The ShiftShapers Podcast

#511: The Compliance Circus Continues – Carol Taylor | ShiftShapers

David Saltzman Episode 511

In this episode of ShiftShapers, host David A. Saltzman welcomes compliance expert Carol Taylor, JM, of BenefitMall, for a deep dive into the rapidly evolving world of employer compliance. From court rulings and legislative penalties to HIPAA security updates and AI-driven benefit denials, Carol offers critical insights for anyone navigating today’s tangled regulatory landscape.

She unpacks the latest on ERISA preemption battles, mental health parity lawsuits, and the real-world impact of complex compliance rules on small agencies and employers. With rising penalties and tech-driven claim denials making headlines, Carol arms listeners with strategies to stay compliant—and stay out of court.

🤖 Sponsored by BenePower
BenePower is an AI-powered platform helping advisors build high-impact, self-insured health plans quickly and seamlessly. By integrating best-in-class point solutions and eliminating inefficiencies, BenePower reduces costs, improves member outcomes, and positions advisors as industry leaders.
🔗 Learn more at BenePower.com


🔑 Key Takeaways from This Episode

📌 Penalties Are Rising—And Enforcement Is Too
Missing a CHIP notice or 5500 filing? That could cost thousands per day. Carol outlines the latest penalty increases and why the IRS is stepping up enforcement.

📌 HIPAA Security Changes Are Coming
From encryption rules to breach simulations, the proposed HIPAA security updates raise the bar—especially for small agencies who now face enterprise-level expectations.

📌 Compliance Risks from AI-Powered Claim Denials
Carol explains how AI is being used inappropriately by some carriers—and why plan sponsors need to examine how these tools align with ERISA.

📌 ERISA, MIA, and Legal Landmines
With court cases mounting over PBM regulation and mental health parity, Carol breaks down what’s at stake and how employers can avoid becoming the next headline.

📌 Future-Proofing Your Compliance Strategy
From updated plan docs to tighter internal protocols, Carol shares best practices that can help advisors and agencies stay ahead of evolving rules.


⏱️ In This Episode

00:00 – Introduction to Compliance Challenges
02:01 – Legislative Updates and Penalties
09:25 – HIPAA Security Rule Changes
18:11 – Court Cases and Legal Battles
23:20 – Mental Health Parity and Addiction Equity Act
27:00 – Future of Compliance and Final Thoughts


Speaker 1:

If keeping up with compliance and legislation takes a gallon of coffee, a law degree and maybe a licensed therapist on speed dial, how do you know what actually matters and what you need to know? Today, we'll find out on this episode of Shift Shapers.

Speaker 2:

Change either energizes or paralyzes. The choice is yours. This is the Shift Shapers podcast, bringing the employee benefits industry interviews with individuals and companies who are shaping the industry shifts. And now, here's your host, David Saltzman.

Speaker 1:

And to help us answer those questions, we have invited Carol Taylor JM, who is a compliance specialist at BenefitMall and, in full disclosure, an old, dear friend of mine. Welcome, Carol.

Speaker 3:

Thank you.

Speaker 1:

And Ayla is in the background. If you see ears and a dog, that's Carol's assistant. Yes, lots of stuff going on, but I've got a question: does it just seem as though it's getting, like, thicker and weirder and more stuff is coming at us faster, or is that reality?

Speaker 3:

That's actually reality. So, while we're not seeing as much legislation come through right now, because DC is more zoned in on budget and other larger issues, the courts are actually where a lot of this stuff is playing out. You know, there's so many moving pieces and parts, and it seems like every part of the government deals with what we do. So it's kind of fast and furious, and sometimes you don't know, oh wait, is that the right thing now, or is that the right thing? And you have to remember to even go look at what the courts are doing, because there have been so many lawsuits.

Speaker 1:

Yeah, and we'll talk about that as we get into this a little bit more. Let's start with some legislative stuff. Now, there are some updated penalties that have been floating around, and I'm not sure everybody's aware of them, so can you bring us up to date on what that's all about?

Speaker 3:

Absolutely. So every year there's an inflation adjustment on penalties. So your 5500 filings, those are now up to $2,739 per day that you don't file. Now remember, there is a delinquent filer option which can help save a business money, especially if you've got multiple years of delinquent filings. So don't forget about that. But yes, it's still a pretty hefty price tag on that. If you are a MEWA, a multiple employer welfare arrangement, those are now up to $1,992 per day for the Schedule M-1, if those are supposed to be filed.

Speaker 3:

And one thing that a lot of people don't understand is a MEWA can be as simple as: you're an employer and your state allows 1099 subcontractors to come onto your policy as being eligible. You've just created a MEWA if you bring them on, because they're another employer. So I kind of always like to throw that out there. You know, when looking at all of these rules, we also have, if you don't send out the CHIP notices to your employees, that's $145 per day per affected person. So you've got mom, dad, a couple of kids, that's not just one person, that could be two, three, four. If you don't file or provide a summary of benefits and coverages, you know, the thing that the ACA made a requirement, that is $1,443 per affected person. And then, of course, if you have unintentional failures to provide or meet the GINA requirements, the Genetic Information Nondisclosure Act, the cap on that is now up to $728,764.

Speaker 1:

Yikes.

Speaker 3:

What would be an unintentional failure? Basically, not keeping the genetic information separate from your HR and/or other files. So something as simple as, you know, somebody gave you a copy of a lab test, you know, the results, for some reason, because that would potentially contain genetic information on it, because not everybody's numbers are the same. So something simple like that could cause a problem.

Speaker 1:

Fun and games.

Speaker 3:

Yeah, it's a lot.

Speaker 1:

Well, it's a lot, and it's getting expensive, because, you know, employers don't just have liability on one of these items, they have liability on some subset of them, and so you start adding it up and pretty soon it's serious money. It is, and is the government really going tooth and nail at trying to collect this stuff?

Speaker 3:

Absolutely. One other item in that is the 1095s, your failure to file. For 2025, it's $330 per form, and that's for A, not filing with the IRS, and B, also not distributing those. So they charge twice that amount. Which kind of leads me into a major issue that we've been seeing lately: a lot of employers have not done those 1094/1095 filings with the IRS, and it is absolutely imperative that if you get a 5699 letter from the IRS, which is what those little numbers you'll see somewhere over on the top right side are going to indicate, you have got to respond to that. And it, you know, could be that, hey, we need an extension to figure it out, because you might have had personnel changes and you don't know if somebody messed up, maybe the IRS messed up, because, you know, they're not perfect, as much as they may try to claim to be.

Speaker 3:

But I've even seen where the filings have been done and the IRS claims that, oh no, we didn't get it. Well, here's the, you know, the acceptance confirmation number that you sent back on this date, this time, and then they go, oops, we goofed. But those penalty letters, you know, at the very minimum get an extension on them. Because what we're seeing, and I've seen more than one of these, I've actually seen quite a few of them, is employers are not responding on those quickly enough and they're getting a seizure notice, a seize-assets letter, from the IRS. And that's actually very recent, as of last month, so it's pretty scary.

Speaker 1:

And now a word from our sponsor. You're not just an advisor, you're a game changer. Forget cookie-cutter, off-the-shelf solutions. That's yesterday's news. It's 2025, and it's all about delivering bold, custom-crafted plans that truly make a difference. At the core is a razor-sharp self-insured framework, but the real magic, that's in the high-impact point solutions you strategically layer in to slash costs and supercharge member outcomes. But let's be real, that's where the headaches start. Hours wasted sifting through endless options, wrestling with integration issues and fighting data-sharing roadblocks. It's a time suck and it's holding you back. Not anymore.

Speaker 1:

Meet BenePower, the AI-powered game changer that builds killer plans in minutes, not hours. BenePower doesn't just curate the best point solutions. It makes them work together seamlessly, streamlining communication and driving collaboration like never before. With BenePower, you're armed with an end-to-end AI-enabled solution that makes you unstoppable. Spend less time piecing together a patchwork plan and more time selling your clients. Get unmatched ROI and become the go-to advisor that everyone's talking about. Want to take your game to the next level? Visit BenePower.ai or schedule a demo at info@benepower.com. Find your power with BenePower.

Speaker 1:

And now back to our conversation. So the beast needs to be fed on a regular basis, and if you don't, they're going to come for you. We'll talk about the lawsuits that are going on in a little while, but there's loads of other ways to get in trouble too, apparently. Moving on to regulatory stuff, because you and I have talked for years that sometimes it's not the legal stuff that gets you, it's the regulatory stuff that gets you. Congress will pass A, B, C or D, but then the agencies start making regulations, and some of them do it better than others. Some of them don't understand every little facet of the marketplaces that they're regulating, and so it becomes a challenge. But I know there's some new HIPAA security rule changes, and since HIPAA stands for "helping irritate practically all Americans," let's talk about those.

Speaker 3:

I love that one. I've also heard it as "health insurance paying all attorneys," which is another lovely one.

Speaker 1:

I was trying not to be mean to a person. Yeah, I know.

Speaker 3:

But, yeah, it does irritate all of us. So, as we know, there's a number of proposed regs that came out towards the end of last year, first part of this year, and, of course, these are still in a comment period, or no, it actually just ended last week, I believe. So the government is, of course, going to go through and read through those comments and see what, you know, changes they might want to do or not. But these new proposed HIPAA regs actually bring business associates into these higher security requirements, and it would require annual training which, although HIPAA already does that, it brings it down to the BAA level. So you would have to train these people within 30 days of hiring them. You would have to shut off their access within five hours of their termination, and actually it's probably better to do it within about five minutes of it, because you never know.

Speaker 3:

You know, it's not hard to have a HIPAA breach. You have to have real-time system monitoring. So if you're a small agency, you've got to hire an IT department, basically, to monitor this stuff for you. You have to have, of course, multi-factor authentication, so either using, you know, the text code or going into another system to get a code to somehow, you know, keep that other authentication there. Stronger passwords: gone are the days of "password123," like so many people way back in the day did. Now you need to use some kind of phrase to really make it work, numbers, special characters, those things you have to do. Testing on their systems, and you also have to test the response to it. So you basically should be doing some form of a mock breach and testing what happens, who's going to do what, and make sure that your response, you know, comes in, you know, is at the appropriate level. You need backups of your data and being able to move that over to another system, because, let's say, you get a virus on your computer. Well, you're going to have to get that entire computer basically wiped and then the information put back on. Same thing, you might have to go get a brand new computer, because, you know, that could have done something. You never know what happens. Making sure that you're able to recover quickly.

Speaker 3:

The electronic PHI must be encrypted, even when it's resting. So if it's just sitting out on a cloud server, you have to make sure that it's encrypted, the data itself, and if it's in transit. So you've got PHI on your laptop, you better make sure that it's always locked up, and it's got to be encrypted sitting on that hard drive. There are expanded documentation requirements, so you have to show.

Speaker 3:

If an auditor comes knocking on your door, you've got to show that, yes, we've done all of this testing, this training. This person did this at this time. Best to try to do it online, because then you can date and timestamp that stuff. You have to conduct annual security audits, which means review and test those policies, and one of the other items here is the business associate agreements. Once this rule is finalized, all BAAs are going to have to be updated with these new policies within one year of the final rules being released. So it's a lot. They really need to take this to heart and make sure that they're, you know, getting their data somewhere where it is secure.

Speaker 1:

Well, that was kind of one of my follow-up questions, and it's really not so much a legal or a compliance question. Just, you know, you work for a good-sized organization and they're fortunate to have a couple of folks who deal with compliance stuff, but do you see this as a drag on sole practitioners? Or, I mean, what does a sole practitioner or even a small agency do? They can't afford to do all this stuff. What are they doing?

Speaker 3:

A lot of small agencies that I know are not really doing much. They haven't, and, you know, even when HIPAA came in, very few did it. Now, even having two people and networking together, you're likely going to have to get somebody to work on your network, in which case it's best to go ahead and get, you know, an outsourced IT company that can come in and monitor. Even that doesn't necessarily protect you against a breach. A former client, it was actually a medical lab, and they got breached. They had a ransomware attack. Their 24/7 monitoring system shut it down. So they actually did not lose any data, they did not need to deal with the ransom, they basically just ignored it.

Speaker 3:

But what that did is it opened up kind of the back doors where the system had some issues, and they had a second breach, or a second attempt, and that one, it took them two weeks. They were totally shut down. They could not even make a phone call, because they used internet for their phone lines, and that's actually how it came in. Scary stuff, yes, and they ended up going out of business. It was that expensive for them to recover.

Speaker 1:

Not totally surprising.

Speaker 3:

Yeah, and that was even with an outstanding HIPAA breach penalty, which I have not gone back to look to see if that ever got resolved or not, because I know it takes the DOL a bit of time for that, but it's expensive for that to happen. And 23andMe is actually in bankruptcy court because of a data breach, and guess what? That's all genetic information. So even though they're not a health plan, you know, I don't know about you, but I don't want my genetic information out there somewhere for somebody to go get.

Speaker 1:

Yeah. So, before we move off of this, you mentioned that the comment period closed. Once these rules and regs get finalized, what are you looking for as an implementation date?

Speaker 3:

It could be 90 days, 180 days out. It just depends on how quickly the regulatory agencies put out the final. Charming, yeah. We don't ever know; sometimes they sit on these things for years. We're still operating under proposed regulations for Section 125 plans from 2007 or '08, I believe.

Speaker 1:

Wow, yeah. So let's move on to something that's a lot more fun, and that's what's going on in the courts, because a lot of people thought that it started and ended with the J&J lawsuit, but there's been a lot more stuff going on. And what's interesting, and maybe you can comment on it as we go through some of the court cases, is that, A, what people don't realize is that this hauls them into federal court, and in a lot of instances that's a ton of money just in and of itself. It's not like, you know, going down and paying a parking ticket and, you know, being sentenced to take some driver's ed or, you know, some remedial courses. What's going on with the courts, and what do people need to know about?

Speaker 3:

So there are a ton, and when I say a ton, I'm talking about basically almost every state. There's something going on, from PBM laws, which are in, you know, Arkansas, Florida, Michigan, you name it. There's some PBM law that's trying to overwrite ERISA, which, remember, ERISA, there's a preemption out there. Now what the courts are basically coming out and stating on those is that the network feasibility would be something that the state could basically govern or pull under their jurisdiction, but the actual contract and other types of things, that would fall under the federal ERISA. And that's kind of been the case in most of them.

Speaker 3:

In some of this, the lawsuits are not just so much directed at the PBM, but they're directed at the fiduciary responsibility. And that's where we got that J&J lawsuit. The Wells Fargo lawsuit was actually dismissed, I love that little word, dismissed, because there was actually a settlement. So basically they paid the class action people, employees, former employees, an amount of money to basically stop the suit. The J&J suit was basically dismissed for not having enough, shall we say, proof. But we've already got an amended filing in that, so that lawsuit's back up and running again.

Speaker 3:

There's a bunch of other suits out there. One that is something that I think a lot of people need to understand, that they need to be watching, is AI-based benefit denials. So a lot of the carriers, the claim systems, they're using programs that have AI algorithms based in them, and they're not looking for medical necessity. They're just looking at, oh well, that's not always done under this particular diagnosis code. They may not be looking at, you know, a secondary diagnosis code, because it's literally within 1.2 seconds that that claim may be getting denied. And so a district court, and this one's actually running out in California, where they're throwing out the claim denials, so to speak. But they did allow the fiduciary responsibility portion of it to go forward, and that's solely based on the carrier, ASO, TPA, using this type of program, system, process, whatever you want to call it.

Speaker 3:

Yeah, so they're allowing it to go forward on the fiduciary side, because using that does not meet the plan documents. So you need to always look inside of your summary plan descriptions, summary plan documents, to see if something like this is even allowed. Well, remember, when SPDs are part of ERISA, this isn't defined. AI is nowhere in ERISA. I mean, it wasn't until just a few years ago that they actually put in a definition for a pharmacy benefit manager, because all of these things did not exist 51 years ago when ERISA was first introduced and became law. So we really do need a lot of, shall we say, improvements to ERISA.

Speaker 1:

And there's also a lot of action with AI on pre-auths.

Speaker 3:

Yes, and that could also end up in a similar type of lawsuit. So it's something where employers, whoever the plan sponsor is, and if you're consulting, you need to be checking those plan documents to make sure that there's not an issue somewhere that is going to cause one of these lawsuits.

Speaker 1:

Let's move on to the gift that keeps on giving, which is MHPAEA, the Mental Health Parity and Addiction Equity Act. It wasn't enough to just have all the new regs and all that craziness. What else is going on now?

Speaker 3:

So there's also lawsuits with MHPAEA. This was all brought up under the prior administration, where ERIC, which is the ERISA Council, of course, or Coalition, excuse me, of employers, and you can go in there and search their databases. It's got a lot of great information out there on the ERIC website. So the new administration, we don't know yet if they're going to defend that MHPAEA lawsuit that was filed. It originally had a deadline of March 17th, which came and went. The courts then allowed it to get moved back to March 28th. But right before that there was a filing by the government to say, hey, we need 90 days, and the court said, nah, we're going to give you 45. So hopefully sometime in the next 45 days we're going to know if those final 2024 rules are actually going to be in place or if they're going to revert back to a prior set of final rules, the pre-2024 final rules.

Speaker 3:

We don't know that the administration is looking into whether they want to even keep those 2024 rules, which had some, you know, pretty specific things in them that, you know, it's just very much a problem to compare, like, a desk lamp to a banana, and that's a lot of what some of that stuff is trying to do. You know, if you need a surgery, it's typically very easy to see that. Oh, you know, we took an X-ray, we did an MRI, we did a CT scan, or there's, you know, this, you know. So we know that there's, you know, cancer in the blood or something. So they know that they would need to do a surgery. Not so when you're dealing with mental health or substance abuse disorders, just because you can't; there's not a simple test for that, so it's difficult.

Speaker 1:

Well, and in addition to that, I mean, a lot of the problems that people are having with their filings are around access, and that's not a problem an employer can solve. I mean, it's a nationwide problem. It's getting worse, and yet employers who fail that section just go ballistic, because they know they can't do anything about it, but they're being held responsible for it. It's just, this is what we talked about early on in our conversation, about some of the agencies get it, some of the agencies don't. Some of them get part of it. You know, it's like that old joke about the five blind people who touch an elephant, and everybody touches a different part and thinks it's a different thing, and they react differently.

Speaker 3:

Right.

Speaker 1:

So, you know, after everybody who's helping employers and brokers do this regulatory work, they may just roll them all back anyway.

Speaker 3:

Right. Charming. Yes, here, go do all this stuff. Oh wait, we were kidding, never mind.

Speaker 1:

So we've got about four or five minutes left. Gaze into your crystal ball and let's talk about, you know, like, if you had a genie in a lamp and you could just rub the lamp three times and get some things done. What's on your mind?

Speaker 3:

One of the things would be basically updating ERISA. You know, getting rid of, you know, we know that there's, you know, DOGE is out there in the news under the, you know, basically the mission of cutting waste, fraud and abuse. Well, there's a lot of waste, fraud and abuse, even in disclosure notices. So how about we update ERISA to, I don't know, even last century would be good, but this century would be better. You know, being able to have those definitions, getting rid of notices that no longer really are valid. Michelle's Law, great law, but it's moot with the ACA, and they could have put something in the ACA to get rid of that, you know. But of course they use interns sitting in offices to write those laws, and they don't know about all of these other things that have to be done. So that would be a great thing for employers.

Speaker 3:

Some of the other things, you know, if I had a genie in a lamp and I could, you know, make that one wish, it would be there's got to be something done with bad actors out there. We know that the Department of Justice uses a law a lot that was actually passed during the Civil War, and it's known as the False Claims Act, and they sue for anything and everything. So if you bill the government and you've got a wrong code, you are likely going to get a False Claims Act. They're going to call it fraud, even though it could just be somebody's finger slipped, you know. But a lot of these judgments, and we're talking in 2022, which is the latest report that's come out, there were $2.2 billion in settlements and judgments from the government on entities for filing fraudulent, wasteful, abusive claims of some sort, and it could be an airplane manufacturer. However, we know that $1.7 billion of that was actually in the healthcare industry, and if we read through who they're going after, such as the drug manufacturers, the device manufacturers, hospitals, durable medical equipment, home health care agencies, pharmacies, hospice organizations and even physicians, you know what I don't see in that list? Insurance carriers. But they're made out to be the bad people in a lot of this stuff, when it's not them.

Speaker 3:

It's the people that can actually bill for a service, and, you know, the penalties, the judgments, et cetera, don't seem to be working. We need some other form of punishment, and I don't know. Can we bring back public shaming with the stocks and everything, or something for these people, and make the news go report on, hey, this provider did X? Because it's costing us all. That's taxpayer dollars, number one. But it also, all they're going to do is raise their rates and charge it on the other side. So it's really a mixed up, messed up issue out there, and a lot of it all boils down to, some of these people are just greedy and they think they can get away with it. And, you know, how about some partial penalties for some of that? Something's got to be done.

Speaker 1:

Somebody once said that a camel is a horse that was designed by a committee. This whole universe of ours is starting to look like the biggest camel. Maybe the camel has five humps. I mean, it's just, it's insane, and it's getting, for lack of a better word, insaner as it goes along, and I'm glad that we have you to come join us every now and again and tell us what's going on and answer questions. And that's a great place to end our conversation for today. Carol Taylor, Compliance Specialist at BenefitMall. Carol, thank you so much for sharing your expertise with us. We hope you'll come back.

Speaker 3:

I'm happy to.

Speaker 1:

Talk to you soon. I want to give a quick shout out to our sponsor and our producer, Hatcher Media. Hey, if you need podcast production or professional graphic design, Josh Hatcher is the expert to contact. For more information, visit him at hatchermedia.net.

Speaker 2:

That's h-a-t-c-h-e-r media dot net. This Shift Shapers podcast is copyrighted content and may not be reproduced in whole or in part without the express written permission of Shift Shapers Solutions LLC. Copyright 2024.