Welcome to the February-March 2024 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.
This month’s issue of the Baldwin Bulletin focuses on providing you with important upcoming compliance deadlines as well as information regarding certain hot-button compliance issues significantly impacting employers.
Upcoming Compliance Deadlines
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans. In particular, please note the following upcoming deadlines. We have also included links to register for our next HIPAA training and educational webinar and attached our compliance calendar for the remainder of 2024.
To view the Employee Benefits Related Timeline of Pending Deadlines, click here, and to view our compliance calendar for the remainder of 2024 click here.
Our forthcoming topic in our BRCC Educational Webinar Series, “HIPAA 105: HIPAA Nondiscrimination for Employer Sponsored Wellness and Wellbeing Programs” is March 27, 2024. Please register here to attend.
Also, please don’t forget to register for our next HIPAA training on April 2, 2024, “HIPAA 103/104: An Introduction to the Breach Notification and Enforcement Rule” here.
2024 Federal Poverty Level Guidelines Announced
The Department of Health and Human Services (HHS) has released the U.S. Federal poverty guidelines for 2024 for the 48 contiguous states and the District of Columbia. The poverty guideline has increased to $15,060 for a family of one (from $14,580 in 2023). Many employers use this guideline to set the premium costs for the lowest cost health plan that is offered to employees to satisfy the Federal Poverty Line (FPL) Safe Harbor under the Affordable Care Act (ACA)’s employer shared responsibility provisions.
Employer Action Items
Applicable Large Employers (ALEs) who seek to satisfy the FPL Safe Harbor to support that they offered affordable coverage to their eligible employees should take note, as they may use this guideline to set the maximum employee contribution amount for the lowest cost self-only health plan that can be offered to their full-time employees for 2024 non-calendar year plans going forward.
Summary
As a brief review, under the FPL Safe Harbor, an ALE’s offer of coverage to an employee is treated as affordable if the employee’s required contribution for the calendar month for the lowest cost self-only coverage that provides minimum value does not exceed 9.5% (as adjusted for inflation) of a monthly amount determined as the Federal poverty level for a single individual for the applicable calendar year, divided by 12. This safe harbor is intended to provide ALEs with a predetermined maximum amount of employee contribution that in all cases will result in the coverage being deemed affordable, regardless of an employee’s change in hours worked or pay.
For 2024, if the lowest cost employee-only contribution amount does not exceed 8.39% (the affordability percentage for plan years beginning in 2024) of the Federal poverty income guideline for a single person, the plan is deemed affordable and no penalty will be charged. The Federal poverty guidelines for 2024 were released by HHS mid-January. While the release date may have been too late to rely on for plans with calendar year plan years or even February plan years, plans may, but are not required, to use the Federal guideline amount in effect within 6 months before the start of the plan year. For example, this means that a calendar year plan starting on January 1, 2024, can have a FPL safe harbor limit of $101.94 (calculated by multiplying $14,580 by 8.39% and dividing by 12), and a non-calendar year plan beginning March 2024 or later can have a FPL safe harbor limit of $105.29 (calculated by multiplying $15,060 by 8.39% and dividing by 12).
More Information
For more information on the 2024 Federal Poverty Guidelines, see here.
IRS Reduces ACA Penalties for 2025
On February 12, 2024, the IRS released Revenue Procedure 2024-14, which updated penalty amounts for 2025 related to the employer shared responsibility (play or pay) rules under the Affordable Care Act (ACA). For calendar year 2025, the adjusted $2,000 penalty amount is $2,900, and the adjusted $3,000 penalty amount is $4,350. This is a decrease from the penalty amounts for the 2024 calendar year, which are $2,970, and $4,460, respectively.
Employer Action Items
To the extent an employee applies for and is awarded a premium subsidy from either national or state-run insurance Marketplaces, an Applicable Large Employer (ALE) may be assessed a penalty should it not offer its employees affordable coverage with minimum value to at least 95% of its full-time employees (as those terms are defined in the ACA). ALEs should therefore review their benefit packages and contribution strategies for the coming year to minimize the potential for a penalty assessment.
Summary
Under the play or pay rules, an ALE is only liable for a penalty if at least one full-time employee receives a subsidy for coverage obtained through the Marketplace. Employees who are offered affordable, minimum-value (MV) coverage are generally not eligible for these subsidies. Depending on the circumstances, one of two penalties may apply: the penalty under Code Section 4980H(a) (Part A or $2,000 Penalty) or the penalty under Code Section 4980H(b) (Part B $3,000 Penalty).
- Part A Penalty: Under Code Section 4980H(a), an ALE will be subject to a penalty if it does not offer minimum essential coverage to “substantially all” (generally, at least 95%) of its full-time employees (and dependents) and any one of its full-time employees receives a subsidy toward a health plan purchased in the Marketplace. The monthly penalty assessed is equal to the ALE’s number of full-time employees (minus 30) multiplied by 1/12 of $2,000 (as adjusted) for any applicable month.
- Part B Penalty: Under Code Section 4980H(b), ALEs that offer minimum essential coverage to substantially all full-time employees (and dependents) may still be subject to a penalty if at least one full-time employee obtains a subsidy through the Marketplace because the ALE did not offer coverage that is affordable or did not provide minimum value. The monthly penalty assessed on an ALE for each full-time employee who receives a subsidy is 1/12 of $3,000 (as adjusted) for any applicable month. However, the total penalty for an ALE is limited to the 4980H(a) penalty amount.
More Information
The IRS provides a variety of resources on the play-or-pay provisions that provide more information on calculating the penalty. Employers can use the following IRS web pages for more details:
Additional web pages are dedicated to other aspects of the play or pay rules.
CMS Releases Revised RxDC Reporting Instructions
The Centers for Medicare and Medicaid Services (CMS) has released revised reporting instructions to be used when completing the prescription drug data collection (RxDC) reporting due June 1, 2024, for the 2023 reference year.
Employer Action Items
The responsibility for the reporting officially lies with the plan sponsor. For fully insured plans, the insurer can be directly responsible for the reporting obligation as long as the plan sponsor and insurer execute a written agreement confirming this shift in responsibility.
Plan sponsors of self-insured and level-funded plans may have a third-party, such as a third-party administrator (TPA) or pharmacy benefit manager (PBM), submit some or all of the data on their behalf. In nearly all instances, this should be the case because the third-party will have access to the Health Insurance Oversight System (HIOS). Otherwise, the plan sponsor must set up its own HIOS account with CMS. Thus, employers sponsoring self-insured health plans should confirm, in writing, that the third-party will be filing on their behalf.
Summary
Section 204 of the Consolidated Appropriations Act, 2021 (CAA) stipulates that insurers and sponsors of self-insured health plans must report certain information about prescription drugs (Rx) and spending for health care premiums and services. The purpose of the report is to assist in identifying the key drivers of Rx and health care spending price increases, understanding the impact of drug rebates on premiums and out-of-pocket costs, and promoting transparency in Rx pricing. Reporting is done through the HIOS (which is through the CMS Enterprise Portal).
The upcoming RxDC report due is for the 2023 reference year. A reference year refers to the calendar year of the data that is in the RxDC report. Thus, a plan with a non-calendar year plan year will contain information for two plan years to the extent it occurred in a year being reported on. For example, the 2023 RxDC report for a plan with a July 1 – June 30 plan year will contain information pertaining to January 1 – June 30 of the 2022 plan year and July 1 – December 31 of the 2023 plan year.
More Information
For more information, including links to the revised instructions, see here.
FAQs Issued on Coverage of Contraceptive Services
The Departments of Labor, Treasury, and Health and Human Services (Departments) recently issued a set of frequently asked questions (FAQs), regarding regulations relating to preventive care services that non-grandfathered group health plans and health insurance issuers are required to cover without cost-sharing under the Affordable Care Act (ACA). The FAQs reiterate the scope of the mandate, express concern about noncompliance, and describe a new optional approach for using reasonable medical management techniques in the coverage of FDA-approved contraceptive drugs and drug-led devices.
Employer Action Items
Given the federal government’s focus on contraceptive coverage, employers should review their health plan’s contraceptive coverage for compliance with the ACA’s mandate. In particular, employers should watch for problematic medical management techniques, such as onerous step therapy protocols, age-related restrictions and burdensome administrative requirements related to the exceptions process. Employers should also note that a new therapeutic equivalence approach may apply to their coverage of contraceptive drugs and drug-led devices.
Summary
The ACA requires non-grandfathered health plans and health insurance issuers to cover certain preventive care services without cost sharing, including coverage for contraceptives as outlined in guidelines supported by the Health Resources and Services Administration (HRSA). Exemptions are available to religious employers and eligible employers who object to providing this coverage based on their sincerely held religious beliefs or moral convictions.
The Departments require that one form of contraception in each of the categories listed in HRSA’s guidelines must be covered without cost sharing, as well as any contraceptive services and FDA-approved, cleared or granted products, that an individual’s health care provider determines to be medically appropriate (including newer contraceptive products, regardless of whether they are included in HRSA’s guidelines).
Health plans and issuers may use reasonable medical management techniques within a specified category of contraception (or within a group of substantially similar services or products for categories not described in HRSA’s guidelines) when HRSA’s guidelines do not specify the frequency, method, treatment, or setting for the provision of a recommended contraceptive service or product. When medical management techniques are used, the plan or issuer must provide an easily accessible, transparent, and sufficiently expedient exceptions process that is not unduly burdensome and allows an individual to access, without cost sharing, the specific contraceptive service or product that is medically necessary, as determined by the individual’s health care provider.
The Departments are aware of reports that health plans and issuers are continuing to impose “widespread barriers” to contraceptive coverage, including unreasonable medical management techniques. To help address these compliance problems, the FAQs describe a new optional therapeutic equivalence approach that health plans and issuers may use to comply with the ACA’s contraceptive coverage mandate. Under this approach, a health plan’s or issuer’s medical management techniques for FDA-approved contraceptive drugs and drug-led devices within a specified category described in HRSA’s guidelines (or a group of substantially similar products not included in a specified category) will be considered reasonable if the plan or issuer:
- Covers all FDA-approved contraceptive drugs and drug-led devices in that category (or group of substantially similar products) without cost sharing, other than those for which there is at least one therapeutic equivalent drug or drug-led device that the plan or issuer covers without cost sharing.
- Provides an exceptions process that allows an individual to access without cost sharing the specific contraceptive drug or drug-led device (that is a therapeutic equivalent to the product that is covered without cost sharing) that is medically necessary for the individual, as determined by their health care provider. A contraceptive drug or device is considered therapeutically equivalent to another drug or device if it is identified as a therapeutic equivalent in the FDA’s Approved Drug Products with Therapeutic Equivalence Evaluations (Orange Book).
The FAQs also include an example of a reasonable medical management technique under the new approach.
More Information
The Departments’ FAQs are available here.
HIPAA Security Rule Guide Updated
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) have published a final version of their guidance to assist HIPAA covered entities and their business associates with improving cybersecurity and compliance with HIPAA’s Security Rule.
Employer Action Items
Cybersecurity breaches are a significant threat to health insurance carriers and employer-sponsored plans, and such threats continue to grow. The Federal government has made preventing data breaches a top priority in its HIPAA enforcement efforts.
HIPAA regulated entities, especially sponsors of self- insured health plans and business associates, should review their HIPAA policies and procedures, and assess their risk management plan, to ensure that they are up-to-date and reflect adequate cybersecurity practices and safeguards. They should consider whether an updated risk assessment analysis is warranted.
Summary
As a background, HIPAA’s Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities. The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. This publication provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule.
More Information
The cybersecurity resource guide is available here. For further information regarding available BRCC training and assistance to bring your health plan into compliance with HIPAA’s privacy, security and breach notification rules, please contact your client representative.
HHS Issues Annual Report on HIPAA Compliance
As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office of Civil Rights (OCR) has issued its annual report to Congress on HIPAA Privacy, Security, and Breach Notification Rule compliance for the 2022 calendar year.
Employer Action Items
Plan sponsors of HIPAA covered entities, especially those of self-insured health plans and business associates, should continually self-assess their compliance with the HIPAA privacy and data security rules, and the requirements under the HITECH Act. This includes ensuring business associate agreements are current, appropriate safeguards are being maintained, and policies and procedures are up-to-date and being followed.
Summary
A summary of OCR’s findings found that during 2022, it received 30,435 new complaints alleging violations of HIPAA and the HITECH Act, and resolved 32,250 complaints. Most of these (87%) were resolved before initiating an investigation. In the 560 investigations that the OCR conducted, the covered entity or business associate took corrective action. 17 were resolved with Resolution Agreements and Corrective Action Plans (RA/CAP) and monetary settlements totaling over $802,500, and two with civil money penalties totaling $100,000.
The OCR also completed 846 compliance reviews and required entities to take corrective action or pay a civil penalty in 674 (80%) of these investigations, two of which resulted in RA/CAPs, along with monetary payments totaling over $2.4 million.
In addition, the OCR engaged in 124 outreach activities to (1) increase education to the public about their HIPAA rights, and to regulated entities about trends in large HIPAA breaches and (2) educate regarding the requirements of the HIPAA rules.
More Information
Read the full report here.
DOL Releases 2023 Audit Enforcement Results
The Department of Labor (DOL) has released the results of its Employee Benefits Security Administration’s (EBSA) enforcement actions during fiscal year (FY) 2023, including the following:
- Over $1.4 billion was recovered for plans, participants, and beneficiaries.
- 731 civil investigations were closed, 69% of which resulted in monetary results for plans or other corrective actions.
- 50 cases were referred for civil litigation.
- 196 criminal investigations were closed, which led to the indictment of 60 individuals, including plan officials, corporate officers, and service providers, for offenses related to employee benefit plans.
- 1,192 applications were received through the DOL’s Voluntary Fiduciary Compliance Program (VFCP).
- 18,955 annual reports were filed through the DOL’s Delinquent Filer Voluntary Correction Program (DFVCP).
- The EFAST2 Help Desk handled over 16,000 inquiries to help filers meet their ERISA reporting obligations.
Employer Action Items
EBSA has been very active in its enforcement efforts. It is especially important for plan sponsors to keep their plans in compliance, and if necessary, take corrective action to remedy any compliance breaches prior to the commencement of any DOL audit. This includes making use of the DOL’s VFCP and DFVCP programs to bring their plans into compliance.
Summary
The DOL has broad authority to investigate or audit an employee benefit plan’s compliance with ERISA. Its EBSA division handles audits of employee benefit plans. To perform these audits, EBSA employs investigators working out in its field offices, many of whom are lawyers or CPAs or who have advanced degrees in business or finance. The VFCP and DFVCP are two programs available to plan sponsors to take corrective action to remedy breaches and voluntarily report violations to EBSA without becoming subject to an enforcement action.
More Information
EBSA’s fact sheet summarizing its FY 2023 enforcement actions is available here. The EBSA has a dedicated enforcement webpage, which includes outlines of ERISA civil violations and criminal provisions, as well as enforcement accomplishments and national enforcement priorities and projects. There is also an agency enforcement results archive for prior fiscal years.
Enforcement of California Privacy Rights Act Regulations May Begin Immediately
California’s Third District Court of Appeals recently vacated a lower court decision that had stayed the implementation of regulations under the California Privacy Right Act (CPRA) and held that the California Privacy Protection Agency (CPPA), the state agency in charge of enforcing the CPRA, may begin enforcing its regulations immediately.
Employer Action Items
Employers with employees in California should review the CPRA regulations to ensure that their company is compliant.
Employee data falls within the scope of the CPRA. There is no exemption for workforce members. Thus, information from a person acting as job applicant, employee, owner, director, officer, medical staff member, or independent contractor of the business, now falls under the regulations. This includes emergency contact information of that person as well as information necessary to administer benefits of that person. The regulations are effective immediately, including the requirement to provide certain privacy notices in various situations. Also, regulations that are still in draft form will become effective upon finalization.
Note that personal information subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the Health Insurance Portability and Accountability Act (HIPAA) will not be subject to the CPRA. However, employee personal information that falls outside the scope of these laws are subject to the CPRA.
Summary
The Third District Appellate Court ruling concerned the implementation of the CPRA, which was approved by California voters by passing Proposition 24 in November 2020. Proposition 24 amended and expanded the California Consumer Privacy Act of 2018 (CCPA), a far-reaching law that was passed by the state legislature to protect consumers’ privacy rights by providing consumers with meaningful control over how their personal information is collected, used, and disclosed by a covered business.
The statutory deadline for implementing regulations under the CPRA was July 1, 2022. Ultimately, final regulations on seven of 15 delineated subject matter areas were issued on March 29, 2023 (additional regulations are in draft form pending finalization). The California Chamber of Commerce sought a writ petition to delay implementation of the regulations for one year because businesses needed more time to comply, the CPPA had missed its deadline and some of the regulations were still in draft form. The lower court agreed and stayed enforcement for a period of 12 months from the date an individual regulation becomes final. This appellate court decision reversed the lower court ruling.
More Information
The Third District Court of Appeals decision describes the chronological events leading up to its stay of the lower court decision and is available here. The CPRA regulations can be found here. A detailed summary and action steps for compliance from the law firm of Fisher Phillips is available here.
2024 HIPAA Privacy and Security Rule Training Calendar
BRCC’s HIPAA training calendar for 2024 is available here. Please note that all trainings will be broadcast on the first Tuesday of each month (there is no training scheduled for March), beginning at 3:00 pm Eastern, 12:00 pm Pacific time. You will also see that the HIPAA training is divided into four sessions and repeated twice throughout the year. Pre-registration is required. Registration links are embedded in the attachment.
2024 BRCC Educational Webinar Calendar
The BRCC’s monthly webinar calendar for 2024 is available here. Note that the webinar series is scheduled for the last Wednesday of every month at 1:00 pm Eastern, 10:00 am Pacific time. Program participants who attend a live BPEC webcast presentation are eligible to apply for HRCI or SHRM professional continuing education credits. Pre-registration is required. Registration links are embedded in the attachment.
Question of the Month
Question: What requirements must be met for a payroll practice to fall under the Department of Labor (DOL)’s safe harbor exemption from ERISA?
Answer: Certain welfare benefit plans that would otherwise fall under ERISA and are characterized as “payroll practices” are exempted by DOL regulations. To fall under the DOL’s safe harbor exemption, a payroll practice must: (1) be unfunded; (2) not pay more than an employee’s normal compensation; and (3) cover current employees only (e.g., cannot cover former employees, retirees, or other nonemployees). If the payroll practice meets these requirements, it will not be considered an ERISA plan.
Examples of practices that may fall under this exemption include the following:
- The payment of wages for work performed by an employee, including overtime pay, shift premiums, and holiday or weekend premiums.
- Income replacement, short-term disability, salary continuation, or paid medical leave programs (including sick pay), paid out of an employer’s general assets. These are self-insured programs and generally all are self-administered.
- Vacation or holiday pay.
- Pay during active military duty, jury duty, or testifying in official proceedings.
- Pay received during periods engaged in training in which the employee is performing little or no productive work (even if paid through government subsidies).
Pay received during sabbatical leaves or time off while pursuing further education.
