In an interesting new case out of Rhode Island, the United States District Court in Ruiz v. Rhode Island, 2020 WL 1989266 (D. Rhode Island, April 27, 2020) was called upon to address whether a personal injury settlement should be enforced even though the defendant was unable to obtain the plaintiff’s social security number (SSN), or the last five digits of his SSN, to determine his Medicare status through CMS’s Section 111 Query Process. The court ultimately enforced the settlement and found that the defendant had “fully complied” with its MMSEA Section 111 reporting requirements.
Concerning this personal injury settlement, the defendant, State of Rhode Island, refused to tender payment until the plaintiff provided his SSN, or the last five digits of his SSN so it could determine his Medicare status. The plaintiff refused to provide this information. The defendant, who had secured the last four digits of the SSN through documents received in discovery, ended up entering 110 different variations of the plaintiff’s possible SSN into CMS’s Query Process using the last four digits of his SSN and appending 0-9 in each instance which did not yield any positive hits.
The plaintiff moved to enforce the settlement and claimed that the State’s delay in tendering payment entitled him to punitive damages and attorneys’ fees. The court enforced the settlement but denied the punitive damages and fees. As part of its ruling, the court found that the defendant had “fully complied” with its MMSEA Section 111 reporting requirements given its query submissions and its other efforts to obtain the necessary information to determine the plaintiff’s Medicare status.
In the bigger picture, this case is the latest example of the challenges an RRE can face in obtaining a plaintiff’s SSN information necessary for it to determine an individual’s Medicare status to meet its potential Section 111 reporting obligations. On this point, it is interesting to note that this decision comes on the heels of the Centers for Medicare and Medicaid (CMS’s) recent Section 111 Civil Money Penalties (CMP) proposal which, in part, contains a proposal to provide RREs with a compliance safe harbor when it is unable to obtain a plaintiff’s SSN information despite “good faith” efforts to do so. While the comment period on CMS’s CMP proposals closed just seven days before this decision, the court considered CMS’s proposal as part of its analysis and ruling in this case. It is hoped that CMS’s current efforts to provide a compliance safe harbor will help alleviate the type of situations presented in Ruiz going forward.
For those interested in a more detailed analysis of this lengthy court decision, along with a review of CMS’s proposed SSN “good faith” compliance safe harbor, the authors present the following:
The plaintiff alleged he sustained injuries as the result of excessive force during an arrest and wrongful detention in 2013 for which he was treated at a local hospital. The plaintiff was noted to be “approximately sixty years old” at the time of the incident which reflects some factual “inconsistencies” on this point based on the plaintiff’s representations and discovery materials.
In June 2019, the parties settled for $55,000. While the claimant in the settlement release agreed to be responsible for and resolve “any Medicare claim” to the extent he was a Medicare beneficiary, the parties never discussed how the defendants would obtain closure regarding any possible Medicare claim as part of the settlement negotiations. Further, at the mediation, the defendant never advised the plaintiff that the submission of his SSN (or any part of it) for MMSEA compliance purposes was a precondition to tendering the settlement proceeds. The plaintiff never advised the defendant that he would refuse to supply his SSN to help the defendant ascertain his Medicare status for MMSEA purposes.
Plaintiff refuses to provide his SSN (or the last five digits of his SSN)
Following the mediation, a dispute developed when the plaintiff refused to provide his social security number (SSN), or the last five digits of his SSN, to the defendant so the defendant could determine his Medicare beneficiary status through CMS’s Section 111 Query Process system. Amongst the plaintiff’s arguments, he took the position that he was not required to provide his SSN (or the last five digits of his SSN) under the MMSEA on grounds per the 2013 SMART Act revisions to the law through which CMS was required to modify the reporting requirements so that an RRE was “permitted” but not “required” to access or report SSNs. Further, the claimant represented that he had never been enrolled in Medicare and had personally paid his medical expenses.
Outside of the MMSEA, the plaintiff argued that the defendant’s request for his SSN violated the Privacy Act. This Act, in pertinent part, states that it “shall be unlawful for any Federal, State or local government agency to deny … any right, benefit, or privilege provided by law because of [an] individual’s refusal to disclose his [SSN].”
Defendant makes several attempts to determine Medicare status
Notwithstanding the plaintiff’s position, the defendant made several attempts to obtain the plaintiff’s SSN (or the last five digits of his SSN), including sending him a specific questionnaire prepared by the State of Rhode Island entitled “Medicare Reporting Form for RI State Agencies.” All of these attempts were rebuffed by the plaintiff.
Also, the defendant attempted to determine Medicare status through CMS’s Query Process given incomplete information it had. Specifically, the defendant had the last four digits of the plaintiff’s SSN which it gleaned from certain documents it received as part of discovery. After the plaintiff refused to provide the necessary 5th digit of his SSN, the defendant entered every iteration of the plaintiff’s birth date and 110 different variations of the plaintiff’s possible SSN using the last four digits and appending 0-9 in each instance into CMS’s Query Process tool. None of these attempts yielded a positive return.
Plaintiff moves to enforce the settlement
Given the plaintiff’s refusal to provide the necessary information for Query purposes, the defendant refused to release the agreed-upon settlement funds citing its obligation to determine the plaintiff’s Medicare status to comply with the MMSEA Section 111 reporting requirements. In response, the plaintiff filed his motion to enforce the settlement, along with a request for punitive damages and attorney’s fees. The defendant moved to compel the plaintiff to comply with what they interpreted as a post mediation consented to Order requiring him either to provide his SSN or an affidavit stating he did not have an SSN.
Court enforces the settlement and finds the defendant’s actions compliant with the MMSEA
As part of determining whether to enforce the settlement, the court found that the defendant’s efforts to determine the plaintiff’s Medicare status complied with the MMSEA stating:
Based on the State’s extraordinary efforts to comply with its MMSEA reporting obligations, the Court finds that Plaintiff’s intransigence in refusing to provide either his full SSN or the last five digits of his SSN is well established and that the State, as a self-insured entity subject to the mandatory federal reporting requirement, has both fully complied with the reporting requirement (by submitting queries based on every possible iteration of the five digit SSN built using information Plaintiff provided in discovery with Plaintiff’s knowledge and consent that it was to be used for MMSEA reporting) and has made far more than adequate “good faith efforts to identify a beneficiary.” (Emphasis Added). Ruiz, 2020 WL 1989266 at *9.
Further, the court found that the defendant had “made significant (and successful) efforts to comply fully with the letter and spirit of MMSEA,” and these efforts align with CMS’s recently proposed compliance safe harbor when RREs cannot obtain the SSN (or last five digits of the SSN). Id.
Accordingly, the court ruled that “both Defendants’ opposition to Plaintiff’s motion to enforce and their motion to enforce are moot and Plaintiff’s motion to enforce – solely [regarding] consummation of the Settlement Agreement – may be and hereby is granted. There is no further need for Plaintiff to disclose his SSN or any part of it as a prerequisite to receiving the Settlement Proceeds.” Id. at *10.
Court denies the claim for punitive damages
The court also denied the plaintiff’s request for punitive damages under R.I. Gen. Laws § 9-1-50. As explained by the court, this statute creates a rebuttable presumption that “failure of an insurance company to pay a settlement within thirty days of the plaintiff’s sending the release is ‘a willful and wanton disregard for the rights of the claimant’, giving rise to a claim for punitive damages and interest at 12%.” However, the court noted that Section 9-1-50 “does not apply because the State is not an insurance company.” Also, the court further noted that the presumption under this section is rebutted once circumstances occasioning the delay are explained by the insurance company, and the plaintiff must show conduct bordering on criminality to recover based on the Rhode Island Supreme Court ruling in Maciszewski v. Flatley, 814 A.2d 342, 345 & n.3 (R.I. 2003).
Based on this authority, the court denied the claim for punitive damages finding that the defendant’s actions in delaying payment of the settlement did not “conceivably amount to ‘willful and wanton disregard’ for Plaintiff’s rights bordering on criminality as defined in Maciszewski.” Rather, to the contrary, the court found the defendant “acted in good faith for the purpose of complying with MMSEA consistent with long-standing State policy and in seeking compliance with the assented-to Order to which the State, like the Court, understood Plaintiff had agreed.”
Court denies the claim for attorneys’ fees
The plaintiff was seeking attorneys’ fees based on the defendant’s alleged violation of the Privacy Act which, as noted above, bars a State from denying “any right, benefit, or privilege” due to an individual’s refusal to disclose his SSN. 5 U.S.C. § 552a(a)(1). However, the court noted the Privacy Act did “not apply with respect to…any disclosure which is required by Federal statute.” 5 U.S.C. 552a(a)(2). In this regard, the court found that the Privacy Act’s prohibition on SSN disclosure was not applicable in this instance “because [the] MMSEA is a ‘Federal statute’ requiring preferably full, but at least, partial SSN disclosure.”
From the other angle, the court rejected the plaintiff’s argument that the defendant should have accepted his sworn statement that he was not a Medicare beneficiary and his production of documents purportedly showing he paid for his medical expenses given what the court noted as “troubling inconsistencies” on certain points in the record and authority from other jurisdictions where courts permitted insurers to seek SSN information even in situations where it was “extremely unlikely” that the claimant was a Medicare beneficiary. Further, the plaintiff argued that absent an overt agreement between the parties he was not contractually obliged to act consistently “with the State’s goal of achieving finality by complying with the MMSEA.” However, the court rejected this position, in part, as ignoring “the implied covenant of good faith and fair dealing.”
Based on its analysis, the court rejected the plaintiff’s motion finding that defendant’s conduct was “impeccable [and] fully consistent with the express and implied terms of the Settlement Agreement; they have done nothing even approaching the type of vexatious conduct and bad faith required for sanctions to be seriously considered (citation omitted). Further, they have been put to extreme expense as a result of Plaintiff’s refusal to disclose any part of his SSN, in breach of his implied duty of good faith and fair dealing.”
CMS’s SSN “good faith” compliance safe harbor proposal
The Ruiz case is the latest example of the challenges RREs (especially liability RREs) can face in obtaining a plaintiff’s SSN information to determine Medicare status. On this point, several courts in other jurisdictions have been called upon to address similar issues since the implementation of the MMSEA requirements. Given the significant penalties that could be assessed for non-compliance, this has been an issue that has concerned many RREs for years.
To address this concern, CMS as part of its current Section 111 civil money penalties (CMP) proposals, is proposing not to impose Section 111 CMPs when the NGHP RRE fails to report under Section 111 because it was unable to obtain information necessary for reporting from an individual, including his/her name, DOB, gender, MBI, SSN, or last 5 of the SSN, and the entity has made and maintained records of its good faith efforts to obtain this information by taking ALL of the following steps:
- RRE has communicated the need for the information to the individual and his/her attorney or another representative at least twice by mail and at least once by phone or other means of contact such as electronic mail in the absence of a response to mailings;
- RRE certifies that it has not received a response in writing; or has received a response in writing that the individual will not provide MBI, SSN, or last 5 of SSN; and
- RRE has documented in its records to show its efforts to get the MBI, SSN, or last 5 of SSN and the reason for the failure to collect this information.
Also, CMS indicates the NGHP RRE should maintain records of these good-faith efforts (such as dates and types of communications with the individual) to be produced as mitigating evidence should CMS contemplate CMP imposition and that such records should be maintained for 5 years.
While this proposal is currently being scrutinized by the industry, it is at least a start toward establishing the types of safe harbors necessary to avoid the types of issues, delays, and expenses highlighted in Ruiz and other cases. As part of the comment period, it is expected that CMS has received several comments on modifying its proposals to make them more workable. While a complete critique of the above proposal is beyond the scope of this article, one modification CMS should consider considering #1 is changing the word “and” to “and/or” since NGHP RREs are often legally restricted from communicating with an individual who has retained counsel and/or representation. Another helpful modification would involve CMS providing protections to the RRE when it does not have an individual’s mailing address, phone number, or other means of contact. Also, CMS should provide better direction on specific timelines regarding the RREs contact attempts and documenting a lack of response.
Looking ahead, CMS is now reviewing the received Comments and will at some point issue its Final Rule. It is unknown whether CMS’s current SSN safe harbor compliance proposal will be finalized in its current state or will be modified. ISO Claims Partners is closely monitoring developments related to CMS’s CMP proposals and will provide updates as warranted. For a complete review of all of CMS’s Section 111 CMP proposals and ISO Claims Partners’ Commentary Response, click here.
On a final note, until CMS’s final regulations on this point are issued, NGHP RREs must have processes in place to request the necessary information to determine an individual’s Medicare status and to document its efforts when an individual refuses to provide this information. Also, the NGHP RRE should assure that its position and expectations regarding the information it needs from the plaintiff to determine his/her Medicare status is communicated as part of the claims handling and settlement process.
Please do not hesitate to contact the authors if you have any questions about the court’s decision in Ruiz, CMS’s Section 111 CMP proposals, or general Section 111 compliance issues.
 CMS’s Query Process is an electronic tool CMS has established to help RREs determine an individual’s Medicare status as part of MMSEA Section 111 reporting. In general, to use this tool the individual’s SSN, or the last five digits of the SNN are required data elements. Other data elements include the first initial of the first name, the first six characters of the last name, date of birth, and gender (male/female). See generally, CMS’s NGHP Section 111 User Guide (Version 5.8 January 31, 2020) Chapter IV Technical Information, Chapter 8 Query Files, and CMS’s published Alerts dated September 10, 2014, and November 25, 2014.
 MMSEA is the acronym commonly used for Medicare, Medicaid, and SCHIP Extension Act codified at 42 U.S.C. 1395y(b)(8). In general, under the MMSEA, parties known as Responsible Reporting Entities (RREs) are required to (i) determine whether a claimant (including an individual whose claim is unresolved) is entitled to benefits under the program under this subchapter on any basis; and (ii) if the claimant is determined to be so entitled, submit the information described in subparagraph (B) with respect to the claimant to the Secretary in a form and manner (including frequency) specified by the Secretary. 42 U.S.C. § 1395y(b)(8)(A). Under the MMSEA, an RRE may be subject to a civil money penalty of up to $1,000 for each day of noncompliance with respect to each claimant. 42 U.S.C. § 1395y(b)(8)(E)(i).
 CMS released its long-awaited Section 111 CMP proposals for non-group health plans (NGHP), as well as group health plans (GHP), as contained in 85 Fed. Reg. No. 32 8793 (February 18, 2020). References to the CMP proposals in the Ruiz case, and this article, relate to NGHPs. In general, CMS’s proposals are aimed at implementing the Section 111 penalty provision which allows CMS to impose CMPs against NGHP RREs of “up to $1,000 for each day of noncompliance with respect to each claimant.” As part of its NPRM, CMS outlines proposed situations when it could impose a CMP, along with specific instances when it would not impose a CMP. Once finalized, CMS’s CMP rules will be added to the already existing Codes of Federal Regulations sections governing CMPs in general as contained at 42 C.F.R. Part 402 (Civil Money Penalties, Assessments, and Exclusions) and 42 C.F.R. § 102 (Adjustment of Civil Money Penalties for Inflation). CMS opened a public comment period to allow for feedback on its proposals which closed on April 20, 2020. As more fully discussed in the article, CMS is proposing not to impose CMPS when the RRE, despite good faith efforts, the RRE is unable to report, because it was unable to obtain necessary info to report, including name, DOB, gender, MBI, SSN, or last 5 of the SSN, and the entity has made and maintained records of its good faith effort to obtain this information. For a detailed overview of CMS’s specific proposals, see our recent article. These resources provide an excellent breakdown and discussion of the CMP proposals.
 Ruiz, 2020 WL 1989266 at *1 and n. 4.
 SMART Act, Public Law 112-242, H.R. 1845 (112th Cong. Jn. 10, 2013), Section 204, codified at 42 U.S.C. § 1395y(b)(8)(B)(ii). However, the court interpreted this statutory revision, along with post-SMART Act CMS policy Alerts to effectuate this provision and a currently proposed CMS compliance safe harbor for RREs who cannot obtain SSN information, as modifying the “information necessary for reporting from the reportable individual” from the full SSN to at least “the last 5 digits of the SSN.” Ruiz, 2020 WL 1989266 at *6.
 Ruiz, 2020 WL 1989266 at *2.
 Ruiz, 2020 WL 1989266 at 6. The court noted that the plaintiff sent back this form with the requested SSN information left blank “without comment on the omission of the SSN” and then remained silent on this item after the defendant sent the form to the court mediator expressing that the form had been completed and was ready to be submitted “for Medicare inquiry.”
 Ruiz, 2020 WL 1989266 at *9.
 Regarding this argument, the court noted while the Privacy Act does not confer the right to recover attorneys’ fees, the court acknowledged that the plaintiff was seeking fees based on this statute as a sanction for the defendant’s alleged “totally frivolous conduct and misrepresentation to [the] Court as to the current state of the law.” Ruiz, 2020 WL 1989266 at *10.
 Ruiz, 2020 WL 1989266 at *12 On this point, the court noted, as examples, the case of Bey v. City of New York, 2013 WL 439090 (E.D. N.Y. Feb. 2013) where the court indicated obtaining the SSN is a “required, legitimate and necessary use of the SSN under federal law…even where a plaintiff has a reasonable argument that he would not qualify for benefits;” while the court noted the Connecticut case of Hackley v. Garafano, 2010 WL 3025597 (Conn. Super. Ct. July 1, 2010) in which the court found it appropriate for an insurer to request the SSN from a 16-year-old plaintiff and his uninjured father as part of Section 111 reporting.
 Id. at *13.
 As examples, in Seger v. Tank Connection, LLC, 2010 WL 1665253 (D. Neb. 2010) the court found the production of the plaintiff’s SSN prior to settlement relevant and permitted under the federal rules of discovery. While acknowledging the MMSEA did not require “this information be submitted to CMS until after a final settlement or judgment is issued,” the court reasoned there was no “harm to the plaintiffs in providing the information sooner…[as the plaintiff] will be required to provide the requested information eventually [and this information] could reasonably bear on the issues in the case.” Accordingly, the court ordered the plaintiff in that case “to provide identifying information along with either his Medicare Health Insurance Claim Number or his Social Security Number.” In Smith v. Sound Breeze of Groton Condominium Ass’n, 2011 WL 803067 (Conn. Super. Ct. 2011) the court allowed the filing of supplemental discovery aimed at obtaining the plaintiff’s SSN prior to settlement. While the court in Silver v. Milford Medical Center Associates, 2017 WL 2452551 (Conn. Super. Ct. May 11, 2017), disagreed with Sound Breeze and denied the defendant’s motion to file supplemental discovery requests to procure Medicare related information. Further, as noted by the court in Ruiz, the court addressed the issue in Hackey V. Garafano, 2010 WL 3025597 (Conn. Super CT. July 1, 2010) finding that it was appropriate to ask for the SSN of a sixteen-year-old plaintiff and his uninjured father to comply with Section 111 reporting.
 85 Federal Register. No. 32, p. 8800 (February 18, 2020).