Employers confuse CMS data request for phishing scam

When Megan Furrer received her letter from the Centers for Medicare and Medicaid Services, she thought it was a scam at first.

The HR generalist for construction consortium IEA Renewable Energy Inc. was not aware that she had received a legitimate inquiry, what has come to be known as a “CMS data match letter” from the CMS, Internal Revenue Service and Social Security Adminstration. In short, the letters aim to inform employers that one or more of their employee’s ID numbers have been found on the CMS database for taking Medicare or Medicaid benefits. If they are covered by a company health plan, this is illegal.

CMS HQ

The letters, which started arriving at US employers’ office this spring, demand that the employers clarify this discrepancy or suffer a $1,000 per employee fine.

Unfortunately, the importance of this letter sent through the US Postal Service was far from clear to Furer.

Junk mail?
“We had never seen anything like this. Hadn't heard anything about it. Didn’t understand what they were referring to in the letter when I read it. I reached out to Lockton for advisement because I didn't know if this was something to take care of or not,” she says.

“I didn't know if it was junk mail,” Furer recalls of receiving her letter in April.

Furer’s reaction was not unique. According to benefit advisers and attorneys, a number of U.S. employers have received a wave of CMS letters sent this spring and early summer. They say that the first response among HR and benefit professionals is confusion and the suspicion that this is a phishing scam.

“They know that this is a notice from the government that they will have to do some work to pull together. They want to know ‘Do I need to reply?’” says Ed Fensholt, senior vice president, director of compliance services for Lockton Companies. He estimates that “several dozen” of his employer clients have received such letters since April.

Furer says that the CMS letter she received inquired about 42 employees who worked for the firm from Jan. 1, 2011 and Jan. 1, 2014. The letter prompted her to visit the CMS website and enter in the employee’s ID numbers and answer a series of questions.

Employers wonder if the information should come from the employer’s HR or benefit departments or from the insurance plan administrator. Also, employers tend to confuse the CMS data match letter with the annual Medicare Part D filing for insurance and prescription drug coverage, according to benefit plan professionals.

“‘What should I do with this? Is this something that the group health plan is addressing?’” says Erin Shick, a junior associate with law firm Ledbetter Parisi, as she lists off the employer’s responses. “There was some confusion.”

Once Furer’s initial confusion was assuaged, she had to begin to provide the details for the CMS’ inquiries. Furer handles benefits for 600 employees among a number of different construction companies, some of which are union and and non-union. The CMS inquiry asked about two of her companies, a union shop with 23 CMS employee inquiries and a non-union ship with 19 CMS employee inquiries.

“The one company we did report on was actually a union company because we don’t provide them benefits — we pay in their union,” she says. The non-union company with 19 employee inquiries was acquired in 2013 and Furer says her company doesn’t have the records for their previous employment.

“I had to reach out to the CMS data match system for the information. In the middle of 2013 we had a change so we did not handle their benefits in the beginning part of the year. We did not have benefit information on hand or electronically so we could not say for the first half of the year that, ‘Yes they were in insurance plan,’” she says.

Lockton helped Furer draft a letter to CMS to inform them of this situation and ask for information on how to report on these workers. “We never received a response back,” she says.

Don’t ignore
Employers are not advised to sit on the letters and ignore the matter.

David Smith is vice president of Ebenconcepts, one of the Southeast's largest benefits consulting firms, and he has seen the same reaction among his clients. One of his clients was asked about an employee who hadn’t worked for the company since 2011. By the time they determined this fact, CMS sent a more threatening letter, according to Smith.

Plus, when employers factor in the regular turnover of employees, including HR staffers, and the introduction of new health insurance plans, employers are struggling to find answers for CMS.

“There is a lot of stuff on there like, ‘Do you know your PCN for your carrier today?’ They are asking employers, ‘What was your PCN on your health plan since 2013?’ And they [employers] are asking us, ‘What is a PCN?’” says Smith.

Furer contacted her Lockton adviser right away. After describing her situation, they set a plan of action and she called her Lockton rep’s work “exceptional.”

“We had one of the brokers who worked with us directly. She got on the call and we did a screen share and she walked me through everything. She answered questions and there were questions she couldn't answer, they went to their legal compliance team and asked for help in getting us the answers.”

Furer is awaiting the CMS’ response.

For reprint and licensing requests for this article, click here.
Obamacare ACA reporting Law and regulation Employee benefits CMS HHS Social Security Administration
MORE FROM EMPLOYEE BENEFIT NEWS