Earlier this year, HHS published a final rule amending HIPAA’s Privacy, Security, Breach Notification and Enforcement Rules that affects HIPAA-covered entities and business associates alike.
Business Associates and Business Associate Agreements
The final rule both expands the definition of “business associate” to include subcontractors, certain vendors to group health plans and entities that store protected health information (“PHI”), and makes all business associates directly liable for compliance with HIPAA’s administrative, physical and technical safeguard standards. Business associates that use subcontractors or other similar vendors must now enter into business associate agreements with their subcontractors or vendors to ensure that all PHI remains protected.
The final rule permits covered entities and business associates to take advantage of a transition period to determine whether any changes need to be made to existing business associate agreements. If a business associate agreement existed before Jan. 25, 2013, complied with HIPAA’s rules in effect at that time and has not been renewed or modified as of Sept. 23, 2013, that agreement will be deemed to comply with the final rule until the later of the date the agreement is modified or renewed or Sept. 22, 2014. HHS has posted a revised model business associate agreement that covered entities and business associates can use for this purpose.
The final rule has also tightened the requirement for a breach notification. For comparative purposes, a breach notification was required if there was a significant risk that harm would result from the breach. Now, under the final rule, if PHI is used or disclosed in violation of the Privacy Rule, the PHI is presumed to be compromised and a breach notification is required unless an exception applies (e.g., the PHI is recovered before it could have been seen or accessed by the unintended recipient). To rebut this presumption, a group health plan or business associate must establish that there is a low probability that the PHI was compromised by assessing the risk that the PHI was compromised, using a minimum of the following objective factors:
- The nature and extent of the PHI involved;
- The unauthorized person who used or accessed the PHI, or to whom the PHI was disclosed;W
It is important to note that no breach notification is necessary for secured electronic PHI, and electronic PHI will be considered secured if it is encrypted.
Notices of Privacy Practices
The final rule requires group health plans to review their notices of privacy practices to ensure that they include statements to the effect that:
- Individuals will be notified of a breach of unsecured PHI;
- Written authorization will generally be required for marketing purposes, disclosures of PHI that constitute a sale of PHI, and the disclosure of psychotherapy notes (if applicable);s
- Uing or disclosing PHI that is genetic information is prohibited for underwriting purposes; and
- If a covered entity contacts individuals for fundraising purposes, individuals can opt out of receiving such materials.
Notices of privacy practices, to the extent they do not already do so, must be revised and posted on the plan’s website or intranet by Sept. 23, 2013 and hard copies must be provided in the plan’s next annual mailing. If a plan does not have a website or intranet, it must provide hard copies of the revised notice within 60 days of Sept. 23, 2013.
ACA-Mandated Participant Communications
Summary of Benefits and Coverage
Plan administrators of self-insured group health plans and health insurance issuers of fully insured group health plans must continue to provide a Summary of Benefits and Coverage (“SBC”) to participants and beneficiaries. Although SBCs generally must be provided to new hires and upon request, the SBC must also be distributed during open enrollment for the next plan year. For most calendar year plans, open enrollment occurs during October. The Departments have issued an updated template that now requires plan administrators and health insurance issuers to disclose whether their plans provide minimum essential coverage and meet the minimum value standard for the benefits provided (i.e., the plans’ share of the total allowed cost of benefits provided under the plans is at least 60 percent of such cost). If plan administrators and health insurance issuers cannot fit this new information within the eight-page form, they can include it in a cover letter to the SBC. In addition, the Departments have stated that they will extend the enforcement relief that applied during the first year of applicability to this second year of compliance. This means that for this next plan year, the Departments will not impose penalties on plans and issuers that work diligently and in good faith to provide the SBC in a manner that complies in both form and content with the final regulations.
Notice of Health Insurance Exchanges
It is estimated that more than seven million Americans will enroll in the state exchanges in October 2013. Under the Affordable Care Act, employers (of all sizes) that are subject to the Fair Labor Standards Act must provide a notice of health coverage options to each employee, regardless of the employee’s enrollment status in the employer’s health plan or whether the employee is a part-time or full-time employee. The Department of Labor has clarified that employers are not required to provide a separate notice to dependents or other individuals who are, or may be, eligible for coverage under the employer’s plan but who are not employees (e.g., spouses). The notice must provide an overview of both the Health Insurance Marketplace, or “exchange,” as well as the health coverage offered by the employer.
“The Departments have issued an updated template that now requires plan administrators and health insurance issuers to disclose whether their plans provide minimum essential coverage and meet the minimum value standard for the benefits provided.”
Beginning Oct. 1, 2013, employers must provide the notice to employees at the time of hiring. The notice can be distributed by the employer’s insurer or third-party administrator. For employees hired prior to Oct. 1, 2013, employers must provide the notice no later than Oct. 1, 2013. For employees hired on and after Oct. 1, 2013, the Department of Labor will consider an employer to have timely provided the notice if it is provided within 14 days of an employee’s start date.
The Department of Labor has issued a model notice that employers can rely on and has stated that the notice can be provided by first-class mail or electronically if the requirements of the Department of Labor’s electronic disclosure safe harbor rule are met. The DOL has confirmed that a third party can distribute the notice in satisfaction of the employer’s disclosure obligation. Alternatively, plan sponsors (of both single and multiemployer plans) may choose to draft their own notice to be used in place of the model notice that the DOL has provided or include a cover letter with the DOL’s model notice.
Revised COBRA Notices
All COBRA Notices will need to be revised to include information that employees and dependents who lose coverage due to a qualifying event under COBRA are eligible to purchase coverage on an the Health Insurance Exchange. ACA Implications for Plan Years Beginning in 2014 and Beyond
Plan sponsors of group health plans should be aware of the following provisions of the Affordable Care Act that may impact their plans in the coming years:
Delay of Employer Penalty and Associated Reporting Requirements
Under the Affordable Care Act, “large” employers (employers with 50 or more full-time equivalent employees) may face a penalty if they do not offer a health plan for their employees, or if they offer a health plan that does not provide minimum value or is “unaffordable” (e.g., an employee’s share of the premium for employee-only coverage exceeds 9.5 percent of the employee’s household income, determined using a safe harbor such as the employee’s W-2 wages). An employee is generally considered to be a “full-time” employee if he or she works an average of 30 or more hours of service per week).
Earlier this year, the Obama Administration announced that it will delay the implementation of the employer penalty and its associated reporting requirements until 2015. The penalty and reporting requirements were initially scheduled to take effect for plan years beginning on or after Jan. 1, 2014. The delay does not affect any other provision of the Affordable Care Act and plan sponsors must therefore continue to prepare to comply with the new requirements.
Requirement to Offer Dependent Coverage
Large employers that currently do not offer coverage to dependent children up to age 26 must take steps to do so during the 2014 plan year, and offer such coverage during the 2015 plan year, or potentially face a penalty beginning in 2015.
90-Day Waiting Periods
Effective for plan years beginning on or after Jan. 1, 2014, group health plans cannot apply “waiting periods” in excess of 90 days. A “waiting period” is defined as the period of time that must pass before coverage for an eligible employee or dependent becomes effective.
Removal of Pre-Existing Condition Exclusions
Effective Jan. 1, 2014, group health plans and individual health insurance coverage cannot impose any preexisting condition exclusions. Currently, group health plans and group and individual health insurance coverage cannot impose pre-existing condition exclusions on individuals under age 19.
Earlier this summer, the IRS and the Treasury issued a final rule implementing PPACA’s “individual mandate.” This final rule largely tracks the proposed rule, which the IRS and the Treasury issued in January 2013. The individual mandate provision of PPACA requires nonexempt individuals to maintain minimum essential coverage for each month of the year or pay a penalty; the amount of the monthly penalty for 2014 (due with individuals’ tax returns filed in 2015) will generally be the greater of 1/12 of $95 per adult and $47.50 per child (up to a maximum of $285 per family) or one percent of the individual’s household income. The penalty is phased in through 2016 to a maximum of $695 per adult ($2,085 maximum per family) or 2.5 percent of income, if greater. After 2016, the maximum penalty will be adjusted for cost of living.
Essential Health Benefits
Effective Jan. 1, 2014, fully insured group health plans and health plans offered through state exchanges must offer the “essential health benefits package.” The essential health benefits package limits cost-sharing and provides certain levels of coverage.
The Departments have tasked states with the responsibility of defining the specific benefits that will constitute essential health benefits; for reference, New York has chosen the Oxford EPO plan, which is the largest small-group plan in the state, as its benchmark plan for purposes of determining the essential health benefits package.
“It is estimated that more than seven million Americans will enroll in the state exchanges in October 2013.”
Essential Health Benefit Categories
At a minimum, essential health benefits must include:
- Ambulatory patient services;
- Emergency services;
- Maternity and newborn care;
- Mental health and substance use disorder services, including behavioral health treatment;
- Prescription drugs;
- Rehabilitative and habilitative services and devices;
- Laboratory services;
- Preventive and wellness services and chronic disease management; and
- Pediatric services, including oral and vision care
No Annual Limits
For plan years beginning on and after Jan. 1, 2014, group health plans can no longer impose annual limits on the dollar value of essential health benefits offered under the plan.
Effective Jan. 1, 2014, group health plans can increase their wellness incentives from the current level of 20 percent of premium costs to 30 percent of premium costs.
Nondiscrimination for Fully Insured Health Plans
PPACA extends the current requirement that self-insured plans not discriminate in favor of highly compensated individuals as to fully insured plans. This requirement, however, has been delayed pending further regulations from the IRS which will detail the specifics of the rule. The rule is expected to become effective beginning the first plan year after such regulations are issued.
Excise Tax on Cadillac Plans
Effective Jan. 1, 2018, high-cost, or “Cadillac,” health plans will be assessed a 40 percent nondeductible excise tax on the value of health coverage that exceeds $10,200 for an individual and $27,500 for a family, indexed for inflation. Insurers of fully insured plans will be responsible for the payment of the tax