Patient-Centered Outcomes Research Institute (PCORI) Fee / Comparative Effectiveness Fee:
Reminder: Plan Sponsors of Applicable Self-Funded Health Plans Must Make PCORI Fee Payment By July 31, 2018
Client Alert: Administering Benefit Coverage During a Leave of Absence – The Necessity of a Leave of Absence Policy
Administering Benefit Coverage During a Leave of Absence – The Necessity of a Leave of Absence Policy
Employee leaves of absence take on various forms, but whether such leaves are provided as a matter of law or pursuant to employer policy, they create unique challenges from a health and welfare benefits compliance standpoint. Indeed, common issues for employers to analyze when employees are absent from work for an extended period of time are whether health and welfare benefit coverage should be continued and, if so, for how long. The answers are contingent upon various factors such as the circumstances surrounding the leaves of absence, the size of the employer, the terms of the applicable plan documents, and the applicability of various federal and state laws. Establishing and implementing a carefully drafted leave of absence policy addressing the provision of benefits is an essential component of benefit administration during a leave of absence.
Implementing a carefully designed leave of absence policy addressing the provision of health and welfare benefits is an easy way for an employer to reduce its risk of employee disputes, discrimination complaints, and financial exposure related to the provision of benefits. However, care needs to be given to such policy’s terms. At the outset, an employer’s policy needs to address what types of leaves of absence are permitted. Federal law mandates that certain employers provide job protected leaves of absence under the Family and Medical Leave Act of 1993 (“FMLA”) and the Uniformed Services Employment and Reemployment Rights Act of 1994 (“USERRA”). However, many employers also offer extended leave options for non-qualified and/or extended medical, personal, and/or other various reasons. For each type of permitted leave under an employer’s policy, specific issues related to the provision of benefits need to be addressed. For example, issues related to the provision of benefits that should be addressed within and/or considered in conjunction with an employer’s leave of absence policy include, but are not limited to, the following:
- What Benefits are Continued and For How Long? An employer must decide when to cut off eligibility for various benefits for employees on a leave of absence and then draft its policy carefully to carry out its intent. Generally speaking, an employer covered by the FMLA must maintain coverage under any group health plan (as defined under the FMLA) for the duration of an FMLA leave at the level and under the conditions that coverage would have been provided if the employee had been continuously employed for the duration of the leave. Similarly, under USERRA, an employer is required to provide certain benefit rights to employees who take a leave of absence for service in the uniformed services. USERRA generally requires an employer to continue to maintain the employee’s health plan (as defined in 20 C.F.R. section 1002.163) benefits for up to 24 months on the same terms and conditions as if the employee was still an active employee during a USERRA qualifying leave. An employer generally has more leeway with respect to determining how long to continue benefits during leaves not subject to the FMLA and USERRA (either because the protected leave has ended or the leave was not protected to begin with) and benefits not required to be continued under the FMLA and USERRA (e.g., life insurance, accidental death and dismemberment, disability, business travel, etc.). However, with respect to major medical coverage, an employer also needs to consider coverage implications under the Patient Protection and Affordable Care Act’s Employer Shared Responsibility Mandate (i.e., Pay or Play).
- Has the Insurance/Stop Loss Carrier Agreed to the Continuation of Coverage? Determining how long the insurance company/stop loss carrier has agreed to continue benefits during a leave of absence or other period of time where the employee is not actively working the hours required for eligibility is imperative. Providing coverage that has not been agreed to by the insurance company and/or stop loss carrier can result in substantial exposure through the required self-funding of claims incurred after the carrier refuses to pay due to the participant’s ineligibility. Such financial exposure may be catastrophic to an employer if the claim involves life insurance coverage or massive medical expenses.
- What Do the Applicable Plan Documents Say? It is necessary for an employer to review the plan documents (including active at work requirements and hour thresholds) to ensure that an employee remains eligible prior to continuing coverage during a leave of absence. All plan eligibility and participation provisions must be drafted with care to address extended eligibility during a leave of absence. Ambiguity and/or inconsistency between the plan documents and employer policy can lead to participant disputes, litigation, and potential self-funding of claims.
- How Will Benefits Be Paid For During the Leave? An employer must address how long any employer contribution towards the cost of coverage will be continued. Additionally, the policy should articulate how the employee needs to pay for his or her portion of the cost of coverage during the leave of absence. The requirements associated with the payment of an employee’s share of the cost of coverage can be particularly tricky if the leave of absence is unpaid. Issues to be addressed include, but are not limited to, the timing of the required payment and whether such payment is made on a pre-tax or after-tax basis. Careful attention needs to be paid to federal laws and regulations, such as those related to Code Section 125 cafeteria plans, FMLA, and USERRA.
- When are COBRA Requirements Implicated? A leave of absence is a reduction of hours and is therefore a triggering event that may cause a loss of coverage. COBRA rights may be implicated during a leave of absence if an employee loses eligibility for group health plan coverage. The loss of an employer contribution towards the cost of coverage may also implicate COBRA rights. COBRA requirements need to be carefully analyzed in conjunction with an employer’s benefit structure during a leave of absence to determine whether a qualifying event occurs and, if so, when such event occurs. Failure to timely and accurately provide COBRA continuation rights can result in significant financial ramifications to an employer.
Thus, an employer’s leave of absence policy must be drafted with care, taking into account a plethora of factors. An employer must ensure that it understands when benefits are supposed to end, not only as a matter of its internal company practice, but also as articulated within the applicable plan documents. Ensuring that the employer policy does not create obligations that do not exist within the plan documents is essential. It is equally important for an employer to ensure that it follows the terms of its established leave of absence policy. Deviations from policy terms for one employee can set unintended precedent for future employees. However, case by case analysis may also be required under disability discrimination laws as a leave of absence can also be deemed a reasonable accommodation. Thus, an employer is encouraged to consult with its legal counsel in conjunction with drafting, establishing, implementing, and administering a leave of absence policy.
Elizabeth H. Latchana specializes in employee health and welfare benefits. Recognized for her outstanding legal work, in both 2018 and 2015, Beth was selected as “Lawyer of the Year” in Lansing for Employee Benefits (ERISA) Law by Best Lawyers, and in 2017 as one of the Top 30 “Women in the Law” by Michigan Lawyers Weekly. Contact her for more information on this reminder or other matters at 517.377.0826 or elatchana@fraserlawfirm.com.
Client Alert: Simple Cafeteria Plan: A Nondiscrimination Testing Alternative
Simple Cafeteria Plan: A Nondiscrimination Testing Alternative
Many small employers have historically shied away from establishing Internal Revenue Code (“Code”) section 125 cafeteria plans due to administrative and logistical issues associated with nondiscrimination testing. Specifically, many small employers’ employee population and benefit utilization make it extremely difficult to pass the various nondiscrimination testing requirements under the Code. Further, tracking nondiscrimination testing demographics can be time consuming, costly, and just an overall daunting experience. In an attempt to provide small employers with the tax advantages associated with Code section 125 cafeteria plans without the hassle of monitoring nondiscrimination testing compliance, the Patient Protection and Affordable Care Act amended Code section 125 to permit certain eligible small employers to establish a “simple cafeteria plan”. Of interest to employers, a simple cafeteria plan (and many component benefits offered under the simple cafeteria plan) is treated by the Internal Revenue Service (“IRS”) as meeting the applicable nondiscrimination rules associated with cafeteria plans (including Code sections 125, 105(h), 129(d), and 79(d)). Thus, a simple cafeteria plan is a welcomed additional option for certain small employers that do not want to carefully monitor benefit utilization and/or who in the past have had to exclude certain highly compensated individuals from participation.
Code section 125(j) provides guidance related to compliance and administrative issues associated with simple cafeteria plans. Specifically, this Code subsection establishes (1) which employers can sponsor a simple cafeteria plan; (2) which employees must be eligible under a simple cafeteria plan; and (3) what contributions must be provided under a simple cafeteria plan:
- Which Employers Can Establish a Simple Cafeteria Plan? In general, employers who employed an average of 100 or fewer employees on business days during either of the previous two years may establish a simple cafeteria plan. Special rules exist for newly established employers. Additionally, a “growing employer” rule exists for an employer who had been within the 100 employee threshold when it established the simple cafeteria plan, under which such employer will continue to be treated as an eligible employer until the year following the first year in which it employs an average of 200 or more employees on business days.
- Which Employees Must be Eligible? In general, all employees with at least 1,000 hours of service during the previous plan year must be eligible to participate in the plan. However, certain employees may be excluded (e.g., employees who have not attained age 21 before the close of the plan year; employees who have less than one year of service with the employer as of any day during the plan year; certain employees covered by collective bargaining agreements; and certain nonresident aliens working outside of the United States). And, pursuant to general cafeteria plan rules, certain individuals are categorically ineligible to participate (e.g., partners in a partnership, more than 2% S-corporation shareholders, self-employed individuals). Each employee who is eligible to participate must be able to elect any benefit available under the plan (subject to any terms and conditions that apply to all participants).
- Is the Employer Required to Contribute? Qualified employees (i.e., employees who are eligible to participate in the cafeteria plan and are neither key employees under Code section 416(i) nor highly compensated employees under Code section 414(q)) must receive employer contributions in an amount equal to (1) a uniform percentage of not less than 2% of the employee’s compensation for the plan year; or (2) an amount that is not less than the lesser of 6% of the employee’s compensation for the plan year or twice the amount of the employee’s salary reductions. The employer contribution must be provided to each qualified employee, regardless of whether such employee makes any salary reduction contributions under the plan. Additional rules apply with respect to matching contributions on behalf of highly compensated employees and key employees.
To date, the IRS has not issued regulations or other guidance related to simple cafeteria plans beyond Code section 125(j). As such, to date a fair amount of flexibility exists with respect to how employers can structure their simple cafeteria plans. Nonetheless, Code section 125 cafeteria plan requirements are specific and require detailed documentation and diligence. Employers contemplating establishing a simple cafeteria plan should coordinate with their legal counsel to ensure all applicable requirements are met.
This alert serves as a general summary of lengthy and comprehensive new provisions of the Internal Revenue Code. It does not constitute legal guidance. Please contact us with any specific questions.
Client Alert: Small Employers Have New Option for Benefit Offerings: Qualified Small Employer Health Reimbursement Arrangements
Small Employers Have New Option for Benefit Offerings: Qualified Small Employer Health Reimbursement Arrangements
In today’s market, small employers have increasing difficulty offering competitive benefit structures given the elevated financial and administrative cost associated with maintaining comprehensive employer-sponsored group health plan coverage. And, pursuant to guidance issued under the Patient Protection and Affordable Care Act (“PPACA”), employers have been generally unable to pay for the cost of an employee’s health insurance on the individual market without incurring substantial compliance burdens and/or penalties. Certain small employers now have a welcomed new option available to help their employees pay for the cost of health insurance and other medical expenses: a qualified small employer health reimbursement arrangement (“QSEHRA”).
The 21st Century Cures Act amended section 9831 of the Internal Revenue Code (the “Code”) and provides that certain eligible small employers can establish a QSEHRA under which individual health insurance premiums and other Code section 213(d) qualified expenses can be reimbursed. Unlike other forms of health reimbursement arrangements, a QSEHRA is not considered a “group health plan” for most purposes under the Code, ERISA, and the Public Health Service Act (“PHSA”). As such, a QSEHRA is exempt from numerous cumbersome legal requirements (including the PPACA’s PHSA mandates and COBRA). Thus, small employers that meet the requirements set forth in amended Code section 9831 and IRS guidance (Notice 2017-67) have a new opportunity to make their benefit offerings competitive.
IRS Notice 2017-67 (the “Notice”) provides comprehensive guidance related to compliance and administrative issues associated with QSEHRAs. The Notice is lengthy and comprehensive, and thus requires detailed review by any employer contemplating establishing a QSEHRA. However, a snapshot of highlights from the Notice for employers to keep in mind includes:
- What Employers Can Sponsor a QSEHRA? In order to adopt a QSEHRA, the employer cannot (1) be deemed an applicable large employer (i.e., generally an employer with 50 or more full-time employees (including full-time equivalents) in the preceding calendar year) under the employer shared responsibility mandate; and (2) offer a group health plan as defined in Code section 5000(b) (e.g., medical, dental, vision, health FSA, etc.) to its employees.
- What Employees Must Be Provided Coverage? The QSEHRA must be provided on the same terms to all eligible employees. Uniformity is determined on the basis of the amount made available for reimbursement and not the amount actually reimbursed. The term “eligible employee” generally means any employee of the employer. However, the QSEHRA may be designed to exclude certain classes of employees including (1) employees who have not completed 90 days of service with the employer; (2) employees who have not attained age 25 before the beginning of the plan year; (3) certain part-time and seasonal employees; (4) certain non-participating employees covered by a collective bargaining agreement; and (5) nonresident aliens who do not receive earned income from the employer from sources within the United States. Employees cannot waive participation in the QSEHRA.
- What Expenses Can Be Reimbursed? Guidance indicates that a QSEHRA can reimburse employees for Code section 213(d) medical care expenses (including major medical insurance premiums) incurred by the employee or an eligible family member. However, prior to providing reimbursement, the employee must substantiate the incurred expense (using a methodology similar to that used to substantiate health FSA expenses). Expenses reimbursed elsewhere do not qualify for reimbursement. Additionally, the QSEHRA may only reimburse expenses after the employee provides periodic proof that he or she maintains minimum essential coverage.
- What is the Maximum Benefit That Can Be Provided? The maximum amount available to an employee under a QSEHRA is subject to an annual statutory dollar limit (adjusted annually for inflation). The limit for self-only coverage in 2018 is $5,050. The limit for family coverage is $10,250 for 2018.
- How Does the QSEHRA Need to be Funded? The QSEHRA must be funded solely by an eligible employer (no salary reduction contributions are permitted).
- What Notice and Reporting Obligations Are Associated with a QSEHRA? Written notice, which includes certain statutory language, to each eligible employee must be furnished by the employer at least 90 days before the beginning of each plan year (and on or prior to the first day the employee becomes eligible for an employee who is not eligible to participate at the beginning of the plan year). Additionally, the total amount of the employee’s permitted QSEHRA benefit must be reported on Form W-2. And, employers that sponsor a QSEHRA must file a Form 720 annually and pay PCORI fees under Code section 4376.
Small employers that are considering establishing a QSEHRA for their employees should carefully review IRS Notice 2017-67 and Code section 9831 to ensure appropriate legal compliance. The requirements contained in the guidance are numerous and comprehensive. Additionally, employers should keep in mind that QSEHRAs are still subject to the general welfare benefit plan requirements of ERISA and the HIPAA administrative simplification rules (unless an exception exists). Moreover, benefits under a QSEHRA are taken into account for purposes of the Cadillac Tax provisions under Code section 4980I. Thus, employers are encouraged to consult with their legal counsel in conjunction with establishing and administering a QSEHRA. Proper administration is imperative and small errors can have large penalties.
Copies of the Notice and Code section 9831 can be found at the following:
Client Reminder: PCORI Payment Due July 31st
Patient-Centered Outcomes Research Institute (PCORI) Fee / Comparative Effectiveness Fee:
Reminder: Plan Sponsors of Applicable Self-Funded Health Plans Must Make PCORI Fee Payment By July 31, 2017
CLIENT ALERT: IRS Announces 2018 Increases for HSAs
The IRS has just released its 2018 annual inflation adjustments for Health Savings Accounts (HSAs) as determined under Section 223 of the Internal Revenue Code.
Specifically, IRS Revenue Procedure 2017-37 provides the adjusted limits for contributions to a Health Savings Account (“HSA”), as well as the high deductible health plan (“HDHP”) minimums and maximums for calendar year 2018.
The 2018 limits are as follows:
- Annual Contribution Limit
  - Single Coverage: $3,450
  - Family Coverage: $6,900
- HDHP Minimum Deductible
  - Single Coverage: $1,350
  - Family Coverage: $2,700
- HDHP Maximum Annual Out-of-Pocket Expenses (including deductibles, co-payments and other amounts, but not including premiums)
  - Single Coverage: $6,650
  - Family Coverage: $13,300
- The catch-up contribution for eligible individuals age 55 or older by year end remains at $1,000.
Plans and related documentation, including employee communications, should be updated to reflect these new limits.
As always, please keep in mind that participation in a health FSA (or any other non-HDHP) will result in HSA ineligibility, unless the health FSA is limited to: (1) limited-scope dental or vision excepted benefits; and/or (2) post-deductible expenses.
Questions? Contact us to learn more.
The Future of the Patient Protection and Affordable Care Act May be Uncertain… But HIPAA is Here to Stay
While the future of the Patient Protection and Affordable Care Act and any potential replacement legislation is still in question, the Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services (“HHS”) has clarified through its recent actions that the HIPAA privacy, security, and breach notification rules contained at 45 C.F.R. Parts 160 and 164 (the “Administrative Simplification Rules”) are here to stay. Audits initiated by OCR and investigations resulting from reported violations reveal that HIPAA compliance continues to be a governmental priority under the new administration. Indeed, nine representative resolution agreements have been released by HHS thus far in 2017 (the latest being released earlier this week) assessing a range of penalties from $31,000 to $5.5 million for a covered entity’s failure to comply with various aspects of HIPAA (including but not limited to failure to conduct a thorough and accurate risk analysis, failure to have a business associate agreement in place, failure to have comprehensive policies and procedures in place and implemented, and failure to protect protected health information (“PHI”) from improper use and disclosure). Thus, it is as important as ever for employer-sponsored group health plans to ensure that they are complying with HIPAA’s encompassing and technical requirements. As the various resolution agreements detail, failure to do so can have dire financial consequences on the group health plan (and correspondingly on the sponsoring employer).
HIPAA’s Administrative Simplification Rules require covered entities and their business associates to protect the confidentiality, integrity, and availability of PHI from improper use and disclosure. A group health plan falls within the definition of “covered entity.” Third parties who create, receive, maintain and/or transmit PHI for or on behalf of a covered entity are generally considered “business associates.” See 45 C.F.R. 160.103. Complying with HIPAA’s Administrative Simplification Rules can be a daunting task for group health plans and the employers sponsoring them. For example, administratively, group health plans are required to create, maintain, implement, and periodically review and update several written documents. The following provides a “checklist” approach of some important documents that group health plans need to have in place in order to comply with the Administrative Simplification Rules. Please keep in mind, however, that merely having the documents in place is insufficient from a HIPAA compliance standpoint; group health plans (and plan sponsors) also need to ensure that they are actually implementing, adhering to, and periodically reviewing the substance of the documents. Thus, it is imperative for employer-sponsored group health plans to continually evaluate their HIPAA compliance position with experienced HIPAA legal counsel. Even minor deficiencies can result in substantial penalties.
1. Business Associate Agreements
A covered entity may permit a business associate to create, receive, maintain or transmit PHI on its behalf only after it obtains satisfactory assurances in the form of a written business associate contract that the business associate will appropriately safeguard the information. See 45 C.F.R. sections 164.502, 164.504, and 164.314. A business associate agreement is a cornerstone HIPAA requirement that is commanding more and more scrutiny by the government.
For example, a resolution agreement released on April 20, 2017, demonstrated that a covered entity’s failure to have a business associate agreement in place with a third party vendor that had access to the covered entity’s PHI was a $31,000 mistake. Interestingly, the compliance review of the covered entity was initiated by OCR following OCR’s investigation of the business associate. The two-year corrective action plan associated with the $31,000 fine required, among other things, that the covered entity revise its HIPAA policies and procedures to require: (1) the designation of one or more individual(s) who are responsible for ensuring that the covered entity enters into a business associate agreement with each of its business associates prior to disclosing PHI to the applicable business associate; (2) the creation of a standard template business associate agreement; (3) a process for assessing current and future business relationships to determine whether each relationship is with a “business associate;” (4) a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associate; (5) a process for maintaining documentation of business associate agreements for at least six years beyond the date of when the business associate relationship is terminated; and (6) a process to limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.
The government’s demand for the creation of a standard template business associate agreement is of particular note for employers sponsoring group health plans for some important reasons. First, HIPAA’s Administrative Simplification Rules contain detailed provisions that must be included in a business associate agreement; variations from these strict regulatory requirements can make the agreement noncompliant. If a group health plan has a template business associate agreement in place prepared by experienced HIPAA legal counsel, it can be assured that the agreement is HIPAA compliant. When the document has been prepared by another party (such as the business associate), the group health plan should have the agreement carefully reviewed to ensure each of the regulatory provisions is correctly stated. Second, like any contract, business associate agreements can be drafted in a one-sided manner. A group health plan will want to have its standard business associate agreement prepared to adequately address, among other items, reporting time limits and indemnification requirements in the group health plan’s favor. While the HIPAA Administrative Simplification Rules set forth minimum requirements, keep in mind that additional information can be included within the agreement. Thus, each contract should be reviewed to ensure that the additional provisions are in fact desirable to be included from the group health plan’s perspective.
2. Security Policies and Procedures
A covered entity is required to implement reasonable and appropriate written policies and procedures to comply with the standards, implementation specifications, and other requirements of the security rules. See 45 C.F.R. 164.316. This requires the covered entity to implement administrative, physical, and technical safeguards to protect the confidentiality and integrity of electronic PHI (“EPHI”). Various resolution agreements highlight the need: (1) for comprehensive security policies and procedures; (2) to train workforce members on the policies and procedures; and (3) to periodically evaluate the scope of the policies and procedures.
One of the cornerstones of a covered entity’s security policies and procedures is its security management process. This requires the covered entity to: (1) periodically conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity; (2) implement security measures sufficient to reduce the detected risks and vulnerabilities to a reasonable and appropriate level; (3) apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures; and (4) implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Indeed, two April 2017 resolution agreements demonstrate the need to conduct a thorough and accurate risk analysis to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI and to implement security measures sufficient to reduce those risks and vulnerabilities. In an April 24, 2017 resolution agreement, the covered entity’s HIPAA deficiencies resulted in a $2.5 million settlement. A resolution agreement released April 12, 2017 resulted in a $400,000 settlement. Among other things, the corrective action plan in both cases requires the covered entity to conduct and provide the results of a comprehensive risk analysis to HHS. Thereafter, the covered entity is required to review the risk analysis annually (or more frequently, if appropriate) and promptly update the risk analysis in response to environmental or operational changes affecting the security of EPHI. Thus, through its resolution agreements, HHS is emphasizing the fluid need to ensure that electronic systems adequately safeguard EPHI and that covered entities are appropriately minimizing risk.
3. Privacy Policies and Procedures
Pursuant to 45 CFR 164.530, a covered entity is required to implement written policies and procedures with respect to PHI that are designed to comply with the HIPAA privacy rules and breach notification rules. A limited exception to this requirement is available under 45 CFR 164.530(k) for certain fully-insured group health plans that maintain a “hands off” status (i.e., the group health plan does not create or receive PHI except for certain summary health information and/or enrollment/disenrollment information). Among other items, the privacy policies and procedures must address how a covered entity may use and disclose PHI. They also must address an individual’s rights with respect to his or her PHI and which employees will be granted access to PHI. One May 2017 resolution agreement resulted from a covered entity’s improper disclosure of PHI to the media and various public officials without proper authorization. Another May 2017 resolution agreement resulted from a covered entity’s improper disclosure of PHI to his workplace. The corrective action plans associated with the resolution agreements required the covered entity to develop/review, maintain, and revise as necessary written policies and procedures (which relevantly would set forth the permissible uses and disclosure of PHI), to distribute such policies and procedures to the workforce, and to assess, update, and revise, as necessary, the policies and procedures at least annually. Thus, implementation of comprehensive privacy policies and procedures is deemed a necessity by HHS.
4. Notice of Privacy Practices
Pursuant to 45 CFR 164.520, an individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity and of the individual’s rights and the covered entity’s legal duties with respect to PHI. The notice of privacy practices is essentially a summary of the covered entity’s privacy policies and procedures. The plan sponsor is obligated under the privacy rules to ensure that the notice is prepared and that it is timely and appropriately distributed to plan participants, except in the case of certain fully-insured group health plans that maintain a “hands off” status, in which case the insurer has the duty. The content and distribution requirements for notices of privacy practices are strict. Thus, it is imperative for plan sponsors to ensure legal compliance.
5. Plan Sponsor Certifications
A group health plan may disclose PHI to the plan sponsor for plan administration functions only after: (1) the plan document has been amended to incorporate various regulatory requirements related to the plan’s use and disclosure of PHI, and (2) the plan sponsor has certified to the plan, in writing, that the plan has been amended and that the plan sponsor agrees to the restrictions contained in the amendment. See 45 C.F.R. 164.504 and 164.314. Plan sponsors must ensure that their plans have been appropriately amended and that proper written certification is in place.
6. Workforce Training
A covered entity is required to provide training to all members of its workforce on its HIPAA policies and procedures, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. Various resolution agreements stress the necessity of conducting and documenting comprehensive training. For example, two May 2017 resolution agreements indicate that training must be reviewed at least annually, and, where appropriate, updated to reflect changes in the law, issues discovered during internal or external audits, and other relevant developments. Thus, plan sponsors must continually evaluate the need for workforce training and tailor such training to their internal structure.
These are just some of the written documentation requirements that group health plans must adhere to under HIPAA’s Administrative Simplification Rules. Regulatory provisions must be reviewed in conjunction with the group health plan’s administrative practices when drafting these documents. The resolution agreements released this year reaffirm the notion that employer-sponsored group health plans must evaluate their HIPAA compliance position with experienced HIPAA legal counsel. Deficiencies can result in substantial penalties. Please feel free to contact us with any questions you may have with respect to your HIPAA compliance endeavors.
Copies of the resolution agreements are available by clicking HERE.
This email serves solely as a general summary of complex proposed legislation and government initiatives. It does not constitute legal guidance. Please contact us with any questions related to the Proposed Legislation and what impact finalization might have on your employer-sponsored plans.