By: Andrew Silverio, Esq.
In December 2020, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released the findings of an extensive audit of Covered Entities and Business Associates, performed in 2016 and 2017 for compliance with various HIPAA requirements. This data, available at https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf, provides valuable insight into what Covered Entities are doing right, and what they’re doing wrong, when it comes to HIPAA compliance (of the Covered Entities audited, 90% were health care providers, 9% were health plans, and 1% were health care clearinghouses).
Rather than a general audit for compliance with all of HIPAA’s requirements, the audit focused on seven provisions. It looked at compliance with the notice of privacy practices and content requirements, provision of notice – electronic notice (website posting), and right of access requirements (from the Privacy Rule), the timeliness of notification and content of notification requirements (from the Breach Notification Rule), and the security management process – risk analysis and risk management requirements (from the Security Rule). For Business Associates, the scope of the audit was more narrow, focusing only on the notification by a business associate requirements (from the Breach Notification Rule), and the security management process – risk analysis and risk management requirements (from the Security Rule).
Overall, the audit found that compliance with requirements that come into play after a security issue or breach occur, such as breach notification requirements, is generally good. Compliance with the requirement to make the applicable Notice of Privacy Practices online was also good. However, the results were less positive in regard to other requirements which represent more of the “groundwork” in setting up proper safeguards and procedures. For example, “… OCR also found that most covered entities failed to meet the requirements for other selected provisions in the audit, such as adequately safeguarding protected health information (PHI), ensuring the individual right of access, and providing appropriate content in their NPP. OCR also found that most covered entities and business associates failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.”
These findings make sense from an intuitive standpoint – it’s easy to simply not think about HIPAA’s requirements until a problem arises. However, this audit underscores the importance of creating proper safeguards proactively – doing so can result in less damage when and if a breach occurs, both financially and when it comes to preserving client and participant good will.
Recently, the Department of Health and Human Services released updated guidance outlining some permissible uses of Protected Health Information (PHI) under HIPAA in regard to recovered COVID-19 patients (available at www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-plasma-donation.pdf). This guidance, which applies to health care providers, health plans, and their business associates, is an expansion of previous guidance which applied only to health care providers.
In essence, the guidance provides that these entities can use PHI to identify and contact individuals who have recovered from COVID-19 in order to inform them about how to donate their plasma, which will contain antibodies to SARS-CoV-2 which are useful in potentially treating COVID-19 patients. This activity has been classified as falling within the category of “health care operations,” and thus PHI can be used for this purpose without an individual’s authorization.
HHS outlines that these activities constitute “health care operations” in that “facilitating the supply of donated plasma would be expected to improve the covered health care provider’s or health plan’s ability to conduct case management for patients or beneficiaries that have or may become infected with COVID-19.” In regard to a health plan (as opposed to a particular provider who may use collected plasma itself to treat other patients), this justification’s connection to the “health care operations” of the specific covered entity seems tenuous. It is difficult to see how, for a health plan as opposed to a provider, an interest in increasing the availability of antibody-containing plasma generally actually furthers the “health care operations” goals of the particular plan. However, the public interest rationale here is crystal clear.
The guidance does come with an important caveat – the use of PHI for this purpose is only permitted to the extent that the outreach does not constitute marketing, which HHS outlines as “a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service.” This should not be an issue for plans, but providers likely have to walk a fine line when they provide the services in question.
By: Kevin Brady, Esq.
Earlier this month, the U.S. Department of Labor (DOL) and the Internal Revenue Service (IRS) jointly issued a Final Rule extending a number of deadlines and timeframes relevant to group health plans. The Final Rule recognizes that as a result of the National Emergency, plan participants “may encounter problems in exercising their health coverage portability and continuation coverage rights, or in filing or perfecting their benefit claims. As such, the stated purpose of the Final Rule is “to minimize the possibility of individuals losing benefits because of a failure to comply with certain pre-established timeframes.”
The Final Rule essentially requires plans to disregard a designated period of time when determining whether certain deadlines or timeframes are satisfied. Consistent with the Final Rule’s stated purpose, the extension of these timeframes will provide additional opportunities for employees and their dependents to maintain existing, or enroll in, coverage as well as provide additional opportunities for participant’s to submit and appeal claims. This designated period of time is succinctly described as the “Outbreak Period” which entails “the period from March 1, 2020 until sixty (60) days after the announced end of the national emergency period or such other date announced by the Agencies in a future notification.”
Under HIPAA, employees who experience certain special enrollment events generally have a limited period of time (following the event) to request coverage under their employer’s plan. Under the Final Rule, the Outbreak Period must be disregarded when considering whether a HIPAA special enrollment request is timely.
Electing Continuation Coverage
Plan participants who experience “qualifying events” are generally eligible for continued coverage under COBRA subject to certain conditions. After receipt of the COBRA election notice, “qualified beneficiaries” have 60 days to elect continuation coverage. Under the Final Rule, plans must disregard the Outbreak Period when determining whether a qualified beneficiary’s election is timely.
Timely Payment of Premiums
After electing COBRA continuation coverage, qualified beneficiaries must pay their first premium payment with 45 days of their election. Furthermore, qualified beneficiaries must pay premiums in a timely fashion (a premium is considered paid timely “if it is made not later than 30 days after the first day of the period for which payment is being made.” Under the Final Rule, the Outbreak Period cannot be considered when determining whether payment of the premium is timely.
Notice of Qualifying Event
Under certain circumstances (generally divorce or a child losing dependent status), plan participants will bear the responsibility for notifying the group health plan of the qualifying event under COBRA. While COBRA typically requires this notice to be provided within 60 days, the Final Rule requires plans to disregard the Outbreak Period when determining whether notice is timely.
Claims and Appeals
Filing of Claims
Group health plans will generally limit the period of time in which a claim may submitted and considered eligible for coverage. Under the Final Rule, plans must disregard the Outbreak Period when considering whether a claim has been timely filed. This will undoubtedly lead to additional, and potentially significant exposure, for plans as claims that could have been properly denied previously, may now be payable under the plan.
Appealing an Adverse Benefit Decision
Group health plans must provide participants at least 180 days to appeal an adverse benefit decision. Whether a plan provides the required 180 days, or more, plans must disregard the Outbreak Period when determining this deadline. Similar to the extension of the deadline for filing claims, this extension may also lead to additional, and potentially significant, exposure for plans.
For claimants enrolled in non-grandfathered group health plans, those claims which are otherwise eligible for external review (only certain types of appeals are eligible), are entitled to additional time to request an external review under ERISA’s appeals procedure rules. Under the Final Rule, the Outbreak Period is disregarded when considering the deadline to file an external review.
Further, if a claimant’s external review request is not “complete” (meaning that the request for review is not sufficient to be considered by the Independent Review Organization) the claimant is typically limited to the duration of the filing period to perfect the request. However, the Final Rule also requires the plan to disregard the Outbreak Period when determining whether additional information, provided to perfect a request for external review, is timely.
By: Brady Bizarro, Esq.
Let’s face it: fax machines are horrible and outdated. From busy signals to unreadable printouts to incorrect destinations, it is no wonder most industries abandoned them last century. In our industry, which deals extensively with providers, it’s the primary way to communicate. Understanding why can give you a glimpse into the broader problems with healthcare policy in this country today; a misalignment of economic incentives.
Almost all providers have digitized their own patient records. This was done largely thanks to the Obama administration. In 2009, as part of the stimulus bill, the government passed the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), which included nearly $30 billion to encourage providers to switch to electronic records. Statistics reveal that the number of hospital systems using electronic records went from nine percent in 2008 to eighty-three percent in 2015. So far so good. So, what went wrong? Why is the fax machine still the primary way doctor’s offices communicate?
The issue is not digitizing records: the issue is sharing them. When doctors want to retrieve patient records from another doctor’s office, they turn to the fax machine. They print out records, fax them over to the other provider, and that office scans them into their digital system. Needless to say, this is inefficient, and a misreading of economic incentives is to blame.
The government, at the time, assumed that providers would volunteer to share patient data amongst themselves. This data, however, is considered proprietary and an important business asset to most providers. If other hospital systems could easily access and share your medical record, you could more easily switch providers. Switching providers may be a good thing for a patient who is shopping for better value care, but most providers perceive this ability as a threat to steerage. After all, hospital systems compete with one another for steerage.
As in the case of other healthcare policy problems, chief among them out-of-control spending, doctors, nurses, patients, lawmakers, everyone is frustrated; yet, a solution has thus far been out of reach. The proposed solutions divide policymakers among ideological lines as is often the case with healthcare spending: some feel that more government regulation is needed; others feel that fewer regulations are needed. The Trump administration has so far proposed deregulation in this area and giving patients more control over their own medical records. This is one of the four priorities recently accounted by the Department of Health and Human Services (“HHS”). Time will tell if this approach will finally lead to the demise of one of the most despised pieces of technology in medicine.
By: Kelly Dempsey, Esq.
In past blogs, we’ve looked at eligibility issues from the perspective of leaves of absence, continuation of coverage, and the subsequent gaps that can arise if the plan language is not clear. For this blog, we’ll back up a bit and look at the bigger picture.
Eligibility issues are typically very fact specific – meaning employers and TPAs have to look at the details of an individual’s situation in order to determine if someone can join the plan, modify enrollment, and/or leave the plan during the plan year. Joining the plan involves HIPAA special enrollment rights and plan obligations – the requirements are clearly defined. Special enrollment rules also come into play when an employee’s life situation changes and the employee seeks to add dependents to the plan. At first thought leaving the plan seems to be a no brainer situation – if the employee wants to leave, let them leave…right? Not so fast.
More often than not, health plan contributions are made pre-tax through a cafeteria plan. If a cafeteria plan is involved, the situation can get complicated with the additional consideration of permitted election change rules. Section 125 permitted election change rules can limit an employee’s ability to leave the plan or make other modifications to elections, such as changing the amount of an FSA contribution. To add one more layer, Section 125 is essentially a ceiling and not a floor – meaning it is up to the employers whether or not to include only some of the permitted election changes instead of all permitted election changes available under Section 125.
Now an employer and TPA not only have to review specific facts, but they have to apply two sets of rules and two plan documents (the medical plan and the cafeteria plan). For example, an employee asks the employer to drop health plan coverage saying that “it’s too expensive.” Without a change in status, cost change, or other situation outlined in the permitted election change rules, the employee could very well be stuck in the “web.”
It can be tricky to reconcile rules that overlap each other (side note, overlapping rules happen a lot in this industry…). If you need an extra set of eyes (since we aren’t spiders and don’t have 8), don’t hesitate to reach out to The Phia Group – our consulting team can help get you untangled.
Who knew eligibility could be so difficult?
By: Kelly Dempsey, Esq.
The last few weeks have been difficult for several states and U.S. territories. Hurricanes Harvey and Irma have caused significant flooding and damage. In addition to the loss of power, many people are homeless and corporations/employers are without a place to conduct business. Depending on the level of damage, it may take a long time for different areas of the country to rebound and rebuild. Chances are that employee benefits, specifically the health plan, are the last thing on employers’ and employees’ minds, but there are some very important considerations. So what do Hurricanes Harvey and Irma mean for employers, employer sponsored health plans, TPAs, and employees?
Self-funded health plans are required to comply with various federal laws that carry different responsibilities including, but not limited to, ERISA, COBRA, FMLA, HIPAA, and the ACA. These federal laws come with a wide array of notice requirements and time frames for processing claims and appeals and other requests for documents or information. As such, the Department of Labor and the Department of Health and Human Services (collectively referred to as “the Departments”) have issued press releases and bulletins that provide general guidance and limit exposure to penalties. These press releases were specifically issued after Hurricane Harvey; however, it’s likely that additional releases will be issued to address Hurricane Irma. Below are links to important press releases; however, the following is one of the key summary statements:
The guiding principle for plans must be to act reasonably, prudently and in the interest of the workers and their families who rely on their health plans for their physical and economic well-being. Plan fiduciaries should make reasonable accommodations to prevent the loss of benefits in such cases and should take steps to minimize the possibility of individuals losing benefits because of a failure to comply with pre-established time-frames.
Health plans and their supporting vendors will likely need to review situations on a case by case basis to determine what is reasonable for each plan and employer.
If you’ve listened to any recent Phia Group webinars, presentations or podcasts, or read our blog or published articles, you already know we’ve been focusing on leaves of absence and gaps between handbooks and plan documents. You’re probably thinking, “Yes, I know, so what’s your point?” With all the damage to homes and job sites, it is possible employees may seek leaves of absence and/or employees will ask questions about existing leaves of absence and how the leave is impacted if an employer ceases operations. While FMLA is generally not available for employees to use as time off to attend to personal matters such as cleaning up debris, flood damage, home repair, etc., FMLA may come into play if an employee or their family member suffers a serious health condition as a result of the hurricane. For those employees that were already out on FMLA, if an employer ceases operations, the time operations are stopped would not count towards FMLA leave. As always, FMLA and other leave situations should also be reviewed on a case by case basis.
In summary, the Departments have issued guidance specifically related to Hurricane Harvey; however, we anticipate additional guidance associated with Irma as well. The bottom line is that employers, health plans, and applicable vendors will need to act reasonably when administering the health plans (i.e., processing claims and appeals, issuing notices such as COBRA notices, etc.) and take into consideration the locations and entities that were impacted and allow grace periods or other relief as applicable.
Important Press Releases and Relevant Guidance:
- U.S. Department of Labor Issues Compliance Guidance For Employee Benefit Plans Impacted by Hurricane Harvey
- Secretary Acosta Joins Vice President Pence in Texas
- FAQs for Participants and Beneficiaries Following Hurricane Harvey
- Hurricane Harvey & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Declared Emergency
By: Kelly Dempsey, Esq.
The last 7 years have been a wild ride and it’s not quite over yet. As noted in many other posts and articles, the rules will be changing under the new administration and in recent weeks we’ve seen a clearer picture of how the rules will be changing, but there are still more steps in the process before TPAs and employers can start making changes to their processes and health plans. Many are focused on the modifications to the requirements to offer and/or have coverage (i.e., the employer mandate and individual mandate) and it’s no doubt these provisions have had a large impact on how employers offer coverage and what they offer, as well as the costs to employers, individuals, and insurers.
To counteract the rising costs of healthcare due to ACA and other factors, like high medical and drug costs, many in the self-funded industry have explored other options and learned how to expand and better utilize the flexibility and dynamics afforded to self-funded plans in the cost containment realm. From telemedicine, to medical tourism, to other incentive programs, and exploring other provider payment options like direct primary care, employers with self-funded plans have more opportunities to explore cost containment options and implement the options that can help the plan and employer save money, while tailoring their health plans to the needs of their employees. Some cost containment programs, however, have added additional complications for a variety of reasons.
The birth of new cost containment programs includes reviewing current rules and applying those rules as we know them to the health plans. If these programs are offered outside of the self-funded health plan, do the programs themselves become stand-alone health plans? If yes, what rules are applicable? Can these new programs qualify as excepted benefits and be excluded from certain (or all) provisions of ERISA, HIPAA, ACA, and other federal laws? Are these programs compatible with IRS rules related to HSA qualified high deductible health plans (HDHPs)? Do the answers change if the programs are implemented within the self-funded health plan? Unfortunately, in many cases, the rules are not clear.
We know the new administration has big plans for modifications to current rules and creation of new rules and guidelines. In addition to the employer and individual mandates, another key change we’ve heard about repeatedly is the modification to HSA rules. If the new administration is modifying certain HSA rules to encourage employers and individuals to utilize HSAs, will the administration and agencies issue clarifying rules that address these questions? Sadly this is another unknown and we’re stuck in this holding pattern with more questions than answers.
In some ways it feels like we’re right back where we started back in 2010 – waiting to see what rules and changes actually make their way through the approval process. For time being, we have to buckle up and hold on until the ride comes to a complete stop. As such, until we have finalized new rules with effective dates and clear guidance, it’s best to keep things status quo and maintain compliance with the rules as we know them today until the rules are implemented, finalized, and effective.