A Compliance Newsletter by: The Baldwin Regulatory Compliance Collaborative (BRCC)
Welcome to the August 2023 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.
This month’s issue of the Baldwin Bulletin focuses on providing employers with important 2023 compliance deadlines, as well as certain compliance issues that will potentially have a significant impact on employers over the next several months.
Upcoming 2023 Compliance Deadlines
Employers must comply with numerous reporting and disclosure requirements throughout the year in connection with their group health plans. The attached Compliance Timeline explains key compliance deadlines for employer-sponsored group health plans for the months of August through December 2023. Please note the following upcoming deadlines:
Proposed Regulations Issued Regarding Short-term, Limited-Duration Insurance and Health Insurance Indemnity Plans
On July 7, 2023, the Departments of Health and Human Services (HHS), Labor, and the Treasury (collectively, the Departments) released a notice of proposed rulemaking (NPRM), that addresses several issues, including proposals to:
- Modify the definition of short-term, limited-duration insurance (STLDI).
- Modify the conditions for hospital indemnity or other fixed indemnity insurance to be considered an excepted benefit.
- Clarify the tax treatment of certain benefit payments in fixed amounts received under employer-provided accident and health plans.
In addition, the Departments are soliciting comments regarding specified disease excepted benefits coverage (e.g., cancer insurance) and level-funded plan arrangements.
Employer Action Items
The regulations set forth in the NPRM are only proposed, and thus, no action by employers is required at this time. However, employers with STLDI and fixed indemnity plans should familiarize themselves with the proposed changes and be prepared to work with their carrier /administrator to ensure the appropriate compliance with the final rules once effective. Employers who sponsor level-funded plans and offer specified disease coverages should also expect to see potential guidance in the forthcoming months.
Summary of the NPRM
STLDI plans are often referred to as “gap” coverage plans. They are intended to bridge short-term gaps in comprehensive coverage and are mostly marketed through associations and group trusts. The proposed amendments would limit the STLDI length of the initial contract period to no more than 3 months (with a maximum coverage period of 4 months, including renewals and extensions). Currently, the maximum coverage length is 12 months, with a maximum duration of 36 months, including renewals and extensions. The regulations also propose to limit carriers from issuing multiple STLDI policies to the same policy holder within a 12-month period, in order to close a loophole in current requirements that have had the effect of avoiding the duration limits.
Furthermore, the proposed regulations would amend hospital indemnity or other fixed indemnity insurance requirements for qualifying as an excepted benefit. As with STLDI plans, the objective of amending the current rules is to help consumers distinguish these plans from comprehensive medical coverage. Proposed modifications include having additional payment standards for such indemnity plans to be considered an excepted benefit, including a requirement to pay benefits without regard to services or items received or incurred, the severity of the illness/injury, or characteristics particular to the course of treatment. Fixed indemnity coverage will also be required to be offered as independent, stand-alone coverage. An example in the proposed regulations would clarify that impermissible coordination with comprehensive coverage plans occurs when fixed indemnity insurance is offered as a coverage option that is coordinated with an exclusion of benefits under the same employer’s group health plan.
In addition, the Departments are seeking comments to assist them in better understanding excepted benefits coverages for specified disease or illness, and the prevalence of level-funded plans, such plans’ designs, and whether additional guidance or rulemaking is needed to clarify a plan sponsor’s obligation with respect to coverage provided through a level-funded plan arrangement. Level-funded plans are often regulated as self-funded plans, but they tend to mirror many features of fully insured plans.
Lastly, the Department of Treasury and the IRS are proposing amendments to address the taxability of fixed indemnity and other similar health insurance plans if the amounts are paid without regard to the actual amount of any incurred medical expenses. Substantiation requirements will also need to be met with respect to plan reimbursements.
Departments Issue Frequently Asked Questions on Implementing ACA’s Cost-Sharing Limit and No Surprises Act
On July 7, 2023, the Departments of Health and Human Services, Labor, and the Treasury (collectively, the Departments) issued frequently asked questions (FAQs) on the implementation of the Affordable Care Act’s (ACA) overall cost-sharing limit and the No Surprises Act’s (NSA) protections against surprise medical billing.
Employer Action Items
Employers should confirm, in writing, that their health insurance issuers and/or third-party administrators are properly applying the costs associated with out-of-network emergency services against the plan’s maximum out-of-pocket (OOP) limit.
Effective for plan years beginning on or after January 1, 2022, the NSA provides federal protections against balance billing and limits out-of-network cost sharing for emergency services, non-emergency services furnished by nonparticipating providers with respect to a visit to a participating health care facility, and air ambulance services furnished by nonparticipating providers of air ambulance services.
In addition, to comply with the ACA, non-grandfathered health plans must ensure that an enrollee’s annual cost sharing for essential health benefits does not exceed the maximum OOP limit. For plan years beginning in 2023, the maximum OOP limit is $9,100 for self-only coverage and $18,200 for family coverage. For plan years beginning in 2024, this limit increases to $9,450 for self-only coverage and $18,900 for family coverage. If a health plan uses a network of providers, it is not required to count an individual’s OOP spending for out-of-network items and services toward the maximum OOP limit.
The FAQs provide the following guidance on the NSA’s protections and the ACA’s maximum OOP limit:
- Cost sharing for services furnished by a provider, facility or provider of air ambulance services that are considered nonparticipating for purposes of the NSA’s protections is considered cost sharing for benefits provided outside of a plan’s network for purposes of the maximum OOP limit; and
- A plan or issuer with a contractual relationship (directly or indirectly) with a provider, facility or provider of air ambulance services that sets forth the terms and conditions on which a relevant item or service is provided under the plan or coverage, is considered participating for purposes of the NSA, and is also considered in-network for purposes of the ACA’s maximum OOP limit.
In addition, the Transparency in Coverage (TiC) final rule requires health plans and issuers to make price comparison information available to participants, beneficiaries, and enrollees through an internet-based self-service tool and in paper form upon request. This information must be available for plan years beginning on or after January 1, 2023, with respect to certain 500 shoppable items and services as well as all covered items and services, for plan years beginning on or after January 1, 2024. The FAQs clarify that this price comparison information must include facility fees that are increasingly being charged for health care received outside of hospital settings.
Employee Benefits Lawsuits on the Rise
There has been an uptick in the number of lawsuits by employers against insurers and other third-party administrators (TPAs) that administer their health and welfare benefit plans. It is now believed that employees may follow suit and bring causes of action against their employer-sponsored health plan, ushering in a new wave of ERISA litigation.
Most recently, on June 30, 2023, Kraft Heinz Company (Kraft Heinz) sued Aetna Life Insurance Company (Aetna), the former administrator of its self-insured employee benefit plan, alleging breach of fiduciary duty in the administration of the plan. The lawsuit alleges that Aetna leveraged its role as a TPA to enrich itself to Kraft Heinz’s detriment and engaged in prohibited transactions. This included (a) taking more than $1 billion from Kraft Heinz to pay providers for medical services provided to plan participants over the past 10 years; (b) paying millions of dollars in provider claims that never should have been paid; (c) wrongfully retaining millions of dollars in undisclosed fees, and (d) engaging in claims processing related misconduct to the detriment of Kraft Heinz.
Draft 2023 ACA Reporting Forms Released
The IRS has released draft 2023 forms for reporting under Internal Revenue Code (Code) Sections 6055 and 6056. (Note: draft instructions for these forms have not yet been released).
- 2023 draft Forms 1094-B and 1095-B are draft versions of forms that will be used by providers of minimum essential coverage (e.g., insurers), including self-insured plan sponsors that are not applicable large employers (ALEs), to report under Code Section 6055. In addition, these forms are used to satisfy reporting and furnishing requirements in some states.
- 2023 draft Forms 1094-C and 1095-C are draft versions of forms that ALEs will use to report under Code Section 6056 as well as for combined Code Sections 6055 and 6056 reporting by ALEs who sponsor self-insured plans.
No major substantive changes were made to the draft forms for 2023 reporting. However, the IRS still may make certain changes once these forms are finalized or when draft or final instructions are released. In addition, note that the deadline for furnishing statements to individuals has been permanently extended, and beginning next year, most employers must now file electronically.
Employer Action Items
Employers should become familiar with these forms for 2023 calendar year reporting, keeping in mind that these are draft versions only and should not be filed with the IRS or relied upon for filing. Employers should also monitor future developments for the release of the 2023 draft instructions and begin to explore options for filing Affordable Care Act (ACA)’s reporting returns electronically (e.g., they may be able to work with a third-party vendor to complete the electronic filing). The following are important deadlines for 2023 reporting:
- Individual statements for 2023 must be furnished by March 2, 2024. However, since this is a Saturday, individual statements must be furnished by the next business day, which is March 4, 2024.
- Paper IRS returns for 2023 must be filed by February 28, 2024; however, this will not be an option for most employers, who must now file electronically.
- Electronic IRS returns for 2023 must be filed by March 31, 2024. However, since this is a Sunday, electronic returns must be filed by the next business day, which is April 1, 2024.
Reporting entities that may be in a position to perform their own electronic reporting can review the IRS’ ACA Information Returns (AIR) Program webpage.
Code Section 6055
Code Section 6055 requires all persons who provide minimum essential coverage to an individual to report certain information to the IRS that identifies covered individuals and the period of coverage, and to furnish a statement to the covered individuals with the same information. These information returns and written statements were needed to administer the individual shared responsibility provisions under Code Section 5000A until the individual shared responsibility payment amount was reduced to zero for months beginning after December 31, 2018. However, the reporting and furnishing requirements have remained in place.
Code Section 6056
Code Section 6056 requires an ALE, and any member of an aggregated group that is determined to be an ALE, to report to the IRS and furnish statements to their full-time employees containing certain information regarding the health insurance coverage offered to them, if any. The information is used by the IRS to assist it in administering the employer shared responsibility provisions of Code Section 4980H, and by certain full-time employees to help determine their eligibility for a premium tax credit under Code Section 36B.
Furnishing Deadline Extension
A final rule issued in late 2022 extended the annual furnishing deadlines under both Code Sections 6055 and 6056 for an additional 30 days (note: the due date for filing forms with the IRS remains unchanged).
In addition, the rule confirmed the availability of an alternate method for furnishing statements to individuals under Code Section 6055 for every year in which the individual mandate penalty is zero.
Most Employers Must Now File Electronically
Under the original reporting rules, any reporting entity required to file at least 250 individual statements under Code Sections 6055 or 6056 was required to file electronically. However, on February 23, 2023, the IRS released a final rule that lowers the 250-return threshold for mandatory electronic reporting to 10 returns. This means most reporting entities will be required to complete their ACA reporting electronically starting in 2024.
Mental Health Parity Proposed Regulations Issued
On July 25, 2023, the Departments of Labor, Health and Human Services, and the Treasury (Departments) issued a proposed rule to strengthen the requirements of the Mental Health Parity and Addiction Equity Act (MHPAEA).
Employer Action Items
Mental health parity compliance is high on the radar of both state and federal regulators, as the Biden Administration has indicated a commitment to address the country’s mental health challenges. If finalized, the proposed rule would establish new requirements for group health plans and health insurance issuers to collect and evaluate relevant data to assess the impact of a nonquantitative treatment limitation (NQTL) on access to mental health and substance use disorder (MH/SUD) benefits and medical/surgical benefits. Health plans and issuers would be required to consider this impact as part of their analysis of whether the NQTL, in operation, complies with federal parity requirements.
MHPAEA requires parity between a group health plan’s medical/surgical benefits and MH/SUD benefits. The parity requirements apply to (a) financial requirements, such as deductibles, copayments, and coinsurance; (b) quantitative treatment limitations, such as day or visit limits; and (c) NQTLs, which generally limit the scope or duration of benefits, such as prior authorization requirements, step therapy requirements and standards for provider admission to participate in a network. The parity requirements apply to group health plans sponsored by employers with more than 50 employees, as well as insured health plans in the small group market.
The Consolidated Appropriations Act, 2021 amended MHPAEA to require health plans and health insurance issuers to conduct comparative analyses of the NQTLs used for medical/surgical benefits compared to MH/SUD benefits. These analyses must contain a detailed, written, and reasoned explanation of the specific plan terms and practices at issue and include the basis for the plan’s or issuer’s conclusion that the NQTLs comply with MHPAEA.
The proposed rule would amend existing MHPAEA protections and establish new requirements for health plans and issuers. According to the Departments, these proposed changes would result in more robust MH/SUD provider networks and fewer and less restrictive prior authorization requirements for individuals seeking MH/SUD treatment. Specifically, the proposed rule would generally prohibit health plans and issuers from imposing NQTLs on MH/SUD benefits unless:
- The NQTL is no more restrictive as applied to MH/SUD benefits in a classification (as written or in operation) than the predominant NQTL that applies to medical/surgical benefits in the same classification.
- The plan or issuer satisfies certain requirements related to the design and application of the NQTL.
- The plan or issuer collects, evaluates, and considers the impact of relevant data on access to MH/SUD benefits relative to access to medical/surgical benefits and takes reasonable action as necessary to address any material differences in access shown in the data to ensure compliance with MHPAEA.
The proposed rule would also impose a special rule for NQTLs related to network composition. It would amend existing examples and add new examples on the application of the rules for NQTLs to clarify and illustrate the protections of MHPAEA.
In addition, the proposed rule would establish minimum standards for developing NQTL comparative analyses to assess whether an NQTL, as written and in operation, complies with MHPAEA’s requirements. The proposed rule would also specify the content elements of comparative analyses and the time frame for plans and issuers to respond to a request from the Departments to submit their comparative analyses.
In addition to the proposed rule, available here, the Departments also released the following:
- A technical release that requests public feedback on proposed data requirements for limitations related to the composition of a health plan’s or issuer’s network, available here.
- The second MHPAEA comparative analysis report to Congress, as required by federal law, available here.
- A fact sheet on MHPAEA enforcement results for cases closed in fiscal year 2022, available here.
OCR Addresses HIPAA and Cybersecurity Authentication; Warns of Privacy and Security Risks of Using Online Tracking Technologies
In its June 2023 Cybersecurity Newsletter, the Department of Health and Human Services’ Office of Civil Rights (OCR) addressed authentication processes in light of recent cybersecurity attacks targeting electronic protected health information (ePHI).
In addition, on July 20, 2023, together with the Federal Trade Commission (FTC), the OCR issued a letter sent to certain hospitals and telehealth providers to draw attention to potential privacy and security risks related to the use of online tracking technologies that may be present on company websites or mobile applications. Following on the heels of proposed amendments issued to strengthen the FTC’s Breach Notification Rule (see article in the July issue of the Baldwin Bulletin here), this letter also emphasizes the role that the FTC plays in ensuring privacy protection for consumers’ personal health data.
Employer Action Items
As a best practice, HIPAA covered entities and business associates (HIPAA regulated entities) that receive, use, create and store ePHI and other sensitive information should consider implementing multi-factor authentication solutions, including phishing-resistant multi-factor authentication, where appropriate to improve the security of ePHI as well as other sensitive data, and to best protect their information systems from cyber-attacks.
Furthermore, even if a company is not a HIPAA regulated entity, it still has obligations to protect against impermissible disclosures of personal health information under the FTC and the FTC’s Health Breach Notification Rule (HBNR). Thus, all entities that collect health information about consumers online should review the latest joint letter from the OCR and FTC. Considering the recent enforcement trends and the growing number of states enacting consumer privacy legislation, the law firm of Mintz Levin has recommended the following next steps to consider:
- Review the use of tracking technologies.
- Perform data mapping to understand the data collected from consumers, including what identifiable information can be inferred by the data collected using tracking technologies.
- Determine whether HIPAA, the HBNR, or similar state laws apply to your organization, and if necessary, update privacy, security, and incident/breach response policies and procedures.
- Ensure public facing statements regarding data privacy and security practices are accurate.
- Review agreements with third parties to ensure data sharing provisions align with applicable law, information privacy and security policies and procedures, and public representations.
- Consider whether prior use and disclosure of health information resulted in a reportable breach under HIPAA, the HBNR, or applicable state laws.
HIPAA and Cybersecurity Authentication
The June 2023 issue of OCR’s Cybersecurity Newsletter stresses the importance of having strong authentication processes to lessen and prevent cyberattacks that may result in unauthorized access to ePHI.
As a bit of background, the HIPAA Security Rule requires HIPAA regulated entities to implement authentication procedures “to verify that a person or entity seeking access to [ePHI] is the one claimed.” According to OCR, non-compliance with the Security Rule’s authentication standard continues to leave HIPAA regulated entities vulnerable to successful cyber-attacks and breaches of ePHI.
Use of Online Tracking Technologies
The joint letter by the OCR and FTC addresses findings in recent research, news reports, FTC enforcement actions (e.g., Easy Healthcare Corp., BetterHelp, Inc., GoodRx Holdings, Inc., and Flo Health Inc.), as well as in a December 2022 OCR Bulletin. The letter highlights risks and concerns about the use of technologies, such as the Meta/Facebook pixel and Google Analytics, that can track a user’s online activities, resulting in impermissible disclosures of an individual’s personal health information, and potential harm to such individual, including identity theft, financial loss, and serious negative consequences to the individual’s reputation, health, or physical safety. The letter stresses the importance of monitoring data flows of health information to third parties through tracking technologies.
The June 2023 OCR Cybersecurity Newsletter is available here, which also contains links to additional helpful resources. An overview of the HIPAA Security Rule for regulated entities is available here. The OCR/FTC memorandum regarding the use of online tracking technologies is available here. A related article from the law firm of Mintz Levin is available here.
Question of the Month
Question: What federal laws must be considered when setting up a wellness program for your employees?
Answer: There are many overlapping laws and continually changing rules that govern the various types of wellness programs. In addition, wellness programs may offer a wide range of rewards, from T-shirts or gift cards to significant discounts on group health plan premiums.
The following is a high-level overview of some of the federal laws that employers with ERISA group health plans should consider before adding a wellness program:
- HIPAA. HIPAA’s health status nondiscrimination rules generally prohibit group health plans from varying contributions or benefits based on individual health factors. However, wellness programs may vary benefits (including cost-sharing features) and the amount of premiums or contributions if they comply with HIPAA’s nondiscrimination requirements for wellness programs or the benign discrimination exception. Most wellness programs must also comply with HIPAA’s privacy and security requirements. Among other things, this triggers the need for business associate agreements with vendors.
- Internal Revenue Code. Tax issues can arise when employers provide rewards to employees for participating in wellness or disease-management programs or for meeting certain program goals. Cafeteria plan election change issues can also arise when employees qualify for wellness incentives during the cafeteria plan year.
- COBRA. A wellness program that provides health benefits as part of the group health plan is subject to COBRA. However, COBRA does not apply to an employer-sponsored wellness program that provides only general health information (e.g., informational brochures about flu prevention or lunchtime seminars about weight management).
- ERISA. Wellness programs that are offered as part of a group health plan or provide medical benefits are subject to ERISA’s reporting and disclosure requirements (e.g., there must be a plan document). Also, because most employers that offer wellness programs to their employees are not experts in wellness program design and administration, they require assistance from service providers. Service providers must be selected in accordance with ERISA’s fiduciary rules (e.g., duties of prudence and loyalty).
- GINA. GINA’s requirements must be met if a wellness program requests or requires genetic information from an employee, spouse, or dependent. If the spouse’s past or current health status is requested related to the manifestation of disease or disorder, specific GINA requirements apply.
- ADA. A wellness program that requires disabled individuals to participate to attain benefits equal to those offered to nondisabled individuals might be found to violate the ADA. Also, employee inquiries or medical examinations that are part of a health risk assessment or medical history are considered “disability-related inquiries or medical examinations” that trigger the need for ADA compliance.
A more-detailed compliance overview by Zywave of the legal issues regarding the design of wellness plans can be viewed here.
Note that the GINA and ADA wellness provisions are in flux, and plan sponsors would welcome additional guidance from the U.S. Equal Employment Opportunity Commission (EEOC). In response to court action, the EEOC announced proposed regulations in early 2021 that would significantly change the incentives permitted under the two statutes. However, the proposals were withdrawn pursuant to a regulatory freeze at the beginning of the Biden administration.
The above summary is not an exhaustive description of all wellness program requirements. Also, some of the laws have exceptions (e.g., for certain small employers), which vary by statute. Other issues to consider include how wellness programs interact with state law or other plan designs (e.g., HRAs and HSAs). Each wellness program design requires an individual analysis of applicable law. Employers should rely on the expertise of counsel to navigate this complex and evolving area of the law.
Source: Thompson Reuters