The latest set of Affordable Care Act FAQs (Part XIV) announces the release of updated templates for the SBC and uniform glossary. The updated templates are designed to provide employers and insurers with tools to comply with the SBC requirement for the second year of applicability.

Note that many fiscal-year plans may not yet have begun their first year of applicability for the SBC requirement, which essentially begins with the first open-enrollment period beginning on or after September 23, 2012.

Limited Template Changes. The updated templates reflect only two significant changes. They add language for describing whether the coverage does (or does not) provide minimum essential coverage (MEC), and they add language for describing whether the coverage does (or does not) provide minimum value (MV). There is no change in the language describing whether benefits are (or are not) subject to annual limits, and the template keeps the same two coverage examples (childbirth and diabetes).

Extended Enforcement Relief. Perhaps the most significant guidance in the FAQs is an extension of much of the helpful enforcement relief that was provided through previous FAQs. For example:

• Compliance emphasis. IRS, DOL, and HHS will continue to emphasize "assisting (rather than imposing penalties on) plans, issuers and others that are working diligently and in good faith to understand and come into compliance with the new law" (Part VIII, Q2) and "will not impose penalties on plans and issuers that are working diligently and in good faith to comply" (Part IX, Q8).
• Electronic distribution. The additional safe      Continue Reading...

HHS, DOL, and IRS recently proposed regulations interpreting the health care reform mandate limiting health plan waiting periods to no more than 90 days. The guidance is fairly straightforward, but does not include one clarification we were anticipating: 3 months cannot be used as a substitute for 90 days. 90 days means 90 days. Period.

What is a waiting period? Under the rules, a waiting period is any period of time that must pass before coverage may become effective for anyone who has otherwise satisfied the plan's eligibility criteria. Eligibility criteria that are based solely on the lapse of a time period count as part of the waiting period. So, for example, if a plan requires employees to work in a particular job classification to be eligible for coverage, time spent working in an ineligible job classification does not count as a waiting period, and the 90-day period may be imposed once an employee moves to an eligible job classification. But if a plan merely requires 60 days of full-time employment to become eligible, those 60 days of employment count toward the waiting period, so another 90 days may not be imposed.

Variable-hour employees. We know from the regulations on the look-back measurement method (see coverage here) that we may need some time (up to 12 months or so) to determine whether a variable-hour employee meets an eligibility requirement relating to average hours worked. These proposed regulations clarify that the period during which a variable-hour employee's hours of service are being measured      Continue Reading...

All covered entities and business associates will need to review their business associate agreements in light of the new final HIPAA regulations (see prior coverage here). The new rules are effective March 26, 2013, with a general compliance deadline of September 23, 2013. So what is the deadline for reviewing and updating a business associate agreement?

Transition Rule. Under a transition rule in the new regulations, covered entities and business associates (and business associates and their subcontractors) may continue to operate under certain existing agreements for up to one year beyond the general compliance date of September 23, 2013.

There are two conditions for this rule:

(1) Already in existence. A written business associate agreement must have been in existence on January 25, 2013 (the date the new final rule was released) and must satisfy the requirements of the prior HIPAA rule.

(2) Not renewed or modified. The business associate agreement must not be renewed or modified between March 26, 2013 and September 23, 2013.

If these conditions are satisfied, the agreement will be deemed to satisfy the new rules until the earlier of (i) the date the agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. In other words, if these conditions are met, covered entities and business associates will have until as late as September 22, 2014 to update their agreements to comply with the final rule.

Evergreen Agreements. This transition rule is available for agreements that automatically renew between March 26, 2013 and September 23,      Continue Reading...

Two more sets of tri-agency FAQs have been released, providing additional interpretive guidance on the Affordable Care Act. They are Part XII and Part XIII in the series.

Cost-Sharing Limitations. Part XII includes two important clarifications on the cost-sharing limitations that will apply to group health plans beginning in 2014.

(1) Deductible. The rule that limits the annual deductible under a plan to $2,000 for self-only coverage and $4,000 for family coverage will apply only to non-grandfathered plans in the individual and small-group markets. Grandfathered plans and large-group plans will be permitted to impose higher deductibles. This may be important for large-group plans that want to offer an option with a high deductible that meets the minimum requirements for a 60% actuarial value plan.

(2) Out-of-pocket maximum. The rule that limits overall cost-sharing under a plan to $5,000 for self-only coverage and $10,000 for family coverage will apply to all non-grandfathered plans. So even large-group plans will be limited.

Preventive Care. Part XII also provides detailed guidance on miscellaneous issues related to the requirement for non-grandfathered plans to offer preventive-care services without cost-sharing. Some highlights:

(1) Out-of-network services. Plans generally are permitted to impose cost-sharing with respect to preventive-care services obtained out of network. However, if a service that is required to be covered by the plan is not available through any in-network provider, the plan must cover the out-of-network service without cost-sharing.

(2) Over-the-counter items. Some of the covered preventive-care items include over-the-counter drugs and devices, such as aspirin. A plan is only      Continue Reading...

Employers are not directly affected by the establishment of state insurance exchanges under health care reform, but understanding the exchange landscape helps clarify the bigger picture of health care reform and how employers fit within that.

So here's where we are today: The deadline ran last Friday for states to file applications to run an exchange in partnership with the federal government for 2014. Some did that, but as I've written about previously (here), the response has been underwhelming. States that do not have their own exchanges and do not partner with the federal government will default to having a federally facilitated exchange. 

The Kaiser Family Foundation has an interesting graphic (here) that illustrates what's going on in each state. It reflects that only 17 states (plus the District of Columbia) will run their own exchanges, 7 states will have partnership exchanges, and 26 states will default to the federal exchange.

Depending on your political view, that's either a good first step toward national uniformity in the health insurance market or a lot of federal involvement.

Either way, a lot of questions remain, including whether and how these exchanges will be fully functional by October (when they need to begin enrollment for 2014) and what the exchange interface will look like. The federal government continues to believe it is on track (see here), but there is a lot of ground to cover between now and then.

The IRS, DOL, and HHS have proposed two key changes in the rules that exempt certain religious employers from complying with the mandate to cover all FDA-approved contraception and sterilization procedures for women (see proposed rules here). 

1. Definition of Religious Employer

Employers that are "religious employers" are wholly exempt from compliance with the mandate. The new rules would modify the definition of religious employer slightly. The definition would still be limited to houses of worship (churches, synagogues, mosques, and the like) and religious orders. But the change would clarify that those organizations will not fail to be religious employers even if they also provide educational, charitable, or social services, without regard to whether the persons served share the same religious values.

Example. A church with a parochial school that employs teachers or serves students who are not necessarily of the same religious faith may still qualify as a religious employer.

2. Broader Accommodation for Non-Profit Religious Organizations

A non-profit organization that is not a church or religious order but that meets specified criteria would be provided an "accommodation" exempting the organization from directly providing contraceptive coverage. The criteria are:

• The organization opposes some or all of the required contraceptive coverage on religious grounds
• The organization is a non-profit entity
• The organization holds itself out as a religious organization
• The organization self-certifies that it meets the first three criteria

This change is intended to exempt organizations such as religious-affiliated non-profit institutional health care providers, educational institutions, and charities from a direct requirement to provide contraceptive      Continue Reading...

The updated sample agreement is here. It reflects changes in the HIPAA privacy, security, and breach-notification rules made by the final omnibus regulation (prior coverage here).

The template is a helpful starting point for drafting and reviewing business associate agreements in light of the new rules. Although it does not purport to address all issues that might merit consideration in an agreement, health plans, brokers, TPAs, and other covered entities or business associates will want to be familiar with it, if for no other reason than it is likely to form the backbone of many standard BAA templates.

Reminder: The final omnibus rule is effective March 26, 2013, with a general compliance date of September 23, 2013. 

The IRS, DOL, and HHS have released their 11th series of FAQs (here) addressing various issues related to health care reform implementation.

Exchange Notice Requirement. In a helpful clarification, the agencies confirmed that employers will not have to provide a notice to employees regarding insurance exchanges until “regulations are issued and become applicable.” By statute, the notice is required to be distributed by March 1, 2013. This guidance effectively allows employers to delay compliance until further notice.

Stand-Alone HRAs. Three of the FAQs address issues related to health reimbursement arrangements (HRAs). The technical clarifications are as follows:

(1) An HRA cannot be treated as “integrated” with individual insurance coverage.

(2) An HRA can only be treated as “integrated” with major-medical coverage if participation in the HRA is conditioned on being enrolled in that major-medical coverage.

(3) Most amounts credited to an HRA before January 1, 2014, will continue to be available for reimbursements on and after January 1, 2014 without causing the HRA to violate the annual-limit rules under Section 2711 of the Public Health Service Act.

While all of this seems straightforward enough, the proverbial elephant in the room is the fundamental question whether stand-alone HRAs will be deemed to violate the prohibition against annual and lifetime limits under Section 2711 of the Public Health Service Act. These FAQs are the strongest indication yet that future guidance will say they do violate the prohibition, effectively eliminating stand-alone HRAs. 

Plan sponsors that maintain stand-alone HRAs - or are considering implementing one for 2014 - will want      Continue Reading...

A fundamental insurance-market reform under the Affordable Care Act is that, beginning in 2014, insurance carriers that want to sell individual policies will be required to make those policies available to all applicants (guaranteed issue) and will be required to set the premiums for those policies based on a "community" rating, with variations based only on the tier of coverage purchased (individual or family), age of the insured, geographic area, and tobacco use by the insured. This is intended to ensure that individuals have access to health insurance without regard to health factors that might otherwise make insurance prohibitively expensive or simply unavailable.

That all sounds pretty good, unless you're the insurance carrier trying to figure out how to absorb the additional risks associated with having to cover people at a set price without regard to how much health care expense they may consume. But the Affordable Care Act makes some provision for them too. For 2014, 2015, and 2016, there will be a transitional reinsurance program through which insurers may offload some of the additional risk assumed in connection with these policies. And it's a pretty big program - $12 billion in 2014, $8 billion in 2015, and $5 billion in 2016.

So who's going to pay for that? Answer: Group health plans.

Beginning in 2014, group health plans will be required to pay a fee for each individual covered under the plan that will be used to fund the transitional reinsurance program. The fee is paid once a year. Plans will      Continue Reading...

HHS has finally released its long-anticipated final “omnibus” regulation (here) addressing the 2009 HITECH Act changes and making other updates to the privacy, security, breach notification, and enforcement rules.

Foulston Siefkin’s health care practice has already posted an issue alert (here) providing an overview of the regulation.

Compliance Date. The advance copy of the regulation runs 563 pages, so there is a considerable detail to digest. Luckily, HHS gave us a little time to get our heads around it. The regulation is effective March 26, 2013, and covered entities and business associates are generally required to begin complying with the final rules by September 23, 2013.

Some Key Points. Here are a few key points to understand about the final rules:

1. Business associate agreements may require modification. Business associates are now directly liable for compliance with portions of the HIPAA privacy and security rules. This requirement and other HITECH Act changes will require review and possible modification of business associate agreements to ensure they are in compliance.

2. Notices of privacy practices will require attention. The final rule changes some of the information that is required to be provided in the notice of privacy practices and generally requires re-distribution of an updated notice.

3. The standard for breach notification has changed. Under current rules, a covered entity is required to provide notification of a breach of protected health information (PHI) only if there is a substantial risk of harm from the breach. That “harm” standard has been replaced. There is now a presumption      Continue Reading...

HHS has posted a health care reform timeline to its website (here). Although it covers more than just the employer-related features of the law - and, in fact, doesn’t directly address all of the group health plan mandates and other issues affecting employers - it provides a helpful overview if you want to quickly see what’s been implemented already or what’s yet to come.

See also: Health Care Reform Calendar (covering August 1, 2012 through July 31, 2013)

HHS has announced a Resolution Agreement (here) with a nonprofit hospice organization in Idaho, resolving its investigation of a HIPAA breach involving the theft of a laptop computer. Although much about this case is similar to others like it that HHS has settled in the past few months (see, for example, here), the noteworthy points in this case are the ways in which it differs.

Size of Breach. The breach in this case involved electronic protected health information of 441 individuals. That’s a lot of people, but it is the first case HHS has resolved involving a breach affecting fewer than 500 individuals. (Because the breach affected fewer than 500 individuals, it would not have been disclosed to HHS immediately, but rather would have been identified on a log as part of the annual breach-notification requirement.) 

The point: HHS takes these cases seriously, whether they involve thousands of individuals or just a few hundred. A breach will not stay below the governments radar just because there is no separate notification requirement.

Resolution Amount and Corrective Action Plan. The case was resolved for a resolution amount of $50,000 (compared to over $1M in other recent cases), and HHS demanded a relatively light corrective action plan. Why would HHS be more lenient here? Reading between the lines, the answer seems to be based on the covered entity’s voluntary efforts to correct its error and take steps to prevent similar problems from occurring in the future.

The Resolution Agreement indicates that once the covered      Continue Reading...

HHS has released a list of the state insurance exchanges that have received conditional approval for operation in 2014 (with open enrollment beginning in October 2013) - and the list is short.

States receiving conditional approval for state-based exchanges:

1. Colorado
2. Connecticut
3. District of Columbia 
4. Kentucky
5. Maryland
6. Massachusetts
7. Minnesota
8. New York
9. Oregon
10. Rhode Island
11. Washington

States receiving conditional approval for state partnership exchanges:

1. Delaware

This could leave as many as at least 39 states (including Kansas) in which qualified health plans will be available in 2014 only through a federally facilitated exchange.

States still have until February 15, 2013 to file declaration letters and applications to establish a state partnership exchange.

For additional background on exchanges and exchange implementation, see here, here, and here.

New proposed regulations from HHS have outlined a framework for identifying the package of "essential health benefits" (EHB) that must be offered by certain health plans beginning in 2014.

Affected Plans. The plans directly affected by the rules include "qualified health plans" (or "QHPs") that will be offered through an exchange, and any other non-grandfathered individual and small-group insurance policies, whether or not offered through an exchange.

Defining Essential Health Benefits. Rather than defining a package of essential health benefits that must be covered by all affected plans, the regulations propose that essential health benefits be determined on a state-by-state basis by reference to an "EHB-benchmark plan" identified by each state (or identified by default, if the state does not make an affirmative designation). The benchmark plan may be selected from one of the following:

1. The largest plan by enrollment in any of the 3 largest small-group insurance products in the state.
2. Any of the largest 3 state employee health benefit plans by enrollment.
3. Any of the largest 3 national health plan options available to Federal employees under the Federal Employees Health Benefit Program.
4. The largest insured commercial HMO operating in the state.

An Appendix to the proposed regulations lists, for each state, the plan that the state has already designated as its benchmark plan or that will be the default plan, if the state does not make an affirmative designation.

List of Largest State Small-Group Products. Earlier this year, HHS published a list of the largest 3 small-group insurance products for      Continue Reading...

The IRS, DOL, and HHS have issued a joint proposed regulation addressing wellness plans and the wellness exception to the HIPAA nondiscrimination rules. 

Background. Section 2705 of the Public Health Service Act, as added by the Affordable Care Act, provides statutory affirmation of the wellness-plan rules that have existed by regulation for several years as part of the HIPAA nondiscrimination rules (rules that prohibit, among other things, discrimination on the basis of health factors). It also gives the relevant governmental agencies (IRS, DOL, and HHS) express authority to issue further rules on wellness plans that increase the permissible reward or penalty to as much as 50% of the cost of associated heath-plan coverage.

Proposed Regulations. The proposed regulations largely follow the structure of the existing wellness-plan regulations, requiring, among other things, that wellness programs requiring a particular health outcome (e.g., smoking cessation, biometric screening results, minimum BMI, etc.) provide reasonable alternatives and limit the reward or penalty offered or imposed in connection with the plan. However, there are a couple of points worth highlighting:

• Participation v. Health-Contingent. The proposed regulations label wellness programs as either "participatory" or "health-contingent." It is only the health-contingent programs that are subject to more rigorous regulation under the proposed rules. Participatory programs include fitness-club memberships, general health education, and other similar programs that do not provide for a reward or include any conditions based on satisfying a standard related to a health factor.
• Size of Reward. The requirements that must be satisfied by a health-contingent program      Continue Reading...

In the tally of recent cases involving the women’s health preventive-care mandate and for-profit employers (see, for example, here, here, and here), mark one down in the government’s column.  Earlier this week, a federal court in Oklahoma ruled against Hobby Lobby (prior coverage here), concluding that the company (as distinct from its owners) did not have religious views or freedoms that would be infringed by enforcement of the mandate.

Hobby Lobby has already appealed the decision to the Tenth Circuit court of appeals, so we may soon have a higher court weighing in on the issue.

Additional coverage of both the decision and the appeal is available here and here.

In a letter from HHS secretary Kathleen Sebelius released late yesterday, HHS has given states another month to file the Declaration Letter necessary to show their intent to establish a state-based insurance exchange for 2014. The deadline is now December 14, 2012.  A state's Blueprint Application for a state-based exchange will be due the same time.

The original deadline for filing both the Declaration Letter and the Blueprint Application was November 16, 2012 (see here).

Last week, HHS extended the deadline for filing the Blueprint Application to December 14, 2012, but left the November 16 deadline in place for the Declaration Letter (see here).

HHS also previously extended until February 15, 2013 the deadline for filing a Declaration Letter and Blueprint Application for states that want to establish state partnership exchanges, rather than full-blown state-based exchanges (see here). That deadline remains in place.

HHS has released a fact sheet extending a key deadline for states to take the steps necessary to establish either a state-based insurance exchange or a state partnership exchange. This modifies the timetable set out in HHS's previously released Blueprint for establishing an insurance exchange (see coverage here). The highlights:

• State-Based Exchange. To create a state-based exchange, states still must file a Declaration Letter by November 16, 2012, but they will now have until December 14, 2012 to complete the required Blueprint Application.
• State Partnership Exchange. To create a state partnership exchange, states have until February 15, 2013 to file a Declaration Letter and Blueprint Application. They must indicate in those documents what roles they intend to fill in the partnership exchange (plan management functions, consumer assistance functions, or both).
• 2015 Deadlines. States that want to adopt a different exchange model for 2015 than they use in 2014 must submit a Declaration Letter by November 18, 2013 and a Blueprint Application by December 16, 2013.

Kansas Governor Sam Brownback recently affirmed his position that Kansas will not participate in the exchange system at any level for 2014 (his signature is necessary for the state to file a Declaration Letter), so Kansas residents will be covered by a federally facilitated exchange for 2014, absent a change in position before the February 15, 2013 deadline to apply for a state partnership exchange.

In the ongoing saga over the contraception rules under health care reform's preventive-care mandate (see prior coverage here and here), the Washington Times has a recent article reporting that a for-profit Bible publisher is suing to obtain relief from the law. It claims it is a "religious employer" and should be exempt from the requirement to provide free access to contraception. HHS's regulations limit the religious-employer exemption to non-profit organizations engaged in ecclesiastical functions (essentially houses of worship) and, thus, categorically deny exemption for any for-profit employer.

This aspect of health care reform has proven especially controversial and contentious, because it touches on two hot-button issues: (1) the line between government regulation and religious freedom, and (2) the ability of women to access certain health-care products and services. Given the battle lines that have been drawn already, the issues seem unlikely to be resolved soon.

HHS continues to show it is serious about investigating and enforcing breaches of the HIPAA privacy and security rules. It recently announced a $1.5 million settlement with two non-profit medical service and research organizations in Massachusetts stemming from the theft of an unencrypted laptop that contained electronic PHI. The two organizations reported the theft to HHS, as required by the HITECH breach-notification rule.

In its news release, HHS had particularly stringent things to say about the covered entities' security practices.

• "[HHS's] investigation indicated that [the covered entities] failed to take necessary steps to comply with certain requirements of the Security Rule, such as conducting a thorough analysis of the risk to the confidentiality of ePHI maintained on portable devices . . . ."
• "[HHS's] investigation indicated that these failures continued over an extended period of time, demonstrating a long-term, organizational disregard for the requirements of the Security Rule."
• "This enforcement action emphasizes that compliance with the HIPAA Privacy and Security Rules must be prioritized by management and implemented throughout an organization, from top to bottom."

As in other recent cases, HHS entered into a resolution agreement with the covered entities that not only required payment of the $1.5 million "resolution amount," but also outlined the terms of a corrective action plan to be followed by the covered entities over the next three years.

A few takeaways:

1. This case happened to involve a medical provider and a research organization, but nothing about the outcome was unique to that status. Any covered entity -      Continue Reading...

Notice 2012-59 provides guidance on the requirement under Section 2708 of the Public Health Service Act (added by PPACA) that a group health plan not apply any waiting period that exceeds 90 days. The rule applies for plan years beginning on or after January 1, 2014.

Among the clarifications offered by the guidance:

• Definition of Waiting Period. A "waiting period" is defined as a period of time that must pass before coverage can become effective for an individual who is otherwise eligible to enroll under a plan. Eligibility conditions based solely on the lapse of time cannot exceed 90 days, but other eligibility conditions (e.g., working full time or working in a covered job classification) are permissible, even if they have the effect of excluding an individual from coverage under the plan for more than 90 days.
• Determining Full-Time Status for Variable-Hour Employees. If a plan limits coverage to full-time employees, it may take a reasonable period of time to determine whether a newly hired employee meets the full-time standard, if it is not clear on the date of hire that the employee will work the required number of hours (e.g., 30 hours per week). In general, this determination must be made within a year after the employee is hired, and if the employee satisfies the eligibility requirements, coverage must be offered beginning within 13 months after the date of hire. Otherwise, the plan may be treated as indirectly avoiding the 90-day-waiting-period requirement.

This notice was issued in connection with a      Continue Reading...

The Department of Health and Human Services (HHS) has issued an enforcement safe harbor relating to the content of benefit-claim denial notices issued by non-federal governmental health plans.

Under health care reform, all non-grandfathered group health plans are required to follow the DOL's rules and regulations regarding the content of notices of adverse benefit determinations. Among other things, those rules require providing (1) a statement about a participant's right to bring suit under ERISA, and (2) contact information for the federal Employee Benefits Security Administration (EBSA) or a state insurance department.

Non-federal governmental plans are not subject to ERISA, so participants do not have the right to sue under ERISA to seek recovery of benefits. In addition, participants in non-federal governmental plans are not provided services by the EBSA, because they do not have rights under ERISA. 

The enforcement safe harbor clarifies that non-federal governmental plans can exclude ERISA right-to-sue language and EBSA contact information from their benefit-denial notices and they will not be treated as violating the health-care-reform mandates. Contact information is not required to be provided for a state insurance department either, unless the plan actually uses an insurance policy issued by a carrier subject to regulation by a state insurance department.

There are some nuances to the safe harbor, so HHS's notice should be carefully reviewed by any non-federal governmental plan intending to rely on the safe harbor. But on the whole this should come as a welcome (and practical) clarification for affected plans.

HHS has updated its enforcement safe harbor relating to required contraceptive coverage and non-profit organizations that object to such coverage for religious reasons. The updated safe harbor clarifies three items:

1. The safe harbor is available to non-profit organizations with religious objections to some but not all contraceptive coverage.
2. Organizations that took some action as of February 10, 2012 that was intended to limit or exclude contraceptive coverage but that was unsuccessful are not, solely for that reason, precluded from relying on the safe harbor.
3. Organizations that are not sure whether they qualify for the broader religious-employer exemption may utilize the safe harbor without prejudicing their ability to rely on the religious-employer exemption in the future.

With regard to item 1, the specific language of the revised notice says that since February 10, 2012, the plan must have "consistently not provided all or the same subset of the contraceptive coverage otherwise required at any point . . . ." Although this language will not win any awards for clarity, it appears to mean that the safe harbor is not an all-or-nothing rule. An employer may be able to offer some types of contraceptive coverage but exclude others on religious grounds and remain within the safe harbor.

With regard to item 2, the guidance does not provide any examples of situations where, despite its best efforts, an employer might be unable to exclude contraceptive coverage. Perhaps it contemplates a case such as one where the employer directs an insurance carrier to cease providing      Continue Reading...

The Department of Health and Human Services (HHS) has released a "Blueprint" describing the process by which states must apply to obtain approval to operate an insurance exchange beginning in 2014. The document also details the features and activities an exchange will be required to offer.

Although the finer points of this document are primarily of interest to states that will be seeking to operate an exchange (either alone or in partnership with the federal government), it provides employers some sense of how and when the exchanges will come together. Among the highlights:

• There are three exchange models: (1) state-based exchanges (operated largely by the states); (2) state partnership exchanges (operated largely by the federal government but with some state involvement); and (3) federally facilitated exchanges (operated almost exclusively by the federal government).
• States wanting to participate under any of these models must receive approval or conditional approval from HHS by January 1, 2013. A "declaration letter" and "exchange application" must be submitted no later than November 16, 2012.
• An exchange must be operational for an open-enrollment period beginning October 1, 2013.
• Required exchange activities will include (1) providing consumer support for coverage decisions; (2) facilitating eligibility determinations for individuals; (3) providing for enrollment in qualified health plans (QHPs); (4) certifying health plans as QHPs; and (5) operating a Small Business Health Options Program (SHOP).

From this we can see that the exchange landscape will be better defined by January 1, 2013, once it is clear which states have received HHS      Continue Reading...

The federal Department of Health and Human Services (HHS) recently announced that it has entered into a resolution agreement with the Alaska Department of Health and Social Services (which operates the Alaska Medicaid program) to settle potential violations of the HIPAA security rule.

The underlying facts are painfully simple. [read: Yes, this could happen to you.] A computer technician for the Alaska agency had a USB thumb drive stolen from the technician's car. The thumb drive potentially contained electronic protected health information about individuals covered through the Alaska Medicaid program. (There was no evidence that data on the drive had, in fact, been accessed.) The agency reported the potential breach to HHS, as required under the HITECH breach-notification rules. HHS began its investigation within three months after the notification.

To resolve this potential violation of the HIPAA security rule, the Alaska agency agreed to pay a "resolution amount" of $1.7 million and enter into a corrective-action plan that, among other things, allows HHS to closely monitor the agency's HIPAA compliance for the next three years.

Although a state Medicaid program operates on a much larger scale than a private employer's group health plan, this investigation and resolution agreement show that HHS will take HIPAA compliance by health plans just as seriously as compliance by health-care providers and other covered entities. It is imperative that health plans have proper privacy and security policies and procedures in effect and assess security risks. Those policies, procedures, and assessments must be periodically reviewed and updated to      Continue Reading...

The Department of Health and Human Services (HHS) has issued three new Q&As updating its guidance on the medical loss ratio (MLR) rules. Although the guidance is directed primarily at insurance carriers, it provides some helpful information to employers and participants in insured group health plan about new notices they may be receiving in the near future.

• For plans that will be receiving MLR rebates, the carrier must provide a rebate notice to all "subscribers," which includes all current plan participants. Those participants should be receiving notices on or before August 1, 2012.
• For insurers that meet the MLR standard, a notice to that effect must be provided to all plan participants with the first "plan document" distributed on or after July 1, 2012. The guidance clarifies that the notice may be provided separately (i.e., distributed before any plan documents are distributed). The guidance also provides examples of documents that constitute "plan documents" for this purpose.

For our prior coverage of MLR rebates and the important considerations that apply under ERISA if and when a rebate is received, click here.

The federal department of Health and Human Services (HHS) has released a comprehensive audit protocol that describes in detail the manner in which it will audit compliance by covered entities with the HIPAA privacy, security, and breach-notification rules. The protocol gives group health plans and other covered entities a useful (albeit thorough) checklist for evaluating their compliance with these rules and, if necessary, taking steps to shore up their records, policies, and procedures on issues HHS is sure to review in the event of an audit.

There are 165 separate audit points in the protocol, and not all of them will be relevant for every covered entity. But for group health plans, the following will be of particular interest:

• Organizational Requirements for Group Health Plans. "Inquire of management as to whether the plan documents restrict the use and disclosure of PHI by the plan sponsor. Obtain and review a sample of plan documents. Verify if the use and disclosure of PHI by the plan sponsor is restricted. Verify what information the sponsor does obtain and how it is used."
• Notice of Privacy Practices. "Obtain and review the notice of privacy practices and evaluate the content relative to the specified criteria given to individuals by the covered entity." And for group health plans specifically: "Obtain and review the formal or informal policies and procedures in place regarding the provision of the notice of privacy practices. For a selection of individuals, obtain and review the individuals' files for the past year to      Continue Reading...