
DOL Issues Guidance on Outbreak Period Extensions

March 01 - Posted at 1:41 PM

The COVID-19 extensions that the DOL and IRS had issued last year as part of their “Joint Notice” were set to expire at midnight on February 28th.  For weeks, many have been asking the DOL and IRS for guidance on how to handle the statutorily-mandated expiration, and as a result of the lack of guidance, most plans, TPAs, insurers, and COBRA administrators had to make a judgment call as to how to proceed.

But – with 2 days to spare – DOL finally issued Disaster Relief Notice 2021-01 on February 26th.

Notice 2021-01 sets forth the DOL and IRS’ position that the COVID-19 extensions will continue past February 28th, and that all such extensions must be measured on a person-by-person basis – which was not clear from the prior guidance.  Plans, TPAs, insurers, and COBRA administrators may have to reconsider their administrative practices in light of this new direction.

Short Background

The original Joint Notice (85 Fed. Reg. 26351 (May 4, 2020)) required that health and retirement plans toll a number of deadlines for individuals during the COVID-19 National Emergency, plus a 60-day period (the “Outbreak Period”) starting March 1, 2020.

But, as described in Footnote 4 of the Joint Notice, ERISA and the Code limit DOL and Treasury’s ability to toll deadlines to one year (“Tolling Period”).

The deadlines impacted in the Joint Notice are:

  • Deadline to elect COBRA;
  • Deadline to pay COBRA premiums;
  • Deadline to elect HIPAA special enrollment;
  • Deadlines to file claims, appeals, and requests for external review; and
  • Deadline for plan to provide COBRA election notice


When there has been disaster relief guidance in the past, these periods have not bumped up against the statutorily-imposed one-year limit, so this COVID-19 extension is new territory – hence all the requests for the agencies to issue guidance regarding the expiration date.

Disaster Relief Notice 2021-01

In this late-breaking Notice 2021-01, DOL says it coordinated with HHS and IRS, and the agencies are interpreting the Tolling Period to be read on a person-by-person basis.

Specifically, DOL says that the Tolling Period ends the earlier of:

  1. One year from the date the deadline would have begun running for that individual; or
  2. 60 days from the end of the National Emergency (which is still ongoing).

This means that each individual has his or her own Tolling Period!

For example, a COBRA Qualified Beneficiary (QB) has 60 days to elect COBRA, counted from the later of their loss of coverage or the date their COBRA election notice is provided.  Under the Joint Notice, a QB’s 60-day deadline was tolled as of March 1, 2020, until the end of the Outbreak Period (that is, until the end of the National Emergency + 60 days).

At the end of the Outbreak Period, the deadlines would start running again, and the QB would have their normal 60-day COBRA election period (or the balance of their election period if it started before March 1, 2020).

BUT – with the 1-year expiration, DOL’s new Notice 2021-01 says that the one-year period does not end on February 28, 2021 for all individuals, but rather each individual has his/her own one-year Tolling Period.

Examples:

  • If QB A’s election period started 2/1/20, her election deadline was tolled as of 3/1/20. Her one-year Tolling Period would end 2/28/21, so her election period would start 3/1/21, and she would have the balance of her 60-day election period.
  • If QB B’s election period started 3/1/20, her election deadline was tolled as of 3/1/20. Her one-year Tolling Period would end 2/28/21, so her 60-day election period would start 3/1/21.
  • If QB C’s election period started 6/1/20, her election deadline was tolled right away, as of 6/1/20. Her one-year Tolling Period would end 5/31/21, so her 60-day election period would start 6/1/21.
  • If QB D’s election period starts 4/1/21, her election deadline also will be tolled right away on 4/1/21, as long as we are still in the National Emergency. Her one-year Tolling Period would end 3/31/22, so her 60-day election period would start 4/1/22.

For all of these examples, the tolling would end earlier if the National Emergency ends.  In that case, the election period would end 60 days after the end of the National Emergency.

Reasonable Accommodation Requirement

Notice 2021-01 also says that DOL recognizes that enrollees may continue to encounter COVID issues, even after the one-year Tolling Period expiration.  DOL says that the “guiding principle” is for plans to act reasonably, prudently, and in the interest of the workers and their families.  DOL says that plan fiduciaries should make “reasonable accommodations to prevent the loss of or undue delay in payment of benefits . . . and should take steps to minimize the possibility of individuals losing benefits because of a failure to comply with pre-established time frames.”

Notice 2021-01 does not provide any direction regarding what would constitute a “reasonable accommodation.”  It sounds like plans may need a process to consider whether to continue to waive deadlines on a case-by-case basis, but without any guidance as to what parameters to apply.  And DOL suggests that failure to do so could be a fiduciary issue.


Notices

Regarding communicating these changes to enrollees, DOL says:

  • The plan administrator or fiduciary “should consider” affirmatively sending a notice regarding the end of the one-year relief period (presumably to each person based on her own customized extension period).
  • Plans “may need” to reissue or amend prior disclosures if they failed to provide accurate information regarding these new extension deadlines.
  • Plans “should consider” making enrollees aware of other coverage options, such as the Special Enrollment Period under the Health Insurance Marketplace.

DOL seems to be saying that plans may need to notify each individual when his or her one-year extension is about to be up and should include information about the Health Insurance Marketplace.  In addition, plans may need to update prior communications that did not anticipate this new DOL interpretation.

Enforcement

DOL says it acknowledges that there may be instances when plans or service providers themselves may not be able to fully and timely comply with pre-established timeframes and disclosure requirements.  DOL says that where fiduciaries have acted in “good faith and with reasonable diligence under the circumstances,” DOL’s approach to enforcement will be “marked by an emphasis on compliance assistance,” including grace periods or other relief.

DOL and IRS Announce Emergency COVID-19 COBRA Rules

May 04 - Posted at 10:49 AM

On April 29, 2020, the Department of Labor (DOL) and the Internal Revenue Service (IRS) announced in a Notice a “pause” in the timelines that affect many COBRA and HIPAA Special Enrollment Period timelines during the National Emergency due to the COVID-19 pandemic.

The National Emergency declaration for COVID-19 was issued on March 13, 2020, and as of the date of this writing, is still in effect. However, for purposes of COBRA in the eyes of the DOL, the “pause” date is set to begin on March 1, 2020. According to the Notice, the period from March 1 through 60 days after the date the National Emergency is declared ended is known as the “Outbreak Period.”

COBRA Timeline Changes During National Emergency

Normally, group health plan Qualified Beneficiaries (QBs) have 60 days from the date of a COBRA qualifying event to elect COBRA coverage, or in the case of a second COBRA qualifying event, to make a new COBRA election. Once a COBRA election is made, the first payment (going back to the date of the COBRA qualifying event) is due no more than 45 days later. After that, plan sponsors must allow at least a 30 day grace period for late COBRA payments.

According to the Notice, all of these timelines are affected. The 60-day election “clock” is paused beginning March 1, 2020 or later until the end of the Outbreak Period. Similarly, the 45-day first payment “clock” is also paused during the Outbreak Period, as is the 30-day grace period for making COBRA payments.

Example

ABC Company’s group health plan is subject to COBRA continuation coverage. Jane Jetson and her family are covered under ABC’s group health plan. On February 1, 2020 Jane terminates employment at ABC, and on February 5th, Jane receives her COBRA election notice informing her she has 60 days from February 1st to make an election. Normally, that election period would end on April 1, 2020, 60 days from February 1st.

However, with the new DOL/IRS Notice, the “pause” button on the 60 day election period was hit on March 1st, the beginning of the Outbreak Period, so the 60 day clock stops at 29 days and doesn’t resume until the end of the Outbreak Period.  For sake of this example, let’s assume the National Emergency declaration is lifted on May 31, 2020. On July 30, 2020, 60 days after May 31st and thus the end of the Outbreak Period, the “pause” button is lifted and the COBRA election clock restarts for another 31 days to complete the 60 day COBRA election period, which now would end on August 30, 2020.

Continuing with the example and assumptions, if Jane did make her COBRA election to continue coverage on August 30th (the last day to do so), the 45 day clock to make the first payments back to February 1st would begin, and she would have to make all seven months’ payments by October 14, 2020. Of course, by that date she’d also owe payments for September and October as well, although she’d be in the middle of the grace period for October.

HIPAA Special Enrollment Period

Similarly, the 30 day HIPAA Special Enrollment Period (SEP) for qualified changes of status that impacts group health plan enrollment changes is also “paused” until after the end of the Outbreak Period.

Example

Homer Simpson also works for ABC Company, and has elected not to participate in ABC’s group health plan since he has coverage through his spouse Marge’s employer’s group health plan at XYZ Company. On March 15, 2020, Homer and Marge have a baby named Bart, and decide that Homer would like to cover his entire family under ABC’s plan. In normal times, Homer would have 30 days from the date of Bart’s birth to enroll in ABC’s group health plan utilizing the HIPAA SEP.

However, under the DOL/IRS Notice, that 30-day clock is on “pause” until the end of the Outbreak Period. Using the same assumption in the example above, that clock would start on July 30th, and Homer would have until August 30th to enroll his entire family.

Action Items for Plan Sponsors

Plan sponsors will need to pay close attention to this Notice and make proper adjustments in their established COBRA and HIPAA procedures to accommodate it. 

The U.S. Equal Employment Opportunity Commission (EEOC) recently issued proposed new rules clarifying its stance on the interplay between the Americans with Disabilities Act (ADA) and employer wellness programs. Officially called a “notice of proposed rulemaking” or NPRM, the new rules propose changes to the text of the EEOC’s ADA regulations and to the interpretive guidance explaining them.


If adopted, the NPRM will provide employers guidance on how they can use financial incentives or penalties to encourage employees to participate in wellness programs without violating the ADA, even if the programs include disability-related inquiries or medical examinations.  This should be welcome news for employers, having spent nearly the past six years in limbo as a result of the EEOC’s virtual radio silence on this question.

A Brief History: How Did We Get Here?
In 1990, the ADA was enacted to protect individuals with ADA-qualifying disabilities from discrimination in the workplace.  Under the ADA, employers may conduct medical examinations and obtain medical histories as part of their wellness programs so long as employee participation in them is voluntary.  The EEOC confirmed in 2000 that it considers a wellness program voluntary, and therefore legal, where employees are neither required to participate in it nor penalized for non-participation.


Then, in 2006, regulations were issued that exempted wellness programs from the nondiscrimination requirements of the Health Insurance Portability and Accountability Act (HIPAA) so long as they met certain requirements.  These regulations also authorized employers for the first time to offer financial incentives of up to 20% of the cost of coverage to employees to encourage them to participate in wellness programs. 


But between 2006 and 2009 the EEOC waffled on the legality of these financial incentives, stating that “the HIPAA rule is appropriate because the ADA lacks specific standards on financial incentives” in one instance, and that the EEOC was “continuing to examine what level, if any, of financial inducement to participate in a wellness program would be permissible under the ADA” in another.


Shortly thereafter, the 2010 enactment of President Obama’s Patient Protection and Affordable Care Act (ACA), which regulates corporate wellness programs, appeared to put this debate to rest.  The ACA authorized employers to offer certain types of financial incentives to employees so long as the incentives did not exceed 30% of the cost of coverage to employees.


But in the years following the ACA’s enactment, the EEOC restated that it had not in fact taken any position on the legality of financial incentives.  In the wake of this pronouncement, employers were left understandably confused and uncertain.  To alleviate these sentiments, several federal agencies banded together and jointly issued regulations that authorized employers to reward employees for participating in wellness programs, including programs that involved medical examinations or questionnaires.  These regulations also confirmed the previously set 30%-of-coverage ceiling and even provided for incentives of up to 50% of coverage for programs related to preventing or reducing the use of tobacco products.


After remaining silent about employer wellness programs for nearly five years, in August 2014, the EEOC awoke from its slumber and filed its very first lawsuit targeting wellness programs, EEOC v. Orion Energy Systems, alleging that they violate the ADA.  In the following months, it filed similar suits against Flambeau, Inc., and Honeywell International, Inc.  In EEOC v. Honeywell International, Inc., the EEOC took probably its most alarming position on the subject to date, asserting that a wellness program violates the ADA even if it fully complies with the ACA.


What’s In The NPRM?
According to EEOC Chair Jenny Yang, the purpose of the EEOC’s NPRM is to reconcile HIPAA’s authorization of financial incentives to encourage participation in wellness programs with the ADA’s requirement that medical examinations and inquiries that are part of them be voluntary.  To that end, the NPRM explains:

  • what an employee wellness program is;
  • what it means for an employee wellness program to be voluntary;
  • what incentives employers may offer as part of a voluntary employee wellness program; and
  • what requirements apply concerning notice and confidentiality of medical information obtained as part of voluntary employee wellness programs.


Each of these parts of the NPRM is briefly discussed below.


What is an employee wellness program?
In general, the term “wellness program” refers to a program or activity offered by an employer to encourage its employees to improve their health and to reduce overall health care costs.  For instance, one program might encourage employees to engage in healthier lifestyles, such as exercising daily, making healthier diet choices, or quitting smoking.  Another might obtain medical information from them by asking them to complete health risk assessments or undergo a screening for risk factors. 


The NPRM defines wellness programs as programs that are reasonably designed to promote health or prevent disease.  To meet this standard, programs must have a reasonable chance of improving the health of, or preventing disease in, its participating employees.  The programs also must not be overly burdensome, a pretext for violating anti-discrimination laws, or highly suspect in the method chosen to promote health or prevent disease.


How is voluntary defined?
The NPRM contains several requirements that must be met in order for participation in wellness programs to be voluntary.  Specifically, employers may not:

  • require employees to participate in a wellness program;
  • deny or limit coverage or particular benefits for non-participation in a wellness program; or
  • take any adverse action against employees for non-participation in a wellness program or failure to achieve certain health outcomes. 


Additionally, for wellness programs that are part of a group health plan, employers must provide a notice to employees clearly explaining what medical information will be obtained, how it will be used, who will receive it, restrictions on its disclosure, and the protections in place to prevent its improper disclosure.


What incentives may you offer?
The NPRM clarifies that the offer of limited incentives is permitted and will not render wellness programs involuntary.  Under the NPRM, the maximum allowable incentive employers can offer employees for participation in a wellness program or for achieving certain health results is 30% of the total cost of coverage to employees who participate in it.  The total cost of coverage is the amount that the employer and the employee pay, not just the employee’s share of the cost.  The maximum allowable penalty employers may impose on employees who do not participate in the wellness program is the same. 


What about confidentiality?
The NPRM does not change any of the exceptions to the confidentiality provisions in the EEOC’s existing ADA regulations.  It does, however, add a new subsection that explains that employers may only receive information collected by wellness programs in aggregate form that does not disclose, and is not likely to disclose, the identity of the employees participating in it, except as may be necessary to administer the plan. 


Additionally, for a wellness program that is part of a group health plan, the health information that identifies an individual is “protected health information” and therefore subject to HIPAA.  HIPAA mandates that employers maintain certain safeguards to protect the privacy of such personal health information and limits the uses and disclosure of it.


Keep in mind that the NPRM revisions discussed above only clarify the EEOC’s stance regarding how employers can use financial incentives to encourage their employees to participate in employer wellness programs without violating the ADA.  It does not relieve employers of their obligation to ensure that their wellness programs comply with other anti-discrimination laws as well.


Is This The Law?
The NPRM is just a notice that alerts the public that the EEOC intends to revise its ADA regulations and interpretive guidance as they relate to employer wellness programs.  It is also an open invitation for comments regarding the proposed revisions.  Anyone who would like to comment on the NPRM must do so by June 19, 2015.  After that, the EEOC will evaluate all of the comments that it receives and may make revisions to the NPRM in response to them.  The EEOC then votes on a final rule, and once it is approved, it will be published in the Federal Register.


Since the NPRM is just a proposed rule, you do not have to comply with it just yet.  But our advice is that you bring your wellness program into compliance with the NPRM for a few reasons.  For one, it is very unlikely that the EEOC, or a court, would fault you for complying with the NPRM until the final rule is published.  Additionally, many of the requirements that are set forth in the NPRM are already required under currently existing law.  Thus, while waiting for the EEOC to issue its final rule, at the very least, you should make sure that you do not:


  • require employees to participate in wellness programs;
  • deny health insurance coverage to employees for non-participation in wellness programs; or
  • take adverse employment action against employees for non-participation in wellness programs or for failure to achieve certain health outcomes.


In addition, you should provide reasonable accommodations to employees with disabilities to enable them to participate in wellness programs and obtain any incentives offered (e.g., if an employer has a deaf employee and attending a diet and exercise class is part of its wellness program, then the employer should provide a sign language interpreter to enable the deaf employee to participate in the class), and ensure that any medical information is maintained in a confidential manner.

ACA Information Reporting Creates Data Privacy and Security Issues

March 12 - Posted at 2:01 PM

During this year, businesses will be hearing a lot about the Affordable Care Act’s (ACA’s) information reporting requirements under Code Sections 6055 and 6056. Information gathering will be critical to successful reporting, and there is one aspect of that information gathering which employers might want to take action on sooner rather than later – collecting Social Security numbers (SSNs), particularly when required to do so from the spouses and dependents of their employees. There are, of course, ACA implications for not taking this step, as well as data privacy and security risks for employers and their vendors.


Under the ACA, providers of “minimum essential coverage” (MEC) must report certain information about that coverage to the Internal Revenue Service (IRS), as well as to persons receiving that MEC. Employers that sponsor self-insured group health plans are providers of MEC for this purpose, and in the course of meeting the reporting requirements, must collect and report SSNs to the IRS. However, this reporting mandate requires those employers (or vendors acting on their behalf) to transmit to the IRS the SSNs of employees and their spouses and dependents covered under the plan, unless the employers either (i) exhaust reasonable collection efforts described below, or (ii) meet certain requirements for limited reporting overall.


Obviously, employers are familiar with collecting, using and disclosing employee SSNs for legitimate business and benefit plan purposes. Collecting SSNs from spouses and dependents will be an increased burden, creating more risk for employers given the increased amount of sensitive data they will be handling, and possibly from vendors working on their behalf. The reporting rules permit an employer to use a dependent’s date of birth only if the employer was not able to obtain the SSN after “reasonable efforts.” For this purpose, reasonable efforts means the employer was not able to obtain the SSN after an initial attempt and two subsequent attempts.

From an ACA standpoint, employers with self-insured plans that have not collected this information should be engaged in these efforts during the year (2015) to ensure they are ready either to report the SSNs, or the DOBs. At the same time, collecting more sensitive information about individuals raises data privacy and security risks for an organization regarding the likelihood and scope of a breach. Some of those risks, and steps employers could take to mitigate those risks, are described below.


  • Determine whether the information is subject to HIPAA. Employers will need to consider whether this information, collected for ACA group health plan reporting requirements, is protected health information under HIPAA (PHI) or within the HIPAA “employment records” exception.


  • Implement appropriate safeguards.  For an employer that determines the information collected for this purpose is PHI, it will need to ensure the appropriate steps are taken under the HIPAA privacy and security rules. Either way, employers need to take steps to safeguard this data. A number of states, such as California, Connecticut, Florida, Maryland, Massachusetts, New York, and Oregon, require reasonable safeguards be in place to protect such information. Examples of good practices include: (i) design forms to collect only the information needed; (ii) direct responses to the requests for the information to go to a single location; (iii) if collected online, make sure the connection is secure; (iv) limit who has access to the information; and (v) after the information is captured and input, destroy all copies of the information other than as needed for appropriate documentation.


  • Ensure your vendors will protect this information. The IRS reporting regulations permit the use of third party vendors to assist employers in the reporting process. Whether the vendor is a “business associate” under HIPAA or a third-party service provider under state law, employers should be sure the vendor is contractually bound to maintain and implement appropriate privacy and security practices, including data breach preparedness.


Employers navigating through ACA compliance and reporting requirements have many issues to be considered. How personal information or protected health information is safeguarded in the course of those efforts is one more important consideration.

HPID Requirement Delayed by HHS

November 03 - Posted at 1:23 PM

The rush for group health plan administrators to navigate the Centers for Medicare & Medicaid Services (CMS) website and obtain a Health Plan Identifier (HPID) ahead of the November 5th deadline is over.  On October 31, 2014, the CMS Office of e-Health Standards and Services (OESS), the division of the Department of Health & Human Services (HHS) that is responsible for enforcement of the HIPAA standard transaction requirements, announced a “delay, until further notice,” of the HPID requirements.  The regulatory obligations of plan administrators delayed by this notice are: (i) obtaining an HPID, and (ii) using the HPID in HIPAA transactions.

  

This delay comes on the heels of a recommendation by the National Committee on Vital and Health Statistics (NCVHS), an advisory body to HHS.  The NCVHS asked HHS to review the HPID requirement and recommended that HPIDs not be used in HIPAA transactions.  NCVHS’s primary opposing argument to implementation of the HPID standard was that the healthcare industry has already adopted a “standardized national payer identifier based on the National Association of Insurance Commissioners (NAIC) identifier.”

 

Whether HHS will adopt the recommendations of the NCVHS on a permanent basis remains to be seen, but for the time being, plan administrators may discontinue the HPID application process and should stay tuned for further announcements from HHS.

New Responsibility for Self-Funded Employers

August 06 - Posted at 2:01 PM

The Department of Health and Human Services (HHS) recently updated the Code Set Rules. The Code Set rules are part of the Health Insurance Portability and Accountability Act’s (HIPAA’s) Administrative Simplification Provisions. These rules create uniform electronic standards for common health plan administrative processes. Requiring health care providers and other stakeholders to use the same data formats for common transactions simplifies certain administrative aspects of providing and paying for health care.

 

Under the latest rules, self-funded employers will need to apply for a Health Plan Identifier (HPID). Most employers will have to apply by November 5, 2014. This number will be used to ensure employers comply with certain Code Set rules requirements.

 

The Code Set Rules have affected covered entities for a number of years. However, certain aspects of these rules were not enforced in the past. In order to promote efficient health coverage, health care reform includes provisions to ensure health care stakeholders are complying with specific transaction and code set requirements.

 

Review of the HIPAA Code Set Rules

The final HIPAA Transaction and Code regulations published in August 2000 applied to most health plans as of October 16, 2003. They require covered entities conducting certain transactions electronically to use specific standards and code sets. Covered entities include:

 

    • Health plans (including employer-sponsored health plans)
    • Health care clearinghouses (organizations, such as PPO network or physician billing services, that process or facilitate the processing of health information)
    • Health care providers that conduct certain transactions electronically

 

Most of the applicable transactions occur between the health plan and health care providers, covering areas like claims submission and payment, eligibility, and authorizations/referrals; however, the enrollment and disenrollment transaction process generally involves the employer and the health plan.

 

New Requirements for a HPID for Self Funded Plans

The Code Set rules require all parties involved in the health care system to use an identifying number. Large group health plans (plans with an annual cost of $5 million or more) need to register for their Health Plan Identifier (HPID) number by November 5, 2014. Small group health plans (plans with an annual cost of less than $5 million) will have an extra year to obtain an HPID. Annual cost is based on paid claims before stop loss recoveries and excluding administrative costs and stop loss premiums.

 

Insurance carriers will likely apply for the 10-digit HPID number for all of their fully insured group health plans. Employers will have to apply for their 10-digit HPID for self-funded medical plans. The health plan needs to use the HPID number for any of the standard transactions the Code Set rules cover.

 

Every health plan considered a covered entity must obtain an HPID. The regulations include delineations of group health plans including Controlling Health Plans (a health plan that controls its own business activities, actions and policies) and Subhealth Plan (a health plan whose business activities, actions or policies are directed by a Controlling Health Plan).

 

Employers are not really sure how the relationship between controlling health plans and subhealth plans would apply to employer-sponsored health plans and are awaiting further clarification from HHS on this issue.

 

All health plans, regardless of size, must use their HPIDs in standard transactions by November 7, 2016. A “standard transaction” is a CMS menu of transactions, like a claim payment, that must be coded with an HPID.

 

Employers must provide information about their organizations and health plans when they register for the HPID electronically. More information on applying for an HPID is available here.

 

Certification Requirements for Compliance with Standard Transaction Rules

Health plans must also verify with HHS that they comply with the Code Set rules. Health plans have been subject to these rules for almost a decade; however, there has been little to no oversight on compliance with the common formats. HHS is now requiring a certification showing that the plan is using the standard formats. Initially, the certification will only be done on a few of the required transactions.

 

The health plan must first certify that they meet the Code Set requirements for eligibility, claim status and EFT and remittance advice transactions. Plans have two different options to certify they are complying. Both involve having specific vendors certify the plan uses the proper transaction formats. The two options are as follows:

 

  1. HIPAA Credential
  2. Phase III Core Seal

 

The HIPAA Credential option involves testing the required transactions with at least three trading partners. Those three partners have to represent at least 30% of transactions conducted with providers. If it does not constitute 30%, then the plan must confirm it has successfully traded with at least 25%.

 

The Phase III Core Seal will require the Controlling Health Plan to test transactions with an authorized testing vendor.

 

All certifications will be filed with HHS. The first one will be due by December 31, 2015. Health insurance carriers and Third Party Administrators will most likely provide the certifications for employer-sponsored health plans, but employers will still need more details on the filing.

 

The second certification applies to other transactions the Code Set rules cover. Specifically, the second certification applies to claims information, enrollment, premium payments, claims attachments, and authorizations or referrals. HHS has not issued any guidance on these certifications yet. These second certifications are also due by December 31, 2015. However, because of the lack of specific guidance, it is very likely this due date may be delayed.

 

Action Plan

To register for an HPID, employers need to take the following steps:

 

 1. Determine when the plan must obtain an HPID

    • Large group health plans must obtain the HPID by November 5, 2014. A large group health plan is a plan with an expected annual cost of $5 million or higher. Annual cost is based on claims paid. Reinsurance payments can’t be taken into account when determining annual cost. Administrative expenses and stop loss premiums can be excluded when determining annual cost.

    • Small group health plans must obtain the HPID by November 5, 2015. A small group health plan is one with an expected annual cost of less than $5 million.

 2. If your plan is fully insured, contact your insurance carrier. It appears most insurance carriers will apply for the HPID for fully insured plans.

 3. If your plan is self-funded, schedule time over the next several months to register for an HPID for your health plan. The registration is a CMS-managed online application process. The regulations estimate that it will take 20-30 minutes to complete the application. Sponsors will be directed to an online enumeration system titled: Health Plan and Other Entity Enumeration System (HPOES).

March 2014 Monthly Topic- Record Retention

March 19 - Posted at 2:01 PM

The topic this month highlights record retention and covers what employers should be keeping and for how long.

 

Did you know that there are over 14,000 federal, state, and industry specific laws/standards/regulations that dictate how long employers are required to keep certain records? Non-compliance can result in fines against company employees personally as well as judgments against the company itself.

 

Some of the Federal Labor and Employment laws that require record retention include:

 

  • ADEA
  • Title VII
  • ADA
  • FLSA
  • FMLA
  • OSHA
  • IRCA
  • FUTA
  • HIPAA
  • ERISA

 

Please contact our office directly if you would like more information on this topic or if you would like more information regarding how to conduct an audit of your company record retention policies.

HHS Enhanced Enforcement of HIPAA Rules Is On The Horizon

May 21 - Posted at 4:22 PM

Under the 2013 Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules provisions, employers must update their health information disclosure policies and retrain employees to ensure compliance.

 

The Department of Health and Human Services (HHS) issued the new HIPAA regulations on January 25, 2013, to execute major changes that were mandated by the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as the Genetic Information Nondiscrimination Act (GINA).

 

New Requirements for Business Associates

 

HIPAA regulations previously generally covered any business associate who performed or assisted in any activity involving the use or disclosure of individually identifiable health information, such as third-party administrators, pharmacy benefit managers and benefit consultants. Under the new regulations, business associate status is triggered when a vendor “creates, receives, maintains, or transmits” personal health information (PHI).

 

The key addition in this part of the regulation is found in the word ‘maintains’ because any entity that ‘maintains’ PHI on behalf of a covered entity- even if no access to that information is required or expected- will now be considered a business associate.

 

This change has some important consequences for group health plans that rely on cloud storage as a repository for their PHI or that outsource information-technology support and other functions and do not have business associate agreements (BAAs) with such vendors.

 

If you give PHI to a vendor before a BAA is in place, you will be in violation of HIPAA, and if you are a vendor, you can’t receive PHI without a compliant BAA in place. There must be a compliant BAA in place first.

 

Another change is that plan sponsors must enter into a sub-BAA with agents or subcontractors who are retained to help a business associate with covered functions for an employer-sponsored health plan. Plan sponsors should include BAA language stating that a business associate can’t subcontract work without prior permission, and then monitor compliance with those agreements.

 

Presumption of PHI Breach Introduced

 

Under the previous rules, an impermissible use or disclosure of PHI- including electronic PHI- was a breach only if it posed a significant risk of harm to the individual. The HHS included in the new rules a presumption that any impermissible use or disclosure of PHI is a breach, subject to breach-notification rules.

Under the new rules, the only way now to get out of this presumption is by a demonstration that there is a low probability that the PHI was compromised. 

 

To demonstrate low probability, the health plan or business associate must perform a risk assessment of four factors- at a minimum:

 

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
  2. The unauthorized person who used the PHI or to whom the disclosure was made
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to PHI has been mitigated

The HHS has indicated that it expects these risk assessments to be thorough and completed in good faith and to reach reasonable conclusions. If the risk assessment does not find a low probability that PHI has been compromised, then breach notification is required.

 

Action Advised for 2013

 

While the new regulations bring certainty to employer-sponsored health plans and their business associates on HIPAA compliance issues, they also emphasize the department’s intention to subject business associates and their subcontractors to heightened scrutiny.

 

Employers should review and revise their BAAs to ensure compliance with the security rule, paying special attention to the inclusion of subcontractors. Employers should also review and revise (or create) breach-notification procedures that detail how a risk assessment will be conducted. It is also important to train employees who have access to PHI on these updated policies and procedures.

 

The final regulations take effect September 23, 2013 and the HHS has provided another one-year transition period for some covered entities and their business associates that had a BAA in place on January 1, 2013.  HHS also published an updated version of a template BAA, but it does not address all the unique situations that may arise between a covered entity and a business associate. Employers should ultimately ensure that their business associate agreements are appropriately tailored to their individual circumstances and business needs.

April 2013 Monthly Topic- New I-9 Form & 2014 Considerations

April 15 - Posted at 8:03 PM

Our topic this month covers the new I-9 form that was recently released as well as various considerations for 2014.

 

Areas discussed include:

 

  • New HIPAA requirements
  • New FMLA posting & forms
  • Revised I-9 form
  • The Ins & Outs of the new I-9 form
  • Wellness Programs
  • Health Care Reform Updates

 

Contact us today for more information on this topic.

Proposed guidance on the 90 day waiting period limit that was set in place by the Affordable Care Act (ACA) was issued on March 21, 2013 by the Department of Labor, Health & Human Services, and the Treasury (the “Departments”).  This rule will apply to plan years beginning on or after January 1, 2014.

 

The 90 day limit set under Health Care Reform prevents an eligible employee or dependent from having to wait more than 90 days before coverage under a group health plan becomes effective. All calendar days (including weekends and holidays) are counted when determining what date the employee has satisfied the 90 day probationary period.

 

The Departments have confirmed that there is no de minimis exception for the difference between 90 days and 3 months. Therefore, plans with a 3 month waiting period in their group benefit contracts (including the Section 125 plan document) will need to make sure these are amended for the 2014 plan year. In addition, plans with a waiting period in which coverage begins on the first day of the month immediately following 90 days will also need to be amended, as coverage cannot begin any later than the 90th day. Employers who prefer to use a first day of the month starting date for coverage rather than a date sometime mid-month should consider implementing a 60 day waiting period instead. If an employee is in the middle of their waiting period when the regulations become effective (on the group’s renewal anniversary date on or following January 1, 2014), the waiting period for the employee may need to be shortened if it would exceed the 90 days.

 

Caution: Employers sponsoring a group health plan should also be mindful of the rules under the employer “pay or play” mandate. The 90 day limit on waiting periods offers slightly more flexibility than the employer mandate. For instance, if an employer’s health plan provides that employees will become eligible for coverage 90 days after obtaining a pilot’s license, that requirement would comply with the 90 day limit on waiting periods. However, the same employer could be liable under the employer mandate for failing to provide coverage to a full time employee within 3 months of their date of hire. So, employers sponsoring a group health plan should confirm that any plan eligibility criteria align with both the employer mandate and the 90 day limit on waiting periods.

 

The Departments have also announced that HIPAA Certificates of Creditable Coverage will be phased out by 2015. Plans will not be permitted to impose any pre-existing condition exclusions effective for plan years beginning on or after January 1, 2014. This provision is also in effect for enrollees who are under age 19.  Plan sponsors must continue to provide Certificates through December 31, 2014 since individuals enrolling in plans with plan years beginning later than January 1 may still be subject to pre-existing condition exclusions up through 2014.
