Kansas Employment Law Blog
HHS Announces Opening of Phase 2 HIPAA Audit Program
By: Jason Lacey

The HHS Office for Civil Rights (OCR) has announced the opening of its "Phase 2" HIPAA audit program. We have been anticipating this program for some time. It potentially affects all HIPAA covered entities, including employer-sponsored group health plans, as well as business associates of those covered entities, such as third-party administrators for self-insured health plans.

The purpose of the audit program is to "assess compliance" with the HIPAA privacy, security, and breach notification rules. Accordingly, these audits will be directed at a cross-section of HIPAA covered entities and business associates, rather than based on specific complaints or news reports.

Covered entities and business associates that are potential candidates for audit will be contacted by email (check your spam filter!) and asked to complete a pre-audit questionnaire. Not all covered entities and business associates that go through the pre-audit process will be selected for audit. But those who fail to respond to the pre-audit questionnaire will still be included in the potential audit pool, and it seems fair to assume that a failure to respond may increase OCR's interest in conducting a full-scope audit. 

Based on the updated audit protocol that OCR is using to train its auditors, we have a good idea what OCR will be looking for if it conducts an audit. In the case of an employer-sponsored group health plan, the audit is likely to include a review of the following:

  • The plan document (to determine whether the proper HIPAA plan language has been adopted)
HIPAA Settlement Highlights Focus on Security Concerns
By: Jason Lacey

The latest announcement by HHS regarding settlement of an investigation under the HIPAA privacy, security, and breach-notification rules reflects an increased focus by HHS on security-related issues and the need for health plans and other covered entities to take reasonable steps to protect PHI from hacking, viruses, and malware attacks.

Background. The covered entity in this case (a non-profit community mental health services organization) reported a breach affecting the PHI of approximately 2,700 individuals. The breach was caused by a malware attack on the covered entity’s IT system. The system was using outdated software that made it vulnerable to attack. Following the HHS investigation, the covered entity agreed to a settlement that included a cash payment of $150,000 and a two-year corrective action plan.

Keep Your Software Updated! A key takeaway from this case is that covered entities will be held responsible for maintaining a sound IT infrastructure. System software must be kept up-to-date, and appropriate technical security measures must be implemented, such as firewalls capable of threat monitoring.

Common Sense Approach. Although covered entities may have varying degrees of technical sophistication, HHS’s press release emphasized the need for a “common sense approach” to risk mitigation. “This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave [PHI] susceptible to malware and other risks.”

Adopting Policies Isn’t Enough. Another key takeaway is that adopting policies and procedures to address the HIPAA privacy and security rules is only the beginning of an appropriate HIPAA compliance program. The policies must be implemented, followed, and ...

IRS and HHS Rein in Minimum Value Plans
By: Jason Lacey

New guidance from the IRS and HHS aims to quickly scuttle the use of health plans designed to push the limits of minimum value. These plans (sometimes referred to in the market simply as “minimum value plans,” “MVPs,” or “MV lite”) aimed to reduce cost by excluding coverage for key benefits, such as physician services or inpatient hospitalization, but were nonetheless said to provide minimum value because they qualified under the MV calculator.

The Concept. The idea behind MVPs was to create a plan that would allow a large employer to avoid all penalties under the ACA’s employer shared responsibility mandate at relatively low cost. As minimum essential coverage that provided minimum value, an MVP would allow a large employer to avoid all penalties, so long as the plan was affordable. And due to the relatively low cost, employers could make MVPs affordable with little or no premium subsidy.

But the effect of MVPs was not limited to penalty avoidance by employers. Employees who are offered coverage under an affordable, minimum value plan are ineligible for premium tax credits (PTCs) through state and federal exchanges, even if they turn down the employer-sponsored coverage. And with MVPs, this meant employees could be knocked out of PTC eligibility with an offer of coverage under a plan that intentionally excluded a significant category of benefits (e.g., inpatient hospitalization). This may well have been their undoing.

MV Calculator. Why did this seem to work? It all came down to the MV calculator. Final HHS regulations and ...

CMS Indefinitely Delays HPID Implementation
By: Jason Lacey

On the eve of the deadline for large controlling health plans (CHPs) to obtain an HPID, CMS has announced that it is indefinitely delaying enforcement of the regulations that require obtaining an HPID and using the HPID in covered transactions. The announcement is effective October 31, 2014 and applies “to all HIPAA covered entities, including healthcare providers, health plans, and healthcare clearinghouses.”

What Does This Mean for Large Health Plans? The immediate impact of this announcement appears to be that large CHPs are no longer required to obtain an HPID by the November 5, 2014 deadline. Whether or when they may be required to do so in the future will depend on when (or if) CMS decides to begin enforcing the regulations again.

What Does This Mean for Small Health Plans? The deadline for small CHPs to obtain an HPID was November 5, 2015. Technically, that deadline has been suspended as well, although with a year between now and then, it’s possible that CMS could reverse course and begin enforcing the rule again before then. So small plans should monitor the status of the rule, but likely will not want to attempt to obtain an HPID until further notice.

Where Did This Come From? The CMS announcement references a September 23, 2014 report from the National Committee on Vital and Health Statistics (NCVHS). In that report, the NCVHS unequivocally recommended that covered entities not begin using an HPID in transactions involving health plans. The report argues that there is already a ...

CMS FAQs Clarify HIPAA Health Plan Identifier (HPID) Requirement
By: Jason Lacey

Health plans, including some employer-sponsored plans, face a looming deadline to obtain a HIPAA health plan identifier (HPID). There have been many questions surrounding this requirement, particularly as it applies to employer-sponsored plans. Recent FAQ guidance from CMS (here) has provided some key clarifications, although questions remain. Here's what you need to know.

Background. HIPAA requires health plans and other covered entities to engage in certain covered transactions in a standardized way. This is sometimes referred to as the HIPAA "transactions rule." The details of that rule are beyond what can be addressed here. But the key thing to understand is that the ACA amended the transactions rule to require health plans to obtain a specific identifier (the HPID) to be used in connection with covered transactions.

Deadline. For plans that are required to get an HPID, the deadline is November 5, 2014, unless the plan is a "small" health plan, in which case the deadline is November 5, 2015.

Small Health Plan. A small health plan is a plan that has $5 million or less in annual receipts. The CMS FAQs tell us that annual receipts mean premiums paid during the last full fiscal year, in the case of fully insured plans, and health care claims paid during the last full fiscal year, in the case of self-insured plans. Plans that are partially insured and partially self-insured combine the premiums and health care claims paid to determine their total annual receipts.

Stop-Loss Premiums. It's not clear whether annual receipts are intended to ...

HHS Addresses Same-Sex Spouses Under HIPAA
By: Jason Lacey

The HHS Office for Civil Rights (OCR) has provided guidance on the status of same-sex spouses under the HIPAA privacy rule.

In light of the Supreme Court's Windsor decision, same-sex spouses are recognized as lawful spouses for purposes of all federal law, including HIPAA. Under the HIPAA privacy rule, spouses are "family members" of a protected individual, which is relevant for at least the following two purposes:

  • Under certain circumstances, a covered entity (including a health plan) is permitted to share an individual's protected health information with the individual's family members. The guidance makes clear that a family member includes an individual's same-sex spouse.
  • The privacy rule prohibits health plans from using or disclosing genetic information for underwriting purposes. Genetic information includes, for example, genetic tests of an individual's family member or information regarding the manifestation of a disease or disorder in an individual's family member. The guidance makes clear that a family member for this purpose also includes an individual's same-sex spouse.

An individual's same-sex spouse may also qualify as the "personal representative" of an individual under the privacy rule, which, among other things, would allow the same-sex spouse to act on behalf of the individual in some circumstances. OCR indicates that further clarification regarding treatment of same-sex spouses as personal representatives will be forthcoming.

The bottom line for health plans and other covered entities is that same-sex spouses will be treated the same as opposite-sex spouses for purposes of the HIPAA ...

HHS Proposes 2015 Reinsurance Contribution Amount and Plan Maximums
By: Jason Lacey

HHS has issued its proposed Notice of Benefit and Payment Parameters for 2015 (here). It is frankly a pretty mind-numbing piece of regulatory handiwork, but it includes a few interesting nuggets for employers.

Transitional Reinsurance Program. The notice discusses the transitional reinsurance program at some length but has three proposals that are particularly noteworthy.

(1) 2015 Contribution Rate. The proposed contribution rate for 2015 is $44 per covered life, as compared to $63 per covered life for 2014.

(2) Change in Payment Schedule. The payment schedule is proposed to change so that the fee would be paid in two installments instead of one. The first installment will generally be due in January following the benefit year, and the second installment will generally be due in November or December following the benefit year. Both installments will be based on the same enrollment count.

For the 2014 benefit year, it is anticipated that this will result in the $63 fee being paid as follows: $52.50 in January 2015 and $10.50 in late 2015. For the 2015 benefit year, it is anticipated that this will result in the proposed $44 fee being paid as follows: $33 in January 2016 and $11 in late 2016.

(3) Exclusion for Self-Administered Self-Insured Plans. Several groups that sponsor self-insured plans (notably multiemployer self-insured plans) have been lobbying for an exemption from the transitional reinsurance fee. (There is some merit to their arguments, since the transitional reinsurance program will not benefit them, but that's beside the point here.) While this proposed notice does ...

New Hardship Exemption from Individual Mandate
By: Jason Lacey

In the wake of the troubled rollout of the public exchanges, which has delayed the ability of many individuals and small businesses to enroll in coverage offered through the exchanges, HHS has announced (here) a new hardship exemption from the individual mandate. Anyone who enrolls in coverage through an exchange by the end of the initial exchange enrollment period (March 31, 2014) will be exempt from the individual mandate during the period in 2014 before the date the exchange-based coverage becomes effective.

Background. The individual mandate is the rule that requires most Americans to maintain health insurance coverage or pay a penalty. It takes effect January 1, 2014. But there are a number of exemptions available. Those who qualify for an exemption will not owe a penalty even if they fail to maintain insurance coverage. One exemption category is for "hardships," as defined by the government. 

Exchange Enrollment Period and Coverage Effective Date. The initial exchange enrollment period began October 1, 2013 and runs through March 31, 2014. No coverage under the exchange becomes effective before January 1, 2014. Beginning in December, those who enroll in coverage on or before the 15th of the month will have coverage that becomes effective on the first day of the next month. Those who enroll after the 15th of the month will have coverage that becomes effective on the first day of the second following month.

For example, an individual who enrolls for coverage on January 10, 2014 will have coverage effective as of February ...

New Guidance Will Limit HRAs and Employer Use of Individual Market Coverage
By: Jason Lacey

A continuing area of uncertainty under health care reform has been the treatment of health reimbursement arrangements (HRAs) and other arrangements that might be used to allow employees to purchase health insurance through individual policies with the employer subsidizing some or all of the cost. A new notice from the IRS, HHS, and DOL (here) provides some clarity on these - and some related - issues.

Employer Payment Plans. As a preliminary matter, this guidance gives us a new term: "employer payment plan." This refers to an arrangement by which an employer provides payment or reimbursement of individual market insurance premiums in the manner described in an old Revenue Ruling (Rev. Rul. 61-146). Historically, these employer payment plans have been permissible and have allowed employers to provide pre-tax subsidies of individual market coverage.

Integration of Plans with Individual Market Coverage. A concern with HRAs and employer payment plans is that they may be treated as violating two key health care reform mandates: the prohibition on annual limits and the requirement to provide no-cost preventive care services. Previous FAQ guidance (see coverage here) said that HRAs would be treated as satisfying the annual limit rule if they were "integrated" with other coverage that satisfies the annual limit rule.

This guidance effectively confirms that treatment and provides a similar rule for preventive care. But the guidance goes on to say that HRAs and employer payment plans may not be treated as integrated with individual market coverage. Thus, an HRA or employer payment plan ...

Health Plan's Photocopier Prints a $1.2M HIPAA Fine
By: Jason Lacey

HHS has announced another significant HIPAA privacy settlement (see press release here), this time involving a managed care plan that failed to remove protected health information from the hard drive of a photocopier it had been leasing.

The enforcement action stemmed - not surprisingly - from a breach report filed by the health plan in which the plan estimated that over 340,000 individuals may have been affected by the breach. Of greater interest, however, is the manner in which the health plan discovered the breach. It was contacted by a representative of the CBS Evening News and informed that CBS had purchased the photocopier as part of an investigative report and identified confidential medical information on the photocopier's hard drive.


In the settlement with HHS (see agreement here), the health plan agreed to pay a $1,200,000 resolution amount and implement a corrective action plan that includes using its best efforts to retrieve all hard drives contained on photocopiers previously leased by the plan.

Final Regs Make Few Changes to Contraception Mandate
By: Jason Lacey

Final tri-agency regulations were released recently on the religious employer exemption from health care reform's contraception mandate, and there is little change from the approach outlined in the proposed regulations (see discussion here). In short, the regulations finalize a moderate expansion of the definition of "religious employer," but continue to require religiously affiliated nonprofit organizations to seek an "accommodation" that allows individuals covered under their plans to obtain contraception coverage at no cost through an insurance carrier.

Applicability Date. A key piece of the final regulations is the effective-date provision, which provides nonprofit organizations some additional time to comply with the accommodation requirement. The regulations generally apply for plan years beginning on or after January 1, 2014, rather than applying for plan years beginning on or after August 1, 2013, as previously expected. Nonprofit organizations that had been relying on a one-year safe harbor from application of the mandate (see description here and here) may continue relying on the safe harbor until the first plan year beginning on or after January 1, 2014. CMS has updated its guidance on the nonenforcement safe harbor (here). 

Definition of Religious Employer. The definition of religious employer is unchanged from the proposed regulations. Although not intended to expand the number of organizations that qualify as religious employers, the change is intended to clarify that religious employers providing educational, charitable, and social services may qualify for the exemption even though some of their constituents or employees may not be of the same ...

HIPAA Enforcement: Watch Out for Disabled Firewalls
By: Jason Lacey

I've been fairly diligent in reporting on enforcement actions taken by HHS under the HIPAA privacy and security rules over the past year or so. If you've followed those posts, the outcome of the following case will not surprise you. 

In a recent press release, HHS announced a $400,000 settlement and resolution agreement with Idaho State University relating to violations of the HIPAA security rule that resulted in a data breach with respect to 17,500 patients of a primary care clinic operated by the university. The breach occurred when a firewall providing security for a server storing patient data was disabled, leaving the data unsecured. The press release and resolution agreement do not indicate that any actual disclosure of the patient data occurred. But the firewall had been disabled for 10 months before the clinic or university realized it. 

Yes, 10 months.

Quoting from the press release: "[HHS] concluded that ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of their information system in place, which could have detected the firewall breach much sooner." In other words, they weren't trying hard enough - maybe not at all.

Here are a few takeaways:

  • The HIPAA security rule is just as potent as the HIPAA privacy rule. Failure to comply with the security rule won't be excused just because there was no actual loss of privacy.
  • You have to try. The security rule is written in relative rather ...
More ACA FAQs: Mini-Med Plans and Clinical Trials
By: Jason Lacey

We are now up to Part XV of the tri-agency FAQs providing guidance on various ACA-related issues.

The most important guidance in these FAQs relates to the treatment of mini-med plans that obtained a waiver from the prohibition on annual limits. But the FAQs also acknowledge, in so many words, that there are some issues on which further guidance simply will not be provided before 2014, so we're going to have to use our best judgment.

Changing the Plan Year on Mini-Med Plans. Employers and insurance carriers offering mini-med plans were required to obtain a waiver from the prohibition on annual limits. Under the waiver program, plans were allowed to continue until the end of the plan year ending in 2014. Creative employers and carriers began exploring whether they could change their plan years now and effectively extend the waiver through most of 2014. For example, a plan with a plan year ending June 30 might change to a plan year ending November 30 and rely on the waiver until November 30.

These FAQs provide, unequivocally, that a change in the plan year will not be effective to extend a plan's waiver. The waiver only applies until the end of the plan year ending in 2014, based on the plan year the plan was using when it applied for the waiver.

In other words, nice try.

Why would this matter? Well, it now appears that mini-med coverage extending into 2014 will be sufficient to allow employers with fiscal year plans to avoid some of the ...

New SBC Guidance and Templates
By: Jason Lacey

The latest set of Affordable Care Act FAQs (Part XIV) announces the release of updated templates for the SBC and uniform glossary. The updated templates are designed to provide employers and insurers with tools to comply with the SBC requirement for the second year of applicability.

Note that many fiscal-year plans may not yet have begun their first year of applicability for the SBC requirement, which essentially begins with the first open-enrollment period beginning on or after September 23, 2012.

Limited Template Changes. The updated templates reflect only two significant changes. They add language for describing whether the coverage does (or does not) provide minimum essential coverage (MEC), and they add language for describing whether the coverage does (or does not) provide minimum value (MV). There is no change in the language describing whether benefits are (or are not) subject to annual limits, and the template keeps the same two coverage examples (childbirth and diabetes).

Extended Enforcement Relief. Perhaps the most significant guidance in the FAQs is an extension of much of the helpful enforcement relief that was provided through previous FAQs. For example:

  • Compliance emphasis. IRS, DOL, and HHS will continue to emphasize "assisting (rather than imposing penalties on) plans, issuers and others that are working diligently and in good faith to understand and come into compliance with the new law" (Part VIII, Q2) and "will not impose penalties on plans and issuers that are working diligently and in good faith to comply" (Part IX, Q8).
PPACA Waiting Period Rules: 90 Days Means 90 Days
By: Jason Lacey

HHS, DOL, and IRS recently proposed regulations interpreting the health care reform mandate limiting health plan waiting periods to no more than 90 days. The guidance is fairly straightforward, but does not include one clarification we were anticipating: 3 months cannot be used as a substitute for 90 days. 90 days means 90 days. Period.

What is a waiting period? Under the rules, a waiting period is any period of time that must pass before coverage may become effective for anyone who has otherwise satisfied the plan's eligibility criteria. Eligibility criteria that are based solely on the lapse of a time period count as part of the waiting period. So, for example, if a plan requires employees to work in a particular job classification to be eligible for coverage, time spent working in an ineligible job classification does not count as a waiting period, and the 90-day period may be imposed once an employee moves to an eligible job classification. But if a plan merely requires 60 days of full-time employment to become eligible, those 60 days of employment count toward the waiting period, so another 90 days may not be imposed.

Variable-hour employees. We know from the regulations on the look-back measurement method (see coverage here) that we may need some time (up to 12 months or so) to determine whether a variable-hour employee meets an eligibility requirement relating to average hours worked. These proposed regulations clarify that the period during which a variable-hour employee's hours of service are being measured ...

What Is the Deadline for Updating Business Associate Agreements?
By: Jason Lacey

All covered entities and business associates will need to review their business associate agreements in light of the new final HIPAA regulations (see prior coverage here). The new rules are effective March 26, 2013, with a general compliance deadline of September 23, 2013. So what is the deadline for reviewing and updating a business associate agreement?

Transition Rule. Under a transition rule in the new regulations, covered entities and business associates (and business associates and their subcontractors) may continue to operate under certain existing agreements for up to one year beyond the general compliance date of September 23, 2013.

There are two conditions for this rule:

(1) Already in existence. A written business associate agreement must have been in existence on January 25, 2013 (the date the new final rule was released) and must satisfy the requirements of the prior HIPAA rule.

(2) Not renewed or modified. The business associate agreement must not be renewed or modified between March 26, 2013 and September 23, 2013.

If these conditions are satisfied, the agreement will be deemed to satisfy the new rules until the earlier of (i) the date the agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. In other words, if these conditions are met, covered entities and business associates will have until as late as September 22, 2014 to update their agreements to comply with the final rule.

Evergreen Agreements. This transition rule is available for agreements that automatically renew between March 26, 2013 and September 23, ...

New ACA FAQ Guidance Addresses Cost Sharing, Preventive Care, and Expatriate Plans
By: Jason Lacey

Two more sets of tri-agency FAQs have been released, providing additional interpretive guidance on the Affordable Care Act. They are Part XII and Part XIII in the series.

Cost-Sharing Limitations. Part XII includes two important clarifications on the cost-sharing limitations that will apply to group health plans beginning in 2014.

(1) Deductible. The rule that limits the annual deductible under a plan to $2,000 for self-only coverage and $4,000 for family coverage will apply only to non-grandfathered plans in the individual and small-group markets. Grandfathered plans and large-group plans will be permitted to impose higher deductibles. This may be important for large-group plans that want to offer an option with a high deductible that meets the minimum requirements for a 60% actuarial value plan.

(2) Out-of-pocket maximum. The rule that limits overall cost-sharing under a plan to $5,000 for self-only coverage and $10,000 for family coverage will apply to all non-grandfathered plans. So even large-group plans will be limited.

Preventive Care. Part XII also provides detailed guidance on miscellaneous issues related to the requirement for non-grandfathered plans to offer preventive-care services without cost-sharing. Some highlights:

(1) Out-of-network services. Plans generally are permitted to impose cost-sharing with respect to preventive-care services obtained out of network. However, if a service that is required to be covered by the plan is not available through any in-network provider, the plan must cover the out-of-network service without cost-sharing.

(2) Over-the-counter items. Some of the covered preventive-care items include over-the-counter drugs and devices, such as aspirin. A plan is only ...

The Landscape Becomes Clearer for State Insurance Exchanges
By: Jason Lacey

Employers are not directly affected by the establishment of state insurance exchanges under health care reform, but understanding the exchange landscape helps clarify the bigger picture of health care reform and how employers fit within that.

So here's where we are today: The deadline ran last Friday for states to file applications to run an exchange in partnership with the federal government for 2014. Some did that, but as I've written about previously (here), the response has been underwhelming. States that do not have their own exchanges and do not partner with the federal government will default to having a federally facilitated exchange. 

The Kaiser Family Foundation has an interesting graphic (here) that illustrates what's going on in each state. It reflects that only 17 states (plus the District of Columbia) will run their own exchanges, 7 states will have partnership exchanges, and 26 states will default to the federal exchange.

Depending on your political view, that's either a good first step toward national uniformity in the health insurance market or a lot of federal involvement.

Either way, a lot of questions remain, including whether and how these exchanges will be fully functional by October (when they need to begin enrollment for 2014) and what the exchange interface will look like. The federal government continues to believe it is on track (see here), but there is a lot of ground to cover between now and then.

Agencies Propose Changes to Contraception Mandate for Religious Employers
By: Jason Lacey

The IRS, DOL, and HHS have proposed two key changes in the rules that exempt certain religious employers from complying with the mandate to cover all FDA-approved contraception and sterilization procedures for women (see proposed rules here). 

1. Definition of Religious Employer

Employers that are "religious employers" are wholly exempt from compliance with the mandate. The new rules would modify the definition of religious employer slightly. The definition would still be limited to houses of worship (churches, synagogues, mosques, and the like) and religious orders. But the change would clarify that those organizations will not fail to be religious employers even if they also provide educational, charitable, or social services, without regard to whether the persons served share the same religious values.

Example. A church with a parochial school that employs teachers or serves students who are not necessarily of the same religious faith may still qualify as a religious employer.

2. Broader Accommodation for Non-Profit Religious Organizations

A non-profit organization that is not a church or religious order but that meets specified criteria would be provided an "accommodation" exempting the organization from directly providing contraceptive coverage. The criteria are:

  • The organization opposes some or all of the required contraceptive coverage on religious grounds
  • The organization is a non-profit entity
  • The organization holds itself out as a religious organization
  • The organization self-certifies that it meets the first three criteria

This change is intended to exempt organizations such as religious-affiliated non-profit institutional health care ...

HHS Has Updated Its Sample Business Associate Agreement
By: Jason Lacey

The updated sample agreement is here. It reflects changes in the HIPAA privacy, security, and breach-notification rules made by the final omnibus regulation (prior coverage here).

The template is a helpful starting point for drafting and reviewing business associate agreements in light of the new rules. Although it does not purport to address all issues that might merit consideration in an agreement, health plans, brokers, TPAs, and other covered entities or business associates will want to be familiar with it, if for no other reason than it is likely to form the backbone of many standard BAA templates.

Reminder: The final omnibus rule is effective March 26, 2013, with a general compliance date of September 23, 2013. 

New Health Care Reform FAQs Answer Some Questions and Raise Others
By: Jason Lacey

The IRS, DOL, and HHS have released their 11th series of FAQs (here) addressing various issues related to health care reform implementation.

Exchange Notice Requirement. In a helpful clarification, the agencies confirmed that employers will not have to provide a notice to employees regarding insurance exchanges until “regulations are issued and become applicable.” By statute, the notice is required to be distributed by March 1, 2013. This guidance effectively allows employers to delay compliance until further notice.

Stand-Alone HRAs. Three of the FAQs address issues related to health reimbursement arrangements (HRAs). The technical clarifications are as follows:

(1) An HRA cannot be treated as “integrated” with individual insurance coverage.

(2) An HRA can only be treated as “integrated” with major-medical coverage if participation in the HRA is conditioned on being enrolled in that major-medical coverage.

(3) Most amounts credited to an HRA before January 1, 2014, will continue to be available for reimbursements on and after January 1, 2014 without causing the HRA to violate the annual-limit rules under Section 2711 of the Public Health Service Act.

While all of this seems straightforward enough, the proverbial elephant in the room is the fundamental question whether stand-alone HRAs will be deemed to violate the prohibition against annual and lifetime limits under Section 2711 of the Public Health Service Act. These FAQs are the strongest indication yet that future guidance will say they do violate the prohibition, effectively eliminating stand-alone HRAs. 

Plan sponsors that maintain stand-alone HRAs - or are considering implementing one for 2014 - will want      Continue Reading...

What's Up With This Transitional Reinsurance Fee Anyway?
By: Jason Lacey

A fundamental insurance-market reform under the Affordable Care Act is that, beginning in 2014, insurance carriers that want to sell individual policies will be required to make those policies available to all applicants (guaranteed issue) and will be required to set the premiums for those policies based on a "community" rating, with variations based only on the tier of coverage purchased (individual or family), age of the insured, geographic area, and tobacco use by the insured. This is intended to ensure that individuals have access to health insurance without regard to health factors that might otherwise make insurance prohibitively expensive or simply unavailable.

That all sounds pretty good, unless you're the insurance carrier trying to figure out how to absorb the additional risks associated with having to cover people at a set price without regard to how much health care expense they may consume. But the Affordable Care Act makes some provision for them too. For 2014, 2015, and 2016, there will be a transitional reinsurance program through which insurers may offload some of the additional risk assumed in connection with these policies. And it's a pretty big program - $12 billion in 2014, $8 billion in 2015, and $5 billion in 2016.

So who's going to pay for that? Answer: Group health plans.

Beginning in 2014, group health plans will be required to pay a fee for each individual covered under the plan that will be used to fund the transitional reinsurance program. The fee is paid once a year. Plans will      Continue Reading...

Comprehensive Final HIPAA Regulation Released
By: Jason Lacey

HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules.

Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.

Compliance Date. The advance copy of the regulation runs 563 pages, so there is considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.

Some Key Points. Here are a few key points to understand about the final rules:

1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.

2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.

3. The standard for breach notification has changed. Under current rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if there is a substantial risk of harm from the breach. That “harm” standard has been replaced. There is now a presumption      Continue Reading...

Health Care Reform Timeline on HHS Website
By: Jason Lacey

HHS has posted a health care reform timeline to its website (here). Although it covers more than just the employer-related features of the law - and, in fact, doesn’t directly address all of the group health plan mandates and other issues affecting employers - it provides a helpful overview if you want to quickly see what’s been implemented already or what’s yet to come.

See also: Health Care Reform Calendar (covering August 1, 2012 through July 31, 2013)

HHS Shows Some Leniency in Recent HIPAA Settlement
By: Jason Lacey

HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.

Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.) 

The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the government's radar just because there is no separate notification requirement.

Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future.

The Resolution Agreement indicates that once the covered      Continue Reading...

HHS Releases List of Conditionally Approved State Insurance Exchanges
By: Jason Lacey

HHS has released a list of the state insurance exchanges that have received conditional approval for operation in 2014 (with open enrollment beginning in October 2013) - and the list is short.

States receiving conditional approval for state-based exchanges:

  1. Colorado
  2. Connecticut
  3. District of Columbia 
  4. Kentucky
  5. Maryland
  6. Massachusetts
  7. Minnesota
  8. New York
  9. Oregon
  10. Rhode Island
  11. Washington

States receiving conditional approval for state partnership exchanges:

  1. Delaware

This could leave as many as 39 states (including Kansas) in which qualified health plans will be available in 2014 only through a federally facilitated exchange.

States still have until February 15, 2013 to file declaration letters and applications to establish a state partnership exchange.

For additional background on exchanges and exchange implementation, see here, here, and here.

Proposed Regulations Sketch Out Framework for Identifying Essential Health Benefits
By: Jason Lacey

New proposed regulations from HHS have outlined a framework for identifying the package of "essential health benefits" (EHB) that must be offered by certain health plans beginning in 2014.

Affected Plans. The plans directly affected by the rules include "qualified health plans" (or "QHPs") that will be offered through an exchange, and any other non-grandfathered individual and small-group insurance policies, whether or not offered through an exchange.

Defining Essential Health Benefits. Rather than defining a package of essential health benefits that must be covered by all affected plans, the regulations propose that essential health benefits be determined on a state-by-state basis by reference to an "EHB-benchmark plan" identified by each state (or identified by default, if the state does not make an affirmative designation). The benchmark plan may be selected from one of the following:

  1. The largest plan by enrollment in any of the 3 largest small-group insurance products in the state.
  2. Any of the largest 3 state employee health benefit plans by enrollment.
  3. Any of the largest 3 national health plan options available to Federal employees under the Federal Employees Health Benefit Program.
  4. The largest insured commercial HMO operating in the state.

An Appendix to the proposed regulations lists, for each state, the plan that the state has already designated as its benchmark plan or that will be the default plan, if the state does not make an affirmative designation.

List of Largest State Small-Group Products. Earlier this year, HHS      Continue Reading...

Agencies Release Joint Proposed Regulation on Wellness Plans
By: Jason Lacey

The IRS, DOL, and HHS have issued a joint proposed regulation addressing wellness plans and the wellness exception to the HIPAA nondiscrimination rules. 

Background. Section 2705 of the Public Health Service Act, as added by the Affordable Care Act, provides statutory affirmation of the wellness-plan rules that have existed by regulation for several years as part of the HIPAA nondiscrimination rules (rules that prohibit, among other things, discrimination on the basis of health factors). It also gives the relevant governmental agencies (IRS, DOL, and HHS) express authority to issue further rules on wellness plans that increase the permissible reward or penalty to as much as 50% of the cost of associated health-plan coverage.

Proposed Regulations. The proposed regulations largely follow the structure of the existing wellness-plan regulations, requiring, among other things, that wellness programs requiring a particular health outcome (e.g., smoking cessation, biometric screening results, minimum BMI, etc.) provide reasonable alternatives and limit the reward or penalty offered or imposed in connection with the plan. However, there are a couple of points worth highlighting:

  • Participation v. Health-Contingent. The proposed regulations label wellness programs as either "participatory" or "health-contingent." It is only the health-contingent programs that are subject to more rigorous regulation under the proposed rules. Participatory programs include fitness-club memberships, general health education, and other similar programs that do not provide for a reward or include any conditions based on satisfying a standard related to a health factor.
  • Size of Reward. The requirements that must      Continue Reading...

Government Wins a Round on the Contraception Mandate
By: Jason Lacey

In the tally of recent cases involving the women’s health preventive-care mandate and for-profit employers (see, for example, here, here, and here), mark one down in the government’s column.  Earlier this week, a federal court in Oklahoma ruled against Hobby Lobby (prior coverage here), concluding that the company (as distinct from its owners) did not have religious views or freedoms that would be infringed by enforcement of the mandate.

Hobby Lobby has already appealed the decision to the Tenth Circuit Court of Appeals, so we may soon have a higher court weighing in on the issue.

Additional coverage of both the decision and the appeal is available here and here.

HHS Grants 11th Hour Second Extension of State Exchange Deadline
By: Jason Lacey

In a letter from HHS Secretary Kathleen Sebelius released late yesterday, HHS has given states another month to file the Declaration Letter necessary to show their intent to establish a state-based insurance exchange for 2014. The deadline is now December 14, 2012. A state's Blueprint Application for a state-based exchange will be due at the same time.

The original deadline for filing both the Declaration Letter and the Blueprint Application was November 16, 2012 (see here).

Last week, HHS extended the deadline for filing the Blueprint Application to December 14, 2012, but left the November 16 deadline in place for the Declaration Letter (see here).

HHS also previously extended until February 15, 2013 the deadline for filing a Declaration Letter and Blueprint Application for states that want to establish state partnership exchanges, rather than full-blown state-based exchanges (see here). That deadline remains in place.

HHS Extends Deadlines for States to Make Exchange Decisions
By: Jason Lacey

HHS has released a fact sheet extending a key deadline for states to take the steps necessary to establish either a state-based insurance exchange or a state partnership exchange. This modifies the timetable set out in HHS's previously released Blueprint for establishing an insurance exchange (see coverage here). The highlights:

  • State-Based Exchange. To create a state-based exchange, states still must file a Declaration Letter by November 16, 2012, but they will now have until December 14, 2012 to complete the required Blueprint Application.
  • State Partnership Exchange. To create a state partnership exchange, states have until February 15, 2013 to file a Declaration Letter and Blueprint Application. They must indicate in those documents what roles they intend to fill in the partnership exchange (plan management functions, consumer assistance functions, or both).
  • 2015 Deadlines. States that want to adopt a different exchange model for 2015 than they use in 2014 must submit a Declaration Letter by November 18, 2013 and a Blueprint Application by December 16, 2013.

Kansas Governor Sam Brownback recently affirmed his position that Kansas will not participate in the exchange system at any level for 2014 (his signature is necessary for the state to file a Declaration Letter), so Kansas residents will be covered by a federally facilitated exchange for 2014, absent a change in position before the February 15, 2013 deadline to apply for a state partnership exchange.

Bible Publisher Files Lawsuit Over Contraception Mandate
By: Jason Lacey

In the ongoing saga over the contraception rules under health care reform's preventive-care mandate (see prior coverage here and here), the Washington Times has a recent article reporting that a for-profit Bible publisher is suing to obtain relief from the law. It claims it is a "religious employer" and should be exempt from the requirement to provide free access to contraception. HHS's regulations limit the religious-employer exemption to non-profit organizations engaged in ecclesiastical functions (essentially houses of worship) and, thus, categorically deny exemption for any for-profit employer.

This aspect of health care reform has proven especially controversial and contentious, because it touches on two hot-button issues: (1) the line between government regulation and religious freedom, and (2) the ability of women to access certain health-care products and services. Given the battle lines that have been drawn already, the issues seem unlikely to be resolved soon.

HHS Settles Another HIPAA Enforcement Matter for $1.5 Million
By: Jason Lacey

HHS continues to show it is serious about investigating and enforcing breaches of the HIPAA privacy and security rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic PHI. The two organizations reported the theft to HHS, as required by the HITECH breach-notification rule.

In its news release, HHS had particularly stringent things to say about the covered entities' security practices.

  • "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."
  • "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."
  • "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.

A few takeaways:

  1. This case happened to involve a medical provider and a research organization, but nothing      Continue Reading...

IRS, DOL, and HHS Issue Joint Guidance on 90-Day Waiting Period Limitation Under PPACA
By: Jason Lacey

Notice 2012-59 provides guidance on the requirement under Section 2708 of the Public Health Service Act (added by PPACA) that a group health plan not apply any waiting period that exceeds 90 days. The rule applies for plan years beginning on or after January 1, 2014.

Among the clarifications offered by the guidance:

  • Definition of Waiting Period. A "waiting period" is defined as a period of time that must pass before coverage can become effective for an individual who is otherwise eligible to enroll under a plan. Eligibility conditions based solely on the lapse of time cannot exceed 90 days, but other eligibility conditions (e.g., working full time or working in a covered job classification) are permissible, even if they have the effect of excluding an individual from coverage under the plan for more than 90 days.
  • Determining Full-Time Status for Variable-Hour Employees. If a plan limits coverage to full-time employees, it may take a reasonable period of time to determine whether a newly hired employee meets the full-time standard, if it is not clear on the date of hire that the employee will work the required number of hours (e.g., 30 hours per week). In general, this determination must be made within a year after the employee is hired, and if the employee satisfies the eligibility requirements, coverage must be offered beginning within 13 months after the date of hire. Otherwise, the plan may be treated as indirectly avoiding the 90-day-waiting-period requirement.

This notice      Continue Reading...

HHS Provides Enforcement Safe Harbor for Claim-Denial Notices by Governmental Plans
By: Jason Lacey

The Department of Health and Human Services (HHS) has issued an enforcement safe harbor relating to the content of benefit-claim denial notices issued by non-federal governmental health plans.

Under health care reform, all non-grandfathered group health plans are required to follow the DOL's rules and regulations regarding the content of notices of adverse benefit determinations. Among other things, those rules require providing (1) a statement about a participant's right to bring suit under ERISA, and (2) contact information for the federal Employee Benefits Security Administration (EBSA) or a state insurance department.

Non-federal governmental plans are not subject to ERISA, so participants do not have the right to sue under ERISA to seek recovery of benefits. In addition, participants in non-federal governmental plans are not provided services by the EBSA, because they do not have rights under ERISA. 

The enforcement safe harbor clarifies that non-federal governmental plans can exclude ERISA right-to-sue language and EBSA contact information from their benefit-denial notices and they will not be treated as violating the health-care-reform mandates. Contact information is not required to be provided for a state insurance department either, unless the plan actually uses an insurance policy issued by a carrier subject to regulation by a state insurance department.

There are some nuances to the safe harbor, so HHS's notice should be carefully reviewed by any non-federal governmental plan intending to rely on the safe harbor. But on the whole this should come as a welcome (and practical) clarification for affected plans.

HHS Clarifies Enforcement Safe Harbor for Contraceptive Coverage
By: Jason Lacey

HHS has updated its enforcement safe harbor relating to required contraceptive coverage and non-profit organizations that object to such coverage for religious reasons. The updated safe harbor clarifies three items:

  1. The safe harbor is available to non-profit organizations with religious objections to some but not all contraceptive coverage.
  2. Organizations that took some action as of February 10, 2012 that was intended to limit or exclude contraceptive coverage but that was unsuccessful are not, solely for that reason, precluded from relying on the safe harbor.
  3. Organizations that are not sure whether they qualify for the broader religious-employer exemption may utilize the safe harbor without prejudicing their ability to rely on the religious-employer exemption in the future.

With regard to item 1, the specific language of the revised notice says that since February 10, 2012, the plan must have "consistently not provided all or the same subset of the contraceptive coverage otherwise required at any point . . . ." Although this language will not win any awards for clarity, it appears to mean that the safe harbor is not an all-or-nothing rule. An employer may be able to offer some types of contraceptive coverage but exclude others on religious grounds and remain within the safe harbor.

With regard to item 2, the guidance does not provide any examples of situations where, despite its best efforts, an employer might be unable to exclude contraceptive coverage. Perhaps it contemplates a case such as one where      Continue Reading...

HHS Releases "Blueprint" for Approval of Insurance Exchanges
By: Jason Lacey

The Department of Health and Human Services (HHS) has released a "Blueprint" describing the process by which states must apply to obtain approval to operate an insurance exchange beginning in 2014. The document also details the features and activities an exchange will be required to offer.

Although the finer points of this document are primarily of interest to states that will be seeking to operate an exchange (either alone or in partnership with the federal government), it provides employers some sense of how and when the exchanges will come together. Among the highlights:

  • There are three exchange models: (1) state-based exchanges (operated largely by the states); (2) state partnership exchanges (operated largely by the federal government but with some state involvement); and (3) federally facilitated exchanges (operated almost exclusively by the federal government).
  • States wanting to participate under any of these models must receive approval or conditional approval from HHS by January 1, 2013. A "declaration letter" and "exchange application" must be submitted no later than November 16, 2012.
  • An exchange must be operational for an open-enrollment period beginning October 1, 2013.
  • Required exchange activities will include (1) providing consumer support for coverage decisions; (2) facilitating eligibility determinations for individuals; (3) providing for enrollment in qualified health plans (QHPs); (4) certifying health plans as QHPs; and (5) operating a Small Business Health Options Program (SHOP).

From this we can see that the exchange landscape will be better defined by      Continue Reading...

HIPAA Privacy and Security Enforcement Heats Up for Health Plans: Even States Aren't Exempt
By: Jason Lacey

The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.

The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.

To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.

Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to      Continue Reading...

HHS Updates MLR Guidance
By: Jason Lacey

The Department of Health and Human Services (HHS) has issued three new Q&As updating its guidance on the medical loss ratio (MLR) rules. Although the guidance is directed primarily at insurance carriers, it provides some helpful information to employers and participants in insured group health plans about new notices they may be receiving in the near future.

  • For plans that will be receiving MLR rebates, the carrier must provide a rebate notice to all "subscribers," which includes all current plan participants. Those participants should be receiving notices on or before August 1, 2012.
  • For insurers that meet the MLR standard, a notice to that effect must be provided to all plan participants with the first "plan document" distributed on or after July 1, 2012. The guidance clarifies that the notice may be provided separately (i.e., distributed before any plan documents are distributed). The guidance also provides examples of documents that constitute "plan documents" for this purpose.

For our prior coverage of MLR rebates and the important considerations that apply under ERISA if and when a rebate is received, click here.

HHS Releases Audit Protocol for HIPAA Audits
By: Jason Lacey

The federal Department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules. The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.

There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:

  • Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."
  • Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals'      Continue Reading...
