A Compliance Newsletter by: The Baldwin Regulatory Compliance Collaborative (BRCC)
Welcome to the April 2023 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.
This month’s issue of the Baldwin Bulletin focuses on providing employers with important 2023 compliance deadlines, as well as certain compliance issues that potentially will have a significant impact on employers over the next several months.
HIPAA Privacy and Security Breaches Continue to Increase
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) is the primary agency arm charged with enforcement of the Privacy Rule and Security Rule provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). OCR recently delivered its 2021 Enforcement Reports to Congress detailing national compliance assuredness efforts by the agency. Namely, the reports provide statistics related to breaches of unsecured protected health information (PHI), as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).
- The first report, HIPAA Privacy, Security, and Breach Notification Rule Compliance, identifies the number of complaints received, the method by which those complaints were resolved, and other OCR HIPAA compliance enforcement activities. It is important to note that OCR did not perform any audits in 2021 due to lack of financial resources.
- The second report, Breaches of Unsecured Protected Health Information, identifies the number and nature of breaches of unsecured PHI that were reported to HHS and the actions taken in response to the breaches.
The table below summarizes some surprising statistics from the full text of the two recent reports to Congress:
Employer Action Items
- The results from this report highlight the continued need for covered entities to improve compliance with the Administrative Simplification requirements of HIPAA’s Security Rule, including the need for risk analysis and management, information system activity review, and audit and access controls.
- These annual reports are also an important reminder of the agency’s HIPAA compliance enforcement activities.
- OCR has requested that the HITECH civil penalty caps be increased in the HHS Fiscal Year 2023 Legislative Supplement sent to Congress to secure enough staff and resources to carry out OCR’s enforcement activities, which have been significantly hindered due to a lack of funding to accommodate the increased breach and complaint incidents noted above.
- It is crucial that employers who create, use, disclose and/or maintain PHI be able to demonstrate their compliance with the HIPAA administrative simplification requirements on an ongoing basis and that their employees be adequately and appropriately trained on a timely and recurring basis.
As a reminder, the Security Rule’s Administrative Simplification provisions detail the compliance assuredness activities all covered entities should perform, regardless of breach status. These requirements include, without limitation, the following obligations for covered entities:
- Designating an assigned Privacy Officer;
- Designating an assigned Security Officer;
- Identification of the covered entity’s designated individuals;
- Provision of adequate full-scope HIPAA training for officers and designated individuals, including security reminders and refresher training;
- Drafting and maintaining written policies and procedures governing the administration of PHI within/without the covered entity;
- Drafting and maintaining a harm mitigation policy, as well as security incident procedures;
- Performing the security risk analysis and management process, including performing and documenting a written security risk analysis and accompanying report;
- Adopting a written sanctions policy for non-conforming staff; and
- Development of reasonable and appropriate physical, technical, and administrative safeguards for PHI.
For the covered entity’s use in performing and evaluating its satisfaction of the Security Rule’s administrative simplification requirements, please click here for a copy of the BRCC’s HIPAA Administrative Simplification checklist and worksheet for covered entities. The checklist details the administrative simplification requirements in an easy-to-follow inventory-style format.
Upcoming 2023 Compliance Deadlines
Employers must comply with numerous reporting and disclosure requirements throughout the year in connection with their group health plans. The attached Compliance Timeline explains key compliance deadlines for employer-sponsored group health plans for the remainder of the year. In particular, please note the following upcoming deadlines:
Gag Clause Attestations Due by December 31
The Departments of Labor, Health and Human Services and the Treasury (the “Departments”) recently issued Frequently Asked Questions (FAQs) related to the Consolidated Appropriations Act, 2021 (CAA)’s transparency related prohibition of gag clauses. Health plans and health insurance issuers must submit their first attestation of compliance with the CAA’s prohibition of gag clauses by the end of this year, covering the period beginning December 27, 2020, through the date of the attestation. Subsequent attestations will be due annually on December 31, covering the period since the last attestation.
Employer Action Items
- The attestation requirement applies to both grandfathered and non-grandfathered group health plans, whether fully-insured or self-insured, and including ERISA plans, non-federal governmental plans, and church plans.
- Plans that provide solely excepted benefits (e.g., stand-alone dental or vision plans) and account-based plans (e.g., health reimbursement accounts) are exempt.
- Sponsors of group medical plans should review their contracts with health care issuers, third-party administrators (TPAs) and other health plan service providers to ensure any contracts with them providing or offering access to a network of providers do not violate the CAA’s prohibition of gag clauses.
- The CAA’s requirements prohibiting gag clauses already went into effect, so any remaining gag clauses are now prohibited.
- The attestation obligation serves as a way to evidence contracts are in compliance.
- If an issuer submits an attestation on behalf of a plan, the Departments will consider the plan to have satisfied the attestation requirement. Consequently, confirm your health care issuer is providing the attestation on your behalf.
- Self-funded plan sponsors should consider entering into written agreements with their TPAs to provide the attestation.
The FAQs provide additional guidance on the CAA requirements prohibiting gag clauses (a gag clause is defined as a contractual term that directly or indirectly restricts specific data and information that a health plan or issuer can make available to another party). The CAA generally prohibits group health plans and issuers offering group health insurance from entering into agreements with health care providers, TPAs or other service providers that include certain gag clause language. Specifically, these contracts cannot restrict a plan or issuer from:
- Providing provider-specific cost or quality-of-care information or data to referring providers, the plan sponsor, participants, beneficiaries or enrollees (or individuals eligible to become participants, beneficiaries or enrollees) of the plan or coverage;
- Electronically accessing de-identified claims and encounter information or data for each participant, beneficiary or enrollee upon request and consistent with privacy rules under the Health Insurance Portability and Accountability Act (HIPAA), the Genetic Information Nondiscrimination Act (GINA), and the Americans with Disabilities Act (ADA); and
- Sharing information or data described above or directing such information to be shared with a business associate, consistent with applicable privacy rules.
For example, if a contract between a TPA and a health plan provides that the plan sponsor’s access to provider-specific cost and quality-of-care information is only at the discretion of the TPA, that contractual provision would be considered a prohibited gag clause.
The FAQs are available here. In addition, the Departments have launched a website through the Centers for Medicare and Medicaid Services for health plans and issuers to submit their gag clause compliance attestations. The Departments have also provided instructions, a system user manual, and a reporting entity Excel template for plans and issuers to submit the required attestation, all of which are available here.
Expansion of Electronic Filing of Employee Benefit Plan Returns Beginning in 2024
The Internal Revenue Service (IRS) has finalized regulations lowering the threshold for the mandatory electronic filing of certain employee benefit plan returns, including Affordable Care Act (ACA) reporting Forms 1094-B, 1095-B, 1094-C and 1095-C. This threshold went from 250 to 10 returns and is determined by looking at the aggregate number of information returns (including Forms W-2 and 1099) to be filed with the IRS beginning in calendar year 2024. This will require most employers to file electronically starting next year.
The IRS may grant waivers to the electronic filing requirement, but only in limited circumstances. Under the ACA, employers can use the AIR System to electronically file ACA information returns with the IRS. This system is separate from the system used to file other information returns like Forms W-2. Employers who are not currently set up for electronic filing should take steps to do so soon, whether on their own or through a third party.
For more information on the electronic filing process and the AIR System, read here.
IRS Announces 2024 Affordable Care Act Play or Pay Penalties
The IRS has released Revenue Procedure 2023-17, announcing 2024 indexing adjustments to the applicable dollar amount used to calculate employer shared responsibility penalty payments (ESRP) under the Affordable Care Act (ACA).
Employer Action Items
- To the extent an employee applies for and is awarded a premium subsidy from either national or state-run insurance marketplaces, the ALE may be assessed an ESRP.
- Applicable Large Employers (ALEs) may be liable for an employer shared responsibility penalty under Internal Revenue Code (Code) Section 4980H(a) should they fail to offer minimum essential coverage to at least 95% of their full-time employees and dependents.
- For 2024, the monthly ESRP that will be assessed under Code Section 4980H(a) will be equal to the ALE’s total number of full-time employees (minus 30) multiplied by 1/12 of $2,970, or $247.50, for any applicable month.
- Alternatively, an ALE may be subject to a Code Section 4980H(b) penalty if it offers minimum essential coverage to the required number of full-time employees, but the coverage offered is not affordable or does not provide 60% minimum value.
- For 2024, the monthly penalty that will be assessed under Code Section 4980H(b) on an ALE for each employee who waives the employer coverage, goes to the Marketplace, and obtains a subsidy is 1/12 of $4,460, or $371.67, for any applicable month, capped at the maximum Code Section 4980H(a) penalty amount.
- The IRS release is available here.
EEO-1 Reporting Deadlines Extended
The deadline for the annual EEO-1 Report to the Equal Employment Opportunity Commission (EEOC) for the 2022 year, initially due on March 31, 2023, has been delayed. The collection of 2022 information and the portal for submitting EEO-1 reports is not yet open. Instead, the EEOC expects to open the portal for employers to begin entering 2022 EEO-1 information sometime in mid-July 2023. While no formal deadline has been set, the deadline for submitting 2022 data will likely be no later than mid-September 2023.
EEO-1 reporting for the previous three years was also delayed, with the portal for submitting 2019 and 2020 information opening in April 2021 and ultimately closing in November 2021 and the portal for submitting 2021 information opening in April 2022 and ultimately closing in July 2022. The unique situations present in those prior years may limit their value as guidance for the current year.
Employer Action Items
- Employers should monitor the EEOC’s EEO-1 webpage for updates. The collection of 2022 EEO-1 data is tentatively expected to begin in mid-July 2023. The deadline for submitting 2022 data will likely be no later than mid-September 2023.
- Employers filing EEO-1 Reports for the first time must register to receive a company login, password and further instructions for filing from the EEOC.
Under Title VII of the Civil Rights Act (Title VII), employers with 100 or more employees and certain federal contractors must submit a report about their workforces to the EEOC by March 31 every year. This report, known as the EEO-1 report, is a federally mandated survey that collects workforce data categorized by race, ethnicity, sex and job category.
The following entities are subject to EEO-1 reporting:
- A private employer that has 100 or more employees (with limited exceptions for schools and other organizations);
- A private employer with between 15 and 99 employees if it is part of a group of employers that legally constitutes a single enterprise that employs a total of 100 or more employees; and
- A federal contractor that has 50 or more employees, is either a prime contractor or first-tier subcontractor, and has a contract, subcontract or purchase order amounting to $50,000 or more.
Although the EEOC sends notification letters to employers it knows to be subject to the EEO-1 requirements, all employers are responsible for obtaining and submitting the necessary information prior to the appropriate deadline. An employer that fails or refuses to file an EEO-1 report as required may be compelled to do so by a federal district court. Federal contractors also risk losing their government contracts for failures to comply.
IRS Issues FAQs on the Reimbursement of Qualifying Medical Expenses from HSAs, FSAs and HRAs
On March 17, 2023, the Internal Revenue Service (IRS) posted frequently asked questions (FAQs) that address whether certain costs related to nutrition, wellness, and general health are medical expenses that may be paid or reimbursed under a health savings account (HSA), health flexible spending account (FSA), Archer medical savings account (Archer MSA), or health reimbursement account (HRA). These FAQs were released as part of a federal government undertaking to end hunger and reduce diet-related diseases by 2030.
Employer Action Items
- Certain expenses related to the provision of medical care, more particularly costs related to nutrition, wellness, and general health, may be eligible to be paid or reimbursed on a tax-advantaged basis through an HSA, FSA, Archer MSA, or HRA, to the extent such expenses meet IRC Section 213(d)’s definition of an eligible expense.
- Any amount that is paid or reimbursed under a tax-advantaged account (listed above) is prohibited for individual deduction on the taxpayer’s annual federal income tax return.
- For these purposes, medical expenses are defined as the costs of diagnosis, cure, mitigation, treatment, or prevention of disease, and for the purpose of affecting any part or function of the body, including:
  - Payments for legal medical services rendered by physicians, surgeons, dentists, and other medical practitioners;
  - Costs of equipment, supplies, and diagnostic devices needed for such purposes;
  - Costs of medicines and drugs that are prescribed by a physician;
  - Expenses primarily to alleviate or prevent a physical or mental disability or illness, including the prevention of hunger and diet-related diseases;
- Expenses that are merely beneficial to general health are excluded.
The FAQs are available here. For more information about whether costs related to nutrition, wellness and general health are medical expenses, see Publication 502, Medical and Dental Expenses, and Tax Topic 502, Medical and Dental Expenses. For more information about HSAs, FSAs, Archer MSAs and HRAs, see Publication 969, Health Savings Accounts and Other Tax-Favored Health Plans. In addition, unrelated to this topic, note that IRS Publication 503, Child and Dependent Care Expenses, has also been updated and released. The publication explains the requirements that taxpayers must meet to claim the dependent care tax credit for child and dependent care expenses. It also explains how to figure and claim the credit.
Medicare Guide to Coordination of Benefits
Medicare is the federal health insurance program that provides coverage to individuals who are 65 years or older, as well as those with certain disabilities. However, Medicare does not cover all healthcare expenses, and some individuals may have other insurance plans that can help cover these costs. This is where Medicare’s Coordination of Benefits (COB) rules come into play.
Medicare’s COB rules outline how Medicare works with other insurance plans (notably group health plans) to ensure that beneficiaries receive the maximum coverage possible. The rules explain how Medicare determines which plan pays first and how much each plan will pay. It is important for beneficiaries to understand their coordination of benefits so they can avoid paying more than necessary for their healthcare expenses.
Overall, Medicare’s COB rules help beneficiaries navigate the complex world of health insurance and ensure they receive the best possible coverage for their medical needs. For more information and details on how Medicare works with other insurances, read here.
Preventive Care Benefits Toolkit Available
The Affordable Care Act (ACA) requires non-grandfathered health plans and health insurance issuers to cover certain preventive health services at 100% coverage without imposing cost-sharing requirements when the services are provided by in-network providers. These preventive health services include, for example, many cancer screenings, blood pressure, diabetes and cholesterol tests, vaccinations against diseases, and counseling on topics such as smoking cessation and losing weight. This coverage mandate also includes preventive health services for women, such as well-woman visits, breastfeeding support, domestic violence screening, and contraceptive coverage. In essence, preventive care aims to shift the focus from treating sickness to maintaining wellness and good health.
This Benefits Toolkit is an employer’s introductory guide to preventive care. It provides an overview of the three types of preventive care (preventive care for adults, preventive care for women, and preventive care for children), the impact of preventive care on the workplace (including the cost, its challenges as well as its benefits), and employer considerations. Click here to read more.
Lifestyle Spending Accounts
Lifestyle spending accounts (LSAs) are employer-funded, taxable spending accounts that employees can use to support their individual needs, including their physical, mental, emotional, and financial health and wellness. Unlike flexible spending accounts (FSAs) and health savings accounts (HSAs), employers fully fund LSAs, which are considered taxable income when spent. Also, LSAs are not subject to nondiscrimination requirements under the Internal Revenue Code (Code) and are designed to be exempt from the Employee Retirement Income Security Act (ERISA).
Each LSA can have its own design, services, eligibility requirements, dollar amounts, reimbursement process, and spending timeframe. As a result, LSAs are viewed as an emerging benefit that employers are considering offering – or already are offering – as part of their overall benefits package. It is well known that meaningful and competitive benefits are a leading way for employers to attract and retain workers—and LSAs could be a desirable piece of the benefits puzzle.
To learn more about LSAs, including their pros and cons, click here.
Milliman Releases Recent Mental Health Benefits Survey
A recent survey conducted by Milliman, Inc. (Milliman), one of the largest privately held consulting and actuarial firms, polled employers representing over 1.6 million lives, about the mental health benefits they provide to their employees and how plan members utilize those benefits.
The results indicate a significant increase in utilization by plan members since the beginning of the Covid-19 pandemic, but without a corresponding increase in data to aid managers in developing plans to engage members and manage their plans. The survey indicates that plan sponsors are very aware that this aspect of their benefit plans requires greater attention to both improve access for plan members and to reduce any stigma attached to the care they receive.
To read the Milliman report, see here.
Survey of Women’s Experiences with Provider Communications and Interactions in Health Care Settings
In a recent survey conducted by the Kaiser Family Foundation between May 10 and June 7, 2022, 46% of all women between the ages of 18-35 who had seen a health care provider in the past two years reported experiencing a negative reaction with a health care provider. The survey involved a nationally representative sample of 5,145 self-identified women and 1,225 self-identified men between the ages of 18 to 64.
Other findings among women ages 18-64 who had seen a health care provider in the past two years, include the following:
- 29% found that their doctor had dismissed their concerns (compared to 21% of men)
- 15% reported that a provider did not believe they were telling the truth (compared to 12% of men)
- 13% indicated that their provider personally blamed them for their health problem (similar to the % of men)
- 9% experienced discrimination during a health care visit because of their age, gender, race, sexual orientation, religion or other personal characteristic (compared to 5% of men)
Women’s experience with provider communications and interactions in healthcare settings can have an impact on their overall health outcomes. The quality of communication between women and their healthcare providers can also affect accuracy of diagnoses, adherence to treatment plans, and patient satisfaction. Research has also shown that women often feel dismissed or unheard by their providers. This can lead to delayed or inadequate care, as well as feelings of frustration and mistrust. Effective communication between women and their healthcare providers requires active listening, empathy, and a willingness to address patients’ concerns. Providers should also be aware of cultural differences that may affect communication styles.
In order to improve women’s experiences with provider communication and interactions in healthcare settings, it is important for providers to receive training on effective communication skills. Additionally, creating a supportive environment that encourages open dialogue between patients and providers can help build trust and improve patient outcomes.
Read here for more information on this topic.
Question of the Month
Question: Whether the medical expenses of an employee’s adult children can be reimbursed tax-free from an employee’s health savings account (HSA).
Answer: Only if the adult children can qualify as tax dependents under the HSA rules.
- High deductible health plans (HDHPs) that provide dependent coverage of children must make the coverage available until a child turns age 26.
- The age 26 mandate does not generally apply to HSAs because they are not group health plans.
- The income exclusion for employer-provided health coverage includes employees’ children who are under age 27 as of the end of the taxable year, regardless of whether those children qualify as tax dependents; however, similar provisions do not appear in the HSA tax-free reimbursement rules.
- Instead, whether an adult child’s medical expenses can be reimbursed tax-free from a parent’s HSA depends on whether the child qualifies as a tax dependent for HSA distribution purposes—i.e., whether the adult child is a qualifying child (for example, due to disability) or a qualifying relative (where the parent provides over one-half of the child’s support).
- Distributions from a parent’s HSA that reimburse a nondependent adult child’s medical expenses are taxable and may be subject to an additional 20% tax.
- Consequently, the medical expenses of some adult children who are enrolled as dependents in a company’s HDHP will not qualify for tax-free reimbursement from the employee-parent’s HSA. It is possible, however, that these children may be HSA-eligible themselves. If they cannot be claimed as tax dependents and they meet the other HSA eligibility requirements, they could open HSAs of their own.
Source: Thomson Reuters.