclaimed property, and industry audits tend to a take on a life of their own, often blazing new trails. Recently, audits have increasingly become less about whether a company has technically adhered to a state’s unclaimed property law as written and more about the state attempting to dictate certain conduct or enforce previously unenforced standards (see the insurance and financial services industry audits, for example). Such efforts often have the effect of complicating contractual terms and industry-specific practices. In this regard, companies should consider claims payments, premium refunds and marketplace reimbursement issues, among other areas of potential focus. In addition, the intersections of liability that exist between the Affordable Care Act’s 60-day overpayment rule and the federal recoupment provisions for reimbursements of Medicare and Medicaid claims paid to healthcare providers bear some attention.
Another issue of particular relevance to the healthcare industry’s defense of state unclaimed property audits is the extent to which state unclaimed property laws are, in fact, subject to federal preemption. Federal law may either expressly preempt state unclaimed property laws (a relatively rare occurrence) or impliedly preempt those laws (e.g., federal law can “occupy the field” if such laws are sweeping in their effect and do not leave room for further regulation by a state agency; similarly, if a party cannot simultaneously satisfy a federal and a state law, federal law trumps state law). An easy-to-understand example of express preemption is found in ERISA, which preempts “any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” Courts have held that ERISA preemption applies to unclaimed property laws when they directly affect the assets of an ERISA plan, as well as the administration of the plan when the state is attempting to substitute itself for the plan in holding the unclaimed amounts on behalf of their owners.
Consistent with ERISA’s express statutory language, the U.S. Department of Labor has concluded that state unclaimed property laws are preempted by ERISA when they interfere with the ERISA plan’s assets or administrative provisions. However, two cases involving the applicability of state unclaimed property laws to unclaimed benefits checks issued by an insurance company that provides benefits for employees covered by an ERISA plan, if such benefits will not revert to the ERISA plan if unclaimed, have held that ERISA does not preempt state unclaimed property laws.
In the healthcare industry, the potential for federal preemption defenses to be raised is significant, and both insurers and providers must take care to identify instances of express and implied preemption where the dictates of federal law appear to override or run counter to the policies informing state unclaimed property law. We expect that such opportunities may arise when federal law either establishes or abrogates property rights, claims obligations and limitations periods, and there may well be additional defenses that are specific to the type of obligation that is under review.
Defending these audits is not only about defending against an assessment of liability. In the context of healthcare, data privacy and security are paramount. Suffice it to say, state unclaimed property audits will involve a review of a vast amount of personally identifiable information, including information protected under the Health Insurance Portability & Accountability Act of 1996 and regulations promulgated under that act. That’s why the execution of an effective confidentiality and nondisclosure agreement by the company and its audit firm is critical. We operate in an age where data privacy and security are highly regulated at both the federal and state levels, and any security incident touching on a company’s confidential and personal data could result in catastrophic damage — both to the employees, shareholders, customers and other individuals whose PII is being sought by auditing states and their contract firms and to the company’s reputation and financial interests. In addition, a company should consider conducting some due diligence with the audit firm’s ability to protect the information, whether pursuant to a full-fledged security audit or through some base-level data security questionnaire.
Health care insurers and providers that conduct internal compliance reviews (either as a consequence of, or in advance of, receipt of audit notices) will gauge current levels of escheat compliance and identify sources of exposure, which in turn can yield effective risk management strategies. One such strategy entails the pursuit of voluntary disclosure agreements with states where the level of exposure is deemed to be material. Numerous states offer voluntary disclosure programs that allow a company that has not yet been contacted by the state for examination purposes to voluntarily come forward and self-identify any liabilities. Payment of such liabilities pursuant to a formal VDA program (i.e., implemented by statute or regulation) or an informal program (negotiated on an ad hoc basis with a willing administrator) should result in a partial or complete waiver of any interest and penalties that might otherwise have been assessed against the value of the past-due property. Many companies have combined a VDA initiative with audit defense to limit the number of states that elect to participate in an audit performed by a contract audit firm, given that interest and penalty assessments are a hit to the company’s own bottom line.
The sophisticated company should prepare to undertake a careful review of its business models, accounting practices, contractual provisions, basic multistate unclaimed property compliance program and issues of related concern in light of the current enforcement landscape. Each of these components interacts with the others to establish an effective set of internal controls for a company, and implementation of changes in accounting policies and procedures, as well as in business models (contracts, customer terms and conditions, and the like), may optimize compliance and mitigate risk.
 29 U.S.C. § 1144(a).
 See Commonwealth Edison Co. v. Vega, 174 F.3d 870 (7th Cir. 1999); Manufacturers Life Insurance Company v. East Bay Restaurant and Tavern Retirement Plan, 57 F. Supp. 2d 921 (N.D. Cal. 1999).
 See, e.g., DOL Advisory Op. No. 94-41A, Dec. 7, 1994.
 Aetna Life Insurance Company v. Borges, 869 F.2d 142 (2nd Cir. 1999); Attorney General v. Blue Cross & Blue Shield of Michigan, 168 Mich. App. 372 (1988).