Page 1 of 1
On April 29, 2020, the Department of Labor (DOL) and the Internal Revenue Service (IRS) announced in a Notice a “pause” in the timelines that affect many COBRA and HIPAA Special Enrollment Period timelines during the National Emergency due to the COVID-19 pandemic.
The National Emergency declaration for COVID-19 was issued on March 13, 2020, and as of the date of this writing, is still in effect. However, for purposes of COBRA in the eyes of the DOL, the “pause” date is set to begin on March 1, 2020. According to the Notice, the period from March 1 through 60 days after the date the National Emergency is declared ended is known as the “Outbreak Period.”
Normally, group health plan Qualified Beneficiaries (QBs) have 60 days from the date of a COBRA qualifying event to elect COBRA coverage, or in the case of a second COBRA qualifying event, to make a new COBRA election. Once a COBRA election is made, the first payment (going back to the date of the COBRA qualifying event) is due no more than 45 days later. After that, plan sponsors must allow at least a 30 day grace period for late COBRA payments.
According to the Notice, all of these timelines are affected. The 60-day election “clock” is paused beginning March 1, 2020 or later until the the end of the Outbreak Period. Similarly, the 45-day first payment “clock” is also paused during the Outbreak Period, as is the 30-day grace period for making COBRA payments.
ABC Company’s group health plan is subject to COBRA continuation coverage. Jane Jetson and her family are covered under ABC’s group health plan. On February 1, 2020 Jane terminates employment at ABC, and on February 5th, Jane receives her COBRA election notice informing her she has 60 days from February 1st to make an election. Normally, that election period would end on April 1, 2020, 60 days from February 1st.
However, with the new DOL/IRS Notice, the “pause” button on the 60 day election period was hit on March 1st, the beginning of the Outbreak Period, so the 60 day clock stops at 29 days and doesn’t resume until the end of the Outbreak Period. For sake of this example, let’s assume the National Emergency declaration is lifted on May 31, 2020. On July 30, 2020, 60 days after May 31st and thus the end of the Outbreak Period, the “pause” button is lifted and the COBRA election clock restarts for another 31 days to complete the 60 day COBRA election period, which now would end on August 30, 2020.
Continuing with the example and assumptions, if Jane did make her COBRA election to continue coverage on August 30th (the last day to do so), the 45 day clock to make the first payments back to February 1st would begin, and she would have to make all seven months’ payments by October 14, 2020. Of course, by that date she’d also owe payments for September and October as well, although she’d be in the middle of the grace period for October.
Similarly, the 30 day HIPAA Special Enrollment Period (SEP) for qualified changes of status that impacts group health plan enrollment changes is also “paused” until after the end of the Outbreak Period.
Homer Simpson also works for ABC Company, and has elected not to participate in ABC’s group health plan since he has coverage through his spouse Marge’s employer’s group health plan at XYZ Company. On March 15, 2020, Homer and Marge have a baby named Bart, and decide that Homer would like to cover his entire family under ABC’s plan. In normal times, Homer would have 30 days from the date of Bart’s birth to enroll in ABC’s group health plan utilizing the HIPAA SEP.
However, under the DOL/IRS Notice, that 30-day clock is on “pause” until the end of the Outbreak Period. Using the same assumption in the example above, that clock would start on July 30th, and Homer would have until August 30th to enroll his entire family.
Plan sponsors will need to pay close attention to this Notice and make proper adjustments in their established COBRA and HIPAA procedures to accommodate it.
The U.S. Equal Employment Opportunity Commission (EEOC) recently issued proposed new rules clarifying its stance on the interplay between the Americans with Disabilities Act (ADA) and employer wellness programs. Officially called a “notice of proposed rulemaking” or NPRM, the new rules propose changes to the text of the EEOC’s ADA regulations and to the interpretive guidance explaining them.
If adopted, the NPRM will provide employers guidance on how they can use financial incentives or penalties to encourage employees to participate in wellness programs without violating the ADA, even if the programs include disability-related inquiries or medical examinations. This should be welcome news for employers, having spent nearly the past six years in limbo as a result of the EEOC’s virtual radio silence on this question.
A Brief History: How
Did We Get Here?
In 1990, the ADA was enacted to protect individuals with ADA-qualifying disabilities from discrimination in the workplace. Under the ADA, employers may conduct medical examinations and obtain medical histories as part of their wellness programs so long as employee participation in them is voluntary. The EEOC confirmed in 2000 that it considers a wellness program voluntary, and therefore legal, where employees are neither required to participate in it nor penalized for non-participation.
Then, in 2006, regulations were issued that exempted wellness programs from the nondiscrimination requirements of the Health Insurance Portability and Accountability Act (HIPAA) so long as they met certain requirements. These regulations also authorized employers for the first time to offer financial incentives of up to 20% of the cost of coverage to employees to encourage them to participate in wellness programs.
But between 2006 and 2009 the EEOC waffled on the legality of these financial incentives, stating that “the HIPAA rule is appropriate because the ADA lacks specific standards on financial incentives” in one instance, and that the EEOC was “continuing to examine what level, if any, of financial inducement to participate in a wellness program would be permissible under the ADA” in another.
Shortly thereafter, the 2010 enactment of President Obama’s Patient Protection and Affordable Care Act (ACA), which regulates corporate wellness programs, appeared to put this debate to rest. The ACA authorized employers to offer certain types of financial incentives to employees so long as the incentives did not exceed 30% of the cost of coverage to employees.
But in the years following the ACA’s enactment, the EEOC restated that it had not in fact taken any position on the legality of financial incentives. In the wake of this pronouncement, employers were left understandably confused and uncertain. To alleviate these sentiments, several federal agencies banded together and jointly issued regulations that authorized employers to reward employees for participating in wellness programs, including programs that involved medical examinations or questionnaires. These regulations also confirmed the previously set 30%–of-coverage ceiling and even provided for incentives of up to 50%of coverage for programs related to preventing or reducing the use of tobacco products.
After remaining silent about employer wellness programs for nearly five years, in August 2014, the EEOC awoke from its slumber and filed its very first lawsuit targeting wellness programs, EEOC v. Orion Energy Systems, alleging that they violate the ADA. In the following months, it filed similar suits against Flambeau, Inc., and Honeywell International, Inc. In EEOC v. Honeywell International, Inc., the EEOC took probably its most alarming position on the subject to date, asserting that a wellness program violates the ADA even if it fully complies with the ACA.
What’s In The NPRM?
According to EEOC Chair Jenny Yang, the purpose of the EEOC’s NPRM is to reconcile HIPAA’s authorization of financial incentives to encourage participation in wellness programs with the ADA’s requirement that medical examinations and inquiries that are part of them be voluntary. To that end, the NPRM explains:
Each of these parts of the NPRM is briefly discussed below.
What is an employee
In general, the term “wellness program” refers to a program or activity offered by an employer to encourage its employees to improve their health and to reduce overall health care costs. For instance, one program might encourage employees to engage in healthier lifestyles, such as exercising daily, making healthier diet choices, or quitting smoking. Another might obtain medical information from them by asking them to complete health risk assessments or undergo a screening for risk factors.
The NPRM defines wellness programs as programs that are reasonably designed to promote health or prevent disease. To meet this standard, programs must have a reasonable chance of improving the health of, or preventing disease in, its participating employees. The programs also must not be overly burdensome, a pretext for violating anti-discrimination laws, or highly suspect in the method chosen to promote health or prevent disease.
How is voluntary
The NPRM contains several requirements that must be met in order for participation in wellness programs to be voluntary. Specifically, employers may not:
Additionally, for wellness programs that are part of a group health plan, employers must provide a notice to employees clearly explaining what medical information will be obtained, how it will be used, who will receive it, restrictions on its disclosure, and the protections in place to prevent its improper disclosure.
What incentives may
The NPRM clarifies that the offer of limited incentives is permitted and will not render wellness programs involuntary. Under the NPRM, the maximum allowable incentive employers can offer employees for participation in a wellness program or for achieving certain health results is 30% of the total cost of coverage to employees who participate in it. The total cost of coverage is the amount that the employer and the employee pay, not just the employee’s share of the cost. The maximum allowable penalty employers may impose on employees who do not participate in the wellness program is the same.
The NPRM does not change any of the exceptions to the confidentiality provisions in the EEOC’s existing ADA regulations. It does, however, add a new subsection that explains that employers may only receive information collected by wellness programs in aggregate form that does not disclose, and is not likely to disclose, the identity of the employees participating in it, except as may be necessary to administer the plan.
Additionally, for a wellness program that is part of a group health plan, the health information that identifies an individual is “protected health information” and therefore subject to HIPAA. HIPAA mandates that employers maintain certain safeguards to protect the privacy of such personal health information and limits the uses and disclosure of it.
Keep in mind that the NPRM revisions discussed above only clarify the EEOC’s stance regarding how employers can use financial incentives to encourage their employees to participate in employer wellness programs without violating the ADA. It does not relieve employers of their obligation to ensure that their wellness programs comply with other anti-discrimination laws as well.
Is This The Law?
The NPRM is just a notice that alerts the public that the EEOC intends to revise its ADA regulations and interpretive guidance as they relate to employer wellness programs. It is also an open invitation for comments regarding the proposed revisions. Anyone who would like to comment on the NPRM must do so by June 19, 2015. After that, the EEOC will evaluate all of the comments that it receives and may make revisions to the NPRM in response to them. The EEOC then votes on a final rule, and once it is approved, it will be published in the Federal Register.
Since the NPRM is just a proposed rule, you do not have to comply with it just yet. But our advice is that you bring your wellness program into compliance with the NPRM for a few reasons. For one, it is very unlikely that the EEOC, or a court, would fault you for complying with the NPRM until the final rule is published. Additionally, many of the requirements that are set forth in the NPRM are already required under currently existing law. Thus, while waiting for the EEOC to issue its final rule, in the very least, you should make sure that you do not:
In addition you should provide reasonable accommodations to employees with disabilities to enable them to participate in wellness programs and obtain any incentives offered (e.g., if an employer has a deaf employee and attending a diet and exercise class is part of its wellness program, then the employer should provide a sign language interpreter to enable the deaf employee to participate in the class); and ensure that any medical information is maintained in a confidential manner.
During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering which employers might want to take action on sooner rather than later – collecting Social Security numbers (SSNs), particularly when required to do so from the spouses and dependents of their employees. There are, of course, ACA implications for not taking this step, as well as data privacy and security risks for employer and their vendors.
Under the ACA, providers of “minimum essential coverage” (MEC) must report certain information about that coverage to the Internal Revenue Service (IRS), as well as to persons receiving that MEC. Employers that sponsor self-insured group health plans are providers of MEC for this purpose, and in the course of meeting the reporting requirements, must collect and report SSNs to the IRS. However, this reporting mandate requires those employers (or vendors acting on their behalf) to transmit to the IRS the SSNs of employee and their spouses and dependents covered under the plan, unless the employers either (i) exhaust reasonable collection efforts described below, (ii) or meet certain requirements for limited reporting overall.
Obviously, employers are familiar with collecting, using and disclosing employee SSNs for legitimate business and benefit plan purposes. Collecting SSNs from spouses and dependents will be an increased burden, creating more risk on employers given the increased amount of sensitive data they will be handling, and possibly from vendors working on their behalf. The reporting rules permit an employer to use a dependent’s date of birth, only if the employer was not able to obtain the SSN after “reasonable efforts.” For this purpose, reasonable efforts means the employer was not able to obtain the SSN after an initial attempt, and two subsequent attempts.
From an ACA standpoint, employers with self-insured plans that have not collected this information should be engaged in these efforts during the year (2015) to ensure they are ready either to report the SSNs, or the DOBs. At the same time, collecting more sensitive information about individuals raises data privacy and security risks for an organization regarding the likelihood and scope of a breach. Some of those risks, and steps employers could take to mitigate those risks, are described below.
Employers navigating through ACA compliance and reporting requirements have many issues to be considered. How personal information or protected health information is safeguarded in the course of those efforts is one more important consideration.
The rush for group health plan administrators to navigate the Centers for Medicare & Medicaid Services (CMS) website and obtain a Health Plan Identifier (HPID) ahead of the November 5th deadline is over. On October 31, 2014, the CMS Office of e-Health Standards and Services (OESS), the division of the Department of Health & Human Services (HHS) that is responsible for enforcement of the HIPAA standard transaction requirements, announced a “delay, until further notice,” of the HPID requirements. The regulatory obligations of plan administrators delayed by this notice are the: (i) obtaining of a HPID, and (ii) the use of the HPID in HIPAA transactions.
This delay comes on the heels of a recommendation by the National Committee on Vital and Health Statistics (NCVHS), an advisory body to HHS. The NCVHS asked HHS to review the HPID requirement and recommended that HPIDs not be used in HIPAA transactions. NCVHS’s primary opposing argument to implementation of the HPID standard was that the healthcare industry has already adopted a “standardized national payer identifier based on the National Association of Insurance Commissioners (NAIC) identifier.”
Whether HHS will adopt the recommendations of the NCVHS on a permanent basis remains to be seen, but for the time being, plan administrators may discontinue the HPID application process and should stay tuned for further announcements from HHS.
The Department of Health and Human Services (HHS) recently updated the Code Set Rules. The Code Set rules are part of the Health Insurance Portability and Accountability Act’s (HIPPA’s) Administrative Simplification Provisions. These rules create uniform electronic standards for common health plan administrative processes. Requiring health care providers and other stakeholders to use the same data formats for common transactions simplifies certain administrative aspects of providing and paying for health care.
Under the latest rules, self funded employers will need to apply for a Health Plan Identifier (HPID). Most employers will have to apply by November 5, 2014. This number will be used to ensure employers comply with certain Code Set rules requirements.
The Code Set Rules have affected covered entities for a number of years. However, certain aspects of these rules were not enforced in the past. In order to promote efficient health coverage, health care reform includes provisions to ensure health care stakeholders are complying with specific transaction and code set requirements.
Review of the HIPAA Code Set Rules
The final HIPAA Transaction and Code regulations published in August 2000 applied to most health plans as of October 16, 2003. They require covered entities conducting certain transactions electronically to use specific standards and code sets. Covered entities include:
Most of the applicable transactions occur between the health plan and health care providers covering areas like claims submission and payment, eligibility, and authorizations/referrals, however the enrollment and disenrollment transaction process generally involves the employer and the health plan.
New Requirements for a HPID for Self Funded Plans
The Code Set rules require all parties involved in the health care system to use an identifying number. Large group health plans (plans with an annual cost of $5 million or more) need to register for their Health Plan Identifier (HPID) number by November 5, 2014. Small group health plans (plans with an annual cost of less than $5 million) will have an extra year to obtain an HPID. Annual cost is based on paid claims before stop loss recoveries and excluding administrative costs and stop loss premiums.
Insurance carriers will likely apply for the 10-digit HPID number for all of their fully- insured group health plans. Employers will have to apply for their 10-digit HPID for self-funded medical plans. The health plan needs to use the HPID number for any of the standard transactions the Code Set rules cover.
Every health plan considered a covered entity must obtain an HPID. The regulations include delineations of group health plans including Controlling Health Plans (a health plan that controls its own business activities, actions and policies) and Subhealth Plan (a health plan whose business activities, actions or policies are directed by a Controlling Health Plan).
Employers are not really sure how the relationship between controlling health plans and subhealth plans would apply to employer-sponsored health plans and are awaiting further clarification from HHS on this issue.
All health plans, regardless of size, must use their HPIDs in standard transactions by November 7, 2016. A “standard transaction” is a CMS menu of transactions, like a claim payment, that must be coded with an HPID.
Employer must provide information about their organizations and health plans when they register for the HPID electronically. More information on applying for an HPID is available here.
Certification Requirements for Compliance with Standard Transaction Rules
Health plans must also verify with HHS that they comply with the Code Set rules. Health plans have been subject to these rules for almost a decade, however there has been little to no oversight on compliance with the common formats. HHS is now requiring a certification showing that the plan is using the standard formats. Initially, the certification will only be done on a few of the required transactions.
The health plan must first certify that they meet the Code Set requirements for eligibility, claim status and EFT and remittance advice transactions. Plans have two different options to certify they are complying. Both involve having specific vendors certify the plan uses the proper transaction formats. The two options are as follows:
The HIPAA Credential option involves testing the required transactions with at least three trading partners. Those three partners have to represent at least 30% of transactions conducted with providers. If it does not constitute 30%, then the plan must confirm it has successfully traded with at least 25%.
The Phase III Core Seal will require the Controlling Health Plan to test transactions with an authorized testing vendor.
All certifications will be filed with HHS. The first one will be due by December 31, 2015. Health insurance carriers and Third Party Administrators will most likely provide the certifications for employer-sponsored health plans, but employers will still need more details on the filing.
The second certification applies to other transactions the Code Set rules cover. Specifically, the second certification applies to claims information, enrollment, premium payments, claims attachments, and authorizations or referrals. HHS has not issued any guidance on these certifications yet. These second certifications are also due by December 31, 2015. However, because of the lack of specific guidance, it is very likely this due date may be delayed.
To register for an HPID, employers need to take the following steps:
1. Determine when the plan must obtain an HPID
2. If your plan if fully insured, contact your insurance carrier. It appears most insurance carriers will apply for the HPID for fully insured plans.
3. If your plan is self-funded, schedule time over the next several months to register for an HPID for your health plan. The registration is a CMS-managed online application process. The regulations estimate that it will take 20 -30 minutes to complete the application. Sponsors will be directed to an online enumeration system titled: Health Plan and Other Entity Enumeration System (HPOES).
The topic this month highlights record retention and cover what employers should be keeping and for how long.
Did you know that there are over 14,000 federal, state, and industry specific laws/standards/regulations that dictate how long employers are required to keep certain records? Non-compliance can result in fines against company employees personally as well as judgments against the company itself.
Some of the Federal Labor and Employment laws that require record retention include:
Please contact our office directly if you would like more information on this topic or if you would like more information regarding how to conduct an audit of your company record retention policies.
Under the 2013 Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules provisions, employers must update their health information disclosure policies and retrain employees to ensure compliance.
The Department of Health and Human Services (HHS) issued the new HIPAA regulations on January 25, 2013, to execute major changes that were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as the Genetic Information Nondiscrimination Act (GINA).
New Requirements for Business Associates
HIPAA regulations previously generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains, or transmits” personal health information (PHI).
The key addition in this part of the regulation is found in the word ‘maintains’ because any entity that ‘maintains’ PHI on behalf of a covered entity- even if no access to that information is required or expected- will now be considered a business associate.
This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions and do not have business associate agreements (BAAs) with such vendors.
If you give PHI to a vendor before a BAA is in place, you will be in violation of HIPAA, and if you are a vendor, you can’t receive PHI without a compliant BAA in place. There must be a compliant BAA in place first.
Another change is that plan sponsors must enter into a sub-BAA with agents or subcontractors who are retained to help a business associate with covered functions for an employer-sponsored health plan. Plan sponsors should include BAA language that states that a business associate can’t subcontract work without prior permission, and then to monitor compliance with those agreements.
Presumption of PHI Breach Introduced
Under the previous rules, an impermissible use or disclosure of PHI- including electronic PHI- was a breach only if it posed a significant risk of harm to the individual. The HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to breach-notification rules.
Under the new rules, the only way now to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised.
To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors- at a minimum:
The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.
Action Advised for 2013
While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny.
Employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors. Employers should also review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted. It is also important to train employees who have access to PHI on these updated policies and procedures.
The final regulations take effect September 23, 2013 and the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on January 1, 2013. HHS also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Employers should ultimately ensure that their business associate agreements are appropriately tailored to their individual circumstances and business needs.
Our topic this month covers the new I-9 form that was recently released as well as various considerations for 2014.
Areas discussed include:
Contact us today for more information on this topic.
Proposed guidance on the 90 day waiting period limit that was set in place by the Affordable Care Act (ACA) was issued on March 21, 2013 by the Department of Labor, Health & Human Services, and the Treasury (the “Departments”). This rule will apply to plan years beginning on or after January 1, 2014.
The 90 day limit set under Health Care Reform prevents an eligible employee or dependent from having to wait more than 90 days before coverage under a group health plan becomes effective. All calendar days (including weekends and holidays) are counted when determining what date the employee has satisfied the 90 day probationary period.
The Departments have confirmed that there is no de minimis exception for the difference between 90 days and 3 months. Therefore, plans with a 3 month waiting period in their group benefit contracts (including the Section 125 plan document) will need to make sure these are amended for the 2014 plan year. In addition, plans with a waiting period in which coverage begins on the first day of the month immediately following 90 days will also need to be amended as coverage can not begin any later than the 90th day. Employers who prefer to use a first day of the month starting date for coverage rather than a date sometime mid-month should consider implementing a 60 day waiting period instead. If an employer runs into an instance where an employee is in the middle of their waiting period when the regulations become effective (on the group’s renewal anniversary date on or following January 1, 2014), the waiting period for the employee may need to be shortened if it would exceed the 90 days.
Caution: Employers sponsoring a group health plan should also be mindful of the rules under the employer “pay or play” mandate. The 90 day limit on waiting periods offers slightly more flexibility than the employer mandate. For instance, if an employer’s health plan provides employees will become eligible for coverage 90 days after obtaining a pilot’s license, that requirement would comply with the 90 day limit on waiting periods. However, the same employer could be liable under the employer mandate for failing to provide coverage to a full time employee within 3 months of their date of hire. So, employers sponsoring a group health plan should confirm that any plan eligibility criteria aligns with both the employer mandate and the 90 day limit on waiting periods.
The Departments have also announced that HIPAA Certificates of Creditable Coverage will be phased out by 2015. Plans will not be permitted to impose any pre-existing condition exclusions effective for plan years beginning on or after January 1, 2014. This provision is also in effect for enrollees who are under age 19. Plan sponsors must continue to provide Certificates through December 31, 2014 since individuals enrolling in plans with plan years beginning later than January 1 may still be subject to pre-existing condition exclusions up through 2014.