The Baldwin Bulletin- April 2024

Welcome to the April 2024 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.

This month’s issue of the Baldwin Bulletin focuses on providing you with important upcoming compliance deadlines as well as information regarding certain hot-button compliance issues significantly impacting employers.

Upcoming Compliance Deadlines.

Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans. Please note the following upcoming deadlines. We have also included links to register for our next HIPAA training and educational webinar and attached our compliance calendar for the remainder of 2024.

Our forthcoming topic in the BRCC Educational Webinar Series, “Transparency 101: The Transparency Roundup for 2024,” will be presented on April 24, 2024. Please register here to attend.

Also, please don’t forget to register here for our next HIPAA training on May 7, 2024, “HIPAA 105: Introduction to the Security Risk Analysis.”

Lastly, our compliance calendar for the remainder of 2024 is available here.


2024 HIPAA Privacy and Security Rule Training Calendar.

BRCC’s HIPAA training calendar for 2024 is available here. Please note that all trainings will be broadcast on the first Tuesday of each month, beginning at 3:00 pm Eastern, 12:00 pm Pacific time. You will also see that the HIPAA training is divided into four sessions, with the full series repeated twice during the year. Pre-registration is required. Registration links are embedded in the attachment.


2024 BRCC Educational Webinar Calendar.

The BRCC’s monthly webinar calendar for 2024 is available here. Note that the webinar series is scheduled for the last Wednesday of every month at 1:00 pm Eastern, 10:00 am Pacific time. Program participants who attend a live BRCC webcast presentation are eligible to apply for HRCI or SHRM professional continuing education credits. Pre-registration is required. Registration links are embedded in the attachment.


Medicare Part D Changes May Impact Creditable Coverage Status of Employer Plans.

The Inflation Reduction Act of 2022 (IRA) includes several cost-reduction provisions affecting Medicare Part D plans, which may impact the creditable coverage status of employer-sponsored prescription drug coverage beginning in 2025.

Employer Action Items

  • Employers should monitor CMS’ final program instructions for 2025, which are expected to be published no later than April 1, 2024;
  • Employers should confirm as soon as possible whether the prescription drug coverage offered under their group health plans for 2025 is creditable or non-creditable, as the deadlines for preparing and submitting the Medicare Part D disclosure notices are approaching.

Under existing CMS guidance, there are a few different ways for an employer to determine whether its prescription drug coverage is creditable:

  • As a first step, employers with insured prescription drug plans should ask their carriers whether they have determined that the plan’s coverage is creditable;
  • For self-insured plans, or where the carrier for an insured plan has not yet determined whether the plan is creditable, employers may use a simplified determination if the coverage meets certain design requirements. If it doesn’t, the employer must use an actuarial determination method. However, CMS’ draft program instructions indicate that the simplified determination method will no longer be a valid methodology for determining creditable coverage status as of calendar year 2025.

Employers that provide prescription drug coverage to individuals who are eligible for Medicare Part D must inform these individuals and the Centers for Medicare & Medicaid Services (CMS) whether their prescription drug coverage is creditable, meaning that the employer’s coverage is expected to pay, on average, at least as much as standard Medicare Part D prescription drug coverage.

CMS’ Draft Part D Redesign Program Instructions state that given the significant changes that the IRA made to Medicare Part D, one of the methods for determining whether employer-sponsored prescription drug coverage is creditable will no longer be valid as of calendar year 2025. These draft program instructions are subject to change, and CMS will issue final program instructions for 2025 after considering the public comments received in response to the draft program instructions.

Disclosure to Individuals

Plan sponsors must provide creditable coverage disclosure notices to individuals each year before October 15—the beginning date for the Medicare Part D annual enrollment period.  The disclosure notice alerts individuals as to whether the employer’s group health plan prescription drug coverage is deemed creditable. Model notices are available for employers to use.

Disclosure to CMS

The disclosure to CMS is due within 60 days after the start of each plan year. For calendar year plans, this deadline is March 1 of each year (Feb. 29 for leap years). Plan sponsors are required to use the online disclosure form prepared by CMS.


There is no penalty or fee imposed on an employer whose prescription drug coverage is non-creditable. Non-creditable prescription drug coverage can still be a valuable benefit for employees. However, individuals need to know whether their prescription drug coverage is creditable or non-creditable: if the coverage is non-creditable and Medicare-eligible individuals fail to enroll in Part D during their initial enrollment period, they may be subject to a late enrollment penalty in the form of a higher Part D premium if they enroll in Part D at a later date.

There are also no specific penalties for employers that fail to comply with the Medicare Part D disclosure requirements, except for employers that are claiming the Retiree Drug Subsidy. However, by not providing creditable coverage disclosure notices, employer plan sponsors may trigger adverse employee relations issues. In addition, noncompliant employers may face indirect consequences or other liabilities arising in connection with other federal laws (such as the Employee Retirement Income Security Act’s fiduciary duty requirements).

More Information

More information and resources related to the IRA’s changes to the Medicare Part D program are available on the CMS Part D Improvements webpage.


2024 RxDC Reporting.

Group health plan sponsors and health insurance issuers are required to submit an annual prescription drug data collection report (“RxDC reporting”) to the Centers for Medicare & Medicaid Services (“CMS”), detailing certain prescription drug benefits and other health care spending data for the group health plans they sponsor or insure. For the 2023 calendar year reporting cycle, these informational disclosures must be submitted to CMS on or before Saturday, June 1, 2024.

Employer Action Items

As of the date of receipt of this BRCC Alert, if you have not received RxDC reporting related communications from your health insurance carrier(s), third party administrator (“TPA”), or pharmacy benefit manager (“PBM”), please consider the following actions:

  • Contact your vendors. Identify whether, and to what extent, your vendors may require additional information from you to perform the federal reporting obligations on a timely basis. Many carriers, TPAs, and PBMs have either voluntarily or contractually agreed to make these disclosures on behalf of the employer-sponsored plans they insure and/or administer;
  • Review your written agreements. The agreements maintained with your vendors should address the performance of the RxDC reporting obligations. If your written agreements are silent on the performance of these obligations, time is of the essence to confirm that your carriers and administrators will prepare and submit these disclosures on your behalf;
  • Provide Plan-specific Information to your Vendors. Your vendors may require additional plan or enrollee-specific information (such as group health plan premiums, prescription drug pricing, and participant enrollment data) to perform the RxDC reporting obligations on your behalf. In many instances, these vendors are emailing informational surveys to employers requesting missing information. Closely monitor your email for the arrival of these important vendor surveys and upon receipt of any vendor survey or informational request, respond on an accurate and timely basis.

Note: Employers with self-funded plans should confirm their TPA or PBM (as relevant) is preparing and submitting these disclosures, because ultimately, it is the employer plan sponsor who is charged to assure compliance with the RxDC reporting obligations.


Under Section 204 of Title II, Division BB of the Consolidated Appropriations Act, 2021 (“CAA”), insurance companies and employer-based health plans must submit information about prescription drugs and health care spending. This data submission is called the RxDC report: the “Rx” stands for prescription drug and the “DC” stands for data collection. The RxDC report isn’t limited to prescription drug reporting; it also requires disclosure of additional information related to spending on health care services and the coverage premiums paid by members and employers.

The RxDC report is comprised of several files, including those that require specific plan-level information (such as the plan year beginning and end dates, enrollment information, and premium data), as well as detailed information regarding the employer’s pharmacy and medical benefits.

Most employers contract with third parties, such as issuers, TPAs and PBMs, to prepare and submit the RxDC reporting filed on behalf of the health plans sponsored by the employer. In some instances, employers may work with multiple third parties to assist with or manage their RxDC reporting obligations. CMS will consider a health plan’s submission complete if it receives all required files.


ACA Reporting Penalties.

Employer Action Items

Proposed penalty assessments from the Internal Revenue Service (“IRS”) arising from an employer’s failure to comply with the ACA’s annual employer information reporting obligations have a knack for sneaking up on unsuspecting employers. These assessments can also add up quickly, so employers subject to the annual information reporting requirements are encouraged to furnish and/or file their outstanding ACA Forms 1094-B, 1095-B, 1094-C and 1095-C (as applicable) as soon as possible. If an employer has thus far failed to fully and accurately perform its annual information reporting obligations (or otherwise failed to prepare and submit an IRS Form 8809, Application for Extension of Time to File Information Returns), the employer should work expeditiously to resolve any outstanding reporting-related deficiencies.

The April 1, 2024, filing deadline for applicable large employers, and for small employers sponsoring self-funded and/or level-funded group health plans during calendar year 2023, to prepare and submit their required Forms 1094-B, 1094-C, 1095-B and 1095-C (as applicable) has unfortunately already passed. Employers with information reporting deficiencies face potential IRS-imposed monetary penalties, as detailed in the following schedule:

  • $60/form if filed within 30 days of the missed deadline;
  • $120/form if filed after 30 days but before August 1;
  • $310/form if filed August 1 or after; and,
  • $630/form if the failure to file is intentionally disregarded by the underlying employer.

Note: There are annual maximums that may apply.

Also, keep in mind that there are distinct penalties for failing to furnish Form 1095-B or Form 1095-C (as applicable) to the plan’s covered persons or to its covered full-time employees. For the 2023 calendar year reporting cycle, those penalties apply to the extent the failure to furnish was not remedied on or before March 1, 2024.


Applicable large employers that do not offer Minimum Essential Coverage (“MEC”) to at least 95% of their full-time employees (and their dependents) for any month in 2024, and for which one or more full-time employees receives a Premium Tax Credit (PTC) subsidizing the purchase of health insurance coverage through a state-based insurance exchange or the federal ACA marketplace, may be subject to an IRS-assessed monetary penalty under IRC Section 4980H(a) (the “A Penalty”).

Remember, the 4980H(a) penalty, also called the “sledgehammer penalty” (due to its pass-fail nature), is calculated and assessed by the IRS on a per-employee basis, taking into account the employer’s total count of full-time employees (less the first 30). Consequently, an employer that fails to offer enrollment in MEC-compliant coverage to at least 95% of its full-time employees for a month, and that has at least one full-time employee who receives a PTC for that month, will be assessed the applicable 4980H(a) penalty.

More Information

For more information, please visit the IRS website, or see the December 2023 edition of The Baldwin Bulletin for additional and more comprehensive expert commentary regarding these significant ACA-imposed information reporting obligations.


Medical Expenses Related to Nutrition, Wellness and General Health.

A recent bulletin from the IRS reminded taxpayers that certain personal health and wellness expenses may not be reimbursed via a health flexible spending account (FSA), a health savings account (HSA), a health reimbursement arrangement (HRA), or an Archer medical savings account (MSA). Expenses related to certain therapies, including nutritional counseling and other weight-management programs, may be reimbursed from a qualifying account-based plan only under limited, regulatorily prescribed circumstances.

Employer Action Items

Employers should review the reimbursement requirements and applicable plan procedures maintained and administered for the account-based plans they sponsor (or otherwise make available for enrollment). As a best practice, employers sponsoring these account-based plans should consider developing participant-directed communications reminding enrollees that plan-level reimbursements may not be made for individual expenditures that are merely beneficial to the general, overall health of the enrollee.

To be sure, each expenditure contemplated for reimbursement under a qualifying account-based plan must adhere to the stringent eligibility and reimbursement guidelines administered by the Internal Revenue Service (in particular, the standards outlined in IRC Section 213(d)). Employers that are unsure about the reimbursement eligibility of any participant expenditure (or any class of expenditures) are reminded to consult with legal counsel and/or tax advisory professionals to confirm whether, and to what extent, such expenditure(s) are eligible for reimbursement via the underlying account-based plan.

Plan Sponsors and their enrollees are advised to carefully and routinely evaluate (and where appropriate, to audit) the reimbursement-related practices of the plan’s third-party administrators, insurers, vendors, and other professional service providers, so as to assure substantive compliance with the medical reimbursement guidelines, as enforced by the IRS.


In summary, certain generalized healthcare expenditures, particularly many arising in the wellness context (for example, nutrition-related counseling and certain diet-related participant education), may not qualify for reimbursement under the terms of a qualifying account-based plan. To that end, employers are cautioned to evaluate the underlying purpose and effect of healthcare related expenditures that are submitted for reimbursement by the plan’s participants. In particular, plan sponsors should carefully evaluate the propriety of plan-level reimbursement requests, always keeping the following guidance in mind:

  • The cost of nutritional counseling or a weight-loss program is a qualified medical expense only if it treats a specific disease diagnosed by a physician (such as obesity or diabetes);
  • The cost of nutritional supplements is a qualified medical expense only if the supplements are recommended by a medical practitioner as treatment for a specific medical condition diagnosed by a physician;
  • The cost of weight-loss food or beverages is a qualified medical expense only if the food or beverage does not satisfy normal nutritional needs, the food or beverage alleviates or treats an illness, and the need for the food or beverage is substantiated by a physician. The medical expense is limited to the amount by which the cost of the food or beverage exceeds that of a product that satisfies normal nutritional needs;
  • The cost of exercise for the improvement of general health, such as swimming or dance lessons, is never a qualified medical expense (even if recommended by a doctor); and,
  • The cost of a gym membership is a qualified medical expense only if the membership was purchased for the sole purpose of affecting a structure or function of the body (such as a prescribed plan for physical therapy to treat an injury) or for the sole purpose of treating a specific disease diagnosed by a physician (such as obesity, hypertension or heart disease).

More Information

The IRS has authored additional agency guidance in the form of frequently asked questions related to certain healthcare reimbursements submitted under qualifying account-based plans (see here).


Change Healthcare Cybersecurity Attack.

UnitedHealth Group’s Change Healthcare Announces Unprecedented Cyberattack on Financial and Payment Operating Systems.

Employer Action Items

Employer action items include the following:

  • Fully insured Group Health Plan Sponsors. Employers sponsoring fully insured group health plans are largely excused from HIPAA’s substantive administrative requirements and, thus, have limited regulatory obligations in the breach context, because the issuers of these insurance products maintain direct control over the PHI and e-PHI of these plans. Accordingly, fully insured plan sponsors are not directly responsible for HIPAA compliance and breach resolution activities, other than assisting their insurance issuers with any investigatory or notification processes required incident to a breach event;
  • Self-funded and Level Funded Group Health Plan Sponsors. Conversely, employers sponsoring self-funded (or level funded) group health plans maintain direct control over the PHI/e-PHI arising from the operation of their lines of coverage (these plans are “covered entities” in the HIPAA context). Accordingly, covered entities must perform extensive breach-related regulatory responsibilities under HIPAA, which involve the investigation and resolution of breach events, mitigation of harms arising in connection with breach events, and the preparation and dissemination of notifications informing participants and beneficiaries of such breach events. Further, covered entities must electronically submit breach notification reports to the Secretary of HHS without unreasonable delay and in no case later than 60 days following discovery of a breach affecting 500 or more individuals, or on an annual basis (within 60 days after the end of the calendar year in which the breach was discovered) for breaches affecting fewer than 500 individuals.


On February 21, 2024, Change Healthcare, a division of UnitedHealth Group, was the victim of a large-scale ransomware attack perpetrated by foreign cybercriminals. The unprecedented cyberattack shut down the largest healthcare payment system in the United States, causing widespread network disruption and implicating the confidentiality, availability, and integrity of a wide range of electronic protected health information (“e-PHI”) arising in the context of the financial and other business operations of Change Healthcare.

In this context, depending upon the underlying funding status of an employer-sponsored group health plan, affected employer plan sponsors have varying legal and regulatory obligations arising in connection with a breach of e-PHI, as detailed in the Health Insurance Portability and Accountability Act (“HIPAA”). Namely, HIPAA-related breach duties involve the timely investigation and resolution of breach events, mitigation of any resulting harms, and breach notification directed to affected participants and beneficiaries, as well as to the Secretary of the US Health and Human Services Department (“HHS”) (the “Secretary”). Note that where the attacked entity is a vendor acting as a business associate of the plan, HIPAA requires the business associate to notify the affected covered entity of a breach of unsecured PHI without unreasonable delay and in no case later than 60 days after discovery; the covered entity then carries the obligation to notify affected individuals, the media (where applicable), and the Secretary.

UnitedHealth Group reports that it has made substantial progress mitigating the impact to consumers and care providers arising from the unprecedented cyberattack on the Change Healthcare claims and payment infrastructure. Its ongoing focus is ensuring access to care and medications by addressing challenges to the pharmacy, medical claims and payment systems targeted by the attack. Further, the company reports there is no indication that any UnitedHealth Group technology systems other than Change Healthcare have been affected by the attack. To address the needs of customers, the company announced several actions, as detailed in the following sections.

Timeline to Restore Change Healthcare Systems

Change Healthcare, through its parent UnitedHealth Group, has worked aggressively to restore its technology-based systems and services. At the current rate of progress, the company expects key system functionality to be restored and available according to the following timelines:

  • UnitedHealth Pharmacy Services. Electronic prescribing, together with claim submission and payment transmissions, was fully functional as of the announcement. The company further reports it has taken actions to assure patients can access their medicines, including having its Optum Rx pharmacies send members their medications based on the date required;
  • UnitedHealth Payments Platform. The company reported that beginning March 15, 2024, electronic payment functionality was restored, and its systems are now available for connection;
  • UnitedHealth Medical Claims. The company reported that during the week of March 18, 2024, it began testing and reestablishing connectivity with its claims network and operations software; and,
  • The iEDI Claim Submission System Workaround. While the company works to restore its technology-based systems, they recommend that providers and payer clients utilize available and established workarounds to maintain their functionality, including utilization of their new iEDI claim submission system, which was apparently unaffected by the attack.

Continued Funding Support for Community-Based Providers

On March 1, Optum launched a Temporary Funding Assistance Program to help bridge the gap in short-term cash flow needs for providers who received payments from payers that were processed by Change Healthcare. UnitedHealthcare will provide further funding solutions for its provider partners. This applies to medical, dental and vision providers and will involve advancing funds each week representing the difference between their historical payment levels and the payment levels post attack. Advances will not need to be repaid until claim flows have fully resumed.

In addition to UnitedHealthcare’s provider funding relief, Optum is also expanding its funding program to include providers who both have exhausted all available connection options and work with a payer that opted not to advance funds to providers during the period when Change Healthcare systems were down. This expansion is a funding mechanism of last resort, especially for small and regional providers, and will be evaluated on a case-by-case basis. An Optum Pay account is required to complete registration and to receive and repay funds.

For those who receive funding support, there are no fees, interest, or other associated costs with the assistance. For repayment, providers will receive an invoice once standard payment operations resume and will have 30 days to return the funds. These terms now apply to both the original and expanded funding programs.

Additional Consumer Actions:

The company is taking several actions designed to reduce consumer impacts associated with the cyberattack, which include:

  • For Medicare Advantage plans, including Dual Special Needs Plans, the company is temporarily suspending prior authorizations for most outpatient services, excepting those for Durable Medical Equipment, cosmetic procedures and Part B step therapies;
  • The company is temporarily suspending utilization review for MA inpatient admissions; and,
  • For Medicare Part D pharmacy benefits, the company is temporarily suspending drug formulary exception review processes.

These actions will remain in place until March 31, as the company works with state Medicaid agencies on any interrelated actions they wish to implement.

Prescription Support

As of March 15, 2024, the company reported that all major pharmacy claims and payment systems were restored and fully functional. The company continues to assure patients that they have continuing access to their required medications, including Optum Rx pharmacies sending members their medications based on the date needed.

Additionally, Optum Rx, the company’s pharmacy benefit manager (“PBM”), notified its network pharmacy partners and pharmacy associations that it would reimburse all appropriate pharmacy claims filled with the good-faith understanding that medications would be covered. The company is now focused on its remaining areas of pharmacy disruption, including specialty coupon programs and certain claims for infusion providers.

More Information:

Citing the unprecedented magnitude of the cyberattack and the best interest of patients and health care providers, on March 13, HHS’ Office for Civil Rights (“OCR”) initiated an investigation of the cyberattack at UnitedHealth Group’s Change Healthcare to determine whether there was, in fact, a breach of protected health information and whether the company complied with U.S. health privacy laws and regulations, primarily HIPAA, in performing its investigation and breach response obligations. At this time, UnitedHealth is cooperating with the investigation; however, the company has not yet disclosed any specific details regarding the participant information and other patient data that may have been exposed in the cyberattack.

UnitedHealth has blamed the hack on the “Blackcat” gang, a notorious ransomware group that has a history of disruptive attacks. In a message posted to, and then quickly deleted from their darknet site, the hackers said on February 21 that they stole millions of sensitive records, including medical insurance and health data, from the company.

Change Healthcare processes about 50% of medical claims in the U.S. for around 900,000 physicians, 33,000 pharmacies, 5,500 hospitals and 600 laboratories.


Health Insurance Carrier Data Breaches.

While any commercial enterprise may be a potential target for a cybercriminal, insurance carriers and other professional service providers operating in the employee benefits space may be particularly susceptible or otherwise vulnerable to cybercrime, given both the range of plan-level PHI they receive, maintain, and transmit, and the sheer volume of PHI-implicating transactions in which they engage on a daily basis.

Remember that the unauthorized viewing and/or exfiltration (that is, the removal of unsecured PHI to a location controlled by a cybercriminal, rather than by the covered entity or its agent) may give rise to a reportable HIPAA breach event, thus triggering various investigatory duties, harm mitigation responsibilities, breach notification obligations, and other interrelated defensive operations by the sponsoring employer. Two caveats matter here. First, the breach notification rules apply to unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons in accordance with HHS guidance (for example, PHI encrypted consistent with that guidance where the decryption key was not also compromised). Second, an unauthorized acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, that there is a low probability the PHI has been compromised. Employers are encouraged to routinely review and administer their administrative simplification responsibilities, as detailed under HIPAA. To that end, please see the following link for a summary checklist detailing many of the HIPAA administrative simplification requirements for HIPAA covered entities.

Employer Action Items

As a group health plan sponsor, an employer’s responsive obligations arising in the context of certain cybercrime events depends largely upon the underlying funding status of the employer’s core employee benefit plans (e.g., health, vision, and dental plans):

  • For fully insured arrangements, the sponsoring employer will generally defer to the plan’s insurance issuers or carriers for performance of any HIPAA-mandated obligations, including any breach-related duties;
  • Conversely, self-funded and level-funded plan sponsors must assure their own satisfaction of HIPAA’s privacy and security requirements due to their status as plan sponsors of group health plans maintained under these funding methodologies (in this context, the core benefit plans sponsored by these employers are referred to as “HIPAA covered entities”).


Employer plan sponsors that are HIPAA covered entities may also need to comply with additional interrelated responsibilities arising outside the context of HIPAA (for example, certain obligations memorialized in the organization’s handbooks, its organizational policies and procedures, and its standard operating procedures). Additional privacy and security related obligations for the employer may be detailed in various state-level statutory mandates or even within certain international laws or other global-scope regulations. Finally, note that a diligent review of the employer’s administrative and vendor-related service agreements may give rise to additional employer responsibilities arising in this arena.

The HIPAA breach notification requirements must be individually evaluated and comprehensively performed by HIPAA covered entities, often with assistance from the employer’s contracted business associates, whenever a breach event results in the viewing and/or acquisition of unsecured protected health information (PHI). Thus, responsibility for issuing the required classes of breach notification (including disclosures to affected individuals, the local news media, and the Secretary of the US Health and Human Services Department, as applicable) will depend chiefly upon an analysis of the affected plan’s underlying funding methodology(ies).

Several notifications may be required as a consequence of a data breach. The particulars of notice performance, including the scope of the notice operation and respecting identification of specific parties entitled to such notification, will depend on the scope of the breach and several other factors. Following, please find summaries respecting three distinct types of notice operations:

  1. Individual Notice. A notice of breach must be provided by the covered entity to each affected individual. Generally, this notice must be in written form and delivered via first-class mail (or by email, if the affected individual has agreed to receive such notices electronically). Notification must take place without unreasonable delay and in no instance later than 60 days from the date of discovery of the breach.

If the covered entity has insufficient or out-of-date contact information for 10 or more affected individuals, a substitute notice must be provided, either by posting a conspicuous notice on the home page of the covered entity’s website for at least 90 days or by conspicuous notice in major print or broadcast media serving the area where the affected individuals likely reside. The substitute notice must include a toll-free phone number, active for at least 90 days, that individuals can use to learn whether their information was involved in the breach. If fewer than 10 individuals cannot be reached, substitute notice may be given by an alternative form of written notice, by telephone, or by other means;

  2. Media Notice. A covered entity that experiences a breach affecting more than 500 residents of a state or jurisdiction must notify prominent media outlets that serve that state or jurisdiction. Notification is generally made in the form of a press release to these media outlets, typically including the same information as that contained within the individual notice. The notice to the media must be provided without unreasonable delay, and in no instance later than 60 days after the breach is discovered; and,
  3. Notice to the Secretary. All breaches of unsecured protected health information must be reported to the Secretary of the US Department of Health and Human Services (HHS) via the Department’s web portal. Breaches affecting 500 or more individuals must be reported without unreasonable delay, and in no instance later than 60 days after the breach is discovered; breaches affecting fewer than 500 individuals may be logged and reported in an annual submission made through the same portal no later than 60 days after the end of the calendar year in which the breach was discovered.


Compromised data may include private or personally identifiable information, such as names, addresses, phone numbers, email addresses, birthdates, Social Security numbers, medical records, health history, and bank account and credit card numbers.

When an insurance carrier suffers a data breach, many people are affected, and the stolen information may trigger responsibilities under the Health Insurance Portability and Accountability Act (“HIPAA”). If a carrier or third-party administrator (TPA) that you work with is attacked by cybercriminals, you need to understand your responsibilities, including developing organizational best practices for communicating the required information to employees and explaining the employer-provided tools and resources intended to mitigate harm from the breach.

Be aware of state-level statutes that impose additional notification requirements on entities affected by a cyberattack or other breach. A state law is preempted only to the extent it conflicts with the federal requirements outlined above; otherwise, employers and other entities must comply with both the state requirements and the comprehensive federal requirements, which can mean meeting the more stringent standard the state demands.

Employee Communication

Communication with employees is important, especially when they may be anxious about a data breach that personally affects them. This is the case regardless of any legal requirements that may apply. Below are a few points to consider as you develop best practices for communication following a carrier data breach:

  • Let employees know what’s going on. After a breach occurs, employees may hear about it on the news or from friends and family. Make sure you give them the facts and inform them of how it affects them as soon as you have information from your insurance carrier. Depending on your contracted relationship, you may be responsible for complying with federal or state notification rules, as discussed above.
  • Reassure employees of your security measures. As their employer, you possess a lot of personally identifiable and financial information, so make sure they know that the information you store is properly secured.
  • Warn employees about the potential for scams, especially ones that are already circulating. Following large data breaches, phishing and other criminal attempts to solicit personal information proliferate quickly. Scammers often pose as the affected company and contact individuals under the pretense of helping them, in order to harvest sensitive information.
  • Take this opportunity to remind employees of the importance of protecting personal and company data. Reminders about passwords and other data security measures may be heeded more strongly following a breach of employees’ personal information.

Whether or not you are legally obligated to provide breach notifications to your employees, you still need to have a strategy in place to communicate with them because affected employees will have questions and concerns.

Contact The Baldwin Regulatory Compliance Collaborative for more information on responding to carrier data breaches.

More Information

Further details regarding notification requirements are available at


Question of the Month.

Question: Is it true that the annual fees charged by concierge doctors are an ineligible medical expense for reimbursement from an HSA or FSA?

Answer: That is correct. Such “membership fees” are generally not considered qualified medical expenses, excepting certain rare circumstances (see the last sentence below).

An access fee (a flat amount paid to a provider in addition to, or as a substitute for, the qualified plan’s cost sharing, regardless of how often the provider bills it) generally will not qualify as an eligible expense for reimbursement under an HSA or FSA. Perks purchased with such a flat fee that generally do not qualify include preferential “extras” (e.g., priority when scheduling appointments, 24-hour access to the doctor, less time in the waiting area before appointments, a special waiting room, etc.). Depending on how the underlying program is structured, some services might be reimbursable if they are presented as a component of the plan’s cost sharing, such as member copays. In such instances, part or all of the fee might actually satisfy IRC Section 213(d), thereby qualifying for reimbursement as an eligible individual healthcare expense.

Powered by people and fueled by our vision and purpose.

BRP is an award-winning, entrepreneur-led, and inspired insurance distribution holding company delivering solutions that give our clients the peace of mind to pursue their purpose, passion, and dreams. Our family of firms’ best-in-class resources and diverse portfolio of services are innovating the industry by taking a holistic and tailored approach to insurance and risk management.