As questions mount over whether health insurer Anthem Inc’s proposed $48 billion purchase of Cigna Corp will win U.S. antitrust approval, an exclusive analysis produced for Reuters suggests the merger could lead to higher costs for large companies offering workplace medical benefits.

More than 154 million people receive health benefits through employers, many of them large national corporations. The large employer market is a top concern for U.S. Department of Justice regulators reviewing the Anthem deal, company officials say. The government could block a deal if it finds evidence it would drive up the cost of such coverage.

Anthem and Cigna, the nation’s No. 2 and No. 5 health insurers, are among a handful of carriers selling national coverage plans to employers with thousands of workers across many states.

Anthem has said the added heft will work for employers, not against them. A bigger Anthem, it emphasizes, could drive better deals from doctors and hospitals and pass savings onto these customers. In addition, Anthem has argued that there still will be plenty of competition: large employers pit smaller, local insurers’ bids against those of large national carriers in regional markets. Anthem officials told an investor conference last month that many employers include health plans from several smaller insurers to cover far-flung employees.

But an Aon Hewitt analysis of benefits data for Reuters found that a majority of large employers buy worker health benefits from just one or two insurers.Among 75 companies representing a cross-section of industries, 54 percent used a single insurer and 26 percent used two. Aon Hewitt, a unit of Aon Plc which helps employers select their benefit plans, based its analysis on data from over 400 customers that participate in healthcare cost research.

Spokeswoman Maurissa Kanter said Aon Hewitt did not conclude “whether or not carrier consolidation would be a competitive issue that could lead to higher prices for employers.” She also said that the data did not “support an argument for or against market consolidation.”

Several human resources directors from large corporations also told Reuters they review potential benefits contracts from only the biggest insurers, rather than regional players. UnitedHealth Group, Anthem, Aetna Inc and Cigna are the only national players in the employer health insurance market.

It is less efficient for companies to hire multiple regional insurers, and the merger could allow the few remaining national insurers to raise their rates, said Peter Carstensen, an antitrust expert and professor emeritus at the University of Wisconsin Law School. “The Aon Hewitt data on its face is bad for the deal and hurts their chances of getting approval,” Carstensen said.

A Justice Department official declined to comment on its review of the deal. It is also considering Aetna’s proposed $34 billion purchase of Humana Inc. If both acquisitions were approved, it would result in an unprecedented consolidation of the top insurers, from five to three.

Anthem has said that buying Cigna would help it drive deeper discounts from hospitals and doctors, holding down the price of medical coverage. “What the Department of Justice will see is that we are going to bring a better focus on managing the cost of care,” Anthem Chief Executive Joseph Swedish told an investor conference last month.

But at least some large U.S. employers fear they will face higher prices if the deal goes through, according to Wall Street analysts. Concerned employers include Detroit automakers, according to a person familiar with the industry’s position.

Other employers found merit in Anthem’s assertion that the deal could benefit customers by eliminating overhead. “There is some chance that consolidation could lower some of those costs,” said Michael D’Ambrose, chief human resources officer for Archer Daniels Midland Co (ADM.N), which buys coverage from Anthem and other Blue Cross Blue Shield plans.

The deal has raised opposition from leading medical groups, California’s insurance commissioner and Democratic lawmakers.

Hospitals are pretty hygienic places — except when it comes to passwords.

That’s the conclusion of a recent study by researchers at Dartmouth College, the University of Pennsylvania and USC, which found that efforts to circumvent password protections are “endemic” in healthcare environments and mostly go unnoticed by hospital IT staff.

The researchers interviewed medical personnel in their workplace settings–nurses, doctors, chief medical officers, chief medical information officers, cybersecurity experts, CIOs, IT workers, everyday users, and managers–to obtain their perceptions of computer security rules. They collected reports from medical discussion lists and other literature. In addition, they shadowed many clinicians as they conducted their work.

The report describes what can only be described as wholesale abandonment of security best practices at hospitals and other clinical environments — with the bad behavior being driven by necessity rather than malice.

And this is certainly not good news for payers of health care services such as workers’ compensation claim administrators. Identity theft is a centerpiece of health care fraud schemes. The health/medical sector has accounted for the highest percent (42.5% in 2014) of total hackings of any industry, according to the Identity Theft Resource Center.

“Cyber security efforts in healthcare settings increasingly confront workarounds and evasions by clinicians and employees who are just trying to do their work in the face of often onerous and irrational computer security rules. These are not terrorists or black hat hackers, but rather clinicians trying to use the computer system for conventional healthcare activities. These “evaders” acknowledge that effective security controls are, at some level, important – especially the case of an essential service, such as healthcare. As we observed, earlier, without such tools, the enterprise cannot protect against adversarial cyber action. Unfortunately, all too often, with these tools, clinicians cannot do their job – and the medical mission trumps the security mission.”

“In hospital after hospital and clinic after clinic, we find users write down passwords everywhere,” the report reads. “Sticky notes form sticky stalagmites on medical devices and in medication preparation rooms. We’ve observed entire hospital units share a password to a medical device, where the password is taped onto the device.”

“We found emergency room supply rooms with locked doors where the lock code was written on the door — no one wanted to prevent a clinician from obtaining emergency supplies because they didn’t remember the code.”

“We find, in fact, that workarounds to cyber security are the norm, rather than the exception. They not only go unpunished, they go unnoticed in most settings – and often are taught as correct practice. In rare exceptions, when the workarounds become obvious to leaders – such as a security breach involving a patient’s record – there may be repercussions. These common forms of ignorance, or willful blindness, or incomprehension allow organizations to continue to deploy security that doesn’t work.”

Competing priorities of clinical staff and information technology staff bear much of the blame. Specifically: IT staff and management are often focused on regulatory compliance and securing healthcare environments. They are excoriated for lapses in security that result in the theft or loss of data.

Clinical staff, on the other hand, are focused on patient care and ensuring good health outcomes, said Ross Koppel, one of the authors of the report, who told The Security Ledger. Those two competing goals often clash. “IT want to be good guys. They’re not out to make life miserable for the clinical staff, but they often do,” he said.

The WCAB has issued a number of panel level decisions eroding the jurisdiction of the UR and IMR process for technical mistakes that were claimed to have “invalidated” the process and the UR/IMR finding.  These cases  favored handing the issue of appropriate medical treatment over to the WCJ to decide. As a result UR/IMR seemed to be subjected to a slow death by a thousand such cuts. However, the trend of erosion of UR/IMR jurisdiction may have suffered a setback at the hands of a new Court of Appeal published decision.

Dorothy Margaris suffered a work-related injury to her left foot and lumbar spine while employed by the California Highway Patrol. The State Compensation Insurance Fund is the adjusting agent for this claim.

On October 16, 2014, her treating physician submitted a request for authorization of medical treatment to SCIF proposing to treat applicant with a lumbar epidural injection. On October 21, 2014, SCIF denied the request.

Applicant timely requested independent medical review. On November 26, 2014, SCIF sent the necessary medical records to Maximus Federal Services, Inc. On January 8, 2015, Maximus issued its IMR determination, upholding SCIF’s denial of the proposed medical treatment. The IMR determination became the final determination of the director as a matter of law. (§ 4610.6, subd. (g).)

Margaris appealed the IMR determination to the appeals board (§ 5300), which directed the matter to an administrative law judge for a hearing (§ 5310). She argued argued that the IMR determination was invalid because Maximus failed to issue it within the 30-day time period provided by section 4610.6, subdivision (d), and the applicable regulation (Cal. Code Regs., tit. 8, § 9792.10.6, subd. (g)). The judge agreed the IMR determination was issued 13 days late, but nevertheless found the determination was valid and binding on the parties, concluding that an untimely IMR determination “does not confer jurisdiction on the [workers’ compensation judge] to decide any medical treatment issues.”

In response to her petition for reconsideration, a majority of the three-member panel agreed with applicant and went on to find, contrary to the IMR determination, that the proposed treatment was supported by substantial medical evidence and was consistent with the treatment schedule promulgated by the director. One member of the panel dissented, and would have found that the IMR determination, though untimely, was valid and binding on the parties.

The Court of Appeal disagreed with the WCAB and reversed in the published case of California Highway Patrol and SCIF v WCAB (Margaris).

The 30-day time limit in section 4610.6, subdivision (d), is directory and, accordingly, an untimely IMR determination is valid and binding upon the parties as the final determination of the director. The Court of Appeal interpretation of the statute in this manner is consistent with long-standing case law regarding the mandatory-directory dichotomy, and implements the Legislature’s stated policy that decisions regarding the necessity and appropriateness of medical treatment should be made by doctors, not judges.

Generally, time limits applicable to government action are deemed to be directory unless the Legislature clearly expresses a contrary intent. By creating IMR, a system in which “medical professionals ultimately determine the necessity of requested treatment,” the Legislature intended to “further[] the social policy of this state in reference to using evidence-based medicine to provide injured workers with the highest quality of medical care.” Further, the Legislature observed that the prior system of dispute resolution, i.e., the “process of appointing qualified medical evaluators to examine patients and resolve treatment disputes,” was not only costly and time-consuming, but “it prolong[ed] disputes and cause[d] delays in medical treatment for injured workers.” (Stats. 2012, ch. 363, § 1(f).)

“The Legislature intended to remove the authority to make decisions about medical necessity of proposed treatment for injured workers from the appeals board and place it in the hands of independent, unbiased medical professionals. Construing section 4610.6, subdivision (d), as directory best furthers the Legislature’s intent in this regard.”

The California Department of Insurance announced its decision in a major insurance case pitting a small business against a Berkshire Hathaway owned workers’ compensation insurer that it said used a complex insurance scheme to circumvent regulatory review of its rates and policy terms to the disadvantage of small and medium sized businesses.

California Insurance Company, a Berkshire Hathaway company, filed one set of rates and insurance policies with the Department of Insurance, which it then sold to Shasta Linen, a small family owned business, and then followed that by having another Berkshire Hathaway company sell Shasta Linen a second insurance policy with different rates and terms that had never been submitted to the department for review as the law requires. California Insurance Company is the seventh largest workers’ compensation insurer in California by premium volume.

The lure for small businesses like Shasta Linen was seemingly attractive lower workers’ compensation premiums, but that attractiveness evaporated when the small business owner realized they were on the hook to pay the cost of workers’ compensation claims which eclipsed its original premium savings.

“This is a case of if it sounds too good to be true, it probably is,” said Insurance Commissioner Dave Jones. “The evidence showed that California Insurance Company filed one set of rates and policies, sold it to a California business, and then had one of its affiliates sell the same business an insurance policy with another set of rates and terms which had not been filed with the department.”

The scheme – Shasta Linen originally purchased a guaranteed cost workers’ compensation policy from California Insurance Company. Guaranteed cost insurance policies have rates based on the average historical losses of the insured business, modified by their own experience with worker injuries as compared to other businesses hiring workers’ of the same type. When a business buys a guaranteed cost policy it knows what its rates will be for the duration of the policy.

The insurance company later had one of its affiliates – another Berkshire Hathaway entity – sell Shasta Linen a second insurance policy called EquityComp, which is not a traditional guaranteed cost workers’ compensation insurance policy. This second insurance policy was a retroactive non-linear insurance policy, which adjusted the rates paid based on current loses and provided no experience modification of rates based on the employers’ claims experience.

Under the EquityComp insurance program, the risk of claims was essentially shifted back to the small business, which would end up paying additional premiums and fees in the policy term if it suffered from increasing claims. The second insurance policy was written by another Berkshire Hathaway company – Applied Underwriters Captive Risk Assurance (“AUCRA”), which is in the same corporate holding group as California Insurance Company and shares the same board of directors and executives.

This new EquityComp insurance program essentially left Shasta Linen self-insured, and also locked it into potentially making various ongoing payments to the insurance company for seven years, well beyond the three-year period of the policy, as well as the one-year period for the typical guaranteed cost policy.

The commissioner’s decision found that in the three years before it introduced EquityComp, California Insurance Company’s profits were $47 million and in the four years since introducing EquityComp the company’s profits were $220 million. The net loss ratio of California Insurance Company has fallen from 77.7 percent to between 19 and 30 percent, since it started offering EquityComp, compared to an industry annual average net loss ratio of over 80 percent.

The EquityComp insurance policy not only changed the rates to be paid by Shasta Linen, it also added new, expensive cancellation and non-renewal penalties. For example, under the guaranteed cost policy a business paying $300,000 in premium that cancels its policy after 100 days is liable for $114,000, while that same business cancelling under the EquityComp policy would be liable for more than $1.1 million. Under the original guaranteed cost policy there was no non-renewal penalty, but when Shasta Linen did not renew the EquityComp policy it was sent a bill for nearly $250,000.

In addition the new EquityComp insurance policy had an additional term that sought to deprive Shasta Linen of its right to appeal to the insurance commissioner and to have its dispute decided under California law — instead, the unfiled EquityComp insurance policy required all disputes to be governed by Nebraska law through arbitration in the British Virgin Islands.

When confronted with demands for higher payments under the EquityComp insurance policy, Shasta Linen brought the case before the insurance commissioner. The commissioner found that California Insurance Company and AUCRA failed to file the EquityComp insurance policy or its rates with the Department of Insurance, contrary to California law.

Commissioner Jones’ decision also found that California Insurance Company, in applying for a patent for EquityComp, stated that its objective was to circumvent regulatory oversight. Jones concluded that the EquityComp insurance scheme was illegal and void as a matter of law, because it was not filed with the Department of Insurance for review. The Commissioner’s order relieved Shasta Linen of having to make the additional payments under the EquityComp insurance policy and ordered California Insurance Company to repay any amounts paid by Shasta Linen in excess of the premium under the guaranteed cost policy.

“California employers should be able to trust that their insurance companies are doing business by the book and not exploiting them in the name of profit,” Jones continued. “Unfiled rates and unfiled major policy terms are void as a matter of law.”

During the hearing process, the department became aware that other state departments of insurance have also taken action to prohibit the sale of EquityComp and similar insurance programs.

As a result of this decision, Commissioner Jones has also directed the Department of Insurance to determine whether other unfiled insurance policies and rates are being sold by other Berkshire Hathaway companies and other workers’ compensation insurers. The outcome of that evaluation will determine what action the commissioner takes next, ranging from market conduct examinations, financial examination, and enforcement actions with potential penalties.

The Department of Health and Human Services Office of the Inspector General (“OIG”) and the Department of Justice (“DOJ”) released the FY 2015 Health Care Fraud and Abuse Control Program Annual Report. The Annual Report details the enforcement actions and the monetary gains from efforts by the OIG and DOJ to fight fraud and abuse throughout the prior fiscal year..

The Annual Report estimated that settlements and judgments resulted in approximately $2.4 billion returned to both the government and private parties in 2015. The Annual Report estimated that from 2013 to 2015, the return on investment for the Program has been $6.10 for every $1.00 expended (down from the previous calculation of $7.70 for every $1.00). Further, the DOJ convicted 613 defendants, and the OIG brought 800 criminal actions against individuals and entities involved in health care fraud and abuse-related crimes. The OIG also excluded 4,112 individuals from participation in federal health care programs in 2015. In Medicare, medical professionals may be banned from seeking money to see patients if they’ve been convicted of defrauding a health care program or fraud-related offenses.

But those banned providers have no problem starting a second career in California’s workers’ compensation system. Recent criticism argues that no such facility vetting occurs on a regular basis for workers’ compensation medical treatment. For example, Medicare banned Dr. Thomas Heric in 2006 after he pleaded guilty to charges related to writing reports based on diagnostic tests that turned out to be fraudulent. Heric then found a new line of work in the workers’ compensation medical system. His job was to review data on injured workers’ sleep patterns and issue reports needed to bill insurers. Five years later, prosecutors accused Heric of fraud again. That case is pending in Orange County Superior Court. Heric’s attorney, Robert Moest, said Heric stands by the reports and is fighting the charges.

There have been numerous successful criminal and civil health care fraud investigations in 2015 by the OIG and DOJ. These included: an $800 million settlement in which a company allegedly paid kickbacks to physicians through selling interests in exchange for referrals; a $54 million settlement by drug companies for knowingly underpaying rebates owed under the Medicaid Drug Rebate Program; a 156-month imprisonment and $1.2 million restitution payment for an individual medical supply company owner for submitting false claims to Medicare for hundreds of medical devices; a $47 million settlement by a laboratory for paying physicians kickbacks for patient referrals and billing for medically unnecessary testing; and the largest national health care fraud takedown in history charging 243 individuals, including 46 medical professionals, for alleged participation in Medicare fraud schemes for approximately $712 million in false billings.

The OIG’s audit and evaluation process found some key emerging issues in the Annual Report, including: Medicaid Home Health services; terminated Medicaid providers; access to Medicaid managed care services; payments to delinquent providers; non-emergency medical transportation services; issues in Medicare Part D; and the skilled nursing facility payment system. CMS reported that the national Medicaid improper payment rate for 2015 was 9.8 percent or $29.1 billion (an increase from the 2014 rate of 6.7 percent or $17.5 billion). Also in 2015, CMS awarded a contract for a pilot program to estimate the possible fraud in the Medicare program, specifically in the Home Health benefit. This pilot program includes a review team of health care clinicians, analysts, policy experts and fraud investigators that will review possible fraud and determine whether law enforcement should be involved.

Health care payers should be aware of the concentrations of the Annual Report, as many of these areas will likely remain a focus in 2016. In 2015, the DOJ Civil Division Fraud Section focused on hospitals and physicians. This trend is one that payers should watch for in the future. The DOJ stated in the Annual Report it was concerned with hospitals and physicians treating patients on an inpatient basis when they could have been treated as outpatients. The DOJ also stated that a key area of concern was in violations of the Stark Law for physicians with ownership interest in health care entities. Further, the DOJ civil division recently has been litigating more cases that would have normally been settled in the past. This trend may continue in upcoming years.

Many of the recent settlements from providers have been in regards to excessive physician compensation. Several large settlements have resulted from findings of physician compensation that was in excess of fair market value, not commercially reasonable and based on the volume or value of referrals. Further, the DOJ has emphasized a recent focus on individual accountability and corporate responsibility. It is likely these trends will continue as well.