HIPAA | Fraser Blog

[Client Alert] Outbreak Period Nightmare: Employee Benefit Deadline Extensions Now Based on Individual Case-by-Case Basis

Employee benefit plan administration is no small feat. However, it is becoming more and more difficult, especially with pandemic related modifications. As you may recall from our previous Client Alert regarding the Outbreak Period, various benefit deadlines were extended due to COVID-19. Plans could not deny certain benefits or impose certain deadlines during the designated Outbreak Period (i.e., March 1, 2020 through 60 days after the National Emergency ends (or another specified date)). However, when the Outbreak Period ends has been a lingering question recently, and the Department of Labor has just answered it in a way that may make plan administrators’ heads spin.

In summary, the period of time which must be disregarded for certain benefits deadline purposes (such as HIPAA special enrollment, as well as certain COBRA and claims procedure due dates) will now end on the earlier of: (a) 1 year from the date that the individual or plan was first eligible for the particular relief, or (b) 60 days after the announced end of the National Emergency (the end of the Outbreak Period). What does this mean? It means that plan administrators must keep track on a case-by-case basis of each individual who would have had a deadline imposed on/or after March 1, 2020 but for the 2020 relief, the date of the original deadline, and track one year from that date (unless the Outbreak Period ends earlier).

Background

Last year when the pandemic hit, and to assist plan participants and beneficiaries, employers and other plan sponsors, plan fiduciaries, and other service providers of employee benefit plans impacted by the COVID-19 pandemic, the U.S. government took the following action as authorized by ERISA Section 518:

2020 Disaster Relief Notice

On April 28, 2020, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued EBSA Disaster Relief Notice 2020-01 (Disaster Relief Notice). The Disaster Relief Notice provided deadline relief and other guidance and extended the time for plan officials to furnish benefit statements, annual funding notices, and other notices and disclosures required by Title I of the Employee Retirement Income Security Act of 1974 (ERISA).

2020 Joint Notice

Additionally, on April 28, 2020, the Department of Treasury, the Internal Revenue Service (IRS), and EBSA issued a joint notice which extended certain time frames affecting participants and beneficiaries under ERISA and the Internal Revenue Code (Joint Notice). The Joint Notice extended time frames affecting a participant’s right to group health plan coverage during the COVID-19 outbreak, special enrollment periods, and COBRA continuation of such coverage. Time periods for filing claims for benefits, appealing denied claims, and external review periods were also extended.

The Joint Notice is applicable to all group health plans, disability plans, other employee welfare benefit plans, and employee pension benefit plans subject to ERISA or the Code. Specifically, the Joint Notice provided that these plans must disregard the period from March 1, 2020 until sixty (60) days after the National Emergency ends (or other specified date) when determining certain deadlines for plan participants, beneficiaries, qualified beneficiaries, and claimants. This period is called the Outbreak Period. In particular, plans must disregard the Outbreak Period for the following due dates:

HIPAA Special Enrollment
COBRA Election Period
COBRA Premium Payment Due Date
Date for Individuals to Notify the Plan of Qualifying Events or Disability Determinations
Claim Procedure Date for Individuals to File A Benefit Claim
- Keep in mind health FSA runout periods and forfeitures are also delayed during this period
Claim Procedure Date for Claimants to File An Appeal
Date for Claimants to File A Request for External Review
Date for Claimants to Perfect A Request for External Review

Note: The Joint Notice only extended the claims procedure deadlines for claimants; it did not explicitly extend the date by which a plan administrator had to respond to claims and appeals. However, the plan administrator’s deadlines for issuing such adverse benefit determination on claims and appeals would appear to fall within the general notice and disclosure relief provided by the Disaster Relief Notice.

Additionally, for purposes of group health plan obligations, the Outbreak Period is disregarded for the following:

Date to Provide a COBRA Election Notice

Employers and Plan Sponsors have had to pay close attention to these deadlines as they can have significant administrative and economic impacts.

Lingering Questions

However, many have questioned whether the deadline extension would end on February 28, 2021 due to statutory provisions within ERISA and the Internal Revenue Code stating that with such declared disasters, the Secretaries of Labor and Treasury may provide that periods of time up to one year may be disregarded when determining certain deadlines. That one year period from March 1, 2020 would have expired February 28, 2021.

However, the Department of Labor answered at the last hour, and unfortunately, the difficulty of these previous administrative functions has just been magnified.

Answer: EBSA Disaster Relief Notice 2021-01 (Released Friday, February 26, 2021)

On Friday, February 26, 2021, the Department of Labor released EBSA Disaster Relief Notice 2021-01. The Departments of Treasury, IRS and HHS have reviewed and concur with this guidance.

Instead of ending the disregarded periods on February 28, 2021, or instead of extending the period of disregarded periods to a future date certain, the Department of Labor instituted a case by case analysis, applicable to individuals and plans for whom timeframes were extended. Specifically, individuals and plans who are subject to the relief afforded under the 2020 Disaster Relief Notice and the 2020 Joint Notice as described above will have the applicable periods under the Notices disregarded until the earlier of:

(a) 1 year from the date they were first eligible for relief, or
(b) 60 days after the announced end of the National Emergency (the end of the Outbreak Period).

On the applicable date, the timeframes for individuals and plans with periods that were previously disregarded under the Notices will resume. In no case will a disregarded period exceed 1 year.

Notice 2021-01 provides examples to illustrate application of the above:

If a qualified beneficiary, for example, would have been required to make a COBRA election by March 1, 2020, the Joint Notice delays that requirement until February 28, 2021, which is the earlier of 1 year from March 1, 2020 or the end of the Outbreak Period (which remains ongoing). Similarly, if a qualified beneficiary would have been required to make a COBRA election by March 1, 2021, the Joint Notice delays that election requirement until the earlier of 1 year from that date (i.e., March 1, 2022) or the end of the Outbreak Period. Likewise, if a plan would have been required to furnish a notice or disclosure by March 1, 2020, the relief under the Notices would end with respect to that notice or disclosure on February 28, 2021. The responsible plan fiduciary would be required to ensure that the notice or disclosure was furnished on or before March 1, 2021. In all of these examples, the delay for actions required or permitted that is provided by the Notices does not exceed 1 year.

The Department of Labor further reiterates concerns over COVID-19 related problems that plan participants and beneficiaries may encounter. In such vain, the Department states as follows:

plan fiduciaries should make reasonable accommodations to prevent the loss of or undue delay in payment of benefits in cases where pandemic delayed deadlines are reinstated; and
plans should take steps to minimize the possibility of individuals losing benefits because of a failure to comply with pre-established time frames, such as:
- affirmatively sending a notice regarding the end of the relief period;
- reissuing or amending disclosures regarding the end of the relief period and the time period in which participants and beneficiaries are required to take action, e.g., COBRA election notices and claims procedure notices;
- reminding participants and beneficiaries who are losing coverage under ERISA group health plans that other coverage options may be available to them, including the opportunity to obtain coverage through the Health Insurance Marketplace in their state.

The Department of Labor understands that full and timely compliance with ERISA’s disclosure and claims processing requirements by plans and service providers may not always be possible due to the end of the relief period. Good faith compliance will be taken into consideration.

Conclusion

The case-by-case determinations were not anticipated last year and will require continual monitoring and possibly enhanced recordkeeping, especially if initially imposed deadlines were not accurately recorded at the time due to the deadline delay. Plan sponsors should promptly speak with their benefit and COBRA administrators to ensure the new guidance can be followed. And, as mentioned by the Department of Labor, group health plan communications regarding these deadline changes should be made as quickly as possible.

As you are well aware, the law and guidance are rapidly evolving in this area. Please check with your Fraser Trebilcock attorney for the most recent updates.

We have created a response team to the rapidly changing COVID-19 situation and the law and guidance that follows, so we will continue to post any new developments. You can view our COVID-19 Response Page and additional resources by following the link here. In the meantime, if you have any questions, please contact your Fraser Trebilcock attorney.

Elizabeth H. Latchana specializes in employee health and welfare benefits. Recognized for her outstanding legal work, in both 2019 and 2015, Beth was selected as “Lawyer of the Year” in Lansing for Employee Benefits (ERISA) Law by Best Lawyers, and in 2017 as one of the Top 30 “Women in the Law” by Michigan Lawyers Weekly. Contact her for more information on this reminder or other matters at 517.377.0826 or elatchana@fraserlawfirm.com.

Brian T. Gallagher is an attorney at Fraser Trebilcock specializing in ERISA, Employee Benefits, and Deferred and Executive Compensation. He can be reached at (517) 377-0886 or bgallagher@fraserlawfirm.com.

Client Alert: Major Extension of Employee Benefit Plan Deadlines Due to COVID-19 Outbreak

The coronavirus outbreak has affected virtually every aspect of normal life and business relations, including operation and administration of employee benefit plans. To assist plan participants and beneficiaries, employers and other plan sponsors, plan fiduciaries, and other service providers of employee benefit plans impacted by the COVID-19 pandemic, the U.S. government took action as authorized by ERISA Section 518.

On April 28, 2020, the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) issued EBSA Disaster Relief Notice 2020-01 (Disaster Relief Notice). The Disaster Relief Notice provides deadline relief and other guidance and extends the time for plan officials to furnish benefit statements, annual funding notices, and other notices and disclosures required by Title I of the Employee Retirement Income Security Act of 1974 (ERISA).

Additionally, on April 28, 2020, the Department of Treasury, the Internal Revenue Service, and EBSA issued a joint notice which extends certain time frames affecting participants and beneficiaries under ERISA and the Internal Revenue Code (Joint Notice). The Joint Notice extends certain time frames affecting a participant’s right to group health plan coverage during the COVID-19 outbreak, special enrollment periods, and COBRA continuation of such coverage after employment ends. Time periods for filing claims for benefits, appealing denied claims, and external review periods are also extended.

While the Department of Health and Human Services (HHS) was not involved in this round of guidance, it has been in consultation with EBSA and the Treasury and has advised that it will extend similar relief timeframes applicable to non-Federal governmental group health plans.

The News Release and Frequently Asked Questions regarding the Disaster Notice and Joint Notice can be found here:

FAQs

News Release

Joint Notice

The Joint Notice is applicable to all group health plans, disability plans, other employee welfare benefit plans, and employee pension benefit plans subject to ERISA or the Code. Specifically, these plans must disregard the period from March 1, 2020 until sixty (60) days after the National Emergency ends (or other specified date) when determining certain deadlines for plan participants, beneficiaries, qualified beneficiaries, and claimants. This period is called the Outbreak Period. In particular, plans must disregard the Outbreak Period for the following due dates:

HIPAA Special Enrollment
COBRA Election Period
COBRA Premium Payment Due Date
Date for Individuals to Notify the Plan of Qualifying Events or Disability Determinations
Claim Procedure Date for Individuals to File A Benefit Claim
- Keep in mind health FSA runout periods and forfeitures are also delayed during this period
Claim Procedure Date for Claimants to File An Appeal
Date for Claimants to File A Request for External Review
Date for Claimants to Perfect A Request for External Review

Note: The Joint Notice only extends the claims procedure deadlines for claimants; it does not explicitly extend the date by which a plan administrator has to respond to claims and appeals. However, the plan administrator’s deadlines for issuing such adverse benefit determination on claims and appeals would appear to fall within the general notice and disclosure relief provided by the Disaster Relief Notice.

Additionally, for purposes of group health plan obligations, the Outbreak Period is disregarded for the following:

Date to Provide a COBRA Election Notice

The Joint Notice includes a number of examples to explain how these rules take effect. Each of these examples assumes that the National Emergency ends on April 30, 2020, meaning that the Outbreak Period extends from March 1, 2020 through June 29, 2020, the latter date being 60 days after the National Emergency ends.

With regard to COBRA, one of the listed examples maintains an employee loses group health plan coverage due to a reduction in hours. The COBRA election notice is provided on April 1, 2020. Although typically an individual has 60 days to elect COBRA, here the Outbreak Period is disregarded. Therefore, the 60 day period begins to run on June 29, 2020, so the individual has until August 28, 2020 to elect COBRA.

In another example, an employee was eligible for but declined enrollment in her employer’s group health plan. On March 31, 2020 she gave birth and wants to enroll herself and her child, which is a 30-day HIPAA special enrollment right. The Outbreak Period (again through June 29, 2020 for purposes of these examples) is disregarded, so the 30 day enrollment ends instead on July 29, 2020.

Employers will want to pay close attention to these deadlines as they can have significant administrative and economic impacts. For example, group health plans may have to bear the financial responsibility for continuing premium contributions for months prior to a beneficiary making a COBRA payment. See Example 3:

Example 3 (COBRA premium payments).

(i) Facts. On March 1, 2020, Individual C was receiving COBRA continuation coverage under a group health plan. More than 45 days had passed since Individual C had elected COBRA. Monthly premium payments are due by the first of the month. The plan does not permit qualified beneficiaries longer than the statutory 30-day grace period for making premium payments. Individual C made a timely February payment, but did not make the March payment or any subsequent payments during the Outbreak Period. As of July 1, Individual C has made no premium payments for March, April, May, or June. Does Individual C lose COBRA coverage, and if so for which month(s)?

(ii) Conclusion. In this Example 3, the Outbreak Period is disregarded for purposes of determining whether monthly COBRA premium installment payments are timely. Premium payments made by 30 days after June 29, 2020, which is July 29, 2020, for March, April, May, and June 2020, are timely, and Individual C is entitled to COBRA continuation coverage for these months if she timely makes payment. Under the terms of the COBRA statute, premium payments are timely if made within 30 days from the date they are first due. In calculating the 30-day period, however, the Outbreak Period is disregarded, and payments for March, April, May, and June are all deemed to be timely if they are made within 30 days after the end of the Outbreak Period. Accordingly, premium payments for four months (i.e., March, April, May, and June) are all due by July 29, 2020. Individual C is eligible to receive coverage under the terms of the plan during this interim period even though some or all of Individual C’s premium payments may not be received until July 29, 2020. Since the due dates for Individual C’s premiums would be postponed and Individual C’s payment for premiums would be retroactive during the initial COBRA election period, Individual C’s insurer or plan may not deny coverage, and may make retroactive payments for benefits and services received by the participant during this time.

Importantly, the Joint Notice acknowledges that different geographical regions may have different Outbreak Period end dates. In such case, additional guidance will be issued.

Disaster Relief Notice

In the Disaster Relief Notice, the Department of Labor announced an extension of deadlines for furnishing certain required notices and disclosures to plan participants, beneficiaries and others in order for plan sponsors to meet their ERISA obligations during the coronavirus outbreak.

Participant Disclosures

Subject to the duration limitation in ERISA section 518, an employee benefit plan and the responsible plan fiduciary will not be in violation of ERISA for a failure to timely furnish a notice, disclosure, or document that must be furnished between March 1, 2020, and 60 days after the announced end of the COVID-19 National Emergency, if the plan and responsible fiduciary act in good faith and furnish the notice, disclosure, or document as soon as administratively practicable under the circumstances. Good faith acts include use of electronic alternative means of communicating with plan participants and beneficiaries who the plan fiduciary reasonably believes have effective access to electronic means of communication, including email, text messages, and continuous access websites.

Such notices include Summary Plan Descriptions, Summaries of Material Modifications, benefit determinations, annual funding notices, periodic benefit statements, summary annual reports, participant fee disclosures, QDIA notices, and blackout notices, as long as good faith efforts are made to furnish these documents as soon as administratively practicable. Of note, this Disaster Relief Notice uses the same Outbreak Period as in the Joint Notice.

Employee Pension Benefit Plans

The Disaster Relief Notice also addresses certain items specific to employee pension benefit plans, including:

An ERISA retirement plan’s failure to follow the usual procedural requirements for plan loans and distributions will not be treated as a failure by the DOL, provided that:

The failure is solely attributable to the COVID-19 outbreak;
The plan administrator makes a good-faith diligent effort to comply with ERISA’s procedural requirements;
The plan administrator makes a reasonable attempt to correct any procedural deficiencies as soon as practicable.

The DOL confirmed that it will not treat participant loans as violating ERISA if those loans comply with the increased loan limits and/or suspension of loan repayments provided by the CARES Act, and that it will treat a plan as having been operated in accordance with its terms with respect to certain plan loan and distribution provisions available under the CARES Act if the plan satisfies the conditions for the extended amendment deadline under the CARES Act. This guidance is unsurprising, but appreciated.

The Disaster Relief Notice also indicates that the DOL will not take enforcement action if a plan fiduciary fails to meet the usual deadlines for forwarding participant contributions and loan repayments to a plan during the Outbreak Period, if the failure is solely attributable to the COVID-19 outbreak, provided the employer and/or service provider acts reasonably, prudently, and in the interest of employees to comply as soon as administratively practicable under the circumstances.

Finally, the Disaster Relief Notice specifically confirms that blackout notices are covered by the general good faith relief from notice and disclosure deadlines under ERISA section 518 described earlier, and further provides that a plan fiduciary is not required to make a written determination that the failure to meet the normal 30-day advance notice requirement was due to events beyond the reasonable control of the plan administrator, as a pandemic inherently satisfies that standard.

Form 5500 and Form M-1 Filing Relief

The IRS had previously extended the Form 5500 deadline in certain limited cases related to the COVID-19 pandemic. See IRS Notice 2020-23. Specifically, for filings otherwise due on or after April 1, 2020 and before July 15, 2020 are now due on July 15, 2020. This does NOT apply to calendar year plans as their filings are due July 31, 2020 and are outside the relief period. Presumably, this is because calendar year plans can already obtain an automatic extension of their 2019 Form 5500 deadline until October 15, 2020. However, the guidance indicates that the DOL will continue to monitor the situation and may issue further relief depending on how things unfold.

The Disaster Relief Notice now extends this same relief to Form M-1 filings. Form M-1 is applicable to multiple employer welfare arrangements (MEWAs) and certain other entities required to report for their ERISA group health plans. While Form M-1 is normally due March 1, if an entity had timely requested a 60-day extension, that extended period falls within the relief period and now would be due by July 15, 2020.

General Compliance Guidance

Last, the Disaster Relief Notice provides several points of general ERISA fiduciary compliance guidance during this coronavirus pandemic, notably that:

Plans must act reasonably, prudently, and in the interest of the covered workers and their families who rely on their health, retirement, and other employee benefit plans for their physical and economic wellbeing.
Plan fiduciaries should make reasonable accommodations to prevent the loss of benefits or undue delay in benefits payments.
When the pandemic prevents plans and service providers from fully and timely complying with claims processing and other ERISA requirements, the Department of Labor will emphasize compliance assistance and include grace periods and other relief where appropriate.

Importantly, however, the fiduciary relief provided by the Disaster Relief Notice is generally limited to adoption of nonenforcement positions by the DOL. It does not necessarily restrict a participant’s ability to enforce his or her substantive rights under ERISA.

As you are well aware, the law and guidance are rapidly evolving in this area. Please check with your Fraser Trebilcock attorney for the most recent updates.

This alert serves as a general summary, and does not constitute legal guidance. Please contact us with any specific questions.

NEW VIDEO: The HITECH Act and HIPAA

With the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, it has caused a number of issues for employers. It is crucial for employers to stay in legal compliance to avoid audits, and the substantial penalties that come with HIPAA violations.

This video discusses the HITECH Act and HIPAA, and their possible effects on employers.

Our lawyers at Fraser Trebilcock also devote substantial amounts of time to advising clients of legislative and regulatory changes in the employee benefits area, and frequently write and lecture on employee benefits topics. Click HERE to sign up to receive updates and alerts on matters related to Employee Benefits Law.

Business Legal Compliance Checklist

A critical overview of laws and regulations governing businesses of all sizes.

Download the Checklist

Attorney Elizabeth Latchana honored among Michigan’s ‘Women in the Law’

When the entire country was seeking to understand and respond to the myriad of employee benefit changes, mandates and associated penalties accompanying the passage of the Patient Protection and Affordable Care Act, Fraser Trebilcock attorney Elizabeth Latchana stepped up to the challenge and became a leading advisor to employers of all sizes across the state of Michigan – and beyond.

“Her dedication to providing clients and the community with the most current information and updates has inspired one of the most active blogs for this legal practice in the state of Michigan,” said Fraser Trebilcock President Brian Morley. “With the proposed changes under the new administration and, for that matter, all future administrations that may aim to continue tweaking or outright changing the laws, Beth’s legal guidance and leadership will be needed for many years to come. We are grateful to have her experience on our side at Fraser.”

Beth found her niche in the transactional health and welfare employee benefits practice just a few years into her legal career. “With the incredible training and assistance of my predecessor and others, I was able to learn, grow, and expand Fraser’s health and welfare employee benefits practice area, sevenfold, and am sincerely honored to have received some accolades along the way,” she says.

Selected in 2015 as “Lawyer of the Year” for Employee Benefits (ERISA) Law in Lansing by Best Lawyers, the Genesee County native has achieved an AV Preeminent peer review rating by Martindale-Hubbell, and continues to be selected by Leading Lawyers and Best Lawyers. Her most recent accolade is selection as one of the Top 30 “Women in the Law” by Michigan Lawyers Weekly, and she will be among those honored at a Sept. 7 luncheon in Troy.

When the graduate of Alma College and University of Notre Dame Law School first joined Fraser Trebilcock as an associate, she set a number of goals, from hitting certain billable hour thresholds, to attaining shareholder status, to growing a client base and expanding her practice, to serving on the Board of Directors, all while volunteering in the community and raising a family.

“Nearly 19 years later, I’m happily still a member of the Fraser Trebilcock family, and I’m pleased to say I’ve met each one of my goals,” she says. “I’m proud of my longevity at this great law firm and happy to be of service to it.”

A vice president on Fraser Trebilcock’s Board of Directors, co-chair of the Employee Benefits practice, and an employee benefits coordinator, Latchana became a leading advisor to employers following the passage of the Patient Protection and Affordable Care Act.

She recalls a tip from a senior associate in the early years: make the boss’ job easier. “It led me to focus on working as a team, not just completing a legally correct and hopefully impressively shiny project, but going the extra mile to reach beyond the assignment to simplify the shareholder’s own work,” she says.

“I’ve taken that advice to heart to this day, now with my own clients, helping navigate them through legal hoops and finding creative solutions while ensuring this is done in a way to allow them to focus on what’s most important to them, their own business. I’m able to use creative thought to develop solutions for clients while ensuring they are complying with the plethora of legal mandates thrown at them in the ever-evolving world of employee benefits.”

[pjc_slideshow slide_type=”women-in-the-law-2017″]

The legal industry is one which focuses on serving others, which Beth feels drawn to. Giving of oneself to the assistance and hopefully betterment of others is, she says, what life is all about. “As lawyers, we are held to incredibly high ethical and professional standards, as well as displaying an excellent work ethic. We have been trained this way, and it is ingrained in our very being. Therefore, it’s almost impossible for these standards not to trickle over in one’s personal life and activities, and in all ways we serve.”

With her own legal practice in the health and welfare benefits arena, she is able to use creative thought to develop solutions for clients while ensuring they are complying with the plethora of legal mandates thrown at them in the ever-evolving world of employee benefits. “My goal is serve my clients in a way that allows them to have full confidence in their benefit structure so they can focus on their own business…”

Personally, her practice has enabled her to balance professional life with things she enjoys outside of work. A mother of three, Latchana serves as being a role model for youth and assists her community through activities including participating in alumni career fairs, coaching and managing youth in various recreational sports leagues, assisting with creating a community dog park, organizing and collecting donations for local shelters, or serving in leadership capacities of local non-profit organizations, most recently the Board of Directors for the Food Bank of Eastern Michigan.

And if Beth commits to something, she utilizes those high standards she was taught to ensure the task is completed to the best of her ability, no matter the subject.

Click HERE to sign up to receive updates and alerts on matters related to Employee Benefits Law. You can also learn more about the legal services provided by Beth and our Employee Benefits attorneys, in their own words:

Business Legal Compliance Checklist

A critical overview of laws and regulations governing businesses of all sizes.

Download the Checklist

The Future of the Patient Protection and Affordable Care Act May be Uncertain… But HIPAA is Here to Stay

While the future of the Patient Protection and Affordable Care Act and any potential replacement legislation is still in question, the Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services (“HHS”) has clarified through its recent actions that the HIPAA privacy, security, and breach notification rules contained at 45 C.F.R. Parts 160 and 164 (the “Administrative Simplification Rules”) are here to stay. Audits initiated by OCR and investigations resulting from reported violations reveal that HIPAA compliance continues to be a governmental priority under the new administration. Indeed, nine representative resolution agreements have been released by HHS thus far in 2017 (the latest being released earlier this week) assessing a range of penalties from $31,000 to $5.5 million for a covered entity’s failure to comply with various aspects of HIPAA (including but not limited to failure to conduct a thorough and accurate risk analysis, failure to have a business associate agreement in place, failure to have comprehensive policies and procedures in place and implemented, and failure to protect protected health information (“PHI”) from improper use and disclosure). Thus, it is as important as ever for employer-sponsored group health plans to ensure that they are complying with HIPAA’s encompassing and technical requirements. As the various resolution agreements detail, failure to do so can have dire financial consequences on the group health plan (and correspondingly on the sponsoring employer).

HIPAA’s Administrative Simplification Rules require covered entities and their business associates to protect the confidentiality, integrity, and availability of PHI from improper use and disclosure. A group health plan falls within the definition of “covered entity.” Third parties who create, receive, maintain and/or transmit PHI for or on behalf of a covered entity are generally considered “business associates.” See 45 C.F.R. 160.103. Complying with HIPAA’s Administrative Simplification Rules can be a daunting task for group health plans and the employers sponsoring them. For example, administratively, group health plans are required to create, maintain, implement, and periodically review and update several written documents. The following provides a “checklist” approach of some important documents that group health plans need to have in place in order to comply with the Administrative Simplification Rules. Please keep in mind, however, that merely having the documents in place is insufficient from a HIPAA compliance standpoint; group health plans (and plan sponsors) also need to ensure that they are actually implementing, adhering to, and periodically reviewing the substance of the documents. Thus, it is imperative for employer-sponsored group health plans to continually evaluate their HIPAA compliance position with experienced HIPAA legal counsel. Even minor deficiencies can result in substantial penalties.

1. Business Associate Agreements

A covered entity may permit a business associate to create, receive, maintain or transmit PHI on its behalf only after it obtains satisfactory assurances in the form of a written business associate contract that the business associate will appropriately safeguard the information. See 45 C.F.R. sections 164.502, 164.504, and 164.314. A business associate agreement is a cornerstone HIPAA requirement that is commanding more and more scrutiny by the government.

For example, a resolution agreement released on April 20, 2017, demonstrated that a covered entity’s failure to have a business associate agreement in place with a third party vendor that had access to the covered entity’s PHI was a $31,000 mistake. Interestingly, the compliance review of the covered entity was initiated by OCR following OCR’s investigation of the business associate. The two-year corrective action plan associated with the $31,000 fine required, among other things, that the covered entity revise its HIPAA policies and procedures to require: (1) the designation of one or more individual(s) who are responsible for ensuring that the covered entity enters into a business associate agreement with each of its business associates prior to disclosing PHI to the applicable business associate; (2) the creation of a standard template business associate agreement; (3) a process for assessing current and future business relationships to determine whether each relationship is with a “business associate;” (4) a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associate; (5) a process for maintaining documentation of business associate agreements for at least six years beyond the date of when the business associate relationship is terminated; and (6) a process to limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.

The government’s demand for the creation of a standard template business associate agreement is of particular note for employers sponsoring group health plans for some important reasons. First, HIPAA’s Administrative Simplification Rules contain detailed provisions that must be included in a business associate agreement; variations from these strict regulatory requirements can make the agreement noncompliant. If a group health plan has a template business associate agreement in place prepared by experienced HIPAA legal counsel, it can be assured that the agreement is HIPAA compliant. When the document has been prepared by another party (such as the business associate), the group health plan should have the agreement carefully reviewed to ensure each of the regulatory provisions are correctly stated. Second, like any contract, business associate agreements can be drafted in a one-sided manner. A group health plan will want to have its standard business associate agreement prepared to adequately address, among other items, reporting time limits and indemnification requirements in the group health plan’s favor. While the HIPAA Administrative Simplification Rules set forth minimum requirements, keep in mind that additional information can be included within the agreement. Thus, each contract should be reviewed to ensure that the additional provisions are in fact desirable to be included from the group health plan’s perspective.

2. Security Policies and Procedures

A covered entity is required to implement reasonable and appropriate written policies and procedures to comply with the standards, implementation specifications, and other requirements of the security rules. See 45 C.F.R. 164.316. This requires the covered entity to implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of electronic PHI (“EPHI”). Various resolution agreements highlight the need: (1) for comprehensive security policies and procedures; (2) to train workforce members on the policies and procedures; and (3) periodically evaluate the scope of the policies and procedures.

One of the cornerstones of a covered entity’s security policies and procedures is its security management process. This requires the covered entity to: (1) periodically conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity; (2) implement security measures sufficient to reduce the detected risks and vulnerabilities to a reasonable and appropriate level; (3) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures; and (4) implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Indeed, two April 2017 resolution agreements demonstrate the need to conduct a thorough and accurate risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI and to implement security measures sufficient to reduce those risks and vulnerabilities. In an April 24, 2017 resolution agreement, the covered entity’s HIPAA deficiencies resulted in a $2.5 million settlement. A resolution agreement released April 12, 2017 resulted in a $400,000 settlement. Among other things, the corrective action plan in both cases requires the covered entity to conduct and provide the results of a comprehensive risk analysis to HHS. Thereafter, the covered entity is required to review the risk analysis annually (or more frequently, if appropriate) and promptly update the risk analysis in response to environmental or operational changes affecting the security of EPHI. Thus, through its resolution agreements, HHS is emphasizing the fluid need to ensure that electronic systems adequately safeguard EPHI and that covered entities are appropriately minimizing risk.

3. Privacy Policies and Procedures

Pursuant to 45 CFR 164.530, a covered entity is required to implement written policies and procedures with respect to PHI that are designed to comply with the HIPAA privacy rules and breach notification rules. A limited exception to this requirement is available under 45 CFR 164.530(k) for certain fully-insured group health plans that maintain a “hands off” status (i.e., the group health plan does not create or receive PHI except for certain summary health information and/or enrollment/disenrollment information). Among other items, the privacy policies and procedures must address how a covered entity may use and disclose PHI. They also must address an individual’s rights with respect to his or her PHI and which employees will be granted access to PHI. One May 2017 resolution agreement resulted from a covered entity’s improper disclosure of PHI to the media and various public officials without proper authorization. Another May 2017 resolution agreement resulted from a covered entity’s improper disclosure of PHI to his workplace. The corrective action plans associated with the resolution agreements required the covered entity to develop/review, maintain, and revise as necessary written policies and procedures (which relevantly would set forth the permissible uses and disclosure of PHI), to distribute such policies and procedures to the workforce, and to assess, update, and revise, as necessary, the policies and procedures at least annually. Thus, implementation of comprehensive privacy policies and procedures is deemed a necessity by HHS.

4. Notice of Privacy Practices

Pursuant to 45 CFR 164.520, an individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity and of the individual’s rights and the covered entity’s legal duties with respect to PHI. The notice of privacy practices is essentially a summary of the covered entity’s privacy policies and procedures. The plan sponsor is obligated under the privacy rules to ensure that the notice is prepared and timely and appropriately distributed to plan participants, except in the case of certain fully-insured group health plans that maintain a hands off status, in which case the insurer has the duty. The content and distribution requirements for notices of privacy practices are strict. Thus, it is imperative for plan sponsors to ensure legal compliance.

5. Plan Sponsor Certifications

A group health plan may disclose PHI to the plan sponsor for plan administration functions only after: (1) the plan document has been amended to incorporate various regulatory requirements related to the plan’s use and disclosure of PHI, and (2) the plan sponsor has certified to the plan, in writing, that the plan has been amended and that the plan sponsor agrees to the restrictions contained in the amendment. See 45 C.F.R. 164.504 and 164.314. Plan sponsors must ensure that their plans have been appropriately amended and that proper written certification is in place.

6. Workforce Training

A covered entity is required to provide training to all members of its workforce on its HIPAA policies and procedures, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. Various resolution agreements stress the necessity of conducting and documenting comprehensive training. For example, two May 2017 resolution agreements indicate that training must be reviewed at least annually, and, where appropriate, updated to reflect changes in the law, issues discovered during internal or external audits, and other relevant developments. Thus, plan sponsors must continually evaluate the need for workforce training and tailor such training to their internal structure.

These are just some of the written documentation requirements that group health plans must adhere to under HIPAA’s Administrative Simplification Rules. Regulatory provisions must be reviewed in conjunction with the group health plan’s administrative practices when drafting these documents. The resolution agreements released this year reaffirm the notion that employer-sponsored group health plans must evaluate their HIPAA compliance position with experienced HIPAA legal counsel. Deficiencies can result in substantial penalties. Please feel free to contact us with any questions you may have with respect to your HIPAA compliance endeavors.

Copies of the resolution agreements are available by clicking HERE.

This email serves solely as a general summary of complex proposed legislation and government initiatives. It does not constitute legal guidance. Please contact us with any questions related to the Proposed Legislation and what impact finalization might have on your employer-sponsored plans.

Questions? Contact us to learn more.

Client Alert: Soaring Compliance Burdens for Wellness Programs Continue to Emerge: New Final Regulations under the ADA and GINA Issued

The desire to offer a wellness program to employees may seem like a no-brainer. Why wouldn’t employers encourage their employees to adopt healthy lifestyles and thereby hopefully reduce the future medical claims and health insurance premiums of employer-sponsored medical plans? Continue reading Client Alert: Soaring Compliance Burdens for Wellness Programs Continue to Emerge: New Final Regulations under the ADA and GINA Issued

Deadline Approaching for Employer Compliance with Pay or Play: Cash Outs and Affordability (New Guidance)

Unless transition relief applies, applicable large employers must comply with the Employer Shared Responsibility Mandate (i.e., Pay or Play) effective January 1, 2015. Under Pay or Play, applicable large employers are required, among other things, to offer affordable medical coverage which provides minimum value to their full-time employees. Although numerous guidance exists regarding determining whether coverage offered is affordable, this Client Alert focuses on the impact of cashable credits offered under a section 125 cafeteria plan.

Continue reading Deadline Approaching for Employer Compliance with Pay or Play: Cash Outs and Affordability (New Guidance)

Client Alert: HIPAA HPID Deadline Delayed until Further Notice

On the eve of the HPID November 5, 2014 deadline, CMS announced that enforcement of the HPID requirements is delayed, until further notice.

“Effective October 31, 2014, the Centers for Medicare & Medicaid Services (CMS) Office of e-Health Standards and Services (OESS), the division of the Department of Health & Human Services (HHS) that is responsible for enforcement of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standard transactions, code sets, unique identifiers and operating rules, announces a delay, until further notice, in enforcement of 45 CFR 162, Subpart E,

Continue reading Client Alert: HIPAA HPID Deadline Delayed until Further Notice

Client Alert: HIPAA Deadline to Obtain Health Plan Identifier Quickly Approaching

The deadline for a large health plan to obtain its health plan identifier (“HPID”) is quickly approaching. As we previously advised (please see our Client Alert dated April 21, 2014), the Patient Protection and Affordable Care Act requires a controlling health plan (“CHP”) to obtain a HPID, which must be used in any HIPAA electronic covered transaction that the health plan conducts or that a business associate conducts on behalf of the health plan. The term “controlling health plan” or “CHP” means a health plan (as defined by HIPAA) that (1) controls its own business activities, actions, or policies; or (2) (i) is controlled by an entity that is not a health plan; Continue reading Client Alert: HIPAA Deadline to Obtain Health Plan Identifier Quickly Approaching

HIPAA – Electronic Transaction Standards – Action Required!

Employer-sponsored health plans have a lot of work to do over the next couple of years to ensure continued compliance with HIPAA’s electronic transaction standards. HIPAA’s administrative simplification rules require a health plan to conduct certain electronic transactions in accordance with standards, code sets, and operating rules adopted by the Department of Health and Human Services (“HHS”). The PPACA significantly expands on these standards, code sets, and operating rules. The PPACA also adds the requirements that a health plan (1) obtain a health plan identifier (“HPID”) for the health plan to use with respect to the electronic transaction standards; and (2) certify compliance with the applicable electronic transaction standards.

Thus, under the PPACA’s expansion of HIPAA’s electronic transaction standards, a health plan needs to (1) ensure that it is in compliance with all currently applicable standards and operating rules (and prepare to comply with upcoming standards and operating rules); (2) obtain a HPID by November 5, 2014 (or November 5, 2015 if it is a small health plan); and (3) prepare to certify to HHS that it is in compliance with certain electronic transaction standards by December 31, 2015 (or December 31, 2016 if it is a small health plan).

Continue reading HIPAA – Electronic Transaction Standards – Action Required!