A Compliance Newsletter by: The Baldwin Regulatory Compliance Collaborative (BRCC)
Welcome to the March 2023 issue of the Baldwin Bulletin – a monthly guide to important legal news and employee benefits-related industry happenings, designed to keep you abreast of the latest developments.
This month’s issue of the Baldwin Bulletin focuses on providing employers with important 2023 compliance deadlines, as well as certain compliance issues that will potentially have a significant impact on employers over the next several months.
Upcoming 2023 Compliance Deadlines
Employers must comply with numerous reporting and disclosure requirements throughout the year in connection with their group health plans. The attached Compliance Timeline explains key compliance deadlines for employer-sponsored group health plans for the remainder of the year. In particular, please note the following upcoming deadlines:
Department of Labor Updates COBRA and CHIP Notices
The Department of Labor (DOL) recently updated the model General Notice of COBRA Continuation Rights and the model COBRA Continuation Coverage Election Notice to reflect an updated expiration date of January 31, 2026. The Notices are available here, in both English and Spanish. Plan sponsors should confirm that their COBRA administrators (or in-house administrators) are using the updated notices going forward.
The general (or initial) notice is a general description of a participant’s rights under the Consolidated Omnibus Budget Reconciliation Act (COBRA) and must be provided within the first ninety (90) days of coverage. Group health plans can satisfy this requirement by including the general notice in the plan’s summary plan description (SPD). The election notice describes a qualified beneficiary’s right to COBRA coverage and how to make an election. The election notice must be provided after a qualifying event, and the timing of that notice depends upon the specific qualifying event.
Updated Model CHIP Notice
The DOL also updated the model CHIP notice (English and Spanish versions are available here). The CHIP Notice is typically revised twice annually (January 31 and July 31) to reflect changes in the states that offer premium assistance subsidies, including updated contact information. Plan sponsors should update their annual notice packets, including notices found in enrollment materials, to include the latest model CHIP notice.
As a refresher, the Children’s Health Insurance Program Reauthorization Act of 2009 (CHIPRA) permits states to offer eligible low-income children and their families a premium assistance subsidy to help pay for employer-sponsored group health coverage. CHIPRA imposes an annual notice requirement on employers that maintain group health plans in states that provide premium assistance subsidies under a Medicaid plan or a Children’s Health Insurance Plan (CHIP). An employer is subject to this annual notice requirement if its group health plan covers participants who reside in a state that provides a premium assistance subsidy, regardless of the employer’s location. Employers may use the DOL’s model notice for this disclosure. Employers that fail to send the required notice may be subject to penalties of $137 per day (adjusted annually for inflation).
Biden Administration Issues New Guidance on Ending Public Health Emergency
The ending of the Public Health Emergency (PHE) on May 11th will result in several changes to coverages provided through group health plans, including that of certain COVID-19 products such as vaccinations and home testing kits. In this respect, the Department of Health and Human Services (HHS) recently published a fact sheet specifying what will not be impacted by the ending of the PHE. For example, the coverage of certain COVID-19 treatments such as Paxlovid and Lagevrio, as well as existing emergency use authorizations (EUAs) for COVID-19 products will continue to remain in effect. In addition, new EUAs may be issued when the criteria for issuance are met. The HHS fact sheet is available here. Employers should monitor ongoing developments and work with their carriers and/or third-party administrators to ensure plan documents are amended, as needed, to comport with the new requirements.
District Court Rules that TPAs of Self-insured Medical Plans Must Abide by ACA’s Nondiscrimination Rules When Adjudicating Gender- Affirming Care
Section 1557 of the Affordable Care Act (ACA) prohibits discrimination based on race, color, national origin, sex, age or disability in certain health programs and activities. Section 1557 has been in effect since its enactment in 2010, with the U.S. Department of Health and Human Services’ Office of Civil Rights enforcing the provision. It generally applies to any health program or activity that receives federal financial assistance.
However, the rules and guidance HHS has published to implement Section 1557 have been the subject of numerous lawsuits, dating back to when initial regulations were issued in 2016. The litigation has primarily focused on:
- Which health programs and activities are subject to Section 1557’s nondiscrimination requirements; and
- Whether sex discrimination includes discrimination based on gender identity, sexual orientation and termination of pregnancy.
The most recent court decision in the United States District Court, Western District of Washington concluded that the denial of benefits for gender-affirming care by a third-party administrator administering a self-insured plan violated Section 1557 of the ACA. You may read more about the decision and its implications at the Thomson Reuters Practical Law website here.
Proposed Rule to Expand Access to Contraceptive Coverage
On January 30, 2023, the Departments of Health and Human Services, Labor and the Treasury (Departments) released a proposed rule that would expand access to contraceptive coverage under the Affordable Care Act (ACA).
Under the ACA, most plans are required to offer coverage of certain contraceptive services, including birth control and contraceptive counseling, with no out-of-pocket cost for women who are enrolled in group health plans or individual health insurance. In 2018, final regulations expanded exemptions and optional accommodations for eligible employers with sincerely held religious or moral objections to contraceptive coverage. When an employer qualifies for this exemption (but does not use the optional accommodations process), employees and their dependents do not have access to first-dollar contraceptive coverage through the plan.
The 2023 proposed rules would accomplish the following:
- Eliminate the exemption for employers who object to contraceptive coverage based on moral convictions (but retain the exemption based on religious beliefs); and
- Create a new way for eligible individuals to receive no-cost contraceptive coverage directly through a willing health care provider or facility when they are enrolled in plans that qualify for an exemption and do not use the optional accommodations process. This individual contraceptive arrangement would not require any involvement on the part of an objecting entity. The provider would be able to seek reimbursement for its costs by entering into an agreement with a participating issuer in the ACA Marketplace.
Notably, these rules are only in proposed form, and they have not been finalized and signed into law. The Departments are accepting comments on the proposed rule until April 3, 2023. For more information, please see this fact sheet.
KFF Analysis Shows that Inconsistencies Within Hospital Price Transparency Data Makes Comparisons Difficult
A Kaiser Family Foundation (KFF) analysis has found that the transparency data currently being shared by hospitals to comply with the hospital price transparency rules promulgated by the Centers of Medicare and Medicaid Services (CMS), are “messy, inconsistent, and confusing” for a variety of reasons, but largely due to a lack of standardization and specification in the reporting requirements themselves. Included in their findings were that inconsistencies exist in how the data connects specific services with prices; data quality varied widely; and crucial pieces of information for interpreting the applicability of price are missing, such as contracting method and payer class (Medicare, Medicaid, and commercial). To address some of these issues, CMS has provided suggestions for formatting, validation of data format, and data quality. However, the use of these resources remains voluntary. For more information, read the KFF analysis here.
Texas Judge Vacates Provisions of the No Surprises Act
On February 6th, in the case of Texas Medical Association v. Department of Health and Human Services (HHS), a federal trial court in Texas has vacated key portions of the final regulations implementing the surprise billing independent dispute resolution (IDR) provisions of the Consolidated Appropriations Act, 2021 (CAA, 2021). Related provisions in the interim final regulations had been previously invalidated by the same trial court. The final regulations amended the interim final regulations by eliminating the provisions that had been struck down. The plaintiffs challenged the final regulations, arguing that they continue to conflict with the provisions in the CAA, 2021, and the Texas court agreed. Accordingly, the final regulations were vacated and returned to HHS for further consideration. Subsequently, the Centers for Medicare and Medicaid Services (CMS)’ division of HHS has instructed arbitrators to hold all payment determinations until further notice, and to recall any payment determinations issued after February 6th. To read the Federal trial court’s decision, see here.
HHS’ Annual Report to Congress on 2021 HIPAA Privacy, Data Security, and Breach Notification Compliance
As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Office of Civil Rights (OCR) has issued its annual report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for the 2021 calendar year.
A summary of its findings found that during 2021, the OCR received 34,077 new complaints alleging violations of HIPAA and the HITECH Act, an increase of 25% from the number of complaints received in 2020. Most of these (78%) were resolved before initiating an investigation. In 714 investigations, the covered entity or business associate took corrective action, 13 were resolved with monetary settlements totaling over $800,000, and two with civil money penalties totaling $150,000.
The OCR also completed 573 compliance reviews and required entities to take corrective action or pay a civil penalty in 475 of these investigations, two of which resulted in Resolution Agreements and Corrective Action Plans, along with monetary payments totaling over $5 million. It is interesting to note, however, that the OCR did not perform any audits in 2021 due to a lack of financial resources.
Plan sponsors of HIPAA covered entities, especially those of self-insured health plans, should continually self-assess their compliance with the HIPAA privacy and data security rules, and the requirements under the HITECH Act. This includes ensuring business associate agreements are current, appropriate safeguards are being maintained, and policies and procedures are up-to-date and being followed.
Read the full report here.
FTC First-time Enforcement of Health Breach Notification Rule
Similar to the breach notification requirements applicable to HIPAA covered entities and business associates, the HITECH Act also requires similar provisions to be implemented and enforced by the Federal Trade Commission (FTC) that apply to vendors of personal health records and their third-party service providers. It dictates how companies share consumers’ online health data with third parties.
Cybersecurity Risks to Online Benefit and Payroll Portals
An employer’s online benefits enrollment platform and payroll system can be particularly attractive for cybercriminals to breach due to the vast amount of sensitive information they contain, including personal identifiable information (PII) and financial data. Employers have a responsibility to protect this information from cyber threats and must ensure that both systems have robust cybersecurity measures in place.
The results of cyberattacks on these platforms can have substantial consequences not just for employers but for employees. There could be significant employer costs associated with detecting the extent of the breach, investigating and managing the incident response. Any theft of PII and other plan assets may result in monetary losses to participants, the plan, and the plan sponsor. The employer’s firm may also experience operational disruption while having to address the ramifications of the cyberattack. HIPAA violations could result if there is a breach of an employee’s protected health information, or PHI.
It is important for employers to understand potential cyberthreats and how to proactively protect sensitive, valuable information. There are many ways an employer can mitigate their risks such as educating employees and properly monitoring technology.
For more detail on the topic, please refer to this New Hampshire Business Review article by McLane Middleton, available here.
President Biden Discusses Employee Benefits in State of the Union Address
On February 7, 2023, President Biden delivered the 2023 State of the Union (SOTU) address. The SOTU address is important for employers as it often provides insight into proposed plans and initiatives relevant to the workplace. This year, the SOTU address focused largely on health care and the economy. Specifically, some items President Biden discussed included the following:
- Making big workplace changes including pushing for the passing of the Protecting the Right to Organize Act, advocating for sick days, proposing nationwide paid family and medical leave and affordable childcare, and banning noncompete agreements, among other items;
- Lowering healthcare costs;
- Tackling the mental health crisis;
- Increasing veteran support;
- Proposing greater protections for reproductive health and equality;
- Addressing the opioid and overdose epidemic;
- “[S]upercharg[ing] the Cancer Moonshot” program (a program aimed at cutting cancer’s death rate by at least half over the next 25 years, among other action items) and further progressing on other cancer initiatives;
- Focusing on economic recovery; and
- Discussing plans to end the COVID-19 national and public health emergencies on May 11th and the ramifications of same.
Employer Action Items
It is important to note that the SOTU serves as a presidential road map or “wish list” for the next year. As a result, employers should look for more details about the SOTU proposals in the coming weeks and months. While some of the discussed initiatives have the potential to significantly affect the workplace, these impacts will not be clear until more information is released. We will keep you apprised of any additional government updates and other pertinent matters.
For more information, read here.
Question of the Month
Question: What are the temporary reporting requirements to address surprise air ambulance bills, and when do the rules become effective?
Answer: Regulations have been jointly proposed by the Internal Revenue Service (IRS), Department of Labor (DOL) and the Department of Health and Human Services (HHS) that outline the timing and content requirements for filing of informational reports to HHS. However, they have not yet been finalized.
The temporary reporting requirement stems from legislation addressing patient protections related to surprise air ambulance bills from nonparticipating providers that requires group health plans and insurers to submit information about the air ambulance services they cover during two calendar years. Under the proposed regulations, the required data would be submitted for calendar year 2022 by March 31, 2023, and for calendar year 2023 by March 30, 2024. However, the regulations have not yet been finalized, so it is unclear at this time when the first report will be required as the due dates will not be established until those regulations are finalized.
According to the proposed regulations, the reporting requirements would apply to self-insured and insured group health plans and insurers, but not to health reimbursement arrangements, excepted benefits, and short-term, limited-duration insurance. An insured plan could satisfy the requirements if its insurer provides the information pursuant to a written agreement. A self-insured health plan could contract with a third-party administrator to report the required information, but the plan would remain responsible for any reporting failures.
For each claim for air ambulance services received or paid for during the reporting period, required data would include certain transport information, such as the aircraft type, loaded miles, pick-up and drop-off locations, whether the transport was emergent or non-emergent, and whether the transport was an inter-facility transport. Plans would also be required to report certain claim adjudication information (including whether the claim was paid, denied, or appealed; denial reason; and appeal outcome) and claim payment information (including submitted charges, amounts paid by each payor, and cost-sharing amount). Source: Thompson Reuters.
The Baldwin Regulatory Compliance Collaborative
This Alert was prepared by the Baldwin Regulatory Compliance Collaborative (the “BRCC”), a partnership of compliance professionals offering client support and compliance solutions for the benefit of the Baldwin Risk Partners organization, which includes: Jason Sheffield, BRP National Director of Compliance; Richard Asensio, Burnham Benefits Insurance Services; Nicole L. Fender, the Capital Group; Bill Freeman, AHT Insurance; Stephanie Hall, RBA/TBA; Caitlin Hillenbrand, AHT Insurance; Paul Van Brunt, Baldwin Krystyn Sherman Partners (BKS); and Natashia Wright, Insgroup.