A Compliance Newsletter by: The Baldwin Regulatory Compliance Collaborative (BRCC)
Welcome to the October 2023 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.
This month’s issue of the Baldwin Bulletin focuses on providing employers with important compliance deadlines, as well as certain compliance issues that will potentially have a significant impact on employers over the next several months.
Upcoming 2023 Compliance Deadlines
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans. Please note the following deadlines for fourth quarter 2023, available by accessing the following link:”
Medicare Part D Annual Disclosure Due October 13
Each year, employers that offer prescription drug coverage must provide notices of “creditable” or “non-creditable” coverage to Medicare-eligible employees or covered dependents before the Medicare Part D annual enrollment period begins. These notices provide valuable information to eligible Medicare beneficiaries to help them decide whether to enroll in your health plan or, enroll in Medicare Part D. Medicare beneficiaries who are not covered by creditable prescription drug coverage and do not enroll in Medicare Part D when first eligible will likely pay higher premiums if they enroll at a later date. Although there are no specific penalties for an employer associated with the provision of a late notice, failing to provide the notice may be detrimental to your employees.
The annual enrollment period runs from October 15th, 2023, through December 7th, 2023, so the final day to provide these notices is technically October 14th. However, because this year October 14th falls on a Saturday, the deadline has been moved up to Friday, October 13th.
Additional information about the Medicare Part D notice requirement and links to valuable resources may be found in the attached [Compliance Overview].
The Latest on HIPAA Enforcement
A $1.3 million settlement agreement was announced on September 11, 2023 between the Department of Health and Human Services (HHS)’ Office of Civil Rights (OCR) and the L.A. Care Health Plan (L.A. Care), regarding potential violations of the Health Insurance Portability and Accountability Act (HIPAA)’s Privacy, Security, and Breach Notification Rules (HIPAA Rules) by L.A. Care. The agreement also required L.A. Care to enter into a corrective action plan to address various deficiencies in its HIPAA compliance program.
Employer Action Items
According to OCR Director Melanie Fontes Ranier, “Breaches of protected health information by a HIPAA-regulated entity often reveal systemic, noncompliance with the HIPAA Rules… HIPAA-regulated entities need to be proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies”.
Consequently, as HHS and the OCR continue to ramp up their HIPAA enforcement efforts, plan sponsors of HIPAA covered entities, especially plan sponsors of self-insured health plans, as well as employers who are business associates, should regularly review their policies and procedures to make sure they are current and communicate them to their workforce members handling PHI. Training of these employees should also be conducted on a regular basis.
The settlement resulted from two OCR investigation: one that was triggered by a large breach report, and another, by a large media article involving a separate security incident related to the L.A. Care plan. These investigations uncovered evidence of potential noncompliance with the HIPAA Rules that extended across the whole L.A. Care organization, including the following:
- Failure to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic public health information (ePHI) across the organization.
- Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Failure to implement sufficient procedures to regularly review records of information system activity.
- Failure to perform a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of ePHI.
- Failure to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
In addition to a $1.3 million monetary settlement, L.A. Care agreed to undertake a corrective action plan that OCR will monitor for three years to ensure compliance with HIPAA that includes the following steps:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization.
- Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan.
- Report to HHS when it conducts an evaluation due to an environmental and operational change that affects the security of ePHI in LA Care’s possession or control.
- Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Rules.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/la-care-health-plan/index.html . Information regarding the HIPAA Rules can be found here.
Comment Period For Mental Health Parity Proposed Regulations Extended
Employer Action Items
If they have not done so already, plan sponsors, third party administrators, and others subject to the requirements under MHPAEA, particularly its non-qualitative treatment limitation (NQTL) requirements, should consider providing feedback to the Departments.
The comments may be mailed or sent electronically and will be posted to the website https://www.regulations.gov, as soon as possible after they are received. Follow the search instructions on that website to view public comments.
The proposed regulations were published in the Federal Register on August 3, 2023, and, if finalized, would amend existing MHPAEA rules to account for the NQTL comparative analysis requirements added by the Consolidated Appropriations Act, 2021. Specifically, the proposed regulations would prevent plans and issuers from using NQTLS to place greater limits on access to mental health and substance use disorder benefits as compared to medical/surgical benefits. As part of the proposed changes, the proposed rules also would:
- Require plans and insurance issuers to collect and evaluate relevant data in a manner reasonably designed to assess the impact of NQTLs on access to mental health and substance use disorder benefits and medical/surgical benefits. This includes a special rule regarding network composition. (The DOL Technical Release focuses on the analysis of plan network composition and provides a potential safe harbor for NQTLs related to this.)
- Amend existing examples and add new examples to clarify their application and illustrate the protections of MHPAEA.
- Set forth the content requirements for NQTL comparative analyses and specify how to make the analyses available to the Departments.
According to the Departments, “there has been considerable interest expressed in the [proposed regulations and DOL Technical Release] documents and some interested parties have requested additional time to review and submit comments”. The Departments further explain that they are extending the deadline because they “value public feedback as they consider whether and how to issue final rules and future guidance.”
Chicago Region Mandates Commuter Benefits
Illinois Governor Pritzker recently enacted Public Act 103-0291, known as the Transportation Benefits Program Act (Act). The Act requires employers with at least 50 full-time employees in offices located within one mile of a fixed-route transit service in Cook County and certain townships in the Chicago region, to provide a tax-free transportation benefit to their full-time employees (those working an average of 35 hours per week) after 120 days of employment.
The program must comply with Internal Revenue Code Section 132. Employers may comply by participating in a program offered by the Chicago Transit Authority or the Regional Transportation Authority.
The law takes effect January 1, 2024. Employers covered by the Act and interested in establishing a Code Section 132 transportation program should reach out to their benefits broker or tax advisor for assistance.
Free Covid-19 Test Kits Available
COVID-19 home test kits are once again available free of charge to all U.S. households. Each household may order up to four free test kits, and they will be delivered at no cost by the U.S. Postal Service.
Employer Action Items
In preparation for an anticipated uptick in the number of COVID-19 cases this fall and winter season, employers should consider informing their employees of the availability of free testing kits and how to obtain them.
On September 20, the Biden Administration announced that it is reviving a program to mail free COVID-19 rapid home testing kits to those U.S. households that place an order for them at www.COVIDTests.gov, beginning Monday, September 25. Officials have indicated that the tests are able to detect the latest variants and are intended to be used through the end of 2023.
As you may recall, when the public health emergency ended earlier this year, large insurance companies were no longer required to reimburse the costs of home testing kits and as a result, most health plans have ceased making these kits available free of charge. The Biden Administration stopped mailing free tests back in June of this year.
In conjunction with this announcement, the Department of Health and Human Services also indicated that it was awarding $600 million to various COVID-19 testing manufacturers with the hope that it would strengthen domestic manufacturing capacity and provide the U.S. government with 200 million over-the-counter testing kits for future use.
For additional information, visit www.COVIDTests.gov.
Insurance Coverage of Updated Covid-19 Vaccines
The Kaiser Family Foundation (KFF) has released a “cheat sheet” that reflects the various COVID-19 vaccine coverage rules by type of insurance (private and public), as well as for those who are uninsured.
With the September 11, 2023, Federal Drug Administration authorization of updated COVID-19 vaccines (and subsequent Centers for Disease Control adoption), this is the first time COVID-19 vaccines will be transitioned to the commercial market for their manufacturing, procurement, and pricing (previously the federal government had purchased the vaccines and made them available at no cost to anyone, regardless of their insurance coverage status). Thus, the way in which COVID-19 vaccines are paid for and whether they are covered by insurance will now be dictated by insurance market rules and regulations.
Under the Affordable Care Act and laws passed during the COVID-19 pandemic, vaccines will continue to be provided free of charge to those with private and public insurance coverage, at least if obtained through an in-network provider. However, uninsured adults will no longer be guaranteed access to free vaccines. In addition to its cost (between $115 per dose by Pfizer and $128 per dose by Moderna), there may also be costs associated with administering the vaccine and/or the cost of a provider visit.
The KFF “cheat sheet”, along with the legal basis for providing the coverage is available here.
Recent litigation includes a lawsuit filed against CIGNA for using an automated software program to process claims that resulted in it “automatically and algorithmically denying claims”, and a mental health parity lawsuit against Anthem Blue Cross that was decided in favor of the plaintiffs.
Employer Action Items
None at this time. This article is provided for informational purposes. While CIGNA is the defendant in the Connecticut and California PxDx lawsuits, the overarching issue of using automated software to process claims potentially impacts all insurers, and thus, this should be on the radar of all plan sponsors. Furthermore, the ruling against Anthem serves as an important reminder that health plans and third-party administrators face increasing scrutiny to support that they are in compliance with the Mental Health Parity and Equity Addiction Act.
Recently, a lawsuit was filed against CIGNA in Connecticut, almost identical to a similar one filed against it earlier this summer in California. The issue stems from CIGNA’s use of the automated software, PxDx, in the processing of its claims. A ProPublica investigation (available here) found that the software could be used to deny a claim without the provider opening the patient’s file. The U.S. House of Representatives’ Energy and Commerce Committee and state regulators are also investigating the insurance company’s use of the software.
The suit is seeking class action status covering every participant nationwide who had claims reviewed by PxDx, which it alleges has resulted in the improper denial of hundreds, even thousands of claims. For its part, CIGNA is stating that the claims are baseless, and that it uses a standard review process that is similar to those of other insurers.
On September 20, 2023, in K.D. and A.D. v. Anthem Blue Cross and Blue Shield/Group Health Plan of United Technologies Corporation, the U.S. District Court in Utah ruled in favor of the plaintiffs (a health plan participant and dependent daughter) in a mental health parity claim. The court found that Anthem, third-party administrator for the health plan, applied a more stringent limit on residential mental health treatment than on the analogous skilled nursing treatment because mental health patients under the plan were not provided with a course of treatment plan or stages of care in connection with determining a patient’s discharge from the facility, as is the case with skilled nursing facilities under the plan. For further information, please read a related article by the law firm of Kantor & Kantor here.
Questions of the Month
Question: Are employers required to provide participants with health and welfare summary plan descriptions (SPD) annually?
Answer: For health and welfare plans subject to ERISA, there is no requirement that SPDs be routinely provided every year. In general, health and welfare plan SPDs must be furnished when a participant first becomes covered by a plan and at specific intervals thereafter. Different deadlines apply in different situations, as follows:
- Newly Covered Participants.SPDs for existing plans must be automatically furnished within 90 days after a participant first becomes covered.
- New Plans.SPDs for new plans must be automatically furnished within 120 days after the plan is first established and becomes subject to ERISA.
- Five-Year Rule If Material Changes Made.An updated SPD must be automatically furnished at least every five years if any material changes were made within that five-year period. The updated SPD must be furnished no later than 210 days following the last day of the fifth plan year after a material change would have been reflected in the most recently distributed SPD and must incorporate all amendments that occurred during the five-year period. Meanwhile, the material changes must have been communicated via summaries of material modifications.
- Ten-Year Rule If No Material Changes Made.If no material changes were made during the immediately preceding ten-year period, a copy of the most recently distributed SPD must be furnished within 210 days following the last day of the tenth plan year after a material change would have been reflected in the most recently distributed SPD.
- Upon Request. SPDs (and other materials) must be furnished to participants (and certain others) upon request.
Notwithstanding, because SPDs provide important information about participants’ rights and responsibilities, it may be advisable to furnish them sooner than these outside deadlines. If a participant has not been notified of plan requirements, such as the need to follow the plan’s claims procedure, a court might not require the participant to follow the procedure. Thus, furnishing SPDs as soon as practicable is generally in the plan’s and your company’s best interest.
Finally, keep in mind that group health plans are subject to many other disclosure requirements. Some of these, such as the summary of benefits and coverage and notices regarding certain group health plan mandates, have different distribution rules.
Source: Thompson Reuters