Subscribe
Categories
  • 409A
  • COBRA
  • Commentary/Opinions/Views
  • Deferred Compensation
  • Employment Agreements
  • Equity Compensation
  • ERISA Litigation
  • Executive Compensation
  • Family and Medical Leave Act (FMLA)
  • Fiduciary Issues
  • Fringe Benefits
  • General
  • Governmental Plans
  • Health Care Reform
  • Health Plans
  • International Issues
  • International Pension and Benefits
  • Legal Updates
  • Multi-employer Plans
  • Non-qualified Retirement Plans
  • On the Lighter Side
  • Plan Administration and Compliance
  • Qualified Plans
  • Securities Law Implications
  • Severance Agreements
  • Tax-qualified Retirement Plans
  • Uncategorized
  • Welfare Plans
  • Archives
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • BC Network
    Tuesday, May 9, 2017

    480652321Last month, the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced a resolution agreement with the Center for Children’s Digestive Health (CCDH) which included a $31,000 penalty.

    This isn’t the first time a covered entity has paid a “resolution amount” to settle potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with respect to a business associate agreement (or lack thereof).

    • March 2016: North Memorial Health Care of Minnesota  paid $1.55 million to settle charges that it failed to enter into a business associate agreement with a major contractor performing certain payment and health care operations activities on its behalf and to complete a risk analysis.
    • April 2016: Raleigh Orthopaedic Clinic, P.A. of North Carolina  agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over the protected health information of approximately 17,300 patients without first executing a business associate agreement.
    • September 2016: Care New England Health System entered into a settlement relating to the failure to timely amend an existing business associate agreement for the HIPAA Omnibus Final Rule and paid $400,000.

    However, unlike the other settlements in which the covered entity had reported a breach, OCR was not investigating a breach involving the CCDH’s protected health information.   It appears that the compliance review of CCDH arose in connection with OCR’s investigation of FileFax, a file storage company used by CCDH.  Instead of disposing a client’s unwanted records in a secure manner, FileFax placed the records in an unlocked outdoor dumpster.  During the investigation, OCR presumably identified the existing relationship between FileFax and CCDH.  Although CCDH records began utilizing FileFax in 2003, the only business associate agreement the parties could produce was executed in 2015.

    In addition to the $31,000 resolution amount (one of the smallest among prior settlements), CCDH must perform certain obligations and make reports to HHS for a period of two years.  During this period CCDH will be subject to increased scrutiny by OCR.

    The CCDH settlement is a timely reminder of the importance of a business associate agreement even if no electronic protected health information is involved and demonstrates OCR’s readiness to require a settlement agreement, resolution amount and corrective action plan even in the absence of any protected health information being made public.  With no sign of a slowdown in OCR compliance and enforcement actions, plan administrators should ensure that as they enter into arrangements with new service providers for their group health plans no protected health information is transferred until the business associate agreement (and not just the service agreement) has been executed.  Plan administrators may also want to confirm that they have the proper business associate agreement in place with each existing business associate and that any prior business associate agreements are retained for at least six years after the date last in effect.

    Friday, May 5, 2017

    Health Care ReformAfter weeks of “will they or won’t they” that rivals some of the great TV sitcom near romances for suspense (even though it was considerably shorter), House Republicans passed the American Health Care Act (“AHCA”) just before going on recess (more information on the bill here and here).   As with the version that was released in early March, this is designed to meet the Republicans’ promise to “repeal and replace” the ACA.  As before, in many respects, the AHCA is less “repeal and replace” and more “retool and repurpose,” but there are some significant changes that could affect employers, if this bill becomes law as-is.

    Below is a brief summary of the most important points (many of which may look familiar from our prior post on the original iteration of the AHCA . Where we did not make any substantive changes from our prior post, we have indicated those with the words “No change”):

    • Employer Mandate, We Hardly Knew You (No change). The ACA employer play or pay mandate is repealed retroactive to January 1, 2016, so if you didn’t offer coverage to your full-time employees, then this is the equivalent of the Monopoly “Get out of Jail Free” card.
    • OTC Reimbursements Allowed from HSAs and FSAs, Without a Prescription (No change). This goes back to the old rules that allowed these reimbursements. This would begin in 2018.
    • Reduction in HSA Penalty (No change). One of the pay-fors for the ACA was an increase in the penalty for non-health expense distributions from HSAs from 10% to 20%. The AHCA takes it back to 10% starting in 2018.
    • Unlimited FSAs Are (or Would Be) Here Again (No change). AHCA repeals the $2,500 (as adjusted) limit on health FSA contributions starting in 2018.
    • Medicare Part D Subsidy Expenses Would Be Deductible Again (No change). The ACA still allowed Medicare Part D subsidies to be excluded from a company’s income, but denied the deduction, for tax purposes, for any expenses that were subsidized.  This reinstates the prior law that allowed a “double tax benefit” of both the exclusion of the subsidy from income and the deduction for the costs funded by the subsidy starting in 2018.
    • A New COBRA Subsidy (No change). The AHCA does away with ACA’s income-based subsidies in favor of age-based subsidies from $2,000 to $4,000 per individual per year (with a max of $14,000 for a family) with a phaseout for incomes over $75,000 per year ($150,000 for married filing jointly). However, unlike the ACA subsidies (which could only be used for individual market insurance), the new subsidies would also be available for unsubsidized COBRA coverage.   This would not kick in until 2020.  The subsidies are adjusted based on the CPI+1, which means they are probably unlikely to keep pace with medical inflation.  Additionally, any excess subsidy (which seems unlikely) would be put into an HSA for the individual’s benefit.
    • Trading in The Cadillac Tax for a Newer Model Year (No change). Hearing the outcry of employers who did not want their health benefits taxed, the bill instead kicks the Cadillac Tax down the road. Instead of applying in 2020, it now applies in 2025.  There is no adjustment to the thresholds in this bill, so it will still pick up coverage that is not all that “Cadillac” (despite its name). Despite being highly unpopular, the Cadillac Tax has basically survived.
    • HSA Enhancements (1 change). The HSA contribution limits would be increased effective in 2018 so that they are the same as the out of pocket maximums that apply to HSAs (currently $6,550 for self-only coverage and $13,100 for family coverage). Additionally, expenses incurred up to 60 days before the account is established could be reimbursed from the account.  This version of the bill would also allow both spouses to make HSA catch-up contributions to the same HSA.
    • Continuous Coverage Requirement (Minor Changes). In lieu of the individual mandate, the law would require individuals to maintain continuous coverage (with no more than a 63-day break in the twelve months prior to enrollment). If they did not, then insurance companies could assess a 30% enrollment surcharge above their regular premium through the end of the year in which they enroll.  This is designed to encourage individuals to stay in the insurance market.  Employers will recognize the 63-day break rule from the old HIPAA creditable coverage rules.  This is basically the same concept, only applied across both employer plans and the individual market (the HIPAA rules did not apply to the individual market).  And unlike the HIPAA rules, the penalty here is a 30% premium increase, whereas under the HIPAA rules, pre-existing conditions could be excluded for a period of time if the individual did not maintain creditable coverage.  For employers, this will probably mean a return to having to issue creditable coverage certificates.
    • No More Small Business Health Care Tax Credit. This would be eliminated starting in 2020. The tax credit was limited to ACA SHOP coverage and could only be claimed for two consecutive years.
    • Elimination of Additional Medicare Tax. The ACA added an additional 0.9% tax on wages above certain thresholds ostensibly to fund Medicare (although, given the way Congress budgets, it could theoretically have been used for anything). AHCA takes this tax away beginning in 2018.
    • Not so Essential Health Benefits. The AHCA allows states to seek a waiver of the current essential health benefits requirement to establish their own set of essential health benefits. For small group plans, this would mean a change in what they have to cover, if the state in which the insurance is issued obtains a waiver.  For large group plans and particularly self-insured plans, it is unclear what impact this will have.  While those plans are not required to cover essential health benefits, they cannot impose annual or lifetime limits on those benefits.  As a practical matter, most plans simply don’t have these limits on nearly all benefits to avoid confusing participants and complicating administration.  However, if a state obtains a waiver, its list of EHBs may be so small that some employers could consider changing their plan designs.

    The AHCA would make many other changes that are beyond the scope of this post, but these are the ones that are most likely to impact on employers or their plans.  Notably, the employer reporting requirement is not removed by this bill, so that will continue to be a compliance obligation.

    The open question is whether this bill will make it through the Senate.  It passed the House 217-213, which was one more than the bare minimum needed to achieve a majority (with certain House seats currently empty).   In the Senate, the margin is even thinner with Republicans holding a 51-49 majority and Vice President Pence holding a tie-breaking vote in the event of a 50-50 split.  Some key Republican Senators are also reportedly saying they will start with a clean slate, which means more negotiation and potential for talks within the Senate or in conference between the Senate and the House to stall.  At the present time, no Democratic support is expected in the Senate.

    Regardless, if and until this bill becomes law, we repeat, yet again, our earlier admonition: continue keeping up with your compliance obligations – and keep your eye on twitter.

    Thursday, April 20, 2017

    Stop-LossOn April 5, the “Self-Insurance Protection Act” passed the House and moved to the Senate.  This bill, if enacted, would amend ERISA, the Public Health Service Act and the Internal Revenue Code (the “Big 3” statutes containing ACA rules) to exclude from the definition of “health insurance coverage” any stop-loss policies obtained by self-insured health plans or a sponsor of a self-insured health plan.  No additional guidance is given regarding what would constitute a “stop-loss policy” under the proposed definition.  According to this fact sheet from one Congressional committee, the law appears to address concerns that HHS might one day decide to try and regulate stop-loss insurance.  In our opinion, that seems unlikely under the current administration, but it could be a regulatory priority in future administrations.

    But what does the Self-Insurance Protection Act mean for state regulation of stop-loss insurance?

    As the Department of Labor noted in a prior technical release (and as we have written about previously), states have been attempting to regulate stop-loss insurance and have previously sought to include stop-loss insurance in the definition of “health insurance coverage” under certain circumstances (i.e., policies with attachment points below specified amounts).  However, such laws have been found to be preempted by ERISA.  In comparison, and as the DOL notes, state laws prohibiting insurers from issuing stop-loss policies with attachment points below specified thresholds are generally not preempted because they regulate insurance, which is an exception from ERISA preemption.  The upshot of this is that a state generally cannot force a stop-loss policy with a low attachment point to act like a regular medical policy, but a state could prevent the sale of that stop-loss policy.

    It appears that the Self-Insurance Protection Act, in its current form, merely gives an additional argument that stop-loss policies cannot be treated like major medical insurance, no matter how low the attachment point is.  This is like the proverbial “belt and suspenders” since treating stop-loss like major medical insurance has been found to be preempted in some cases.  The only additional protection is that the federal government would also be prevented from regulating stop-loss like regular health insurance.  However, in its current form, the act does not prevent states from requiring stop loss policies to have a minimum attachment point.

    In other words, this Act, if it becomes law, would not dramatically change the landscape for stop-loss policies. For most employers considering self-insurance, the key factor from a stop-loss perspective remains understanding what kinds of stop-loss policies your state will allow.

    Tuesday, March 7, 2017

    Health Care ReformLate on Monday, House Republicans revealed, in two parts (here and here, with summaries here and here) the American Health Care Act (“AHCA”) that is designed to meet the Republicans’ promise to “repeal and replace” the ACA.  In many respects, the AHCA is less “repeal and replace” and more “retool and repurpose,” but there are some significant changes that could affect employers, if this bill becomes law as-is.  Below is a brief summary of the most important points:

    • Employer Mandate, We Hardly Knew You. The ACA employer play or pay mandate is repealed retroactive to January 1, 2016, so if you didn’t offer coverage to your full-time employees, then this is the equivalent of the Monopoly “Get out of Jail Free” card.
    • OTC Reimbursements Allowed from HSAs and FSAs, Without a Prescription. This goes back to the old rules that allowed these reimbursements. This would begin in 2018.
    • Reduction in HSA Penalty. One of the pay-fors for the ACA was an increase in the penalty for non-health expense distributions from HSAs from 10% to 20%. The AHCA takes it back to 10% starting in 2018.
    • Unlimited FSAs Are (or Would Be) Here Again. AHCA repeals the $2,500 (as adjusted) limit on health FSA contributions starting in 2018.
    • Medicare Part D Subsidy Expenses Would Be Deductible Again. The ACA still allowed Medicare Part D subsidies to be excluded from a company’s income, but denied the deduction, for tax purposes, for any expenses that were subsidized.  This reinstates the prior law that allowed a “double tax benefit” of both the exclusion of the subsidy from income and the deduction for the costs funded by the subsidy starting in 2018.
    • A New COBRA Subsidy. The AHCA does away with ACA’s income-based subsidies in favor of age-based subsidies from $2,000 to $4,000 per individual (with a max of $14,000 for a family) with a phaseout for incomes over $75,000 per year ($150,000 for married filing jointly). However, unlike the ACA subsidies (which could only be used for individual market insurance), the new subsidies would also be available for unsubsidized COBRA coverage.   This would not kick in until 2020.  The subsidies are adjusted based on the CPI+1, which means they are probably unlikely to keep pace with medical inflation.  Additionally, any excess subsidy (which seems unlikely) would be put into an HSA for the individual’s benefit.
    • Trading in The Cadillac Tax for a Newer Model Year. Hearing the outcry of employers who did not want their health benefits taxed, the bill instead kicks the Cadillac Tax down the road. Instead of applying in 2020, it now applies in 2025.  There is no adjustment to the thresholds in this bill, so it will still pick up coverage that is not all that “Cadillac” (despite its name). Despite being highly unpopular, the Cadillac Tax has basically survived.
    • HSA Enhancements. The HSA contribution limits would be increased effective in 2018 so that they are the same as the out of pocket maximums that apply to HSAs (currently $6,550 for self-only coverage and $13,100 for family coverage). Additionally, expenses incurred up to 60 days before the account is established could be reimbursed from the account.
    • Continuous Coverage Requirement. In lieu of the individual mandate, the law would require individuals to maintain continuous coverage (with no more than a 63-day break). If they did not, then insurance companies could assess a 30% enrollment surcharge above their regular premium for twelve months.  This is designed to encourage individuals to stay in the insurance market, even if they don’t need coverage.  Employers will recognize the 63-day break rule from the old HIPAA creditable coverage rules.  This is basically the same concept, only applied across both employer plans and the individual market (the HIPAA rules did not apply to the individual market).  And unlike the HIPAA rules, the penalty here is a 30% premium increase, whereas under the HIPAA rules, pre-existing conditions could be excluded for a period of time if the individual did not maintain creditable coverage.  For employers, this probably mostly would mean a return to having to issue creditable coverage certificates.

    The proposed AHCA makes many other changes that are beyond the scope of this post, but these are the ones that are most likely to have an impact on employer plans.  Of course, at this point, this is just proposed legislation and there’s no telling how much (if any) of this will survive the legislative process.   At least now, however, some legislators have something specific with which to work (and others have something specific to criticize).

    Tuesday, February 14, 2017

    Mental Health ScrabbleWhile on this day, most people focus on the heart, we’re going to spend a little time focusing on the head.  Under the Mental Health Parity and Addiction Equity Act (MHPAEA), health plans generally cannot impose more stringent “non-quantitative” treatment limitations on mental health and substance abuse benefits (we will use “mental health” for short) than they impose on medical/surgical benefits.  The point of the rule is to prevent plans from imposing standards (pre-approval/precertification or medical necessity, as two examples) that make it harder for participants to get coverage for mental health benefits than medical/surgical benefits. “Non-quantitative” has been synonymous with “undeterminable” and “unmeasurable”,  so to say that this is a “fuzzy” standard is an understatement.

    However, we are not without some hints as to the Labor Department’s views on how this standard should be applied.  Most recently, the DOL released a fact sheet detailing some of its MHPAEA enforcement actions over its last fiscal year.  In addition to offering insight on the DOL’s enforcement methods, it also provides some examples of violations of the rule:

    • A categorical exclusion for “chronic” behavior disorders (a condition lasting more than six months) when there was no similar exclusion for medical/surgical “chronic” conditions.
    • No coverage resulting from failure to obtain prior authorization for mental health benefits (for medical/surgical benefits, a penalty was applied, but coverage was not denied).
    • A categorical exclusion for all residential treatment services for mental health benefits.
    • Requiring prior authorization for all mental health benefits when that requirement does not apply to medical/surgical benefits.
    • Requiring a written treatment plan and follow-up for mental health benefits when no similar requirements were imposed on medical/surgical benefits.
    • Delay in responding to an urgent mental health matter (it’s not quite clear how this is a violation of the rule since there was no discussion comparing the delay to medical/surgical benefits, but we list it for completeness).

    This is not an exhaustive list, but it gives at least a flavor of some of the plan provisions and/or practices that might violate the rule. In addition, the DOL previously issued a “Warning Signs” document that provided other examples.  Further clarity is also expected in the future.  Under the 21st Century Cures Act that was passed late last year, the DOL and other relevant departments are tasked with providing additional examples and greater clarity on how these rules apply.

    One might be tempted to think that the Trump Administration will not enforce the MHPAEA rules as tightly as the Obama Administration did. At this point, it is hard to say.  The 21st Century Cures Act also directed the relevant agencies to come up with an action plan to facilitate improved Federal/State coordination on these issues, so even if the Federal government backs off, there may be state enforcement actions under applicable state statutes as well.

    Given these developments, plan sponsors should review the existing DOL releases and additional documents as they come out against their plan terms and discuss practices for approving and denying mental health claims with their insurers or third party administrators to evaluate whether they may be running afoul of these rules. Plan sponsors of self-funded plans have greater control over how their plans are designed and, in some cases, administered.  However, even sponsors of insured plans should consider engaging their insurers in a discussion on these points to avoid potential employee relations issues and unexpected jumps in premiums that could happen if an insurer is forced to change its policies by the government.

    Friday, January 27, 2017

    PenaltyLast week, the Department of Labor (DOL) released adjusted penalty amounts which are effective for penalties assessed on or after January 13, 2017, whose associated violations occurred after November 2, 2015.  You might remember that these penalties were just adjusted effective August 1, 2016 (also for violations which occurred after November 2, 2015); however, the DOL is required by law to release adjusted penalties every year by January 15th, so you shouldn’t be surprised to see these amounts rise again next year.

    All of the adjusted penalties are published in the Federal Register, but we’ve listed a few of the updated penalty amounts under the Employee Retirement Income Security Act of 1974 (ERISA) for you below:

    General Penalties

    • For a failure to file a 5500, the penalty will be $2,097 per day (up from $2,063).
    • If you don’t provide documents and information requested by the DOL, the penalty will be $149 per day (up from $147), up to a maximum penalty of $1,496 per request (up from $1,472).
    • A failure to provide reports to certain former participants or failure to maintain records to determine their benefits remained stable at $28 per employee.

    Pension and Retirement

    • A failure to provide a blackout notice will be subject to a $133 per day per participant penalty (up from $131).
    • A failure to provide participants a notice of benefit restrictions under an underfunded pension plan under 436 of the tax code will cost $1,659 per day (up from $1,632).
      • Failure of fiduciary to make a properly restricted distribution from a defined benefit plan will be $16,169 per distribution (up from $15,909).
    • A failure of a multiemployer plan to provide plan documents and other information or to provide an estimate of withdrawal liability will be $1,659 per day (up from $1,632).
    • A failure to provide notice of an automatic contribution arrangement required under Section 514(e)(3) of ERISA will also be $1,659 per day per participant (also up from $1,632).

    Health and Welfare

    • For a multiple employer welfare arrangement’s failure to file a M-1, the penalty will be $1,527 per day (up from $1,502).
    • Employers who fail to give employees their required CHIP notices will be subject to a $112 per day per employee penalty (up from $110).
    • Failing to give State Medicaid & CHIP agencies information on an employee’s health coverage will also cost $112 per day per participant/beneficiary (again, up from $110).
    • Health plan violations of the Genetic Information Nondiscrimination Act will also go up to $112 per day per participant/beneficiary from $110. Additionally, the following minimums and maximums for GINA violations also go up:
      • minimum penalty for de minimis failures not corrected prior to receiving a notice from DOL: $2,790 (formerly $2,745)
      • minimum penalty for GINA failures that are not de minimis and are not corrected prior to receiving a notice from the DOL: $16,742 (up from $16,473)
      • cap on unintentional GINA failures: $558,078 (up from $549,095)
    • Failure to provide the Affordable Care Act’s Summary of Benefits and Coverage is now $1,105 per failure (up from $1,087).

    The penalty amounts listed above are generally maximums, but there is no guarantee the DOL will negotiate reduced penalties.  If you’re already wavering on some of your new year’s resolutions, we recommend you stick with making sure your plans remain compliant!

    Monday, November 21, 2016

    ACAOn Friday, IRS and the Department of Treasury issued Notice 2016-70 granting an automatic 30-day extension for furnishing 2016 Forms 1095-B, Health Coverage, and 1095-C, Employer-Provided Health Insurance Offer and Coverage, to individuals for employers and other providers of minimum essential coverage (MEC).  These forms must now be provided to individuals by March 2, 2017 rather than January 31, 2017.  Coverage providers can seek an additional hardship extension by filing a Form 8809.  Notice 2016-70 provides that individual taxpayers do not need to wait to receive the Forms 1095-B and 1095-C before filing their tax-returns.

    The due date for 2016 ACA filings (Forms 1094-B, 1094-C, 1095-B, 1095-B) with the IRS remains February 28, 2017 (or March 31 if filed electronically).   Employers and other coverage providers can request an automatic 30-day extension for filing these forms with the IRS by submitting a Form 8809 before February 28, 2017.  Notice 2016-70 advises that employers and other coverage providers that do not meet the relevant due dates should still furnish and file the forms, even if late, as the Service will take such action into consideration when determining whether to abate penalties for reasonable cause.

    Regarding penalties, Notice 2016-70 extends the good faith standard for providing correct and complete forms that applied to 2015 filings.    The penalty for failure to file a correct informational return with the IRS is $260 for each return for which the failure occurs, with the total penalty for a calendar year not to exceed $3,193,000.  The same level of penalty applies for failure to provide an accurate payee statement.  The good-faith relief applies to missing and inaccurate taxpayer identification numbers and dates of birth, as well as other information required on the return or statement and not to failure to timely furnish or file a statement or return.

    When evaluating good faith, the Service will take into account whether an employer or other coverage provider made reasonable efforts to prepare for reporting, such as gathering and transmitting the necessary data to an agent to prepare the data for submission to the Service.  In addition, the Service will take into account the extent to which an employer or other coverage provider is taking steps to ensure it will be able to comply with reporting requirements for 2017.  No penalty relief is provided in the case of reporting entities that do not make a good-faith effort to provide correct and accurate returns and statements or that fail to file an informational return or furnish a statement by the due dates.

    Treasury and the Service do not anticipate extending this relief with respect to due-dates or good-faith compliance for future years.

    Wednesday, November 16, 2016

    CC000596In the latest round of ACA and Mental Health Parity FAQs (part 34, if you’re counting at home), the triumvirate agencies addressed tobacco cessation, medication assisted treatment for heroin (like methadone maintenance), and other mental health parity issues.

    Big Tobacco.  The US Preventive Services Task Force (USPSTF) updated its recommendation regarding tobacco cessation on September 22, 2015. Under the Affordable Care Act preventive care rules, group health plans have to cover items and services under the recommendation without cost sharing for plan years that begin September 22, 2016.  For calendar year plans, that’s the plan year starting January 1, 2017.

    The new recommendation requires detailed behavioral interventions.  It also describes the seven FDA-approved medications now available for treating tobacco use.  The question that the agencies are grappling with is how to apply the updated recommendation.

    Much like a college sophomore pulling an all-nighter on a term paper before the deadline, the agencies are just now asking for comments on this issue.   Plan sponsors who currently cover tobacco cessation should review Q&A 1 closely and consider providing comments to the email address marketform@cms.hhs.gov.  Comments are due by January 3, 2017.  The guidance does not say this, but the implication is that until a revised set of rules is issued, the existing guidance on tobacco cessation seems to control.

    Nonquantitative Treatment Limitations. Under applicable mental health parity rules, group health plans generally cannot impose “nonquantitative treatment limitations” (NQTLs) that are more stringent for mental health and substance use disorder (MH/SUD) benefits than they are for medical/surgical benefits.  “Nonquantitative” includes items like medical necessity criteria, step-therapy/fail-first policies, formulary design, etc.  By their very nature, these items are (to use a technical legal term) squishy.

    Importantly for plan sponsors, the agencies gave examples of impermissible NQTLs in Q&As 4 and 5. In Q&A 4, they describe a plan that requires an in-person examination as part of getting pre-authorized for inpatient mental health treatment, but does preauthorization over the phone for medical benefits.  The agencies say this does not work.

    Additionally, Q&A 5 addresses a situation where a plan implements a step therapy protocol that requires intensive outpatient therapy before inpatient treatment is approved for substance use disorder treatment. The plan requires similar step therapy for comparable medical/surgical benefits.  So far, so good.  However, in the Q&A, intensive outpatient therapy centers are not geographically convenient to the participant, while similar first step treatments are convenient for medical surgical benefits.  Under these facts, applying the step therapy protocol to the participant is not permitted.  The upshot, from the Q&A, is that plan sponsors might have to waive such protocols in similar situations.  This particular interpretation will not be enforced before March 1, 2017.

    Substantially All Analysis. To be able to apply a financial requirement (e.g. copayment) or quantitative treatment limitation (e.g. maximum number of visits) to a MH/SUD benefit, a plan must look at the amount spent under the plan for similar medical surgical benefits (e.g. in-patient, in-network or prescription drugs, as just two examples). Among other requirements, the financial requirement or treatment limitation must apply to “substantially all” (defined as at least two-thirds) of similar medical/surgical benefits.

    The details of that calculation are beyond the scope of this post, but Q&A 3 sets out some ground rules. First, if actual plan-level data is available and is credible, that data should be used.  Second, if an appropriately experienced actuary determines that plan-level data will not work, then other “reasonable” data may be used.  This includes data from similarly-structured plans with similar demographics.  To the extent possible, claims data should be customized to the particular group health plan.

    This means that, when conducting this analysis, plan sponsors should question the data their providers are using. If it is not plan-specific data, other more general data sets (such as data for an insurer’s similar products that it sells) may not be sufficient.  Additionally, general claims data that may be available from other sources is probably insufficient on its own to conduct these analyses.

    Medication Assisted Treatment. The agencies previously clarified the MHPAEA applies to medication assisted treatment of opioid use disorder (e.g., methadone). Q&As 6 and 7 provide examples of more stringent NQTLs and are fairly straightforward. Q&A 8 addresses a situation where a plan says that it follows nationally-recognized treatment guidelines for prescription drugs, but then deviates from those guidelines.  The agencies say a mere deviation by a plan’s pharmacy and therapeutics (P&T) committee, for example, from national guidelines can be permissible.  However, the P&T committee’s work will be evaluated under the mental health parity rules, such as by taking into account whether the committee has sufficient MH/SUD expertise.  Like we said, it’s squishy.

    Court-Ordered Treatment. Q&A 9 specifically addresses whether plans or issuers may exclude court-ordered treatment for mental health or substance use disorders. You guessed it — a plan or issuer may not exclude court-ordered treatment for MH/SUD if it does not have a similar limitation for medical/surgical benefits. However, a plan can apply medically necessary criteria to court-ordered treatment.

    The Bottom Line.  The bottom line of all this guidance is that plan sponsors may need to take a harder look at how their third party administrators apply their plan rules.  Given the lack of real concrete guidance, there’s a fair amount of room for second guessing by the government.  Therefore, plan sponsors should document any decisions carefully and retain that documentation.

    Tuesday, October 25, 2016

    HHScloud recently posted guidance on its website addressing HIPAA’s approach to cloud computing.  Basically, any time a cloud service provider has electronic protected health information (ePHI), it’s a business associate.  This is true even if the cloud provider only stores encrypted ePHI and even if the cloud provider does not have the encryption key (and therefore, in theory, could not access the data).  This means that both health plans and their business associates who use outsourced cloud computing services must have business associate agreements with those services.

    At first blush, this might seem like it doesn’t directly touch the health plan, but cloud computing can take many forms. For example, if your company has an off-site data server that is managed by a third party and ePHI is stored on that server, a business associate agreement with that third party is probably necessary.  Even if all you do is use something like Google Docs, OneNote, Evernote, or Dropbox for storage, that could be considered cloud computing subject to these rules.  Therefore, the sweep is broad and employees working on health plan matters would be well advised to consult with the plan’s Security Officer and their IT departments about this guidance.  HHS’s position is that it is a HIPAA violation if ePHI is shared with a cloud provider and there’s no business associate agreement in place.

    The HHS guidance provides some points to consider in contracting with cloud providers. Some of those points will likely be addressed in a general service agreement between the company and the provider.  In addition, this one page summary from Bryan Cave’s data privacy team has some additional general thoughts on issues to consider when contracting with cloud providers.

    Next Steps

    In response to this information, employees charged with health plan matters should consider the following steps:

    1. Evaluate with your IT department and HIPAA Security Officer whether you use any cloud service providers.
    2. Review the HHS guidance with the relevant IT personnel.
    3. Determine whether ePHI is created, received, maintained, or transmitted by the cloud service provider or if it is possible to avoid having ePHI handled by the cloud service provider.
    4. Determine whether a business associate agreement is in place with the cloud service provider (and if not, get one as soon as possible). In negotiating that agreement, consider what data protections you may need or want to include.
    5. Include an evaluation of the cloud service provider in your HIPAA risk assessment.
    Tuesday, October 4, 2016

    stethoscope-and-dollar-billsWhile the litigation over wellness programs rages on, the EEOC is still marching forward with the implementation of its wellness rules that we wrote about previously.  As most people in the wellness space are aware, the EEOC’s rules under ADA and GINA do not align completely with the HIPAA wellness rules, particularly on the issue of the amount of the incentive.  The ADA and GINA rules apply to all wellness programs, whether participation-only or health contingent, and generally limit the incentive that is available to 30% of the cost of self-only coverage.

    One open question under the ADA and GINA rules was how to calculate the incentive when an employer offers multiple tiers of coverage (e.g. Gold, Silver, Bronze) under a health plan. The ADA and GINA rules address the calculation of the incentive when there are multiple group health plans, but not multiple tiers.  When an employer offers multiple group health plans, and an employee is eligible for a wellness program as long as he or she is enrolled in any one of them, then the maximum incentive is 30% of the lowest cost self-only option among the plans.

    In a recently released informal discussion letter, the EEOC addressed how these rules apply to a single group health plan with multiple tiers where an employee enrolled in any tier can participate in the same wellness plan.  Not surprisingly, the same rules used for multiple group health plans apply.  In other words, the incentive is limited to 30% of the lowest cost self-only tier of coverage.  (There are minor language differences between the ADA and GINA regulations in this regard, but the EEOC says they are “legally inconsequential.”). This means that if a company offers Gold, Silver, and Bronze tiers, for example, and employees enrolled in any tier get the same wellness plan, the reward is limited to 30% of the self-only Bronze premium.

    While not a watershed piece of guidance, this clarification at least lets employers know what the rules of the road are. Because the letter is informal, it is not necessarily binding on the EEOC, but given the restrictive nature of the guidance, it seems unlikely the EEOC would take a different position in court or an investigation.  If you have comments about this piece of EEOC guidance, or the wellness program rules in general, feel free to leave them in the comment section on this post.