HHS Announces Opening of Phase 2 HIPAA Audit Program
04/23/2016 | By: Jason Lacey

The HHS Office of Civil Rights (OCR) has announced the opening of its "Phase 2" HIPAA audit program. We have been anticipating this program for some time. It potentially affects all HIPAA covered entities, including employer-sponsored group health plans, as well as business associates of those covered entities, such as third-party administrators for self-insured health plans.

The purpose of the audit program is to "assess compliance" with the HIPAA privacy, security, and breach notification rules. Accordingly, these audits will be directed at a cross-section of HIPAA covered entities and business associates, rather than based on specific complaints or news reports.

Covered entities and business associates that are potential candidates for audit will be contacted by email (check your spam filter!) and asked to complete a pre-audit questionnaire. Not all covered entities and business associates that go through the pre-audit process will be selected for audit. But those who fail to respond to the pre-audit questionnaire will still be included in the potential audit pool, and it seems fair to assume that a failure to respond may increase OCR's interest in conducting a full-scope audit.

Based on the updated audit protocol that OCR is using to train its auditors, we have a good idea what OCR will be looking for if it conducts an audit. In the case of an employer-sponsored group health plan, the audit is likely to include a review of the following:

- The plan document (to determine whether the proper HIPAA plan language has been adopted)

Continue Reading...

HIPAA Settlement Highlights Focus on Security Concerns
12/15/2014 | By: Jason Lacey

The latest announcement by HHS regarding settlement of an investigation under the HIPAA privacy, security, and breach-notification rules reflects an increased focus by HHS on security-related issues and the need for health plans and other covered entities to take reasonable steps to protect PHI from hacking, viruses, and malware attacks.

Background. The covered entity in this case (a non-profit community mental health services organization) reported a breach affecting the PHI of approximately 2,700 individuals. The breach was caused by a malware attack on the covered entity’s IT system. The system was using outdated software that made it vulnerable to attack. Following the HHS investigation, the covered entity agreed to a settlement that included a cash payment of $150,000 and a two-year corrective action plan.

Keep Your Software Updated! A key takeaway from this case is that covered entities will be held responsible for maintaining a sound IT infrastructure. System software must be kept up-to-date, and appropriate technical security measures must be implemented, such as firewalls capable of threat monitoring.

Common Sense Approach. Although covered entities may have varying degrees of technical sophistication, HHS’s press release emphasized the need for a “common sense approach” to risk mitigation. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave [PHI] susceptible to malware and other risks.”

Adopting Policies Isn’t Enough. Another key takeaway is that adopting policies and procedures to address the HIPAA privacy and security rules is only the beginning of an appropriate HIPAA compliance program. The policies must be implemented, followed, and

Continue Reading...

IRS and HHS Rein in Minimum Value Plans
11/05/2014 | By: Jason Lacey

New guidance from the IRS and HHS aims to quickly scuttle the use of health plans designed to push the limits of minimum value. These plans (sometimes referred to in the market simply as “minimum value plans,” “MVPs,” or “MV lite”) aimed to reduce cost by excluding coverage for key benefits, such as physician services or inpatient hospitalization, but were nonetheless said to provide minimum value because they qualified under the MV calculator.

The Concept. The idea behind MVPs was to create a plan that would allow a large employer to avoid all penalties under the ACA’s employer shared responsibility mandate at relatively low cost. As minimum essential coverage that provided minimum value, an MVP would allow a large employer to avoid all penalties, so long as the plan was affordable. And due to the relatively low cost, employers could make MVPs affordable with little or no premium subsidy.

But the effect of MVPs was not limited to penalty avoidance by employers. Employees who are offered coverage under an affordable, minimum value plan are ineligible for premium tax credits (PTCs) through state and federal exchanges, even if they turn down the employer-sponsored coverage. And with MVPs, this meant employees could be knocked out of PTC eligibility with an offer of coverage under a plan that intentionally excluded a significant category of benefits (e.g., inpatient hospitalization). This may well have been their undoing.

MV Calculator. Why did this seem to work? It all came down to the MV calculator. Final HHS regulations and

Continue Reading...

CMS Indefinitely Delays HPID Implementation
11/01/2014 | By: Jason Lacey

On the eve of the deadline for large controlling health plans (CHPs) to obtain an HPID, CMS has announced that it is indefinitely delaying enforcement of the regulations that require obtaining an HPID and using the HPID in covered transactions. The announcement is effective October 31, 2014 and applies “to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses.”

What Does This Mean for Large Health Plans? The immediate impact of this announcement appears to be that large CHPs are no longer required to obtain an HPID by the November 5, 2014 deadline. Whether or when they may be required to do so in the future will depend on when (or if) CMS decides to begin enforcing the regulations again.

What Does This Mean for Small Health Plans? The deadline for small CHPs to obtain an HPID was November 5, 2015. Technically, that deadline has been suspended as well, although with a year between now and then, it’s possible that CMS could reverse course and begin enforcing the rule again before then. So small plans should monitor the status of the rule, but likely will not want to attempt to obtain an HPID until further notice.

Where Did This Come From? The CMS announcement references a September 23, 2014 report from the National Committee on Vital and Health Statistics (NCVHS). In that report, the NCVHS unequivocally recommended that covered entities not begin using an HPID in transactions involving health plans. The report argues that there is already a

Continue Reading...

CMS FAQs Clarify HIPAA Health Plan Identifier (HPID) Requirement
10/13/2014 | By: Jason Lacey

Health plans, including some employer-sponsored plans, face a looming deadline to obtain a HIPAA health plan identifier (HPID). There have been many questions surrounding this requirement, particularly as it applies to employer-sponsored plans. Recent FAQ guidance from CMS (here) has provided some key clarifications, although questions remain. Here's what you need to know.

Background. HIPAA requires health plans and other covered entities to engage in certain covered transactions in a standardized way. This is sometimes referred to as the HIPAA "transactions rule." The details of that rule are beyond what can be addressed here. But the key thing to understand is that the ACA amended the transactions rule to require health plans to obtain a specific identifier (the HPID) to be used in connection with covered transactions.

Deadline. For plans that are required to get an HPID, the deadline is November 5, 2014, unless the plan is a "small" health plan, in which case the deadline is November 5, 2015.

Small Health Plan. A small health plan is a plan that has $5 million or less in annual receipts. The CMS FAQs tell us that annual receipts mean premiums paid during the last full fiscal year, in the case of fully insured plans, and health care claims paid during the last full fiscal year, in the case of self-insured plans. Plans that are partially insured and partially self-insured combine the premiums and health care claims paid to determine their total annual receipts.

Stop-Loss Premiums. It's not clear whether annual receipts are intended to

Continue Reading...

HHS Addresses Same-Sex Spouses Under HIPAA
09/19/2014 | By: Jason Lacey

The HHS Office for Civil Rights (OCR) has provided guidance on the status of same-sex spouses under the HIPAA privacy rule. In light of the Supreme Court's Windsor decision, same-sex spouses are recognized as lawful spouses for purposes of all federal law, including HIPAA.

Under the HIPAA privacy rule, spouses are "family members" of a protected individual, which is relevant for at least the following two purposes:

- Under certain circumstances, a covered entity (including a health plan) is permitted to share an individual's protected health information with the individual's family members. The guidance makes clear that a family member includes an individual's same-sex spouse.
- The privacy rule prohibits health plans from using or disclosing genetic information for underwriting purposes. Genetic information includes, for example, genetic tests of an individual's family member or information regarding the manifestation of a disease or disorder in an individual's family member. The guidance makes clear that a family member for this purpose also includes an individual's same-sex spouse.

An individual's same-sex spouse may also qualify as the "personal representative" of an individual under the privacy rule, which, among other things, would allow the same-sex spouse to act on behalf of the individual in some circumstances. OCR indicates that further clarification regarding treatment of same-sex spouses as personal representatives will be forthcoming.

The bottom line for health plans and other covered entities is that same-sex spouses will be treated the same as opposite-sex spouses for purposes of the HIPAA

Continue Reading...

HHS Proposes 2015 Reinsurance Contribution Amount and Plan Maximums
11/27/2013 | By: Jason Lacey

HHS has issued its proposed Notice of Benefit and Payment Parameters for 2015 (here). It is frankly a pretty mind-numbing piece of regulatory handiwork, but it includes a few interesting nuggets for employers.

Transitional Reinsurance Program. The notice discusses the transitional reinsurance program at some length but has three proposals that are particularly noteworthy.

(1) 2015 Contribution Rate. The proposed contribution rate for 2015 is $44 per covered life, as compared to $63 per covered life for 2014.

(2) Change in Payment Schedule. The payment schedule is proposed to change so that the fee would be paid in two installments instead of one. The first installment will generally be due in January following the benefit year, and the second installment will generally be due in November or December following the benefit year. Both installments will be based on the same enrollment count. For the 2014 benefit year, it is anticipated that this will result in the $63 fee being paid as follows: $52.50 in January 2015 and $10.50 in late 2015. For the 2015 benefit year, it is anticipated that this will result in the proposed $44 fee being paid as follows: $33 in January 2016 and $11 in late 2016.

(3) Exclusion for Self-Administered Self-Insured Plans. Several groups that sponsor self-insured plans (notably multiemployer self-insured plans) have been lobbying for an exemption from the transitional reinsurance fee. (There is some merit to their arguments, since the transitional reinsurance program will not benefit them, but that's beside the point here.) While this proposed notice does

Continue Reading...

New Hardship Exemption from Individual Mandate
10/29/2013 | By: Jason Lacey

In the wake of the troubled rollout of the public exchanges, which has delayed the ability of many individuals and small businesses to enroll in coverage offered through the exchanges, HHS has announced (here) a new hardship exemption from the individual mandate. Anyone who enrolls in coverage through an exchange by the end of the initial exchange enrollment period (March 31, 2014) will be exempt from the individual mandate during the period in 2014 before the date the exchange-based coverage becomes effective.

Background. The individual mandate is the rule that requires most Americans to maintain health insurance coverage or pay a penalty. It takes effect January 1, 2014. But there are a number of exemptions available. Those who qualify for an exemption will not owe a penalty even if they fail to maintain insurance coverage. One exemption category is for "hardships," as defined by the government.

Exchange Enrollment Period and Coverage Effective Date. The initial exchange enrollment period began October 1, 2013 and runs through March 31, 2014. No coverage under the exchange becomes effective before January 1, 2014. Beginning in December, those who enroll in coverage on or before the 15th of the month will have coverage that becomes effective on the first day of the next month. Those who enroll after the 15th of the month will have coverage that becomes effective on the first day of the second following month. For example, an individual who enrolls for coverage on January 10, 2014 will have coverage effective as of February

Continue Reading...

New Guidance Will Limit HRAs and Employer Use of Individual Market Coverage
09/16/2013 | By: Jason Lacey

A continuing area of uncertainty under health care reform has been the treatment of health reimbursement arrangements (HRAs) and other arrangements that might be used to allow employees to purchase health insurance through individual policies with the employer subsidizing some or all of the cost. A new notice from the IRS, HHS, and DOL (here) provides some clarity on these - and some related - issues.

Employer Payment Plans. As a preliminary matter, this guidance gives us a new term: "employer payment plan." This refers to an arrangement by which an employer provides payment or reimbursement of individual market insurance premiums in the manner described in an old Revenue Ruling (Rev. Rul. 61-146). Historically, these employer payment plans have been permissible and have allowed employers to provide pre-tax subsidies of individual market coverage.

Integration of Plans with Individual Market Coverage. A concern with HRAs and employer payment plans is that they may be treated as violating two key health care reform mandates: the prohibition on annual limits and the requirement to provide no-cost preventive care services. Previous FAQ guidance (see coverage here) said that HRAs would be treated as satisfying the annual limit rule if they were "integrated" with other coverage that satisfies the annual limit rule. This guidance effectively confirms that treatment and provides a similar rule for preventive care. But the guidance goes on to say that HRAs and employer payment plans may not be treated as integrated with individual market coverage. Thus, an HRA or employer payment plan

Continue Reading...

Health Plan's Photocopier Prints a $1.2M HIPAA Fine
08/14/2013 | By: Jason Lacey

HHS has announced another significant HIPAA privacy settlement (see press release here), this time involving a managed care plan that failed to remove protected health information from the hard drive of a photocopier it had been leasing. The enforcement action stemmed - not surprisingly - from a breach report filed by the health plan in which the plan estimated that over 340,000 individuals may have been affected by the breach.

Of greater interest, however, is the manner in which the health plan discovered the breach. It was contacted by a representative of the CBS Evening News and informed that CBS had purchased the photocopier as part of an investigative report and identified confidential medical information on the photocopier's hard drive. Ouch.

In the settlement with HHS (see agreement here), the health plan agreed to pay a $1,200,000 resolution amount and implement a corrective action plan that includes using its best efforts to retrieve all hard drives contained on photocopiers previously leased by the plan.

Final Regs Make Few Changes to Contraception Mandate
07/10/2013 | By: Jason Lacey

Final tri-agency regulations were released recently on the religious employer exemption from health care reform's contraception mandate, and there is little change from the approach outlined in the proposed regulations (see discussion here). In short, the regulations finalize a moderate expansion of the definition of "religious employer," but continue to require religiously affiliated nonprofit organizations to seek an "accommodation" that allows individuals covered under their plans to obtain contraception coverage at no cost through an insurance carrier.

Applicability Date. A key piece of the final regulations is the effective-date provision, which provides nonprofit organizations some additional time to comply with the accommodation requirement. The regulations generally apply for plan years beginning on or after January 1, 2014, rather than applying for plan years beginning on or after August 1, 2013, as previously expected. Nonprofit organizations that had been relying on a one-year safe harbor from application of the mandate (see description here and here) may continue relying on the safe harbor until the first plan year beginning on or after January 1, 2014. CMS has updated its guidance on the nonenforcement safe harbor (here).

Definition of Religious Employer. The definition of religious employer is unchanged from the proposed regulations. Although not intended to expand the number of organizations that qualify as religious employers, the change is intended to clarify that religious employers providing educational, charitable, and social services may qualify for the exemption even though some of their constituents or employees may not be of the same

Continue Reading...

HIPAA Enforcement: Watch Out for Disabled Firewalls
05/31/2013 | By: Jason Lacey

I've been fairly diligent in reporting on enforcement actions taken by HHS under the HIPAA privacy and security rules over the past year or so. If you've followed those posts, the outcome of the following case will not surprise you.

In a recent press release, HHS announced a $400,000 settlement and resolution agreement with Idaho State University relating to violations of the HIPAA security rule that resulted in a data breach with respect to 17,500 patients of a primary care clinic operated by the university. The breach occurred when a firewall providing security for a server storing patient data was disabled, leaving the data unsecured. The press release and resolution agreement do not indicate that any actual disclosure of the patient data occurred. But the firewall had been disabled for 10 months before the clinic or university realized it. Yes, 10 months.

Quoting from the press release: "[HHS] concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner." In other words, they weren't trying hard enough - maybe not at all.

Here are a few takeaways:

- The HIPAA security rule is just as potent as the HIPAA privacy rule. Failure to comply with the security rule won't be excused just because there was no actual loss of privacy.
- You have to try. The security rule is written in relative rather

Continue Reading...

More ACA FAQs: Mini-Med Plans and Clinical Trials
05/01/2013 | By: Jason Lacey

We are now up to Part XV of the tri-agency FAQs providing guidance on various ACA-related issues. The most important guidance in these FAQs relates to the treatment of mini-med plans that obtained a waiver from the prohibition on annual limits. But the FAQs also acknowledge, in so many words, that there are some issues on which further guidance simply will not be provided before 2014, so we're going to have to use our best judgment.

Changing the Plan Year on Mini-Med Plans. Employers and insurance carriers offering mini-med plans were required to obtain a waiver from the prohibition on annual limits. Under the waiver program, plans were allowed to continue until the end of the plan year ending in 2014. Creative employers and carriers began exploring whether they could change their plan years now and effectively extend the waiver through most of 2014. For example, a plan with a plan year ending June 30 might change to a plan year ending November 30 and rely on the waiver until November 30.

These FAQs provide, unequivocally, that a change in the plan year will not be effective to extend a plan's waiver. The waiver only applies until the end of the plan year ending in 2014, based on the plan year the plan was using when it applied for the waiver. In other words, nice try.

Why would this matter? Well, it now appears that mini-med coverage extending into 2014 will be sufficient to allow employers with fiscal year plans to avoid some of the

Continue Reading...

New SBC Guidance and Templates
04/24/2013 | By: Jason Lacey

The latest set of Affordable Care Act FAQs (Part XIV) announces the release of updated templates for the SBC and uniform glossary. The updated templates are designed to provide employers and insurers with tools to comply with the SBC requirement for the second year of applicability. Note that many fiscal-year plans may not yet have begun their first year of applicability for the SBC requirement, which essentially begins with the first open-enrollment period beginning on or after September 23, 2012.

Limited Template Changes. The updated templates reflect only two significant changes. They add language for describing whether the coverage does (or does not) provide minimum essential coverage (MEC), and they add language for describing whether the coverage does (or does not) provide minimum value (MV). There is no change in the language describing whether benefits are (or are not) subject to annual limits, and the template keeps the same two coverage examples (childbirth and diabetes).

Extended Enforcement Relief. Perhaps the most significant guidance in the FAQs is an extension of much of the helpful enforcement relief that was provided through previous FAQs. For example:

- Compliance emphasis. IRS, DOL, and HHS will continue to emphasize "assisting (rather than imposing penalties on) plans, issuers and others that are working diligently and in good faith to understand and come into compliance with the new law" (Part VIII, Q2) and "will not impose penalties on plans and issuers that are working diligently and in good faith to comply" (Part IX, Q8).

Continue Reading...

PPACA Waiting Period Rules: 90 Days Means 90 Days
03/27/2013 | By: Jason Lacey

HHS, DOL, and IRS recently proposed regulations interpreting the health care reform mandate limiting health plan waiting periods to no more than 90 days. The guidance is fairly straightforward, but does not include one clarification we were anticipating: 3 months cannot be used as a substitute for 90 days. 90 days means 90 days. Period.

What is a waiting period? Under the rules, a waiting period is any period of time that must pass before coverage may become effective for anyone who has otherwise satisfied the plan's eligibility criteria. Eligibility criteria that are based solely on the lapse of a time period count as part of the waiting period. So, for example, if a plan requires employees to work in a particular job classification to be eligible for coverage, time spent working in an ineligible job classification does not count as a waiting period, and the 90-day period may be imposed once an employee moves to an eligible job classification. But if a plan merely requires 60 days of full-time employment to become eligible, those 60 days of employment count toward the waiting period, so another 90 days may not be imposed.

Variable-hour employees. We know from the regulations on the look-back measurement method (see coverage here) that we may need some time (up to 12 months or so) to determine whether a variable-hour employee meets an eligibility requirement relating to average hours worked. These proposed regulations clarify that the period during which a variable-hour employee's hours of service are being measured

Continue Reading...

What Is the Deadline for Updating Business Associate Agreements?
03/12/2013 | By: Jason Lacey

All covered entities and business associates will need to review their business associate agreements in light of the new final HIPAA regulations (see prior coverage here). The new rules are effective March 26, 2013, with a general compliance deadline of September 23, 2013. So what is the deadline for reviewing and updating a business associate agreement?

Transition Rule. Under a transition rule in the new regulations, covered entities and business associates (and business associates and their subcontractors) may continue to operate under certain existing agreements for up to one year beyond the general compliance date of September 23, 2013. There are two conditions for this rule:

(1) Already in existence. A written business associate agreement must have been in existence on January 25, 2013 (the date the new final rule was released) and must satisfy the requirements of the prior HIPAA rule.

(2) Not renewed or modified. The business associate agreement must not be renewed or modified between March 26, 2013 and September 23, 2013.

If these conditions are satisfied, the agreement will be deemed to satisfy the new rules until the earlier of (i) the date the agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. In other words, if these conditions are met, covered entities and business associates will have until as late as September 22, 2014 to update their agreements to comply with the final rule.

Evergreen Agreements. This transition rule is available for agreements that automatically renew between March 26, 2013 and September 23,

Continue Reading...

New ACA FAQ Guidance Addresses Cost Sharing, Preventive Care, and Expatriate Plans
03/10/2013 | By: Jason Lacey

Two more sets of tri-agency FAQs have been released, providing additional interpretive guidance on the Affordable Care Act. They are Part XII and Part XIII in the series.

Cost-Sharing Limitations. Part XII includes two important clarifications on the cost-sharing limitations that will apply to group health plans beginning in 2014.

(1) Deductible. The rule that limits the annual deductible under a plan to $2,000 for self-only coverage and $4,000 for family coverage will apply only to non-grandfathered plans in the individual and small-group markets. Grandfathered plans and large-group plans will be permitted to impose higher deductibles. This may be important for large-group plans that want to offer an option with a high deductible that meets the minimum requirements for a 60% actuarial value plan.

(2) Out-of-pocket maximum. The rule that limits overall cost-sharing under a plan to $5,000 for self-only coverage and $10,000 for family coverage will apply to all non-grandfathered plans. So even large-group plans will be limited.

Preventive Care. Part XII also provides detailed guidance on miscellaneous issues related to the requirement for non-grandfathered plans to offer preventive-care services without cost-sharing. Some highlights:

(1) Out-of-network services. Plans generally are permitted to impose cost-sharing with respect to preventive-care services obtained out of network. However, if a service that is required to be covered by the plan is not available through any in-network provider, the plan must cover the out-of-network service without cost-sharing.

(2) Over-the-counter items. Some of the covered preventive-care items include over-the-counter drugs and devices, such as aspirin. A plan is only

Continue Reading...

The Landscape Becomes Clearer for State Insurance Exchanges
02/19/2013 | By: Jason Lacey

Employers are not directly affected by the establishment of state insurance exchanges under health care reform, but understanding the exchange landscape helps clarify the bigger picture of health care reform and how employers fit within that. So here's where we are today:

The deadline ran last Friday for states to file applications to run an exchange in partnership with the federal government for 2014. Some did that, but as I've written about previously (here), the response has been underwhelming. States that do not have their own exchanges and do not partner with the federal government will default to having a federally facilitated exchange.

The Kaiser Family Foundation has an interesting graphic (here) that illustrates what's going on in each state. It reflects that only 17 states (plus the District of Columbia) will run their own exchanges, 7 states will have partnership exchanges, and 26 states will default to the federal exchange. Depending on your political view, that's either a good first step toward national uniformity in the health insurance market or a lot of federal involvement.

Either way, a lot of questions remain, including whether and how these exchanges will be fully functional by October (when they need to begin enrollment for 2014) and what the exchange interface will look like. The federal government continues to believe it is on track (see here), but there is a lot of ground to cover between now and then.

Agencies Propose Changes to Contraception Mandate for Religious Employers
02/06/2013 | By: Jason Lacey

The IRS, DOL, and HHS have proposed two key changes in the rules that exempt certain religious employers from complying with the mandate to cover all FDA-approved contraception and sterilization procedures for women (see proposed rules here).

1. Definition of Religious Employer

Employers that are "religious employers" are wholly exempt from compliance with the mandate. The new rules would modify the definition of religious employer slightly. The definition would still be limited to houses of worship (churches, synagogues, mosques, and the like) and religious orders. But the change would clarify that those organizations will not fail to be religious employers even if they also provide educational, charitable, or social services, without regard to whether the persons served share the same religious values.

Example. A church with a parochial school that employs teachers or serves students who are not necessarily of the same religious faith may still qualify as a religious employer.

2. Broader Accommodation for Non-Profit Religious Organizations

A non-profit organization that is not a church or religious order but that meets specified criteria would be provided an "accommodation" exempting the organization from directly providing contraceptive coverage. The criteria are:

- The organization opposes some or all of the required contraceptive coverage on religious grounds
- The organization is a non-profit entity
- The organization holds itself out as a religious organization
- The organization self-certifies that it meets the first three criteria

This change is intended to exempt organizations such as religious-affiliated non-profit institutional health care

Continue Reading...

HHS Has Updated Its Sample Business Associate Agreement
02/02/2013 | By: Jason Lacey

The updated sample agreement is here. It reflects changes in the HIPAA privacy, security, and breach-notification rules made by the final omnibus regulation (prior coverage here).

The template is a helpful starting point for drafting and reviewing business associate agreements in light of the new rules. Although it does not purport to address all issues that might merit consideration in an agreement, health plans, brokers, TPAs, and other covered entities or business associates will want to be familiar with it, if for no other reason than it is likely to form the backbone of many standard BAA templates.

Reminder: The final omnibus rule is effective March 26, 2013, with a general compliance date of September 23, 2013.

New Health Care Reform FAQs Answer Some Questions and Raise Others
|
02/01/2013
|
By: Jason Lacey
|
The IRS, DOL, and HHS have released their 11th series of FAQs (here) addressing various issues related to health care reform implementation.
Exchange Notice Requirement. In a helpful clarification, the agencies confirmed that employers will not have to provide a notice to employees regarding insurance exchanges until “regulations are issued and become applicable.” By statute, the notice is required to be distributed by March 1, 2013. This guidance effectively allows employers to delay compliance until further notice.
Stand-Alone HRAs. Three of the FAQs address issues related to health reimbursement arrangements (HRAs). The technical clarifications are as follows: (1) An HRA cannot be treated as “integrated” with individual insurance coverage. (2) An HRA can only be treated as “integrated” with major-medical coverage if participation in the HRA is conditioned on being enrolled in that major-medical coverage. (3) Most amounts credited to an HRA before January 1, 2014, will continue to be available for reimbursements on and after January 1, 2014 without causing the HRA to violate the annual-limit rules under Section 2711 of the Public Health Service Act.
While all of this seems straightforward enough, the proverbial elephant in the room is the fundamental question whether stand-alone HRAs will be deemed to violate the prohibition against annual and lifetime limits under Section 2711 of the Public Health Service Act. These FAQs are the strongest indication yet that future guidance will say they do violate the prohibition, effectively eliminating stand-alone HRAs. Plan sponsors that maintain stand-alone HRAs - or are considering implementing one for 2014 - will want
Continue Reading...
|
|
What's Up With This Transitional Reinsurance Fee Anyway?
|
01/31/2013
|
By: Jason Lacey
|
A fundamental insurance-market reform under the Affordable Care Act is that, beginning in 2014, insurance carriers that want to sell individual policies will be required to make those policies available to all applicants (guaranteed issue) and will be required to set the premiums for those policies based on a "community" rating, with variations based only on the tier of coverage purchased (individual or family), age of the insured, geographic area, and tobacco use by the insured. This is intended to ensure that individuals have access to health insurance without regard to health factors that might otherwise make insurance prohibitively expensive or simply unavailable.
That all sounds pretty good, unless you're the insurance carrier trying to figure out how to absorb the additional risks associated with having to cover people at a set price without regard to how much health care expense they may consume. But the Affordable Care Act makes some provision for them too. For 2014, 2015, and 2016, there will be a transitional reinsurance program through which insurers may offload some of the additional risk assumed in connection with these policies. And it's a pretty big program - $12 billion in 2014, $8 billion in 2015, and $5 billion in 2016.
So who's going to pay for that? Answer: Group health plans. Beginning in 2014, group health plans will be required to pay a fee for each individual covered under the plan that will be used to fund the transitional reinsurance program. The fee is paid once a year. Plans will
Continue Reading...
|
|
Comprehensive Final HIPAA Regulation Released
|
01/23/2013
|
By: Jason Lacey
|
HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules. Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.
Compliance Date. The advance copy of the regulation runs 563 pages, so there is considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.
Some Key Points. Here are a few key points to understand about the final rules:
1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.
2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.
3. The standard for breach notification has changed. Under current rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if there is a substantial risk of harm from the breach. That “harm” standard has been replaced. There is now a presumption
Continue Reading...
|
|
Health Care Reform Timeline on HHS Website
|
01/11/2013
|
By: Jason Lacey
|
HHS has posted a health care reform timeline to its website (here). Although it covers more than just the employer-related features of the law - and, in fact, doesn’t directly address all of the group health plan mandates and other issues affecting employers - it provides a helpful overview if you want to quickly see what’s been implemented already or what’s yet to come.
See also: Health Care Reform Calendar (covering August 1, 2012 through July 31, 2013)
|
|
HHS Shows Some Leniency in Recent HIPAA Settlement
|
01/08/2013
|
By: Jason Lacey
|
HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.
Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.) The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the government’s radar just because there is no separate notification requirement.
Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future. The Resolution Agreement indicates that once the covered
Continue Reading...
|
|
HHS Releases List of Conditionally Approved State Insurance Exchanges
|
12/21/2012
|
By: Jason Lacey
|
HHS has released a list of the state insurance exchanges that have received conditional approval for operation in 2014 (with open enrollment beginning in October 2013) - and the list is short.
States receiving conditional approval for state-based exchanges:
- Colorado
- Connecticut
- District of Columbia
- Kentucky
- Maryland
- Massachusetts
- Minnesota
- New York
- Oregon
- Rhode Island
- Washington
States receiving conditional approval for state partnership exchanges:
- Delaware
This could leave as many as 39 states (including Kansas) in which qualified health plans will be available in 2014 only through a federally facilitated exchange. States still have until February 15, 2013 to file declaration letters and applications to establish a state partnership exchange.
For additional background on exchanges and exchange implementation, see here, here, and here.
|
|
Proposed Regulations Sketch Out Framework for Identifying Essential Health Benefits
|
12/07/2012
|
By: Jason Lacey
|
New proposed regulations from HHS have outlined a framework for identifying the package of "essential health benefits" (EHB) that must be offered by certain health plans beginning in 2014.
Affected Plans. The plans directly affected by the rules include "qualified health plans" (or "QHPs") that will be offered through an exchange, and any other non-grandfathered individual and small-group insurance policies, whether or not offered through an exchange.
Defining Essential Health Benefits. Rather than defining a package of essential health benefits that must be covered by all affected plans, the regulations propose that essential health benefits be determined on a state-by-state basis by reference to an "EHB-benchmark plan" identified by each state (or identified by default, if the state does not make an affirmative designation). The benchmark plan may be selected from one of the following:
- The largest plan by enrollment in any of the 3 largest small-group insurance products in the state.
- Any of the largest 3 state employee health benefit plans by enrollment.
- Any of the largest 3 national health plan options available to Federal employees under the Federal Employees Health Benefit Program.
- The largest insured commercial HMO operating in the state.
An Appendix to the proposed regulations lists, for each state, the plan that the state has already designated as its benchmark plan or that will be the default plan, if the state does not make an affirmative designation.
List of Largest State Small-Group Products. Earlier this year, HHS
Continue Reading...
|
|
Agencies Release Joint Proposed Regulation on Wellness Plans
|
12/03/2012
|
By: Jason Lacey
|
The IRS, DOL, and HHS have issued a joint proposed regulation addressing wellness plans and the wellness exception to the HIPAA nondiscrimination rules.
Background. Section 2705 of the Public Health Service Act, as added by the Affordable Care Act, provides statutory affirmation of the wellness-plan rules that have existed by regulation for several years as part of the HIPAA nondiscrimination rules (rules that prohibit, among other things, discrimination on the basis of health factors). It also gives the relevant governmental agencies (IRS, DOL, and HHS) express authority to issue further rules on wellness plans that increase the permissible reward or penalty to as much as 50% of the cost of associated health-plan coverage.
Proposed Regulations. The proposed regulations largely follow the structure of the existing wellness-plan regulations, requiring, among other things, that wellness programs requiring a particular health outcome (e.g., smoking cessation, biometric screening results, minimum BMI, etc.) provide reasonable alternatives and limit the reward or penalty offered or imposed in connection with the plan. However, there are a couple of points worth highlighting:
- Participation v. Health-Contingent. The proposed regulations label wellness programs as either "participatory" or "health-contingent." It is only the health-contingent programs that are subject to more rigorous regulation under the proposed rules. Participatory programs include fitness-club memberships, general health education, and other similar programs that do not provide for a reward or include any conditions based on satisfying a standard related to a health factor.
- Size of Reward. The requirements that must
Continue Reading...
|
|
Government Wins a Round on the Contraception Mandate
|
11/23/2012
|
By: Jason Lacey
|
In the tally of recent cases involving the women’s health preventive-care mandate and for-profit employers (see, for example, here, here, and here), mark one down in the government’s column.
Earlier this week, a federal court in Oklahoma ruled against Hobby Lobby (prior coverage here), concluding that the company (as distinct from its owners) did not have religious views or freedoms that would be infringed by enforcement of the mandate.
Hobby Lobby has already appealed the decision to the Tenth Circuit Court of Appeals, so we may soon have a higher court weighing in on the issue.
Additional coverage of both the decision and the appeal is available here and here.
|
|
HHS Grants 11th Hour Second Extension of State Exchange Deadline
|
11/16/2012
|
By: Jason Lacey
|
In a letter from HHS Secretary Kathleen Sebelius released late yesterday, HHS has given states another month to file the Declaration Letter necessary to show their intent to establish a state-based insurance exchange for 2014. The deadline is now December 14, 2012. A state's Blueprint Application for a state-based exchange will be due at the same time.
The original deadline for filing both the Declaration Letter and the Blueprint Application was November 16, 2012 (see here). Last week, HHS extended the deadline for filing the Blueprint Application to December 14, 2012, but left the November 16 deadline in place for the Declaration Letter (see here).
HHS also previously extended until February 15, 2013 the deadline for filing a Declaration Letter and Blueprint Application for states that want to establish state partnership exchanges, rather than full-blown state-based exchanges (see here). That deadline remains in place.
|
|
HHS Extends Deadlines for States to Make Exchange Decisions
|
11/12/2012
|
By: Jason Lacey
|
HHS has released a fact sheet extending a key deadline for states to take the steps necessary to establish either a state-based insurance exchange or a state partnership exchange. This modifies the timetable set out in HHS's previously released Blueprint for establishing an insurance exchange (see coverage here).
The highlights:
- State-Based Exchange. To create a state-based exchange, states still must file a Declaration Letter by November 16, 2012, but they will now have until December 14, 2012 to complete the required Blueprint Application.
- State Partnership Exchange. To create a state partnership exchange, states have until February 15, 2013 to file a Declaration Letter and Blueprint Application. They must indicate in those documents what roles they intend to fill in the partnership exchange (plan management functions, consumer assistance functions, or both).
- 2015 Deadlines. States that want to adopt a different exchange model for 2015 than they use in 2014 must submit a Declaration Letter by November 18, 2013 and a Blueprint Application by December 16, 2013.
Kansas Governor Sam Brownback recently affirmed his position that Kansas will not participate in the exchange system at any level for 2014 (his signature is necessary for the state to file a Declaration Letter), so Kansas residents will be covered by a federally facilitated exchange for 2014, absent a change in position before the February 15, 2013 deadline to apply for a state partnership exchange.
|
|
Bible Publisher Files Lawsuit Over Contraception Mandate
|
10/04/2012
|
By: Jason Lacey
|
In the ongoing saga over the contraception rules under health care reform's preventive-care mandate (see prior coverage here and here), the Washington Times has a recent article reporting that a for-profit Bible publisher is suing to obtain relief from the law. It claims it is a "religious employer" and should be exempt from the requirement to provide free access to contraception. HHS's regulations limit the religious-employer exemption to non-profit organizations engaged in ecclesiastical functions (essentially houses of worship) and, thus, categorically deny exemption for any for-profit employer.
This aspect of health care reform has proven especially controversial and contentious, because it touches on two hot-button issues: (1) the line between government regulation and religious freedom, and (2) the ability of women to access certain health-care products and services. Given the battle lines that have been drawn already, the issues seem unlikely to be resolved soon.
|
|
HHS Settles Another HIPAA Enforcement Matter for $1.5 Million
|
09/28/2012
|
By: Jason Lacey
|
HHS continues to show it is serious about investigating and enforcing breaches of the HIPAA privacy and security rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic PHI. The two organizations reported the theft to HHS, as required by the HITECH breach-notification rule.
In its news release, HHS had particularly stringent things to say about the covered entities' security practices.
- "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."
- "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."
- "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."
As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.
A few takeaways:
- This case happened to involve a medical provider and a research organization, but nothing
Continue Reading...
|
|
IRS, DOL, and HHS Issue Joint Guidance on 90-Day Waiting Period Limitation Under PPACA
|
09/04/2012
|
By: Jason Lacey
|
Notice 2012-59 provides guidance on the requirement under Section 2708 of the Public Health Service Act (added by PPACA) that a group health plan not apply any waiting period that exceeds 90 days. The rule applies for plan years beginning on or after January 1, 2014.
Among the clarifications offered by the guidance:
- Definition of Waiting Period. A "waiting period" is defined as a period of time that must pass before coverage can become effective for an individual who is otherwise eligible to enroll under a plan. Eligibility conditions based solely on the lapse of time cannot exceed 90 days, but other eligibility conditions (e.g., working full time or working in a covered job classification) are permissible, even if they have the effect of excluding an individual from coverage under the plan for more than 90 days.
- Determining Full-Time Status for Variable-Hour Employees. If a plan limits coverage to full-time employees, it may take a reasonable period of time to determine whether a newly hired employee meets the full-time standard, if it is not clear on the date of hire that the employee will work the required number of hours (e.g., 30 hours per week). In general, this determination must be made within a year after the employee is hired, and if the employee satisfies the eligibility requirements, coverage must be offered beginning within 13 months after the date of hire. Otherwise, the plan may be treated as indirectly avoiding the 90-day-waiting-period requirement.
This notice
Continue Reading...
|
|
HHS Provides Enforcement Safe Harbor for Claim-Denial Notices by Governmental Plans
|
08/20/2012
|
By: Jason Lacey
|
The Department of Health and Human Services (HHS) has issued an enforcement safe harbor relating to the content of benefit-claim denial notices issued by non-federal governmental health plans.
Under health care reform, all non-grandfathered group health plans are required to follow the DOL's rules and regulations regarding the content of notices of adverse benefit determinations. Among other things, those rules require providing (1) a statement about a participant's right to bring suit under ERISA, and (2) contact information for the federal Employee Benefits Security Administration (EBSA) or a state insurance department.
Non-federal governmental plans are not subject to ERISA, so participants do not have the right to sue under ERISA to seek recovery of benefits. In addition, participants in non-federal governmental plans are not provided services by the EBSA, because they do not have rights under ERISA.
The enforcement safe harbor clarifies that non-federal governmental plans can exclude ERISA right-to-sue language and EBSA contact information from their benefit-denial notices and they will not be treated as violating the health-care-reform mandates. Contact information is not required to be provided for a state insurance department either, unless the plan actually uses an insurance policy issued by a carrier subject to regulation by a state insurance department.
There are some nuances to the safe harbor, so HHS's notice should be carefully reviewed by any non-federal governmental plan intending to rely on the safe harbor. But on the whole this should come as a welcome (and practical) clarification for affected plans.
|
|
HHS Clarifies Enforcement Safe Harbor for Contraceptive Coverage
|
08/17/2012
|
By: Jason Lacey
|
HHS has updated its enforcement safe harbor relating to required contraceptive coverage and non-profit organizations that object to such coverage for religious reasons. The updated safe harbor clarifies three items:
- The safe harbor is available to non-profit organizations with religious objections to some but not all contraceptive coverage.
- Organizations that took some action as of February 10, 2012 that was intended to limit or exclude contraceptive coverage but that was unsuccessful are not, solely for that reason, precluded from relying on the safe harbor.
- Organizations that are not sure whether they qualify for the broader religious-employer exemption may utilize the safe harbor without prejudicing their ability to rely on the religious-employer exemption in the future.
With regard to item 1, the specific language of the revised notice says that since February 10, 2012, the plan must have "consistently not provided all or the same subset of the contraceptive coverage otherwise required at any point . . . ." Although this language will not win any awards for clarity, it appears to mean that the safe harbor is not an all-or-nothing rule. An employer may be able to offer some types of contraceptive coverage but exclude others on religious grounds and remain within the safe harbor.
With regard to item 2, the guidance does not provide any examples of situations where, despite its best efforts, an employer might be unable to exclude contraceptive coverage. Perhaps it contemplates a case such as one where
Continue Reading...
|
|
HHS Releases "Blueprint" for Approval of Insurance Exchanges
|
08/15/2012
|
By: Jason Lacey
|
The Department of Health and Human Services (HHS) has released a "Blueprint" describing the process by which states must apply to obtain approval to operate an insurance exchange beginning in 2014. The document also details the features and activities an exchange will be required to offer.
Although the finer points of this document are primarily of interest to states that will be seeking to operate an exchange (either alone or in partnership with the federal government), it provides employers some sense of how and when the exchanges will come together.
Among the highlights:
- There are three exchange models: (1) state-based exchanges (operated largely by the states); (2) state partnership exchanges (operated largely by the federal government but with some state involvement); and (3) federally facilitated exchanges (operated almost exclusively by the federal government).
- States wanting to participate under any of these models must receive approval or conditional approval from HHS by January 1, 2013. A "declaration letter" and "exchange application" must be submitted no later than November 16, 2012.
- An exchange must be operational for an open-enrollment period beginning October 1, 2013.
- Required exchange activities will include (1) providing consumer support for coverage decisions; (2) facilitating eligibility determinations for individuals; (3) providing for enrollment in qualified health plans (QHPs); (4) certifying health plans as QHPs; and (5) operating a Small Business Health Options Program (SHOP).
From this we can see that the exchange landscape will be better defined by
Continue Reading...
|
|
HIPAA Privacy and Security Enforcement Heats Up for Health Plans: Even States Aren't Exempt
|
07/30/2012
|
By: Jason Lacey
|
The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.
The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.
To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.
Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to
Continue Reading...
|
|
HHS Updates MLR Guidance
|
07/18/2012
|
By: Jason Lacey
|
The Department of Health and Human Services (HHS) has issued three new Q&As updating its guidance on the medical loss ratio (MLR) rules. Although the guidance is directed primarily at insurance carriers, it provides some helpful information to employers and participants in insured group health plans about new notices they may be receiving in the near future.
- For plans that will be receiving MLR rebates, the carrier must provide a rebate notice to all "subscribers," which includes all current plan participants. Those participants should be receiving notices on or before August 1, 2012.
- For insurers that meet the MLR standard, a notice to that effect must be provided to all plan participants with the first "plan document" distributed on or after July 1, 2012. The guidance clarifies that the notice may be provided separately (i.e., distributed before any plan documents are distributed). The guidance also provides examples of documents that constitute "plan documents" for this purpose.
For our prior coverage of MLR rebates and the important considerations that apply under ERISA if and when a rebate is received, click here.
|
|
HHS Releases Audit Protocol for HIPAA Audits
|
07/02/2012
|
By: Jason Lacey
|
The federal Department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules.
The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.
There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:
- Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."
- Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals'
Continue Reading...
|
|
|
Editors
Don Berner, the Labor Law, OSHA, & Immigration Law Guy
Boyd Byers, the General Employment Law Guy
Jason Lacey, the Employee Benefits Guy
|