group health plan |

Verify ERISA Bonding Compliance

November 25, 2025

Health, retirement and other employee benefit plan fiduciaries, sponsors and service providers should confirm and document that all plan fiduciaries, service providers and other plan workforce members are properly bonded to protect the plan against fraud and dishonesty, as well as avoid incurring liability for breaching the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (“ERISA”).

ERISA Requires Fidelity Bonding

ERISA imposes fidelity bonding requirements under ERISA §412 and 29 C.F.R. Part 2580 to protect plan assets against loss due to fraud or dishonesty. ERISA §412(a) requires that every fiduciary of an employee benefit plan and every person who ‘handles funds or other property’ of the plan must be bonded against loss resulting from fraud or dishonesty. The Department of Labor (“DOL”) regulations at 29 C.F.R. §2580.412‑6 define handling of funds to include physical contact, power to transfer, ability to sign checks, or supervisory authority over those who handle plan assets.

As ERISA’s bonding requirements are part of ERISA’s fiduciary responsibilities, failure to maintain bonding required by ERISA §412 constitutes a fiduciary breach under ERISA §404(a)(1)(A)-(B), which exposes fiduciaries breaching these obligations to DOL civil penalties, personal liability for losses arising from non‑compliance, and other liabilities.

Who Must Be Bonded

ERISA’s fidelity bonding requirement applies to two categories of persons:

Plan fiduciaries, and

Non‑fiduciaries who ‘handle’ plan funds within the meaning of 29 C.F.R. §2580.412‑6.

For purposes of determining the individuals and entities subject to ERISA’s bonding requirement, keep in mind that ERISA functionally defines a “fiduciary” as including any person that:

Exercises any discretionary authority or discretionary control respecting management of the plan or the management or disposition of its assets,
Renders investment advice for a fee or other compensation, direct or indirect, with respect to any moneys or other property of such plan, or has any authority or responsibility to do so, or
Has any discretionary authority or discretionary responsibility in the administration of such plan. See ERISA Section 3(21).

Consequently, if an individual or entity functionally possesses or exercises authority or responsibility over the plan or its assets, it is a fiduciary subject to the bonding and other fiduciary requirements of ERISA regardless of whether that party is a named fiduciary or disclaims fiduciary status in an agreement.

Likewise, the ERISA bonding requirement for parties that handle funds also is based on the functional realities. Under DOL Regulations, a person is deemed to handle plan assets if their role creates a risk of loss due to fraud or dishonesty. Examples include:

Physical possession of cash, checks, or assets.
Power to transfer assets or negotiate instruments.
Authority to sign checks or initiate electronic fund transfers.
Supervisory authority over individuals who handle assets.

Non‑fiduciary service providers and other members of the plan workforce who do not handle plan funds are not subject to ERISA §412. For instance, DOL Field Assistance Bulletin 2008‑04 states that third‑party administrators that do not control or possess plan assets and cannot authorize disbursements are not required to be bonded. Similarly, other nonfiduciary contractors providing legal, actuarial, consulting, claims‑processing, or IT services fall outside the bonding requirement unless they have direct authority over plan assets. See also 29 C.F.R. §2509.75‑8 without discretionary authority over plan assets generally does not ‘handle’ funds and therefore are not subject to ERISA §412 bonding unless they otherwise are named or function as fiduciaries.

When applying these distinctions for purposes of ERISA’s bonding rules, plan fiduciaries and service providers should look beyond contractual characterizations of the character and nature of the service provider and based their decision regarding whether to require and acquire a bond based on the functional realities. While non‑fiduciary service providers are only required to be bonded if they handle plan funds as defined by ERISA §412 and the DOL regulations, functionally evaluated, certain non‑fiduciary service providers sometimes become subject to bonding if their activities constitute functional “handling” of plan funds. For example:

A payroll vendor that transmits employee contributions is handling assets.
A recordkeeper with authority to initiate distributions must be bonded.

Conversely, a TPA adjudicating claims but without power to pay benefits is not required to be bonded. service providers and others granted functional authority that exposes plan assets to risk of loss are required to be bonded as individuals that handle funds.

When evaluating whether a service provider or other party “handles funds” for purposes of assessing the applicability of the ERISA bonding requirement in investigations or audits, the DOL usually asks if the party or its employees have:

Physical possession of Plan assets?
The power to obtain physical possession of plan assets?
The power to transfer assets?
The authority to disburse Plan funds directly or indirectly?
The authority to endorse checks?
The authority to make investments?

The DOL Enforcement Manual indicates that “handling” of Plan funds is indicated and bonding is required for each individual or party that (a) has any of these authorities or (b) if the assets are held by a corporate trustee, for any service provider or other party that can direct the payment of benefits or direct the investments to be made by the corporate trustee.

Bond Amount and Coverage Requirements

Where ERISA requires a fidelity bond, ERISA §412(a) and 29 C.F.R. §2580.412‑11 require that the fidelity bond must be at least 10% of the amount of plan funds handled by the individual in the preceding plan year, with a minimum of $1,000 and a default maximum of $500,000 per plan (or $1,000,000 for plans holding employer securities under §412(g)).

An ERISA fidelity bond is a specific type of insurance that protects the plan against losses caused by acts of fraud or dishonesty. The fidelity bond required under ERISA specifically insures a plan against losses due to fraud or dishonesty (e.g., theft) by persons who handle plan funds or property. Fraud or dishonesty includes, but is not limited to, larceny, theft, embezzlement, forgery, misappropriation, wrongful abstraction, wrongful conversion, willful misapplication, and other acts. Deductibles or other similar features are prohibited for coverage of losses within the maximum amount for which the person causing the loss is required to be bonded. While obtaining fiduciary liability insurance also generally is recommended, the bonding requirement is not satisfied by the purchase of fiduciary liability.

The fidelity bond purchased must fulfill the specific requirements of ERISA. For instance, the bond should be issued by a bonding company listed in Treasury Circular 570 and must cover the Plan for loss due to fraud or dishonesty as defined in 29 C.F.R. §2580.412‑9. Fiduciaries should confirm the bond provides for payment to the Plan in the event of loss, name the Plan as an “insured” and have the pay over rider attached unless the Plan is the sole insured under the bond. The definition of employee in the bond must cover all persons who “handle” funds including officers, directors, trustees, employees and the other parties required to be covered by the bond. If the bond contains a deductible, an elimination of deductible rider with the respect to the plan also is needed. Since bonds purchased by third party administrators, financial advisors or other plan service providers to meet state law or professional standards generally do not fulfill these and other ERISA requirements, plans generally should require specific contractual assurances to comply with the ERISA bonding requirements and should obtain and confirm the adequacy of the bonds for service providers and others subject to ERISA bonding requirements.

Liability For ERISA Bonding Violations

Failure to secure a fidelity bond under ERISA can lead to significant legal and financial consequences. Plan sponsors and fiduciaries are required by ERISA to obtain a fidelity bond to protect employee benefit plans from losses due to fraud or dishonesty. Noncompliance can lead to a range of consequences, including auditors’ admonitions, court mandates for removal as plan fiduciaries, plan fiduciary personally liability for losses that should have been covered by a fidelity bond, and EBSA administrative penalties for breach of fiduciary duty. See DOL’s Protect Your Employee Benefit Plan With A Fidelity Bond; Getting It Right: Know Your Fiduciary Responsibilities.

Managing Bonding And Bonding Risks

To avoid violating the bonding requirements, fiduciaries and service providers should both review service agreements and the functional realities to confirm whether any party “handles” funds and to ensure compliance with ERISA bonding requirements.

Service providers that engage in the performance of activities that involve or are likely to be recharacterized as involving the exercise of discretion or the handling of funds should give serious consideration to arranging to maintain a fidelity bond that meets ERISA’s requirement, whether or not the service provider acknowledges or disclaims its status as a fiduciary or handler of plan funds.

Since noncompliance with the bonding requirement is a breach of the fiduciary responsibility requirements of ERISA that could render the fiduciary personally liable for unbonded losses, plan fiduciaries generally should conduct and retain a documented analysis capturing their consideration of whether they and other fiduciaries, service providers, and other members of the plan workforce ar required to be bonded and if so, the actions taken to require and monitor compliance with applicable bonding requirements. Examples of best practices include:

Include bonding requirements in plan documents and contracts;
Conduct and maintain a documented assessment of the applicability of the bonding requirements when appointing or renewing the appointment of a fiduciary, third party service provider or workforce member to participate in the management or operations of the plan or its assets; and
Obtain and review bonds obtained to cover fiduciaries and service providers to verify their currency and adequacy;

When the factual realities raise the possibility that an individual or a party might possess or exercise fiduciary discretion or handle funds, fiduciaries generally will want to err in favor of requiring bonding to protect the plan and to protect themselves against the personal liability that can arise under ERISA Section 502(l) for violation of the bonding requirements, unbonded plan losses arising from fraud or loss by the service provider or both.

About the Author

Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.

Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer is nationally recognized for her decades of leading edge experience on the design, sponsorship, administration and defense of health and other employee benefit, workforce, insurance, healthcare , data and technology and other operations to promote legal and operational compliance, reduce regulatory and other liability and promote other operational goals.

Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is recognized for her contributions to strengthening health care policy and charitable and community service resolving health care challenges performed under PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.

Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also frequently speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see http://www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press™

Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.

If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2025 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press.™ For information about licensing for republication, please contact the author directly. All other rights reserved.

Comments Off on Verify ERISA Bonding Compliance | 401(k), Corporate Compliance, ERISA, Fiduciary Responsibility, group health plan, health plan, Health Plans, retirement plan, Retirement Plans, Retirements, self insured health plan | Tagged: business, Finance, investing, personal-finance, retirement-planning | Permalink
Posted by Cynthia Marcotte Stamer

2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated

December 27, 2024

2025 surprise billing independent dispute resolution fees applicable to health plans, health insurers and health care providers will remain are holding steady.

On December 27, 2024, the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”), and the Department of the Treasury (collectively, the “Departments”) updated the No Surprises Act (NSA) website to reflect updated certified IDR entity fees in accordance with the Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule (IDR Fees Final Rule).

The IDR Fees Final Rule, effective as of January 22, 2024, set forth the 2024 IDR entity fee ranges. The Departments announced these fees will remain unchanged for 2025.

The 2025 IDR entity fees now published on the NSA website are effective for disputes initiated on or after January 1, 2025. For these disputes, the administrative fee amount is $115 per party per dispute, and the certified IDR entity fee ranges are $200-$840 for single determinations and $268-$1,173 for batched determinations. The website now includes information on the fee set by each certified IDR entity within these ranges.

Along with confirming the 2025 fees, the Departments caution plans and providers to monitor the website for updates to the IDR web form to accommodate guidance-related and system enhancements. The Departments ask plans and providers who have initiated an IDR dispute previously, to clear their computer’s cache or open the IDR initiation web form in a private or incognito window at least once a week to see all the new features. The Departments warn to clear the cache or open this form in private/incognito mode could result in additional follow-up with certified IDR entities or system errors.

The author of this update, Cynthia Marcotte Stamer is an American College of Employee Benefits Counsel Fellow and attorney board certified in Labor and Employment Law by the Texas Board of Legal Specialization, who has decades of experience advising health plans and insurers, third party administrators, managed care and other health care payers and providers with surprise billing and other claims, payment and other design, administration, regulatory and other enforcement, dispute resolution, compliance, risk management and operational matters. If you have questions or need advice or help evaluating or addressing these or other compliance, risk management, or other concerns, contact her.

For More Information

We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452-8297.

Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.

About the Author

Ms. Stamer’s work throughout her career has focused heavily on working with businesses domestically and internationally on employment, benefits, Federal Sentencing Guidelines and other workforce management, regulatory and public policy and other legal and operational concerns.

Author of many highly regarded compliance, training and other resources on health and other employee benefits, health care, insurance, workforce and other risk management and compliance, Ms. Stamer is widely recognized for her thought leadership and advocacy on these matters.

In addition, Ms. Stamer serves as a Scribe for the American Bar Association (“ABA”) Joint Committee on Employee Benefits annual agency meetings with OCR and shares her thought leadership as International Section Life Sciences Committee Vice Chair, and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press, Inc.™ resources.

NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at the particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often rapidly evolves, subsequent developments that could impact the currency and completeness of this discussion are likely. The author and Solutions Law Press, Inc. disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

©2024 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on 2025 Surprise Billing Fees Unchanged But Clear Cache Weekly To Stay Updated | Claims, Claims Administration, compliance, Consumer Protection, Direct Primary Care, Employee Benefits, Employer, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, health insurance, health insurance marketplace, health plan, Health Plans, Human Resources, Managed Care, Surprise Billing, Tax, Technology | Tagged: Health Care, Health Plans, Solutionslawyer, Surprise Billing | Permalink
Posted by Cynthia Marcotte Stamer

$2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable

May 4, 2024

The $2.7 million settlement government contractor Insight Global LLC, (“Insight”) is paying to settle a Justice Department (“DOJ”) False Claims Act civil suit for lax cybersecurity shows government contractors now must add possible False Claims Act prosecution to the already substantial and ever-widening potential consequences all organizations and leaders when their organizations experience a cyber incident.

Supplementing the strength and reach of existing cybersecurity laws by using the False Claims Act, federal securities, employee benefit fiduciary responsibility. and other laws as tools to pressure organizations and their leaders to strengthen their cybersecurity compliance and defenses is a key component of the National Cybersecurity Strategy the Administration announced in March, 2023 to battling the ongoing pandemic of cyber incidents. As National Cybersecurity Strategy states, “Continued disruptions of critical infrastructure and thefts of personal data make clear that market forces alone have not been enough to drive broad adoption of best practices in cybersecurity and resilience. … We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.

The National Cyber Security Strategy goes on to warn, “We will use Federal purchasing power and grant-making to incentivize security.”

With holding businesses and their leaders accountable a key component of the Federal government’s National Cybersecurity Strategy, government contractors specifically and all businesses and their leaders generally should heed the use of the DOJ’s use of the False Claims Act as another tool in its expanding arsenal for holding businesses experiencing cyber breaches accountable as proof of their own growing imperative to manage their own cyber security and liability in response to exploding strains of cyber threats and liabilities.

Government Contractor False Claims Act Cyber Risk

DOJ’s adoption of the False Claims Act as a tool for imposing liability against government contractors experiencing a cyber breach is part of a broader effort to persuade organizations and their leaders to tighten their cyber security defenses and responses by ratcheting up the liability and other consequences organizations and their leaders face when their organizations experience a cyber incident. The False Claims Act imposes treble damages and penalties on those who knowingly and falsely claim money from the United States or knowingly fail to pay money owed to the United States.

A Civil Cyber-Fraud Initiative announced by DOJ on October 6, 2021 adds potential False Claims Act civil lawsuits by DOJ or private whistleblowers to the already significant and expanding consequences government contractors and grant holders can face for failing to fulfill requirements to properly secure protected health information or other sensitive data as required in their government contracts.

According to DOJ’s May 1, 2024 announcement, Insight will pay $2.7 million to resolve DOJ False Claims Act charges for failing to have adequate cybersecurity measures to protect health information obtained during COVID-19 contact tracing under the new of the Settlement shows DOJ is following through on its promise.

$2.7 Million Insight FCA Cyber Settlement

The $2.7 million Settlement settles a whistleblower lawsuit, United States ex rel. Seilkop v. Insight Global LLC, No. 1:21-cv-1335 (M.D. Pa.). Filed under the whistleblower provisions of the False Claims Act that permit private parties to sue on behalf of the government when they believe that defendants submitted false claims for government funds and to receive a share of any recovery, DOJ intervened in the suit. Whistleblower, Terralyn Williams Seilkop, a former Insight Global staff member who worked on the contact tracing at issue, will receive a $499,500 share of the $2.7 million settlement amount.

The lawsuit alleged the Pennsylvania Department of Health hired Insight to provide staffing for COVID-19 contact tracing and paid Insight using federal funds from the U.S. Centers for Disease Control and Prevention. Although keeping personal health information of contact tracing subjects confidential and secure was part on its contractual duties, Insight failed to secure the protected health information. Instead, DOJ claimed, for example, Insight transmitted certain personal health information and/or personally identifiable information of contact tracing subjects in the body of unencrypted emails, stored and transmitted the information using Google files not password protected, making them potentially accessible to the public via internet links and allowed staff to use shared passwords to access that information.

DOJ additionally alleged that from November 2020 through January 2021, Insight managers received complaints from Insight staff that protected health information was unsecure and potentially accessible to the public, but failed to start remediating the issue until April 2021 after deficiencies came to light.

When Insight eventually began remediating these cybersecurity breaches and deficiencies in 2021, the announcement states Insight cooperated with the DOJ investigation of the cause and scope of the incident. It also took steps to remedy cybersecurity deficiencies by strengthening internal controls and procedures, adding more data-security resources and issuing a public notice regarding the scope of the potential exposure and offering free credit monitoring and identity protection services to those affected. FOJ also reports Insight also cooperated with the United States’ investigation.

DOJ’s Insight settlement announcement warns other government contractors of DOJ’s “continuing commitment to ensure that government contractors fulfill their cybersecurity obligations.” Its announcement quotes Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division as stating, “The Justice Department will hold accountable those contractors who knowingly fail to satisfy cybersecurity requirements.”

Meanwhile, Special Agent in Charge Maureen R. Dixon of the Department of Health and Human Services Office of Inspector General (HHS-OIG) is quoted as stating “Contractors for the government who do not follow procedures to safeguard individuals’ personal health information will be held accountable.”

Cyber Risk Implications For Government Contractor & Other Organizations

Potential False Claims Act liability under the DOJ False Claims Act Civil Cyber-Fraud Initiative add additional liability risks for government contractors to already substantial and growing federal and state regulatory, contractual, and civil and criminal liabilities and other consequences that cyber breaches and other cybersecurity weaknesses create for business and other organizations, their health plans and their leaders. Examples of these other exposures that lax privacy, data security, data breach and other cybersecurity practice may create include:

Business operating losses from resulting operational disruptions and damages to customer, business partner, shareholder and public trust;
Federal Sentencing Guidelines organizational criminal liability arising from violations of electronic crime and other federal criminal data privacy and security laws;
Federal Trade Commission Act and state unfair business practices liability for deceiving customers about privacy practices;
Security and Exchange Commission (“SEC”) criminal and civil actions and shareholder lawsuits under the Security and Exchange Act;
Health Insurance Portability & Accountability Act civil monetary penalty and criminal exposures for health plans, health care providers, health care clearinghouses and their business associates;
Employee Benefit Security Act fiduciary liability for health fiduciaries;
Liability for violation of Fair and Accurate Transaction Act, Internal Revenue Code, or other federal privacy or confidentiality laws;
damages and other penalties and judgments arising under state identity theft, data security, privacy and other state statutory, contractual and tort laws; and
More.

These and other constantly emerging exposures show the imperative for government contractors and all other organizations and their leaders to ensure their organizations take adequate, well-documented efforts to protect their systems and data and fulfill all otherwise applicable cybersecurity rules.

With new cyber attacks and strains of cyber liability, emerging constantly, organizations, and their leaders increasingly must change the way they think about and address their own cyber security and other technology, budgets and management. The escalation of cyber incidents and risks necessitates that organizations and their leaders to treat cybersecurity as critical components of their operational and business plans and priorities.

Amid the pandemic of constantly evolving cyber threats, even the most diligent efforts to secure systems and data cannot guarantee the prevention of a breach or other cyber incident. Given this challenge, organizations and their leaders must focus both on taking meaningful steps to adequately secure their systems and data against a cyber breach or incident as well as position their organizations and leaders to defend their actions and mitigate exposures through appropriate strategic planning, documented oversight and risk assessment, monitoring and response of threats and safeguards; preparation and timely response to cyber events using attorney-client privilege and other evidentiary tools to promote the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making.

As the availability of funding can radically impact the effectiveness of these and other risk mitigation efforts when a cyber incident occurs, these preparations also should incorporate insurance and other arrangements to provide for breach investigation funding and response.

For Additional Information

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

If you need have questions or need assistance with this or other cybersecurity, health, benefit, payroll, investment or other data, systems or other privacy or security related risk management, compliance, enforcement or management concerns, to inquire about arranging for compliance audit or training, or need legal representation on other matters, contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of cybersecurity, workforce, technology and other compliance, risk management and mitigation, incident and other investigations,regulatory and government affairs, and other strategic, operational, regulatory and legal and consulting management work for government contractors and other public and private businesses; managed care and other health and life science, insurance, technology, and other performance and data dependent organizations,

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership with healthcare and life sciences, employment and employee benefits, managed care and insurance, data and technology and other related industries and organizations. Known for her skill combined use of her extensive legal and operational knowledge to help these and other clients develop, operationalize and defend employment, employee benefits, compensation and other staffing and workforce; data, systems and other technology; heath benefit and other healthcare and life science, managed care and insurance; employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational actions and practices. She speaks and publishes extensively on these and other related compliance issues.

Ms. Stamer’s work throughout her career has focused heavily on working with health care and managed care, life sciences, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Author of a multitude of highly regarded publications on HIPAA and other medical record and data privacy and scribe for the ABA JCEB Annual Meeting with the HHS Office of Civil Rights, her experience includes extensive involvement throughout her career in advising health care and life sciences and other clients about preventing, investigating and defending EEOC, DOJ, OFCCP and other Civil Rights Act, Section 1557 and other HHS, HUD, banking, and other federal and state discrimination investigations, audits, lawsuits and other enforcement actions as well as advocacy before Congress and regulators regarding federal and state equal opportunity, equity and other laws.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here.

IMPORTANT NOTICE

NOTICE: These statements and materials are for general informational and educational purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstances at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules make it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access to this publication.

Comments Off on $2.7 Million FCA Cyber Liability Settlement Shows New Tool In Government’s Strategy To Fight Cyber Insecurity By Holding Businesses & Leaders Accountable | Antitrust, Attorney-Client Privilege, Banking, board of directors, Brokers, Civil Monetary Penalties, Claims, compliance, Corporate Compliance, corporate governance, Cybercrime, Cybersecurity, Data Breach, Data Security, Department of Defense, DFAR, Disaster, Educational Privacy, Emergency, Employee Benefits, Employer, Employers, Employment, Employment Policies, enforcement, ERISA, false claims act, FTC, Government Accountability, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, health plan, Health Plans, HIPAA, HR, Human Resources, Identity Theft, Insurance, insurers, Internal Controls, Internal Investigations, Managed Care, OFCCP, Personal Health Records, Personal Health Recordss, Physician, Plan Admistrator, Protected Health Information, Provider, self insured health plan, Technology, third party administrators, tpa, Whistleblower | Tagged: Corporate Compliance, Cyber, Data Breach, Data Security, Employee Benefits, Employer, Employers, Employment, ERISA, fca, Federal Sentencing Guidelines, government contractor, Health Insurance, Health Plans, HIPAA, Human Resources, Insurance, Insurer, Privacy, Risk Management, Technology, Worker Classification | Permalink
Posted by Cynthia Marcotte Stamer

Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack

March 17, 2024

What Health Plans, Their Fiduciaries, Vendors & Sponsors Should Be Doing Now

Health plans, their fiduciaries, health plan sponsors and insurers, and their administrative and other service providers should move quickly to understand and act to mitigate the exposures likely to arise under the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, the claims, notice and fiduciary responsibilities under the Employee Retirement Income Security Act of 1974 (ERISA), state contract, prompt pay and other duties to health care providers or other responsibilities in response to disruptions created by the Blackcat1234 ransomware attack (CH/UHG Attack) experienced by UnitedHealthcare Group (UHG) subsidiary Change Healthcare.

Change Healthcare Ransomware Attack

On February 21, 2024, a ransomware attack executed by the Blackcat1234 ransomware group took control of and shut down the payment, revenue cycle management and related tools and systems of UHG Subsidiary Change Healthcare. Well-known for stealing sensitive data and demanding ransom for not publishing it, and other public and private cybersecurity monitoring and tracking organizations have warned heath care and other system operators to guard against Blackcat1234 and related ransomware attack risks since at least 2022. See, e.g., #StopRansomware: ALPHV Blackcat | CISA.

The Change Health shutdown resulting from the Blackcat1234 ransomware attack has created widespread disruptions to key care authorization, billing and other pharmacy, provider and other plan and provider transactions within health care and health benefit systems nationwide due to the widespread use of the Change Health tools.

Due to the widespread use of the Change Healthcare tools and systems as a financial clearinghouse for connecting pharmacy benefit managers, health care providers, and other key plays and health plans throughout the health care and health benefits industry, the attack has and continues to disrupt key billing, care-authorization, payment and other transactions between health plans, health care payers and pharmacies, physicians and other health care providers and health care payers and their partners across the health care industry.

As UHG has worked to recover from the Change Health attack, the resulting shutdown and disruption to electronic payment and medical claims systems incorporating the compromised Change Healthcare tools create various legal and operational headaches for many health plans and other health care payers by preventing or obstructing the submission and processing of health care claims and other transactions between health care providers and health plans. While UHG works to remediate and restore the operability and security of the Choice Health tools and systems, health plans, and insurers, their fiduciaries, plan sponsors, and fiduciaries should take timely and prudent steps in response to the breach and resulting disruptions to mitigate the exposure of their health plans, and themselves under HIPAA and ERISA.

HIPAA Security & Breach Notification Responsibilities

While most health care providers and health plans expect Change Health and other UHG entities to face potential data breach and breach notification responsibilities and liabilities under HIPAA and other federal and state data privacy and cybersecurity laws, many health plan fiduciaries, sponsors, insurers, and administrative or other service providers have given limited consideration to how the February 21, 2024, cyber event impacted their HIPAA responsibilities and exposures. Guidance published by the U.S. Department of Health and Human Services Office for Civil Rights (OCR) on March 13, 2023, alerts health plans and health insurers, their fiduciaries and plan sponsors, health care providers, health care clearinghouses, and their business associates (covered entities) against overlooking their own potential HIPAA responsibilities arising from the February 21 Choice Health attack or other similar events.

HIPAA requires covered entities and their business associates to protect the privacy and security of protected health information, to have and enforce HIPAA-compliant business associate agreements, to conduct timely documented risk assessments in response to known or foreseeable security threats, and to provide notice of a breach to OCR, affected individuals and for breaches affecting more than 500 individuals.

Under the HIPAA Security Rule, covered entities must conduct documented risk assessments to evaluate and monitor their electronic personal health information (EPHI) and associated systems for potential breaches and other threats that expose EPHA to unauthorized use, access, disclosure, destruction or other compromise.

To fulfill this requirement, the Security Rule requires covered entities and business associates to conduct documented risk assessments impacting their EPHI and to update these risk assessments in response to internal or external events impacting the adequacy of their risk assessments or security safeguards.

While the responsibility of covered entities and business associates to protect EPHI against unauthorized use, access and disclosure from cybercriminals and others receives the most attention, the Security Rule also includes often less discussed responsibility to protect EPHI and related operating systems against destruction or other disruptions from a wide range of threats including ransomware attacks.

OCR guidance makes clear that OCR views safeguarding EPHI against ransomware and other cybersecurity threats as encompassed in this duty. As part of these efforts, OCR and other cybersecurity agencies have recommended among other things that covered entities and business associates:

Routinely take inventory of assets and data to identify authorized and unauthorized devices and software;
Prioritize remediation of known exploited vulnerabilities’
Enable and enforce multifactor authentication with strong passwords;
Close unused ports and remove applications not deemed necessary for day-to-day operations.

See e.g., #StopRansomware: ALPHV Blackcat | CISA.

Furthermore, when a breach of results in an unauthorized use, access, disclosure or destruction of EPHI, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide timely notification of the breach to subjects of the breached EPHI and OCR, and if the breach affects more than 500 subjects, to the media. Concurrently, the HIPAA Security Rule requires health plans and other covered entities to evaluate through documented risk assessments and take appropriate timely action to update their EPHI security as necessary to respond to breaches, potential breaches and other evolving threats to their EPHI and related systems.

On March 13, 2024, the Office of Civil Rights (OCR) released a “Dear Colleague letter” that warns the February 21, 2024 CH/UHG data breach is likely to trigger HIPAA obligations and investigations for Choice Health and UHG as well as other HIPAA-covered health plans, heath care providers, heath care clearinghouses and business associates. While stating the investigation currently focuses on Change Healthcare and UHC, for instance, the Dear Colleague Letter warns that OCR anticipates that its response to the February 21, 2024 CH/UHG Attack eventually also will include “secondary” investigations of other health plans, health care providers, health care clearinghouses and business associates “tied to or impacted by this attack.”

In light of these anticipated secondary investigations, OCR’s Dear Colleague letter warns health plans, health care providers, health care clearinghouses, business associates to ensure they timely and properly handle their own potential HIPAA responsibilities arising from the CH/UHG Attack. The Dear Colleague letter expressly alerts health plans, health care providers and other covered entities and business associates “that have partnered with Change Healthcare and UHG” in anticipation of OCR’s expected secondary investigations to ensure that their own ability to demonstrate their organization meet all required HIPAA responsibilities including that:

All required “business associate agreements are in place;
All required breach notifications are provided to HHS, affected persons and in the event of a large breach affecting more than 500 individuals, to the media; and
All security and other HIPAA responsibilities are met.

The Dear Colleague Letter also directed covered entities and their business associates to the following previously released OCR resources for assistance in understanding their responsibilities for guarding EPHI against ransomware and other cybersecurity threats:

The OCR HIPAA Security Rule Guidance Material webpage;
OCR Video on How the HIPAA Security Rule Protects Against Cyberattacks;
OCR Webinar on HIPAA Security Rule Risk Analysis Requirement;
HHS Security Risk Assessment Tool;
Factsheet: Ransomware and HIPAA; and
Healthcare and Public Health (HPH) Cybersecurity Performance Goals.

Standing alone, the Dear Colleague Letter makes clear that all covered entities partnered with or impacted by disruptions from the CH/UHG attack need to take documented steps to reevaluate and tighten the adequacy of their existing security safeguards as well as their processes for monitoring and responding to evolving ransomware and other cybersecurity threats in anticipation of becoming the target of potential “secondary” OCR investigations arising from the CH/UHG Attack.

While the Dear Colleague Letter specifically references covered entities and business associates “partnered” with Choice Health, OCR’s previously issued guidance warning all covered entities and their business associates to safeguard their EPHI against ransomware and other cybersecurity threats, strongly suggest that all covered entities and business associates should consider the advisability of reevaluating the adequacy of their own EPHI safeguards in light of the heightened ransomware and other cyber threat illustrated by the CH/UHG Attack. Consequently, all covered entities and business associates partnered with or impacted by the CH/UHG Attack or its resulting distributions specifically, as well as covered entities and business associates generally should work with experienced legal counsel to conduct documented risk assessments of their systems, exposures, responsibilities and risks taking into account these developments as soon as possible in anticipation of complaint or audit driven investigations arising from the Choice Health and other malware events and threats.

ERISA-Covered Health Plan Data Security & Breach Related Fiduciary Duties

In addition to any applicable HIPAA responsibilities, fiduciaries and sponsors of employer or union sponsored health plans subject to the Employee Retirement Income Security Act (ERISA) also should consider whether the CH/UHG Attack or the heightened ransomware and other cyber security threats any additional actions are prudently necessary to protect the health plan data, assets or operations.

ERISA generally requires individuals or entities named as fiduciaries or otherwise possessing functional discretionary authority or responsibility or authority over a plan or its assets (fiduciaries) to act prudently to protect and administer the plan and its assets. Department of Labor Employee Benefit Security Administration (EBSA) guidance published in April, 2021 first officially confirmed its interpretation of ERISA’s duty of prudence as including a duty to utilize prudent cybersecurity safeguards. Since EBSA published this cybersecurity guidance EBSA also has also added cybersecurity inquiries to its plan fiduciary audits. As a result, in addition to complying with HIPAA, ERISA-covered health plan fiduciaries and sponsors also should be prepared to demonstrate plan fiduciaries acted prudently to comply with HIPAA as well as the following actions to safeguard health and other employee benefit plan data and systems against cybersecurity threats:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.

Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

In light of this OCR and EBSA guidance, health plan sponsors, fiduciaries and vendors and other HIPAA covered entities and business associates are urged to take documented steps to audit and strengthen as needed their safeguards against hacking and other cybersecurity threats including:

In the case of any health plan or health plan vendor, taking well documented steps to assess and tighten as necessary their health plan systems and data security to meet or exceed the recommendation outlined in the EBSA cybersecurity guidance or otherwise necessary to prudently guard their plans and plan data and systems against cybersecurity threats.
Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Because susceptibilities in systems, software and other vendors of business associates, covered entities and their business associates should use care to assess and manage business associate and other vendor associated risks and compliance as well as tighten business associate and other service agreements to promote the improved cooperation, coordination, management and oversight required to comply with the new breach notification and other HIPAA requirements by specifically mapping out these details.

Furthermore, while the preemption provisions of ERISA generally insulate health plans and their sponsors from responsibility or liability for complying with state insurance, data security, breach notification or other state law cybersecurity and cyber breach and breach notification laws and rules, health insurers and other health plan service providers generally remain subject to these state law requirements. Consequently, health insurers, administrative service providers and other health plan vendors also should act promptly to evaluate and ensure their fulfillment of all applicable cybersecurity and data breach mandates under relevant state law.

Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards. Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations and the Employee Benefit Security Administration recently has issued guidance recognizing prudent data security practices as part of the fiduciary obligations of health plans and their fiduciaries.

Finally, health plans and other covered entities are reminded that appropriate strategic planning and use of attorney-client privilege and other evidentiary tools can critically impact the defensibility of pre-breach, breach investigation and post-breach investigation and decision-making. Because HIPAA, EBSA and other rules typically require prompt investigation and response to known or suspected hacking or other cybersecurity threats, health plans and other covered entities or business associates should seek the assistance of experienced legal counsel to advise and assist in these activities to understand the potential availability and proper use of these and other evidentiary rules as part of the compliance planning process as well as to prepare for appropriate use in the event of a known or suspected incident to avoid unintentional compromise of these protections.

ERISA & Other Risks From Untimely Timely Acceptance & Processing of Health Plan Eligibility & Benefit Provisions

Since Change Health shut down its tools and systems CH/UHG Attack has created and continues to cause nationwide disruptions in the ability of pharmacy, physician and other health care providers to submit, and health plans and insurers to receive and process a wide range of health care billing, claims and other transactions because of the widespread integration and use of Choice Health tools in systems health care providers and payers use for the submission, receipt, and processing of health care provider eligibility, billing and other health benefits.

Along with the liabilities and headaches that the ransomware attack and resulting disruptions create for Choice Healthcare and UHG, delays and other disruptions in the handling of health benefit eligibility, claims processing, notifications and payment by health plans and their administrative services providers arising from can create a host of additional liability headaches health plans, health insurers, their fiduciaries and administrative services providers in addition to those arising directly from the HIPAA and other cybersecurity breach itself.

For ERISA-covered health plans, ERISA generally holds health plans and their fiduciaries accountable for the prudent, timely administration of health plan eligibility, claims and other administrative functions in accordance with the terms of the plan and within the applicable time frames and other requirements of ERISA’s reasonable claims procedure and adverse benefit determination rules. Health plans and their ERISA plan administrators generally must receive and process claims transactions required by the adverse claim determination regulations and provide participants or beneficiaries with detailed written notifications for any claims not processed and paid within the relevant 72-hour, 15-day or 30-day time period specified by the adverse claim determination rules. Noncompliance with these requirements both undermines the defensibility of the health plan’s denial of coverage and subjects the plan administrator to liability for EBSA penalties and/or discretionary awards of penalties plus attorneys’ fees and other costs of enforcement to plan participants or beneficiaries for failures to deliver timely notification of the denial. To the extent that EBSA or a court determines that the failure to timely and appropriately process and pay benefits resulted from a lack of prudence or other breach of ERISA fiduciary duties, fiduciaries are at risk for incurring personal liability for actual damages to the plan or its participants plus attorneys’ fees and other costs of enforcement; EBSA penalties for engaging in a breach of fiduciary duty under ERISA section 502(l); or both.

Beyond these ERISA-related risks, delays in processing and payment of health care provider claims also create potential additional liability for health insurers, health plans and their administrators to the extent the disruptions prevent the timely payment and processing of health benefit claims in violation of health care provider rights under managed care or other provider contracts, prompt pay and surprise billing or other provider legal rights. Unlike member claims assigned to providers, ERISA generally does not preempt these nonderivative provider rights and claims or the additional state law damages, penalties or other remedies arising under state law against health insurers, health plans and plan administrators found to violate these rules. Consequently, delays in payments to providers also could substantially increase the costs and liabilities that health insurers, health plans, their fiduciaries, administrators, and employers and other sponsors obligated under the plan terms or vendor contracts to pay these costs.

In light of these and other potential risks, health insurers and health plans, their employer, union and other sponsors, fiduciaries, administrative services providers and other vendors should act quickly to investigate and ensure proper management of the fallout from the CH/UHG Attack and the heightened ransomware and other cybersecurity threats it represents.

Along with working with qualified legal counsel to address the potential HIPAA, ERISA and other responsibilities the health plan or insurer, its fiduciaries, service providers and sponsor bear from the CH/UHG Attack and other cyber risks, most parties also will want to evaluate obligations to notify cybersecurity and other liability insurers, seek indemnification from Choice Healthcare, UHG or other potentially culpable parties and evaluate other sensitive data and strategies for mitigation of their health plan and their own resulting liabilities, costs and other consequences.

For Additional Information

About the Author

Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35 plus years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications.

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Laws Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on Manage Health Plan HIPAA, ERISA & Other Exposures From Change Healthcare Ransomware Attack | Association Health Plan, Corporate Compliance, group health plan, health Care, Health Care Sharing Ministries, health insurance, health plan, Health Plans, HIPAA, Public Policy, self insured health plan, tpa | Tagged: change healthcare, Cyber Security, Cybersecurity, ERISA, Fiduciary Responsibility, Health Care, Health Insurance, Health Plans, HIPAA, ransomware, Security | Permalink
Posted by Cynthia Marcotte Stamer

$160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access

January 8, 2024

Health plans, health care providers and health care clearinghouses (“Covered Entities”) treat the Department of Health and Human Service Office of Civil Right (“OCR”) announcement of its 46^th enforcement action under the Health Insurance Portability & Accountability Act (“HIPAA”) Right of Access Rule as a warning to confirm their own organization’s timely delivery of records and other compliance with the Rule. Coupled with OCR’s Right of Access Rule settlement agreement with United Health Insurance Group last August, the latest settlement agreement sends a strong message to health plans and other Covered Entities about the risks of failing to deliver protected health information as required by the Right of Access Rule.

HIPAA Right of Access Rule

The HIPAA Right of Access Rule guarantees individuals the right to access a broad array of health information about themselves maintained by or for health plans and other Covered Entities. Under the Right of Access Rule, Covered Entities generally must provide individuals or their personal representatives copies or other acceptable access to the individual’s protected health information in a Covered Entity’s “designated record set” for a reasonable cost as soon as possible and within 30 days of receiving a request for a reasonable cost. However, the Right of Access Rule does not grant any right for an individual to access protected health information that is not part of a designated record set because the information is not used to make decisions about individuals.

The request for protected health information triggering the duty for a Covered Entity to provide access to the protected health information may come from the individual who is the subject of the protected health information or from the “personal representative” of that individual. When considering a request for protected health information from an individual other than the subject of the protected health information, health plans and other Covered Entities also must use care to verify that the requesting party, in fact, qualifies as the individual’s “personal representative” as defined for purposes of HIPAA.

Once a health plan or other Covered Entity receives a request protected health information from the individual or his personal representative, the Right of Access Rule requires the Covered Entity to provide access to all requested protected health information within any “designated record set” within 30 days unless the requested information falls within one of two exceptions to the Rule.

For this purpose, a “designated record set” generally is defined at 45 CFR 164.501 as any item, collection, or grouping of information that includes protected health information that is maintained, collected, used, or disseminated by or for a Covered Entity that comprises the:

Medical records and billing records about individuals maintained by or for a covered health care provider;
Enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
Other records that are used, in whole or in part, by or for the covered entity to make decisions about individuals. This last category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access.

However, the Right of Access Rule only requires the delivery of protected health information that is part of a designated record set. It does not require health plans or other Covered Entities to provide protected health information that the Covered Entity does not use to make decisions about the individual, since this information is not considered part of a designated record set. Examples of such records of protected health information might include protected health information in certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records the Covered Entity uses for business decisions more generally rather than to make decisions about the subject individual. Before refusing to provide information not part of a designated record set, however, the health plan or other Covered Entity does not also use or possess that information for making decisions about the subject individual or that disclosure is not otherwise required under another law. For example, even if the Right of Access Rule does not require disclosure of protected health information because it is not considered part of a designated record set, a health plan still be required to disclose the record if required by the adverse benefit determination rules of the Patient Protection and Affordable Care Act (“ACA”), claims and appeals rules of the Employee Retirement Income Security Act or other applicable law, regulation or another law.

Even where the information falls within the definition of a designated record set, however, HIPAA expressly excludes two categories of information from the Right of Access right:

Psychotherapy notes, which are the personal notes of a mental health care provider documenting or analyzing the contents of a counseling session maintained separately from the rest of the patient’s medical record as described in 45 CFR 164.524(a)(1)(i) and 164.501.
Information complied in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding described under 45 CFR 164.524(a)(1)(ii).

However, it is critical that Covered Entities not overestimate the reach of either of these two exceptions. The exception only applies to the narrow range of records meeting the requirements of the exception. The underlying protected health information from the individual’s medical or payment records or other records used to generate the above types of excluded records or information remains part of the designated record set and is subject to access by the individual under the Right of Access Rule. Providers and other Covered Entities should use care to comply with the Right of Access Rule without providing more information than allowed as HIPAA liability can arise from failing to timely deliver access to all protected health information required by the Right of Access Rule or from sharing protected health information with an individual who is not either the individual or personal representative when the disclosure otherwise is not allowed by HIPAA To help negotiate these requirements, Covered Entities should become familiar with and process all requests for protected health information following the latest Right of Access Rule guidance. When in doubt, Covered Entities should seek the advice of experienced legal counsel within the scope of attorney-client privilege about proper fulfillment of their obligations under the Right of Access Rule in coordination with any other applicable responsibilities the Covered Entities has to provide access, disclose, or prevent disclosure of the requested information under otherwise applicable federal or states laws and regulations, ethical or other professional standards, contractual or other medical, insurance, financial, employee benefit or other rules relating to the requested records.

Optum Settlement 46^th Right Of Access Enforcement Settlement

The Optum settlement resulted from OCR’s investigation of six complaints in the Fall of 2021 that Optum violated the Right of Access Rule by failing to provide timely access to medical records when requested by an adult patient or by the parents of minor patients.

In February 2022, OCR initiated investigations of these Right of Access complaints. The investigation revealed that patients received their requested records between 84 and 231 days after submitting their respective requests. Since the Right of Access Rule requires that Covered Entities deliver the records no later than 30 days from receiving the individual’s requests, those timeframes fell well outside of the deadline for delivery required by the HIPAA Right of Access Rule. Accordingly, OCR concluded that Optum’s failure to provide timely access to the requested medical records was a potential violation of HIPAA.

Under the Resolution Agreement reached with Optum, Optum agreed to pay $160,000 to OCR as well as implement a corrective action plan that requires workforce training, reporting records requests to OCR, and reviewing and revising as necessary its right of access policies and procedures to provide timely responses to requests. Under the plan, OCR will monitor Optum Medical Care for one year.

Right Of Access Remains OCR Investigation & Enforcement Priority

The Optum enforcement action and settlement is the latest reminder to all Covered Entities that investigation and enforcement remains a top OCR priority. See e.g. OCR Sanction Of 44th Health Care Provider For Violating HIPAA Right of Access Rules Warning To Other Covered Entities. Because access to medical records empowers patients and their families to make decisions about their health care and improve their health overall, OCR views access to medical records “a fundamental right under HIPAA. For this reason, OCR believes it “critical that providers follow the law.” Accordingly, OCR Director Melanie Fontes Rainer has warned that health care providers “must proactively respond to record requests and ensure timely access” and “make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority.” See e.g., HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints with Optum Medical Care Over Patient Access to Records (January 4, 2024).

While health care providers are the most common target of OCR’s Right Of Access complaints and enforcement, OCR’s August, 2023 Right of Access settlement against United Health Insurance Group (“UHIG”) confirms health plans also are targets. That settlement arose from OCR’s investigation of a March 2021 complaint alleging that UHIC did not respond to an individual’s request for a copy of their medical record. The investigation showed the individual first requested a copy of their records on January 7, 2021, but did not receive the records until July 2021, after OCR initiated its investigation. Movrover, the March, 2021 complaint was the third complaint OCR received from the complainant against UHIC alleging failures to respond to his right of access. These findings led OCR to conclude UHIC’s failure to provide timely access to the requested medical records was a potential violation of the HIPAA right of access provision. In OCR’s announcement of UHIG’s agreement to pay $80,000 to resolve these potential charges, OCR Director, Melanie Fontes Rainer warned, “Health insurers are not exempt from the right of access and must ensure that they are taking steps to train their workforce to ensure that they are doing all they can to help members’ access to health information.” See, UnitedHealthcare Pays $80,000 Settlement to HHS to Resolve HIPAA Matter over Patient Medical Records Request.

Manage Right of Access Rule Exposure

Despite OCR’s warnings about the responsibility to comply with the Right of Access Rule, many health plans and other Covered Entities continue to violate the Rule. OCR has and continues to receive thousands of Right of Access Rule complaints each year. In response to these persistent compliance issues, OCR continues to make enforcement of the Right of Access Rule a key enforcement priority through its Right Of Access Initiative.

In light of OCR’s commitment to continue to investigate and enforce compliance with the Right of Access Rule, health care providers and other Covered Entities and their business associates are urged to review their existing practices for receiving and processing patient record requests to confirm their own organizations’ compliance with the Right of Access Rule and other applicable federal and state statutory regulatory and contractual requirements. To reduce risks of violations, all health care providers and other Covered Entities should seek assistance from experienced legal counsel within the scope of attorney-client privilege to audit their past and current Right of Access Rule compliance for any necessary or advisable steps to prevent future violations and mitigate potential liabilities arising from potential past or future violations of the Right of Access Rule. Aside from confirming documented timely responses to past requests for protected health information, among other things, most Covered Entities will want to consider:

Verifying that their current policies, privacy practices notices, training and other materials are updated to comply with all applicable policies and properly identify and provide current contact information for the Privacy Officer or other party responsible for receiving and responding to protected health information requests;
Appropriate procedures are in place to ensure that the Covered Entity can produce required documentation showing the individuals are appropriately notified of the Right of Access and other HIPAA rules, and that the Covered Entity captures the necessary documentation to show its receipt of all requests, and timely investigation and response to such requests;
Appropriate and documented processes for collecting, investigating, or resolving any potential concerns, complaints, or other issues, their evaluation, and resolution;
Appropriate workforce, business associates, and other policies, training, oversight, and enforcement to require and enforce compliance with applicable laws and policies; and
Appropriate processes, procedures, and training to ensure that staff fully understands and complies with both the specific processes and procedures of the Covered Entity for complying with the Right of Access Rule, as well as related procedures necessary to manage risks and responsibilities arising under verification of identity, personal representative, disclosure, recordkeeping or other HIPAA’ rules; medical, insurance, financial, or other data or privacy; licensure and market conduct; civil rights and nondiscrimination; fiduciary; licensure; marketing or other rules.

When confirming compliance with the Right of Access Rule, health plans and other Covered Entities also should reevaluate their organization’s exposure to other HIPAA associated risks. See, e.g., Health Plans Warned To Prevent Phishing By 1st Phishing-Related HIPAA Settlement; New HIPAA Resolution Agreement Warns Health Plans & Other HIPAA-Covered Entities To Manage Media Relations, Access & Disclosure; $80,000 Penalty Confirms Health Plans Exposure For Violating HIPAA Access Rights; $350K Settlement Highlights Need For Plans & Plan Service Providers To Ensure Security, Business Associate & Other HIPAA Requirements Met. Health plans take documented, prudent steps to reconfirm the adequacy of their own, and their business associates’ policies, processes, training, documentation and other compliance with these and other medical and other plan records and data maintenance, security, use, access and disclosure.

Aside from the direct exposures for these and other HIPAA violations arising under HIPAA, health plans, their fiduciaries, insurers, plan sponsors and administrators should keep in mind that the Employee Benefit Security Administration views potential data breaches and other HIPAA violations as a potential source of fiduciary liability under the Employee Retirement Income Security Act.

While involving outside consultants or other service providers generally is valuable if not required to conduct some of these tasks, Covered Entities are encouraged to use experienced outside legal counsel to help plan, conduct, evaluate and decide, and implement responses to findings from these compliance and risk management activities both to benefit from legal counsel’s substantive legal expertise and experience and to take advantage of the opportunity to conduct sensitive discussions within the protection of attorney-client privilege or other evidentiary rules. Experienced outside legal counsel can guide Covered Entities about the best way to work with consulting and other vendors to maximize these benefits. Where legal advice is provided to health plan fiduciaries, health plans, their fiduciaries, insurers, sponsors, and service providers also should keep in mind that advice and work product performed on behalf of a health plan or plan fiduciary may not enjoy the same protection against discovery under attorney-client privilege and work product rules.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management, or public policy developments, please get in touch with the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy

About the Author

A Fellow in the American College of Employee Benefit Counsel, Co-Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee and Vice-Chair Elect of its International Employment Law Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading-edge work, scholarship and thought leadership on heath benefit and other healthcare and life science, managed care and insurance and other workforce and staffing, employee benefits, safety, contracting, quality assurance, compliance and risk management, and other legal, public policy and operational concerns in the healthcare and life sciences, employee benefits, managed care and insurance, technology and other related industries. She speaks and publishes extensively on these and other related compliance issues.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

Solutions Law Press, Inc.™ provides human resources and employee benefit and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested in reviewing some of our other Solutions Law Press, Inc.™ resources available here, such as:

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on $160K HIPAA Penalty Warns Health Plans & Other Covered Entities Deliver Timely Protected Health Information Access | Association Health Plan, Civil Monetary Penalties, Claims Administration, Corporate Compliance, Cybercrime, Data Breach, Data Security, Electronic Medical Record, employee, Employee Benefits, ERISA, Fiduciary Responsibility, group health plan, health plan, Health Plans, HIPAA, Protected Health Information, Reporting & Disclosure, self insured health plan | Tagged: Cybersecurity, Employee Benefits, Employer, ERISA, group health plan, Health Benefits, Health Insurance, Health Plan, Health Plans, healthcare, HIPAA, Human Resources, Insurance, medical information, medical records, Privacy, Security | Permalink
Posted by Cynthia Marcotte Stamer

Tri-Agencies Announce New Surprise Billing IDR Fees While Continuing IDR Suspension After Federal Court Ruling

August 11, 2023

Group health plans and individual and group health insurance subject the federal No Surprises Act (“NSA”) are likely to experience continued delays in their ability to finalize certain claims liability determinations and pay providers for health claims submitted for arbitration under the NSA-established Federal Independent Dispute Resolution (“IDR”) medical claims review process as a result of an August 3, 2023 federal court ruling even as the federal agencies responsible for implementing and enforcing those rules announce new fees for seeking IDR dispute resolution under those rules.

The current rules governing the IDR process are defined by regulations implementing the NSA jointly issued by the Department of Health and Human Services (HHS), the Department of Labor (DOL), and the Department of the Treasury (collectively, the “Departments”). These rules define the process for out-of-network providers, facilities, and providers of air ambulance services, and group health plans, health insurance issuers in the individual and group markets, and Federal Employee Health Benefits (“FEHB”) carriers (“disputing parties”) to determine the out-of-network rate for out-of-network emergency services and certain items and services provided by out-of-network providers at in-network facilities and out-of-network air ambulance services under the NSA.

IDR Process Suspended

The IDR process currently is suspended following the August 3 , 2023 ruling by the United States District Court for the Eastern District of Texas in Texas Medical Association v. United States Department of Health and Human Services, Case No. 6:23-cv-59-JDK, vacating certain portions of 45 C.F.R. § 149.510, 26 C.F.R. § 54.9816-8T, and 29 C.F.R. § 2590-716-8, which are parallel provisions governing the Federal IDR.

The Court granted summary judgement on August 3, 2023 to the Texas Medical Association and other provider plaintiffs challenging these federal IDR rules for arbitration of health coverage disputes between payers and providers under the No Surprises Act. The Court agreed with the health care providers that the rules violated federal law by failing to take into account the full range of factors Congress directed be considered when enacting the IRO rules as part of the NSA.

Immediately following the Court’s entry of the order, the Departments temporarily suspended the federal IDR medical claims review process including the ability to initiate new disputes and directed certified IDR entities to pause all IDR-related activities in response an the ruling. As a result of the suspension, the Patient-Provider Dispute Resolution Portal also temporarily ceased accepting new initiated disputes.

When announcing the suspension, the Departments said they would review the court’s decision to evaluate changes to current IDR processes, templates, and system updates necessary to comply with the court’s order. The Departments said they will issue updates to these processes in the near future and will provide specific directions to certified IDR entities for resuming all IDR-related activities in a manner consistent with the court’s judgment and order “soon.” Until then, arbitration of disputes between payers and providers under covered employment based group health plans and individual and group health insurance subject to the law will be delayed.

New IDR Fees Announced Amid Suspension

Despite the suspension, the Departments today (August 11, 2023) jointly published the No Surprises Act (NSA) Independent Dispute Resolution (IDR) Administrative Fee Frequently Asked Questions (FAQs).

The FAQs are not announcing the reopening of the Federal IDR portal to initiate new disputes. Accordingly, the IDR process remains in suspension pending further action by the Departments. In the meantime, however, the FAQs clarify the administrative fee amount that each disputing party will be required to pay to engage in the Federal IDR process when the IDR process suspension resumes as a result of the Texas Medical Association opinion and order.

What To Do Now

For health plans and their sponsors and administrators, for example, delays due to the suspension obviously delay payments to providers as many self-insured health plans, their sponsors, fiduciaries, administrators and stop-loss reinsurers approaching year end. Many stop-loss policies and other funding arrangements limit or exclude coverage for plan claims not paid with the policy period or, if the policy includes run off coverage, that brief period following the policy year end. Delays in payment also could complicate year end underwriting for renewals. Employers and unions, their brokers, administrators, fiduciaries and reinsurers should evaluate, monitor and begin strategizing about their response to these developments to prepare for their upcoming renewals and enrollment seasons.

For More Information

We hope this update is helpful. For more information about these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

We hope this update is helpful. Solutions Law Press, Inc. invites you to receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy Group.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 35+ years of health industry and other management work, public policy leadership and advocacy, coaching, teachings, and publications. As a significant part of her work, Ms. Stamer has worked extensively domestically and internationally with business, government and community leaders to prepare for and deal with pregnancy, disability and other discrimination, leave, health and safety, and other workforce, employee benefit, health care and other operations planning, preparedness and response for more than 35 years. As a part of this work, she regularly advises businesses and government leaders on an on-demand and ongoing basis about preparation of workforce, health care and other business and government policies and practices to deal with management in a wide range of contexts ranging from day to day operations, through times of change and in response to complaints, investigations and enforcement.

Author of a multitude of other highly regarded publications and presentations on MHPAEA and other and health and other benefits, workforce, compliance, workers’ compensation and occupational disease, business disaster and distress and many other topics, Ms. Stamer has worked with health plans, employers, insurers, government leaders and others on these and other health benefit, workforce and performance and other operational and tactical concerns throughout her adult life.

A former lead advisor to the Government of Bolivia on its pension privatization project, Ms. Stamer also has worked domestically and internationally as an advisor to business, community and government leaders on health, severance, disability, pension and other workforce, health care and other reform, as well as regularly advises and defends organizations about the design, administration and defense of their organization’s workforce, employee benefit and compensation, safety, discipline and other management practices and actions.

Board Certified in Labor and Employment Law By the Texas Board of Legal Specialization, Scribe for the ABA JCEB Annual Agency Meeting with OCR, Chair-Elect of the ABA TIPS Medicine and Law Committee, Chair of the ABA International Section Life Sciences Committee, and Past Group Chair and current Welfare Plan Committee Chair of the ABA RPTE Employee Benefits & Other Compensation Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

©2023 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on Tri-Agencies Announce New Surprise Billing IDR Fees While Continuing IDR Suspension After Federal Court Ruling | Association Health Plan, Claims, Claims Administration, compliance, Corporate Compliance, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, health care transparency, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, Human Resources, Managed Care, Plan Admistrator, PPO, Surprise Billing, Surprise Billingn, third party administrators, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Surprise Billing IDR Health Plan Dispute Resolution Suspension After Federal Court Ruling Could Impact Plan Renewal Underwriting and Stop-Loss Coverage

August 4, 2023

Group health plans and individual and group health insurance subject the federal No Surprises Act may experience delays in their ability to finalize liability determinations and pay providers for health claims submitted for arbitration under federal surprise billing rules as a result of an August 3, 2023 federal court ruling.

Effective August 3, 2023, the Departments of Health and Human Services Centers for Medicare and Medicaid Services, Department of Labor Employee Benefit Security Administration and Department of Treasury (“Departments”) temporarily suspended the Federal Independent Dispute Resolution (IDR) medical claims review process including the ability to initiate new disputes and directed certified IDR entities to pause all IDR-related activities in response an August 3, 2023, federal court ruling. As a result of the suspension, the Patient-Provider Dispute Resolution Portal also temporarily ceased accepting new initiated disputes.

Earlier in the day, the U.S. District Court for the Eastern District of Texas issued a judgment and order in Texas Medical Association, et al. v. United States Department of Health and Human Services, Case No. 6:23-cv-59-JDK (TMA IV), vacating certain portions of 45 C.F.R. § 149.510, 26 C.F.R. § 54.9816-8T, and 29 C.F.R. § 2590-716-8, which are parallel provisions governing the Federal IDR.

The order of the Court grants summary judgement to the Texas Medical Association and other provider plaintiffs challenge to federal rules for arbitration of health coverage disputes between payers and providers under the No Surprises Act. The Court agreed with the health care providers that the rules violated federal law by failing to take into account the full range of factors Congress directed be considered when enacting the IRO rules as part of the No Surprises Act.

When announcing the suspension, the Departments said currently they are reviewing the court’s decision and evaluating current IDR processes, templates, and system updates necessary to comply with the court’s order. The Departments say they will issue updates in the near future and will provide specific directions to certified IDR entities for resuming all IDR-related activities in a manner consistent with the court’s judgment and order.  

Until then, arbitration of disputes between payers and providers under covered employment based group health plans and individual and group health insurance subject to the law will be delayed.

A lengthy delay in the Departments’ correction of their rules could spell headaches for both payers and providers. Delays in claim resolutions due to the suspension obviously delays determination of plan liabilities can particularly impact self-insured health plans, their sponsors, fiduciaries, administrators and stop-loss reinsurers of plans approaching year end. Many stop-loss policies and other funding arrangements limit or exclude coverage for plan claims not paid with the policy period or, if the policy includes run off coverage, that brief period following the policy year end. Delays in payment also could complicate year end underwriting for renewals. Employers and unions, their brokers, administrators, fiduciaries and reinsurers should evaluate, monitor and begin strategizing about their response to these developments to prepare for their upcoming renewals and enrollment seasons.

For More Information

About the Author

About Solutions Law Press, Inc.™

Comments Off on Surprise Billing IDR Health Plan Dispute Resolution Suspension After Federal Court Ruling Could Impact Plan Renewal Underwriting and Stop-Loss Coverage | Association Health Plan, Claims, Claims Administration, compliance, Corporate Compliance, Employee Benefits, Employers, ERISA, Fiduciary Responsibility, group health plan, health benefit, Health Benefits, health Care, health care transparency, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, Human Resources, Managed Care, Plan Admistrator, PPO, Surprise Billing, Surprise Billingn, third party administrators, tpa | Permalink
Posted by Cynthia Marcotte Stamer

$1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity

February 4, 2023

Phoenix-based nonprofit health system Banner Health and its affiliates (“Banner Health”) paid $1.25 million and agreed to take corrective actions to resolve its exposure to potentially much greater Health Insurance Portability and Accountability Act (HIPAA) Security Rule civil monetary penalty exposure for a 2016 cyber hacking breach that compromised the person health information of 2.81 million consumers. OCR used its February 2 announcement of the Banner Health settlement to warn health plans, health care providers, health care clearing houses (“covered entities”) and business associates covered by HIPAA to guard their own system containing protected health information against breach by cyber hacking even as the Department of Labor and other agencies are stepping up their cybersecurity rules, oversight and enforcement.

Banner Health Settlement

Banner Health is one of the largest non-profit health systems in the country, with over 50,000 employees and operating in six states. Banner Health is the largest employer in Arizona, and one of the largest in northern Colorado.

In November 2016, OCR initiated an investigation of Banner Health following the receipt of a breach report stating that a threat actor had gained unauthorized access to electronic protected health information, potentially affecting millions. The hacker accessed protected health information that included patient names, physician names, dates of birth, addresses, Social Security numbers, clinical details, dates of service, claims information, lab results, medications, diagnoses and conditions, and health insurance information.

OCR’s investigation found evidence of long term, pervasive noncompliance with the HIPAA Security Rule across Banner Health’s organization, a serious concern given the size of this covered entity. Organizations must be proactive in their efforts to regularly monitor system activity for hacking incidents and have measures in place to sufficiently safeguard patient information from risk across their entire network.

The potential violations specifically include: the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, insufficient monitoring of its health information systems’ activity to protect against a cyber-attack, failure to implement an authentication process to safeguard its electronic protected health information, and failure to have security measures in place to protect electronic protected health information from unauthorized access when it was being transmitted electronically.

Under the Resolution Agreement and Corrective Action Plan negotiated to resolve these potential violations, Banner Health paid $1,250,000 to OCR. Banner Health also agreed to implement a corrective action plan, which identifies steps Banner Health will take to resolve these potential violations of the HIPAA Security Rule and protect the security of electronic patient health information that will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Under the corrective action plan, Banner has agreed to take the following steps:

Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization
Develop and implement a risk management plan to address identified risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
Develop, implement, and distribute policies and procedures for a risk analysis and risk management plan, the regular review of activity within their information systems, an authentication process to provide safeguards to data and records, and security measures to protect electronic protected health information from unauthorized access when it is being transmitted electronically, and
Report to HHS within thirty (30) days when workforce members fail to comply with the HIPAA Security Rule.

OCR Warns Other HIPAA-Covered Entities

In the health care sector, hacking is now the greatest threat to the privacy and security of protected health information. OCR’sannouncement of the serrlement reports 74 percent (74%) of the breaches reported to OCR in 2021 involved hacking/IT incidents.

The announcement also notes OCR offers an array of resources to help health care organizations bolster their cybersecurity posture and comply with the HIPAA Rules,

The settlement and OCR’s announcement warn other covered entities and business associates to use these and other necessary resources to protect their systems with protected health information from cyber hacking and other breaches.

In conjunction with reminding other covered entities of these resources, the settlement announcement quotes OCR Director Melanie Fontes Rainer as warning, ‘Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals, … It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. … Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

OCR’s enforcement record confirms these are not idyl threats. Breaches of the Security or Breach Notification Rules often result in significant civil monetary penalty assessments or negotiated settlements to mitigate civil liability exposures arising out of such breaches. See e.g., Clinical Laboratory Pays $25,000 To Settle Potential HIPAA Security Rule Violations (May 25, 2021); Health Insurer Pays $5.1 Million to Settle Data Breach Affecting Over 9.3 Million People (January 15, 2021); Aetna Pays $1,000,000 to Settle Three HIPAA Breaches(October 28, 2020); Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (September 25, 2020); HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individual – (September 23, 2020); Lifespan Pays $1,040,000 to OCR to Settle Unencrypted Stolen Laptop Breach (July 27, 2020); Small Health Care Provider Fails to Implement Multiple HIPAA Security Rule Requirements (July 23, 2020).

Alerts issued by OCR regarding heightened security risks in recent months and a growing tide of highly publicized breaches send a strong warning to other covered entities and their business associates to reconfirm the adequacy of their own HIPAA privacy, security, breach notification and other procedures and protections by among other things:

Reviewing and monitoring on a documented, ongoing basis the adequacy and susceptibilities of existing practices, policies, safeguards of their own organizations, as well as their business associates and their vendors within the scope of attorney-client privilege taking into consideration data available from OCR, data regarding known or potential susceptibilities within their own operations as well as in the media, and other developments to determine if additional steps are necessary or advisable.
Updating policies, privacy and other notices, practices, procedures, training and other practices as needed to promote compliance and defensibility.
Renegotiating and enhancing service provider agreements to detail the specific compliance, audit, oversight and reporting rights, workforce and vendor credentialing and access control, indemnification, insurance, cooperation and other rights and responsibilities of all entities and individuals that use, access or disclose, or provide systems, software or other services or tools that could impact on security; to clarify the respective rights, procedures and responsibilities of each party in regards to compliance audits, investigation, breach reporting, and mitigation; and other relevant matters.
Verifying and tightening technological and other tracking, documentation and safeguards and controls to the use, access and disclosure of protected health information and systems.
Conducting well-documented training as necessary to ensure that members of the workforce of each covered entity and business associate understand and are prepared to comply with the expanded requirements of HIPAA, understand their responsibilities and appropriate procedures for reporting and investigating potential breaches or other compliance concerns, and understand as well as are prepared to follow appropriate procedures for reporting and responding to suspected
violations or other indicia of potential security concerns.
Tracking and reviewing on a systemized, well-documented basis actual and near miss security threats to evaluate, document decision-making and make timely adjustments to policies, practices, training, safeguards and other compliance components as necessary to identify and resolve risks.
Establishing and providing well-documented monitoring of compliance that includes board level oversight and reporting at least quarterly and sooner in response to potential threat indicators.
Establishing and providing well-documented timely investigation and redress of reported
violations or other compliance concerns.
Establishing contingency plans for responding in the event of a breach.
Establishing a well-documented process for monitoring and updating policies, practices and other efforts in response to changes in risks, practices and requirements.
Preparing and maintaining a well-documented record of compliance, risk, investigation and other security activities.
Pursuing other appropriate strategies to enhance the covered entity’s ability to demonstrate its compliance commitment both on paper and in operation.

Beyond these HIPAA exposures, breaches and other HIPAA noncompliance carries other liability risks. Leaders of covered entities or their business associates also are cautioned that while HIPAA itself does not generally create any private right of action for victims of breach under HIPAA, breaches may create substantial liability for their organizations or increasingly, organizational leaders. For instance, the Department of Health & Human Services has warned health care providers participating in Medicare or other federal programs and Medicare Advantage health plans that HIPAA compliance is a program term of participation.

Health care providers and health insurers can face liability under state data privacy and breach, negligence or other statutory or common laws. In addition, physicians and other licensed parties may face professional discipline or other professional liability for breaches violating statutory or ethical standards.

Health plans also face a myriad of other exposures from failing to use appropriate cyber safeguards. Plan fiduciaries of employment based health plans covered by the Employee Retirement Income Security Act (“ERISA”} risk liability under ERISA’s fiduciary responsibility rules. The Department of Labor Employee Benefit Security Administration (“EBSA”) now audits the adequacy of the cybersecurity and other HIPAA compliance of health plans and their third party administrators and other business associates as part of EBSA’s oversight and enforcement of ERISA. Department of Labor Assistant Secretary for EBSA Lisa Gomez confirmed audit and enforcement of cybersecurity obligations is a key priority in EBSA’s current work plan in her February 4, 2023 comments to the American bar Association.

Meanwhile, the Securities and Exchange Commission has indicated that it plans to pursue enforcement against leaders of public health care or other public companies that fail to use appropriate care to ensure their organizations comply with privacy and data security obligations.

Furthermore, appropriate cyber security practices also may be advisable elements for organizations to include in their Federal Sentencing Guideline Compliance Programs to mitigate potential organization liability risks under federal electronic crime and related laws.

In the face of these risks and warnings, all covered entities and their business associates should reassess and confirm the adequacy of their and their business associates’ cyber security defenses and breach response preparations.

More Information

We hope this update is helpful. For more information about the these or other health or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health, health plan and managed care industry legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 35 year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As an ongoing component of this work, she regularly advises, represents and defends HIPAA covered entities, business associates and other organizations on HIPAA and other cyber, privacy and data security concerns and has published and spoken extensively on these concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication.

Comments Off on $1.25 Million Cybersecurity Breach Settlement & Other Heightening Enforcement Warn Health Plans & Others To Fix Cybersecurity | Association Health Plan, Civil Monetary Penalties, Corporate Compliance, Cybercrime, Cybersecurity, Data Breach, Data Security, Electronic Medical Record, Emploeyrs, employee, Employee Benefits, Employer, Employers, Federal Sentencing Guidelines, FTC, Government Contractors, government employer, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, Health IT, health plan, Health Plans, HIPAA, HR, Human Resources, insurers, Internal Controls, Internal Investigations, Managed Care, Mental Health, pbm, Personal Health Records, Personal Health Recordss, pharmacy, Physician, Plan Admistrator, PPO, Professional Liability, Protected Health Information, Provider, provider contracting, Retaliation | Permalink
Posted by Cynthia Marcotte Stamer

DOJ Withdrawal of “Outdated” Health Care Antitrust Policies Leaves Federal Health Industry Competition & Antitrust Policy Ambiguous

February 3, 2023

With health industry consolidation and competition continuing to draw public and lawmaker scrutiny, the Department of Justice Antitrust Division today (February 3, 2022) signaled the Biden Administration plans to redirect health care antitrust policy by withdrawing three healthcare antitrust policy statements it says are outdated.

The withdrawn policy statements are three statements of antitrust principles adopted more than a decade ago by the DOJ and Federal Trade Commission (“FTC”) defining the agencies principles for interpreting and enforcing antitrust law in the healthcare industry:

Department of Justice and FTC Antitrust Enforcement Policy Statements in the Health Care Area (Sept. 15, 1993);
Statements of Antitrust Enforcement Policy in Health Care (Aug. 1, 1996); and
Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program (Oct. 20, 2011).

The withdrawal of the statements follows growing activity by DOJ in challenging certain other health industry conduct as anticompetitive under Fdderal antitrust laws in recent years as well as new policies challenging noncompetition and other workforce practices used widely within the health care industry. (These developments were discussed in a September, 2022 Joint Committee on Employee Benefits webinar on Department of Justice Enforcement Update webinar moderated by Cynthia Marcotte Stamer.)

Following an uptake in DOJ health care and workforce antitrust enforcement in recent years, the announcement of the antitrust statement withdrawals confirms the Biden Administration led DOJ plans changes to care antitrust and other competition policies and enforcement impacting health care providers, payers, employers and other plan sponsors. In lieu of the principles previously provided by the withdrawn guidelines, DOJ says it will evaluate mergers and conduct in healthcare markets that may harm competition on the case-by-case basis. The announced plan to interpret antitrust law in health care on a case by case basis creates significant uncertainty about the scope of risk and safety of many contracting, business transaction and other activities in the health care industry. All segments of the marketplace should monitor developments and proceed cautiously to avoid inadvertently triggering challenges or liability as a result of the newly created ambiguity.

While employers, providers and others concerned about market power and consolidation among pharmacy benefit management companies (“PBMs”), mega healthcare systems and large health insurers are likely to welcome news of DOJ’s plan to update its policies and enforcement to reflect new market realities, DOJ’s announced plan to proceed on a case-by-case basis raises significant questions about the market participants and practices that will benefit or suffer under this new but undefined policy. Consequently, employer and other health plan sponsors, health industry providers, payers, and others concerned about health industry competition should proceed cautiously and carefully monitor developments at DOJ and FTC. Stay tuned for further developments.

More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Chair-Elect of the ABA TIPS Section Medicine & Law Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care and employer benefits legal, public policy and operational concerns.

Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. Her work has included ongoing involvement in health industry and workforce competition and antitrust issues.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on DOJ Withdrawal of “Outdated” Health Care Antitrust Policies Leaves Federal Health Industry Competition & Antitrust Policy Ambiguous | Antitrust, compliance, conflict of interest, Corporate Compliance, corporate governance, Emploeyrs, Employee Benefits, Employer, Employers, group health plan, health benefit, Health Benefits, Health Industry Consolidation, health plan, Health Plans, Managed Care, pbm | Permalink
Posted by Cynthia Marcotte Stamer

Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means

September 15, 2022

Employer and other health plan sponsors, fiduciaries and plan members hear a lot about about health care quality and its measures. However few understand what the quality data and ratings relied upon by health plans, Medicare or Medicaid, accreditation agencies or others making assertions about health care quality or how that data is measured.

While quality measures and meanings take many forms, one key measure used by Medicare, Medicaid and many other health plans, lawmakers, health quality commentators and others evaluating health care provider “quality” is the Department of Health and Human Services Office of the National Coordinator for Healthcare Information (“ONC”) electronic clinical quality measures (“eCQMs”) that the Centers for Medicare & Medicaid Services (“CMS”) requires many health care providers participating in Medicare or Medicaid to report for purposes of program participation and reimbursement.

eCQMs As Measure of HealthCare Quality

Electronic clinical quality measures or “eCQMs” are tools that ONC develops with stakeholder input to help Medicare and Medicaid measure and track the quality of health care services that eligible hospitals and critical access hospitals (CAHs) provide, as generated by a provider’s electronic health record (EHR). CMS Measuring and reporting eCQMs helps to ensure that our health care system is delivering effective, safe, efficient, patient-centered, equitable, and timely care. CMS’ eCQMs measure many aspects of patient care, including:

Patient and Family Engagement
Patient Safety
Care Coordination
Population/Public Health
Efficient Use of Healthcare Resources
Clinical Process/Effectiveness

To successfully participate in the Medicare and Medicaid Promoting Interoperability Programs, the Centers for Medicare and Medicaid Services (“CMS”) requires eligible providers, eligible hospitals, critical access hospitals and dual-eligible hospitals electronically to report on eCQMs determined by CMS that require the use of data from the provider’s certified electronic health record (“EHR”) technology (CEHRT) or other health information technology systems to measure and report quality measures in a standardized manner. For calendar year (CY) 2022, Medicare Promoting Interoperability Program participants arerequired to report on three self-selected eCQMs and the Safe Use of Opioids – Concurrent PrescribingeCQM from the set of nine available for at least three self-selected quarters of CY 2022 data. To report eCQMs successfully, health care providers must use an EHR and adhere to the requirements identified by the CMS quality program. Failing to meet these eCQM reporting requirements can prevent the provider from meeting meaningful use requirements and trigger reductions in reimbursements for care.

Health care quality, credentialing, accreditation, and other provider, health plan and other organizations also use the eCQMs data alone or with other quality measures and tools to set standards and assess and enforce quality goals and performances.

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

Evidence-based Medicine
Code Sets
Measure Logic

Conducted annually as part of OCN’s eCQM Issue Tracker project, the CRP provides eCQM users the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by the measure stewards. The goal of the CRP is for eCQM implementers to comment on the potential impact of draft changes to eCQMs so CMS and measure stewards can make improvements to meet CMS’s intent of minimizing provider and vendor burden in the collection, capture, calculation, and reporting of eCQMs.

Every Fall, health care providers, health plans and insurers and other stakeholders concerned about these eCQMs have the opportunity to review and comment on draft changes to the eCQM specifications and supporting resources under consideration by ONC as part of ONC’s 2022 Change Review Process (CRP) for the ONC Project Tracking System. Interested stakeholders must monitor the posting of issues and act quickly to share their feedback, however, as stakeholders have only two weeks to comment after a ONC posts a new proposed eCQm change.

Stakeholders with an account on the ONC Project Tracking System can monitor, review and comment on proposed eCQM changes through the eCQM Issue Tracker project during the two week period following the date the issue is posted in the eCQM Issue Tracker. To participate in the CRP, users must have an ONC Project Tracking System account. New users can create an account via the ONC Project Tracking System website.

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates

Issues Open for Public Comment As of 9/14/2022

CMS eCQM Identifier and Measure Title	CRP Issue Title	Issue Number and Link	Issue Type	Goal of Review	Public Comment Open Date	Public Comment Close Date
Multiple measures	Incorporate ‘Diagnosis’ datatype to capture Hospice Care	CQM-5561	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older Adults	Update Cumulative Medication Duration function to calculate maximum daily frequency	CQM-5562	Logic	Obtain technical feedback	09/07/2022	09/21/2022
Multiple measures	Expand codes using ‘Diagnosis’ datatype to capture Palliative Care	CQM-5563	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
Multiple measures	Require 2 indications of frailty to meet exclusion	CQM-5564	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022
CMS127: Pneumococcal Vaccination Status for Older Adults	Expand numerator to allow for pneumococcal vaccination since 19 years of age	CQM-5565	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022

eCQM Issue Tracker Open Issues As Of September 14, 2022

As proposed eCQM changes are posted for public comment as CRP issues. ONC informs eCQM accountholders of the proposed change or eCQM issue by posting for review in the ONC Project Tracking System. Accountholders only have two weeks after ONC posts a proposed eCQM to comment on the posted issue. Stakeholders interested in commenting on a particular issue must submit their comment in accordance with the directions within this two week period.

Depending on the nature of the proposed change, the proposed changing could impact the meaning, or significance of a eCQM by changing the way it is measured, the level or reporting or other aspects of the data and its magnitude. Consequently, understanding both what a eCQM measures and how that measurement is made and reported is important both to understand what actually is measured and to distinguish between changes in the measure resulting from a change in the actual delivery of the care the measure purports to measure versus changes in the result impacted by changes in measurement or reporting. For this reason, employer and other health plan sponsors, fiduciaries, insurers, administrators and other impacted stakeholders should use care to critically evaluate the eCQM and othe quality claims armed with a clear understanding both of the elements of the measurement and of any changes made to the measures across time that could influence the reported data and its significance in measuring and reporting quality and quality trends.

More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Comments Off on Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means | Association Health Plan, Corporate Compliance, group health plan, health benefit, Health Benefits, health Care, health care transparency, health centers, health insurance, Health IT, health plan, Health Plans, health reform, self insured health plan | Tagged: quality. | Permalink
Posted by Cynthia Marcotte Stamer

Annual Review of Proposed Medicare Quality Measures Excellent Opportunity For Insight, Input on What Health Care Quality Means

September 15, 2022

Act Promptly To Comment On Proposed Changes To ONC’s Electronic Clinical Quality Measures

eCQMs As Measure of Health Care Quality

Patient and Family Engagement
Patient Safety
Care Coordination
Population/Public Health
Efficient Use of Healthcare Resources
Clinical Process/Effectiveness

2022 eCQMs Updates

Each year, CMS makes updates to the eCQMs approved for CMS programs to reflect changes in:

Evidence-based Medicine
Code Sets
Measure Logic

Issues Open for Public Comment As of 9/14/2022

The following table reflects the eCQM issues open on the eCQM Issue Tracker as of September 14, 2022 and their scheduled comment closing dates:

CMS eCQM Identifier and Measure Title	CRP Issue Title	Issue Number and Link	Issue Type	Goal of Review	Public Comment Open Date	Public Comment Close Date
Multiple measures	Incorporate ‘Diagnosis’ datatype to capture Hospice Care	CQM-5561	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
CMS128: Anti-depressant Medication Management; CMS136: Follow-Up Care for Children Prescribed ADHD Medication (ADD); CMS156: Use of High-Risk Medications in Older Adults	Update Cumulative Medication Duration function to calculate maximum daily frequency	CQM-5562	Logic	Obtain technical feedback	09/07/2022	09/21/2022
Multiple measures	Expand codes using ‘Diagnosis’ datatype to capture Palliative Care	CQM-5563	Logic; Value Set	Obtain clinical and technical feedback	09/07/2022	09/21/2022
Multiple measures	Require 2 indications of frailty to meet exclusion	CQM-5564	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022
CMS127: Pneumococcal Vaccination Status for Older Adults	Expand numerator to allow for pneumococcal vaccination since 19 years of age	CQM-5565	Header; Logic; Measure Intent Clarification	Obtain clinical feedback	09/07/2022	09/21/2022

eCQM Issue Tracker Open Issues As Of September 14, 2022

More Information

About the Author

A Fellow in the American College of Employee Benefit Counsel, Vice Chair of the American Bar Association (“ABA”) International Section Life Sciences and Health Committee, Past Chair of the ABA Managed Care & Insurance Interest Group, Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, past chair of the the ABA RPTE Employee Benefits & Other Compensation Group and current co-Chair of its Welfare Benefit Committee, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and managed care industry legal, public policy and operational concerns.

For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

AHRQ Mental Health Mobile Apps Selection Tips

July 6, 2022

The Agency for Healthcare Research and Quality (AHRQ) issued a brief called “Evaluation of Mental Health Mobile Applications” to help healthcare experts pick out mental health mobile health applications. Along with choosing mental Health applications and other health plan mental health benefit design, plan sponsors, fiduciaries, administrators and insurers also must ensure their overall plan design and all features comply with federal mental health parity mandates.

The report covers three areas: risk and mitigation strategies, functions, and mental health app features.

AHRQ hopes the tips will help providers, patients, and payers in selecting mental health mobile applications and seeking the best fit based on various features.

The report is part of a growing list of resources and enforcement efforts federal and state agencies have initiated over the past year as part of growing concerns about mental health.

Along with educational outreach and tools, the Employee Benefit Security Administration and Department of Health and Human Services also are ratcheting up audits and enforcement of federal mental health parity mandates. Given this heightened scrutiny, employer and other health plan sponsors, fiduciaries, administrators and insurers using mobile applications or other virtual mental health solutions in their health plans should arrange for a compliance review of their health plan compliance with these mandates within the scope of attorney client privilege to mitigate liability risks.

In a recent American Bar Association Joint Committee on Employee Benefits webinar moderated by Cynthia Marcotte Stamer, the EBSA’s Director of Health Plan Compliance and Enforcement Amber Rivers emphasized her agency is prioritizing mental health parity compliance a free recent audits showed widespread noncompliance with the requirement for parity in nonqualitative mental health conditions.

More Information.

For additional information about the requirements or concerns discussed in this article, republication or other related matters, please contact the author, employment lawyer Cynthia Marcotte Stamer via e-mail, via telephone at (214) 452 -8297 or on LinkedIn.

Solutions Law Press, Inc. invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.

About the Author

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, well-known for her extensive work with health and other employee benefits, health care and life sciences, insurance, financial services, technology, and other highly regulated and performance reliant organizations and their leadership, Ms. Stamer works with these and other businesses and their management, employee benefit plans, insurers, health care and life sciences, governments and other organizations deal with all aspects of health care, human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, Form I-9 and other compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, internal controls, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy. her more than 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a practicing attorney, as well as as an industry, policy management consultant, and policy strategist as well through her leadership participation in professional and civic organizations. Examples of her many leadership involvements include service as the Vice President and Executive Director of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; Vice Chair of the ABA International Law Section Life Sciences and Health Committee; Vice Chair of the ABA Tort & Insurance Practice Section Medicine and Law Committee and former Vice Chair of its Employee Benefits Committee and its Worker’s Compensation Commitee; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, current Welfare Committee Co-Chair and past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy and others.

Ms. Stamer also is a widely published author, highly popular lecturer, and serial symposia chair, who publishes and speaks extensively on human resources, labor and employment, employee benefits, compensation, occupational safety and health, and other leadership, performance, regulatory and operational risk management, public policy and community service concerns for the American Bar Association, ALI-ABA, American Health Lawyers, Society of Human Resources Professionals, the Southwest Benefits Association, the Society of Employee Benefits Administrators, the American Law Institute, Lexis-Nexis, Atlantic Information Services, The Bureau of National Affairs (BNA), InsuranceThoughtLeaders.com, Benefits Magazine, Employee Benefit News, Texas CEO Magazine, HealthLeaders, the HCCA, ISSA, HIMSS, Modern Healthcare, Managed Healthcare, Institute of Internal Auditors, Society of CPAs, Business Insurance, Employee Benefits News, World At Work, Benefits Magazine, the Wall Street Journal, the Dallas Morning News, the Dallas Business Journal, the Houston Business Journal, and many other symposia and publications. She also has served as an Editorial Advisory Board Member for human resources, employee benefit and other management focused publications of BNA, HR.com, Employee Benefit News, InsuranceThoughtLeadership.com and many other prominent publications and speaks and conducts training for a broad range of professional organizations and for clients on the Advisory Boards of InsuranceThoughtLeadership.com, HR.com, Employee Benefit News, and many other publications.

About Solutions Law Press, Inc.™

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as an admission. The author reserves the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The presenter and the program sponsor disclaim, and have no responsibility to provide any update or otherwise notify any participant of any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.

©2022 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press, Inc.™ For information about republication, please contact the author directly. All other rights reserved.

Comments Off on AHRQ Mental Health Mobile Apps Selection Tips | ACA, Association Health Plan, Data Breach, Data Security, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, Joint Employer, Protected Health Information, self insured health plan, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Comment To OCR By 6/6 To Help Shape How OCR Implements HITECH Act Recognized Security Practices Standards For Purposes Of Setting Civil Monetary Penalties Under HIPAA Security Rules.

April 29, 2022

June 6, 2022 is the deadline for health plans, their sponsors, fiduciaries, administrative and other business associates and others to provide input to the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) that OCR says it seeks to help shape how it defines and implements the “recognized security standards” requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), as amended in 2021 for purposes of its administration and enforcement of civil monetary penalty and other provisions of of the Health Insurance Portability and Accountability Act (“”HIPAA”). The regulatory and enforcement decisions that OCR makes could significantly impact the civil monetary penalty liability, compliance, audit and recordkeeping responsibilities that health plans, health care providers, health care clearinghouses and their business associates (“Covered Entities”) face under the HIPAA Security and Breach Notification Rules.

OCR is inviting public input on two issues under the OCR Request for Information on Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended (RFI) released April 6, 2022:

The definition and administration of the “recognized security practice” factor the HITECH Act requires OCR to consider when assessing audit results, civil monetary penalty and settlement amounts and other HIPAA Security and Breach Rule enforcement; and
The rules that OCR will follow to determine when and how OCR will share portions of amounts it receives from civil monetary penalties or settlements with individuals harmed by breaches of electronic protected health information,

Recognized Security Practices

Section 13412 of the HITECH Act requires HHS to take into consideration certain recognized security practices of covered entities (health plans, health care clearinghouses, and most health care providers) and business associates1 when determining potential fines, audit results, or other remedies for resolving potential violations of the HIPAA Security Rule pursuant to an investigation, compliance review, or audit.

A primary goal of the requirement, which took effect January 5, 2021, is to encourage covered entities and business associates to do “everything in their power to safeguard patient data.”

The RFI solicits comment on how covered entities and business associates are implementing “recognized security practices,” how they anticipate adequately demonstrating that recognized security practices are in place, and any implementation issues they would like OCR to clarify through future guidance or rulemaking.

Civil Money Penalty (CMP) and Settlement Sharing

Section 13410(c)(3) of the HITECH Act requires HHS to establish by regulation a methodology under which an individual harmed by a potential violation of the HIPAA Privacy, Security, and/or Breach Notification Rules may receive a percentage of any CMP or monetary settlement collected with respect to that offense.

Section 13140(d)(1) of HITECH requires that OCR base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. The HITECH Act does not define “harm,” nor does it provide direction to aid HHS in defining the term.

The RFI solicits public comment on the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, discusses potential methodologies for sharing and distributing monies to harmed individuals, and invites the public to submit alternative methodologies.

Comments Due 6/6

Health plan and other Covered Entity input could significantly impact how OCR implements and administers these two important aspects of the HIPAA Security Rule going forward. As these decisions are likely to significantly impact the policies, practices, recordkeeping, breach investigation and other obligations that Covered Entities would need to meet in the event of an audit, breach or other investigation or enforcement, timely, thoughtful input from all Covered Entities and affected stakeholders is important. In addition, its decisions on how to distribute CMPs.

For more information about the RFI or instructions for submitting comments, see here.

Health Plan Security & Breach Exposures Beyond HIPAA

Beyond the significant exposures health plans and their business associates may face under HIPAA, recent Department of Labor Employee Benefit Security Administration (“EBSA”) guidance also signals growing risks for health plans and their fiduciaries under the Employee Retirement Income Security Act of 1974. See e.g., HIPAA & ERISA Fiduciary Rules Drive Imperative To Protect Health Plan Data & Systems From Hacking & Other Cyber Threats.

These are just some of the emerging health plan compliance risks and responsibilities that health plan, their fiduciaries, sponsors, administrators, service providers and insurers need to watch and manage. Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance will discuss these and other risks during the “Department of Labor Health Plan Compliance and Enforcement Update” at a virtual program hosted by the American Bar Association Joint Committee on Employee Benefits from Noon to 1:30 p.m. Central Time on May 5, 2022 to be moderated by Solutions Law Press, Inc. author and publisher, attorney Cynthia Marcotte Stamer will moderate the program.

For additional information about or to register for this program, see here.

More Information.

About the Author

As part of these involvements, Ms. Stamer is scheduled to moderate the discussion of “Department of Labor Health Plan Compliance and Enforcement Update” with Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance that the ABA Joint Committee on Employee Benefits is hosting on May 5, 2022. For additional information about or to register for this program, see here.

About Solutions Law Press, Inc.™

Comments Off on Comment To OCR By 6/6 To Help Shape How OCR Implements HITECH Act Recognized Security Practices Standards For Purposes Of Setting Civil Monetary Penalties Under HIPAA Security Rules. | ACA, Association Health Plan, Data Breach, Data Security, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, HIPAA, HIPAA, Joint Employer, Protected Health Information, self insured health plan, tpa | Permalink
Posted by Cynthia Marcotte Stamer

Exchange Enrollment Reaches All Time High

April 26, 2022

The Health Insurance Marketplaces 2022 Open Enrollment Report (“Report”) published by the Centers for Medicare and Medicaid Services last month reveals the 2022 Open Enrollment Period (“2022 OEP”) produced the highest enrollment in health care marketplace plans since passage of the Patient Protection and Affordable Care Act (“ACA”) 12 years ago.

A review of the data reveals a number of possible explanations for the increased enrollment including but not limited to Biden Administration emphasis on outreach, the expansion of the enrollment period and availability of subsidies, and more. Businesses sponsoring health plans, insurers and other payers, government and community leaders, taxpayers and other others may wish to evaluate this data and these implications further to assess their short term and long term implications on their health plan concerns and existing and proposed practices, governmental policy proposals and other planning considerations.

Reported Key Findings

The Report found that 14.5 million consumers selected or automatically re-enrolled in marketplace health care coverage through HealthCare.gov during the 2022 OEP, 2.5 million more consumers than signed up for marketplace coverage during the 2021 OEP. This reflects a 21 percent increase in enrollment over 2021 OEP enrollment.

Other findings highlighted in the Report include the following:

In HealthCare.gov states, 10.3 million consumers enrolled in health coverage during the 2022 OEP between November 1, 2021 and January 15, 2022.
Across the 18 SBMs, 4.3 million enrollees signed up for health coverage during the 2022 OEP from November 1, 2021 through the end of their respective reporting periods.
Nationwide, the number of new consumers signing up for Marketplace coverage during the 2022 OEP increased by 20 percent, to 3.1 million, from 2.5 million in the 2021 OEP.
Among consumers who attested to a race or ethnicity, 19 percent identified as Hispanic/Latino in the 2022 OEP, compared to 18 percent in the 2021 OEP, and the percent of consumers with a known race or ethnicity who identified as Black increased to 9 percent in the 2022 OEP, from 8 percent in the 2021 OEP.
Nationwide, 2.8 million more consumers are receiving APTC in 2022 compared to 2021. Additionally, 1.1 million consumers reported household incomes over 400% FPL during the 2022 OEP, who would not have been eligible for APTC without the American Rescue Plan (ARP). The average monthly premium after APTC fell by 19 percent, from $164 in 2021 to $133 in 2022, and 28 percent of consumers selected a plan for $10 or less per month after APTC during the 2022 OEP.
The percentage of all Marketplace consumers who received costsharing reductions (CSRs) increased slightly from the 2021 OEP to the 2022 OEP, from 47 percent to 49 percent, respectively.
The average monthly 2022 premium for HealthCare.gov enrollees was $111. If consumers had not received the additional APTC provided by the ARP, the average monthly premium after APTC for HealthCare.gov consumers would have been 53 percent higher, or $170.

The Report findings summarize data about health plan selections through the individual Marketplaces during the 2022 2022 OEP and includes OEP data for the 33 states with Marketplaces that use the HealthCare.gov eligibility and enrollment platform for the 2022 plan year (HealthCare.gov states), as well as for the 18 State-based Marketplaces (SBMs) that use their own eligibility and enrollment platforms. For purposes of the Report, the 2022 OEP for the Health Insurance Marketplaces ran between November 1, 2021 and January 15, 2021 for the 33 states that used HealthCare.gov. For the 18 State-based Marketplace (SBMs) states using their own platforms, the reporting period reflects plan selection and Marketplace activity from the beginning of OE on November 1, 2021, to the end of each SBM’s respective OEP and any run-out period. Any renewals processed before November 1, 2021, are also included.

Data Underlying Report

For those interested in evaluating the 2022 OEP enrollment results and trends, CMS has prepared a number of Public Use Files (PUFs) summarizing plan selection activity during the applicable OEPs in more detail including:

2022 OEP State-Level Public Use File: The state-level PUF includes total health plan selections in all 50 states plus the District of Columbia. The PUF provides state-level data on metrics such as average monthly premium, financial assistance, age, gender, metal level, self-reported race and ethnicity, rural location, household income as a percent of the federal poverty level (FPL), and plan switching behavior among consumers with a plan selection. In addition, the state-level PUF includes data on dental plan selections and Basic Health Plan (BHP) enrollments. Certain data elements are only available for the 33 HC.gov states in 2022.
2022 OEP State, Metal Level, and Enrollment Status Public Use File: The state, metal level, and enrollment status PUF contains data with stratifications by state, metal level and enrollment status. It includes total health plan selections in all 50 states plus the District of Columbia and state, metal level, and enrollment status-level data on enrollment status, average monthly premium, financial assistance, age, gender, self-reported race and ethnicity, rural location, metal level, and household income as percent FPL. Certain data elements are only available for the 33 HC.gov states in 2022.
2022 OEP County-Level Public Use File: The county-level PUF includes total health plan selections, as well as data such as average monthly premium, financial assistance, age, gender, metal level, self-reported race and ethnicity, household income as a percent of the FPL, and plan switching behavior. In addition, the county-level PUF includes data on dental plan selections. This PUF only includes data for consumers with a plan selection in the 33 states that used the HC.gov platform in 2022.
2022 OEP ZIP Code-Level Public Use File: The ZIP code-level PUF includes total health plan selections, the count of consumers with APTC, and average APTC among consumers with APTC. This PUF only includes data for consumers with a plan selection in the 33 states that used the HC.gov platform in 2022.
2022 OEP Snapshot Public Use File: The Snapshot PUF presents data that CMS released during the 2022 OEP. It includes total health plan selections, including a breakdown of new and returning consumers, consumers on submitted applications, call center volume, and website usage. State-level health plan selection counts are also included.
Supplemental HC.gov Data: Data on availability and plan selections of Health Savings Account (HSA)-eligible plans and average and median deductibles of plans selected during the 2014-2022

To access these data files, see here.

Amber M. Rivers, Director of the Employee Benefit Security Administration Office of Health Plan Standards and Compliance will discuss “Department of Labor Health Plan Compliance and Enforcement Update” at a virtual program hosted by the American Bar Association Joint Committee on Employee Benefits from Noon to 1:30 p.m. Central Time on May 5, 2022. Solutions Law Press, Inc. author and publisher Cynthia Marcotte Stamer will moderate the program.

During the program, Ms. Rivers will the provide updates on the health plan eligibility, COVID emergency orders, surprise billing, mental health parity and other Department of Labor regulatory, compliance, audit, enforcement priorities and other health plan projects and developments.

For additional information about or to register for this program, see here.

More Information.

About the Author

About Solutions Law Press, Inc.™

Comments Off on Exchange Enrollment Reaches All Time High | ACA, Association Health Plan, Employee Benefits, Employer, Employers, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, self insured health plan | Permalink
Posted by Cynthia Marcotte Stamer

2022 ACA Marketplace Open Enrollment Up 21% Over 2021 Open Enrollment

April 26, 2022

Reported Key Findings

Other findings highlighted in the Report include the following:

In HealthCare.gov states, 10.3 million consumers enrolled in health coverage during the 2022 OEP between November 1, 2021 and January 15, 2022.
Across the 18 SBMs, 4.3 million enrollees signed up for health coverage during the 2022 OEP from November 1, 2021 through the end of their respective reporting periods.
Nationwide, the number of new consumers signing up for Marketplace coverage during the 2022 OEP increased by 20 percent, to 3.1 million, from 2.5 million in the 2021 OEP.
Among consumers who attested to a race or ethnicity, 19 percent identified as Hispanic/Latino in the 2022 OEP, compared to 18 percent in the 2021 OEP, and the percent of consumers with a known race or ethnicity who identified as Black increased to 9 percent in the 2022 OEP, from 8 percent in the 2021 OEP.
Nationwide, 2.8 million more consumers are receiving APTC in 2022 compared to 2021. Additionally, 1.1 million consumers reported household incomes over 400% FPL during the 2022 OEP, who would not have been eligible for APTC without the American Rescue Plan (ARP). The average monthly premium after APTC fell by 19 percent, from $164 in 2021 to $133 in 2022, and 28 percent of consumers selected a plan for $10 or less per month after APTC during the 2022 OEP.
The percentage of all Marketplace consumers who received costsharing reductions (CSRs) increased slightly from the 2021 OEP to the 2022 OEP, from 47 percent to 49 percent, respectively.
The average monthly 2022 premium for HealthCare.gov enrollees was $111. If consumers had not received the additional APTC provided by the ARP, the average monthly premium after APTC for HealthCare.gov consumers would have been 53 percent higher, or $170.

Data Underlying Report

2022 OEP State-Level Public Use File: The state-level PUF includes total health plan selections in all 50 states plus the District of Columbia. The PUF provides state-level data on metrics such as average monthly premium, financial assistance, age, gender, metal level, self-reported race and ethnicity, rural location, household income as a percent of the federal poverty level (FPL), and plan switching behavior among consumers with a plan selection. In addition, the state-level PUF includes data on dental plan selections and Basic Health Plan (BHP) enrollments. Certain data elements are only available for the 33 HC.gov states in 2022.
2022 OEP State, Metal Level, and Enrollment Status Public Use File: The state, metal level, and enrollment status PUF contains data with stratifications by state, metal level and enrollment status. It includes total health plan selections in all 50 states plus the District of Columbia and state, metal level, and enrollment status-level data on enrollment status, average monthly premium, financial assistance, age, gender, self-reported race and ethnicity, rural location, metal level, and household income as percent FPL. Certain data elements are only available for the 33 HC.gov states in 2022.
2022 OEP County-Level Public Use File: The county-level PUF includes total health plan selections, as well as data such as average monthly premium, financial assistance, age, gender, metal level, self-reported race and ethnicity, household income as a percent of the FPL, and plan switching behavior. In addition, the county-level PUF includes data on dental plan selections. This PUF only includes data for consumers with a plan selection in the 33 states that used the HC.gov platform in 2022.
2022 OEP ZIP Code-Level Public Use File: The ZIP code-level PUF includes total health plan selections, the count of consumers with APTC, and average APTC among consumers with APTC. This PUF only includes data for consumers with a plan selection in the 33 states that used the HC.gov platform in 2022.
2022 OEP Snapshot Public Use File: The Snapshot PUF presents data that CMS released during the 2022 OEP. It includes total health plan selections, including a breakdown of new and returning consumers, consumers on submitted applications, call center volume, and website usage. State-level health plan selection counts are also included.
Supplemental HC.gov Data: Data on availability and plan selections of Health Savings Account (HSA)-eligible plans and average and median deductibles of plans selected during the 2014-2022

To access these data files, see here.

More Information.

About the Author

About Solutions Law Press, Inc.™

Comments Off on 2022 ACA Marketplace Open Enrollment Up 21% Over 2021 Open Enrollment | ACA, Association Health Plan, Employee Benefits, Employer, Employers, Government Accountability, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, health insurance, health insurance marketplace, health plan, Health Plans, health reform, self insured health plan | Permalink
Posted by Cynthia Marcotte Stamer

DOL Invites Employer Input On Youth Employee Mental Health Needs

February 17, 2022

Employers should put managing legal and operational demands for mental health accommodation for youth and other workers and their risk management agenda this year.

The Surgeon General’s recent release of an advisory report, “Protecting Young People’s Mental Health,” is one of a series of studies and guidance that the federal government has released in recent months on the impacts of the pandemic on mental health issues. The recently released Surgeon General report discusses impacts of the pandemic on mental health needs of young people. In connection with these findings, the United States Department of Labor is inviting employers and other interested persons to respond to a brief questionnaire from the National Youth Employment Coalition to help understand how workforce providers are grappling with this crisis. The DOL says this input will provide insight into the youth employment field’s current capacity to screen, connect, and serve youth with mental health needs. however, employers contemplating responding should note that the survey template requests that they respond it be identified by providing their name and other information. It is not clear whether the provision of this information may be used to target the employer for subsequent scrutiny.

The deadline for responding to the survey is March 11, 2022. To learn more, see here.

More Information

Want to know more? The author of this update, employment lawyer Cynthia Marcotte Stamer, conducted a briefing on these and other federal COVID-19 vaccination and other workforce requirements as a panelist on the “COVID-19 Vaccination Mandates & Incentives” virtual seminar the American Bar Association Joint Committee on Employee Benefits hosted on November 12, 2021. To purchase a recording of the program, see here. For information about obtaining Ms. Stamer’s slides, email here.

Solutions Law Press, Inc. also invites you to receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information about the these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

For help developing, administering or defending your organization’s workforce, employee benefits, compensation or compliance practices, contact the author. Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: Erisa & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for management work, coaching, teachings, and publications.

Ms. Stamer works with businesses and their management, employee benefit plans, governments and other organizations deal with all aspects of human resources and workforce, internal controls and regulatory compliance, change management and other performance and operations management and compliance. Her day-to-day work encompasses both labor and employment issues, as well as independent contractor, outsourcing, employee leasing, management services and other nontraditional service relationships. She supports her clients both on a real-time, “on demand” basis and with longer term basis to deal with all aspects for workforce and human resources management, including, recruitment, hiring, firing, compensation and benefits, promotion, discipline, compliance, trade secret and confidentiality, noncompetition, privacy and data security, safety, daily performance and operations management, emerging crises, strategic planning, process improvement and change management, investigations, defending litigation, audits, investigations or other enforcement challenges, government affairs and public policy.

Well-known for her extensive work with health, insurance, financial services, technology, energy, manufacturing, retail, hospitality, governmental and other highly regulated employers, her nearly 30 years’ of experience encompasses domestic and international businesses of all types and sizes.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her thought leadership, experience and advocacy on these and other concerns by her service as a management consultant, business coach and consultant and policy strategist as well through her leadership participation in professional and civic organizations such her involvement as the Vice Chair of the North Texas Healthcare Compliance Association; Executive Director of the Coalition on Responsible Health Policy and its PROJECT COPE: Coalition on Patient Empowerment; former Board President of the early childhood development intervention agency, The Richardson Development Center for Children; former Gulf Coast TEGE Council Exempt Organization Coordinator; a founding Board Member and past President of the Alliance for Healthcare Excellence; former board member and Vice President of the Managed Care Association; past Board Member and Board Compliance Committee Chair for the National Kidney Foundation of North Texas; a member and policy adviser to the National Physicians’ Council for Healthcare Policy; current Vice Chair of the ABA Tort & Insurance Practice Section Employee Benefits Committee; current Vice Chair of Policy for the Life Sciences Committee of the ABA International Section; Past Chair of the ABA Health Law Section Managed Care & Insurance Section; ABA Real Property Probate and Trust (RPTE) Section former Employee Benefits Group Chair, immediate past RPTE Representative to ABA Joint Committee on Employee Benefits Council Representative, and Defined Contribution Committee Co-Chair, past Welfare Benefit Committee Chair and current Employee Benefits Group Fiduciary Responsibility Committee Co-Chair, Substantive and Group Committee member, Membership Committee member and RPTE Representative to the ABA Health Law Coordinating Council; past Chair of the Dallas Bar Association Employee Benefits & Executive Compensation Committee; a former member of the Board of Directors, Treasurer, Member and Continuing Education Chair of the Southwest Benefits Association and others.

About Solutions Law Press, Inc.™

If you or someone else you know would like to receive future updates about developments on these and other concerns, please provide your current contact information and preferences including your preferred e-mail by creating or updating your profile here.

Comments Off on DOL Invites Employer Input On Youth Employee Mental Health Needs | ADA, Corporate Compliance, COVID-19, Disability, Disability Discrimination, Disability Plans, Discrimination, Drug & Alcohol, EEOC, Employee Benefits, Employer, Employers, Employment, Employment Discrimination, Employment Policies, group health plan, health benefit, Health Benefits, health Care, Health Plans, Mental Health, Mental Health Parity | Tagged: Discrimination, Mental Health, youth employment | Permalink
Posted by Cynthia Marcotte Stamer

Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax CyberSecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Managment

October 19, 2021

Businesses, their employee benefit plan fiduciaries, their employer and other sponsors, their record keepers, financial advisors and other service providers and other business partners face growing pressure to shore up cyber security and cyber breach compliance and other safeguards to defend against a slew of new and ongoing federal cyber security and breach regulatory and enforcement the Biden-Harris Administration is rolling out in its effort to stem the rising tide of cybersecurity incidents.

Agencies Targeting Businesses, US Entities & Their Leaders For CyberSecurity & CyberBreach Regulation & Enforcement

On October 6, 2021, Deputy Attorney General Lisa O. Monaco announced plans to civilly prosecute federal government contractors that fail to follow required cyber security standards under the False Claims Act under a new Civil Cyber-Fraud Initiative to be led by DOJ’s Civil Division’s Commercial Litigation Branch, Fraud Section. While adding new exposures to the already substantial exposures federal government contractors and grant recipients already face for failing to comply with applicable cybersecurity and cyberbreach notifications under federal and state laws, the Civil Cyber-Fraud Initiative also provides more evidence that the Biden-Harris Administration is serious about moving forward on its broader strategy to stem the recurrent waves of disruptive cyber breaches and other security incidents buffeting U.S. public and private institutions and citizens by ramping up cybersecurity regulations, oversight and enforcement against all U.S. organizations. See e.g., New DOJ Civil Cyber-Fraud Initiative Pressures Federal Contractors & Grant Recipients To Tighten Cybersecurity Controls, Training & Other Safeguards. May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity; July 28, 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.

The DOJ Civil Cyber-Fraud Initiative is the latest in a growing list of new regulatory and enforcement programs placing pressure on U.S. businesses and their leaders to get serious about cybersecurity. Examples of some of the more far reaching of these new or continuing programs include:

Government Contractors.

Under the Civil Cyber-Fraud Initiative, DOJ plans to use the False Claims Act to prosecute pursue cyber security related fraud by government contractors and grant recipients. According to DOJ, the initiative will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cyber security products or services, knowingly misrepresenting their cyber security practices or protocols, or knowingly violating obligations to monitor and report cyber security incidents and breaches. Federal contractors and grant recipients submitting claims for federal funds will be considered to have filed a false claim in violation of the False Claims Act if their cyber security and cyber breach practices are not compliant with applicable federal requirements when the payment is requested.

Federal Health Program Participating Health Care Providers And Plans.

The DOJ Cyber-Fraud Initiative follows a similar interpretation of the Department of Health & Human Services (“HHS”) Office Inspector General (“OIG”) about the cybersecurity and cyberbreach compliance requirements health care providers and health plan issuers participating in Medicare and certain other federally funded health care programs (“Medicare Participating Providers”) are accountable to meet under the Conditions of Participation for those programs. HHS OIG’s construction of these Conditions of Participation as including cybersecurity and cyberbreach compliance signs that Medical Participating Providers with deficient cybersecurity practices now may risk program disqualification and False Claims Act liability along with their already well-known exposure to civil monetary penalties under the Health Insurance Portability & Accountability Act (“HIPAA”) protected health information privacy, security and data breach rules.

Health & Other Employee Benefit Plans.

Health plans and other employee benefit plans, their fiduciaries, record keepers and service providers also face growing cybersecurity responsibilities and risks. While HHS Office of Civil Rights (“OCR”) continues to clarify and expand its interpretation, investigation and enforcement of HIPAA privacy, security and data breach rules against health plans, health care providers, health care clearinghouses and their business associates, the Department of Labor Employee Benefit Security Administration is turning up the heat on employee benefit plan fiduciaries to prudently protect their employee benefit plan assets and participants against cyberthreats.

On April 14, 2021, the Department of Labor Employee Benefit Security Administration (“EBSA”) made official its interpretation of the duty of prudence applicable to employee benefit plan fiduciaries under Section 404 of the Employee Retirement Income Security Act (“ERISA”) includes a duty for ERISA-covered employee benefit plan fiduciaries to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. The April 14 announcement makes official EBSA’s interpretation of the duty of prudence applicable to fiduciaries of ERISA-covered employee benefit plans as extending to a duty to act prudently to safeguard plan assets and plan participants against cybersecurity threats.

Concern about cyberthreats to private employee benefit plans covered by ERISA, their participants and beneficiaries has soared as massive data breaches Federal Thrift Savings Plan, Anthem, Capital One, the Public Employees Retirement Association of New Mexico and other employee benefit plans, their vendors and service providers increasingly have impacted millions of employee benefit plans, their accounts and participants.

While Congress chose to subject health plans to the detailed health privacy, security and breach rules of HIPAA and financial and certain other employee benefit plan service providers to consumer financial disclosure and data information security requirements of laws like Gramm-Leach-Bliley Act and the Fair and Accurate Credit Transactions Act, and even employers and others conducting background and other credit checks to the Fair Credit Reporting Act, growing awareness of the cyberthreat to employee benefits has not prompted Congress to date to extend those laws or otherwise to enact express statutory requirements for employee benefit plans and their fiduciaries. However, private litigants and others increasingly have speculated that a fiduciary duty to safeguard plan asset against cyberthreats might be subsumed in the obligation of fiduciaries under Section 404 of ERISA at all times to act with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” See, e.g., See Record $16M Anthem HIPAA Settlement Signals Need to Tighten Your Health Plan HIPAA Compliance & Risk Management.

While EBSA has worked to formulate its recently announced positions, private litigants increasingly have begun debating the applicability and effect of ERISA on cyberbreaches involving ERISA regulated plans. See e.g., In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2015 WL 7443779, at *1 (N.D. Cal. Nov. 24, 2015)(holding Anthem entitled under ERISA to remove claims to federal court and refusing employee benefit plan participants’ motion to remand to state court state claims arising from data breach); In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016)(refusing to dismiss participant claims against non-Anthem defendants for lack of standing), motion reconsideration denied In re Anthem, Inc. Data Breach Litig., No. 15-CV-04739-LHK, 2016 WL 324386 (N.D. Cal. Jan. 27, 2016); Bartnett v. Abbott Lab’ys, No. 20-CV-02127, 2021 WL 428820, at *5 (N.D. Ill. Feb. 8, 2021) (dismissing breach of fiduciary duty claim based on inadequate evidence); In re: Premera Blue Cross Customer Data Sec. Breach Litig., No. 3:15-MD-2633-SI, 2017 WL 539578, at *21 (D. Or. Feb. 9, 2017). While mostly unsuccessful to date for procedural or factual sufficiency reasons, the preemption issues argued in many of these cases support concerns that under the proper circumstances ERISA could apply to breaches involving plans or their participants. As these and other actions continue to wind their way through the courts, EBSA also has begun to acknowledge that ERISA plan fiduciaries duties of prudence include cybersecurity responsibilities.

EBSA’s first official recognition of a cybersecurity responsibility by plan fiduciaries appears in the Default Electronic Disclosure by Employee Pension Benefit Plans Under ERISA Final Rule (the “Electronic Disclosure Rule”), which took effect July 27, 2020 . In the discussion of its requirements regarding website-based electronic disclosures in Subpart (e)(3), the Electronic Disclosure Rule requires that “[T]he administrator must take measures reasonably calculated to ensure that the website protects the confidentiality of personal information relating to any covered individual.” Similarly, the requirements for using e-mail to provide electronic disclosures in Subsection (k)(4) of the Electronic Disclosure Rule require the plan administrator to take “measures reasonably calculated to protect the confidentiality of personal information relating to the covered individual.” While recognizing these cyber security responsibilities in the Electronic Disclosure Rule, however, EBSA explained in the Preamble to the Electronic Disclosure Rule that it decided not to include more cumbersome cybersecurity requirements in the Electronic Disclosure Rule out of concern over the cost and other burdens of such requirements. Nevertheless, the Electronic Disclosure Rule imposed a responsibility by plan fiduciaries of employee benefit plans making electronic disclosures to ensure that electronic recordkeeping systems have in place reasonable controls, adequate records management practice, and other measures calculated to protect Personally Identifiable Information.

EBSA’s April 14, 2021 reflects EBSA now views the fiduciary responsibilities of ERISA-covered employee benefit plan fiduciaries generally as including the responsibility to take “appropriate precautions” to mitigate risks to plan participants and assets from both internal and external cybersecurity threats. Beyond acknowledging a duty to take prudent steps to protect plans assets and participants against internal and external cybersecurity threats, EBSA also shared the following three resources to help plan sponsors, fiduciaries and participants to safeguard benefit plans and personal information against emerging cyber threats:

Tips for Hiring a Service Provider: Helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.
Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks.
Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.
Participants in Securities Markets, Market Infrastructure Providers & Vendors.

Meanwhile the Securities and Exchange Commission (“SEC”) also has made clear its expectation that all firms participating in the securities markets, market infrastructure providers and vendors will appropriately monitor, assess and manage their cybersecurity risk profiles, including their operational resiliency. Consistent with the shared understanding of best cybersecurity practices shared with the agencies, the SEC guidance makes clear its market involved and impacting regulated entities are accountable for maintaining and enforcing appropriate internal and external controls to prevent, detect and redress cybersecurity threats, including appropriate board governance and risk management, access rights and controls, data loss prevention,mobile security, incident response and resiliency, vendor management, training and awareness and other practices. See SEC Office of Compliance Inspections and Examinations Cybersecurity and Resiliency Observations. Recently announced enforcement actions demonstrate that the SEC is acting on its promise to go after SEC regulated entities that breach these expectations. See, e.g., SEC Announces Three Actions Charging Deficient Cybersecurity Procedures.

These and other recently announced federal regulatory and enforcement developments send a clear message to businesses and their leadership, employee benefit plan sponsors, fiduciaries, record keepers and other vendors, SEC securities market involved organizations and others to clean up their cybersecurity compliance and risk management. Beyond the governmental enforcement risks these developments signal, these and other emerging regulatory developments provide added fuel for the already substantial private litigant and government complaints, investigations and prosecutions against businesses, their leaders, their employee benefit plan fiduciaries, record keepers and other service providers,and others. and their leaders unable to defend the adequacy of their cybersecurity related practices.

Raise Cybersecurity Compliance & Defenses To Mitigate Risks & Liabilities

In the face of these developments, all businesses, employee benefit plan fiduciaries, their employer and other sponsors, record keepers and other vendors and their leaders should prioritize cybersecurity compliance, risk management, oversight and controls. As part of these efforts, organizations and their leaders should move quickly to position themselves to defend against potential investigation and enforcement risks created by these emerging policies. These efforts should seek to ensure compliance with all applicable statutory, regulatory and contractual requirements as well as institutionalize the necessary operational controls to protect systems, data and operations from cyber breaches and other threats, to detect and redress cyber events promptly, and to ensure that the organization otherwise can demonstrate both their compliance efforts, as well as their timely prudent detection, investigation, reporting, mitigation and remediation in response to actual or suspected cyber threats or other compliance breaches.

Efforts should begin by taking carefully crafted, well-documented documented steps to prudently evaluate and strengthen cybersecurity and breach safeguards and compliance, as well as prudently to assess and verify those of their vendors and others involved with their employee benefit plans or their administration within the scope of attorney-client privilege.

Assessments should take into account all existing required statutory, regulatory, and contractual controls and practices, documentation and other procedures. In addition, organizations should consider the advisability of adopting other “best practice” safeguards or actions taking into account relevant agency guidance and resources, government or other contracts, other industry or related standards, known and suspected breaches, “red flags” and threats, their own, their vendor and business partner and other risk profiles and experience, and other factors likely to be viewed as prudent under the circumstances.

In assessing, designing and administering the cybersecurity processes, organizations and their leaders should give due attention to assessing and addressing the adequacy of their internal and external controls to ensure the adequacy of their systems, processes, oversight and response practices and capabilities as of the time of the assessment and on an ongoing basis. Beyond establishing required policies and formal controls, organization should ensure that their organizations have in place the necessary policies and practices to monitor and control cyberthreats arising from conduct and risks created by employees and other internal workforce, vendors and other parties interacting with the business and its operations. As part of these efforts, most organizations will need to evaluate their contractual obligations and requirements for vendors, suppliers and others interacting with their businesses. Beyond general contractual compliance obligations, organizations should weigh requiring contractors, suppliers and other business partners to make specific commitments to maintain and monitor compliance and other risks, to provide timely notice and reports, to cooperate with audits and investigations necessary or advisable to respond to private or government complaints, government or other investigation, reporting or other requirements, their own compliance and risk assessments, audits and investigations and other compliance and risk management efforts. Organizations also should give careful attention and review the adequacy of protections and responsibilities arising from contractual cybersecurity and breach notice, investigation, cooperation, indemnification, insurance and other associated protections and cooperation.

Organizations also should consider establishing and administering processes for independent monitoring of regulatory, news, and other reports that could provide early warning of potential cybersecurity weaknesses, threats and breaches.

All processes should include appropriate governance, oversight and reporting to provide for ongoing monitoring and oversight necessary to identify and respond to evolving risks arising in the course of their operations as well as consistent practices for carefully documenting their compliance and risk management compliance efforts.

Because of the frequently high cost of breach investigation, response and mitigation, most organizations will want to consider securing cyber liability or other coverage, require vendors and other business partners to provide cyber liability indemnifications backed up with insurance or other adequate assurance of their ability to fulfill these financial responsibilities.

More Information

We hope this update is helpful. For more information about or assistance with these or other workforce, internal controls and compliance or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, and author of the “Medical Privacy” Chapter in the BNA/ERISA Litigation Treatise, the “Other Torts Chapter” in the BNA/ABA E-Heath & Other Torts Treatise, “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other highly regarded data privacy and security, workforce and health care change and crisis management and other highly regarded publications and presentations, Ms. Stamer is widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns.

A Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with private and public employer, health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. In the course of this work, she has had extensive involvement in the design, administration and defense of payroll, employee benefit, insurance, securities, trade secret and other confidential information and other internal and external record and data systems and processes as well as investigation, reporting, redress and mitigation of cyber and other incidents.

As a part of this work, she has continuously and extensively worked with domestic and international health and other employee benefit plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies. She also has extensive experience dealing with OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting, current RPTE Welfare Benefit Committee Co-Chair and former Chair of its Fiduciary Responsibility, Plan Terminations and Distributions and Defined Contribution Plan Committees, a former JCEB Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former SHRM Consultants Board and Region IV Chair, former Texas Association of Business Board, BACPAC Board and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas.

Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstance at any time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any situation and does not necessarily address all relevant issues. Because developments could impact the currency and completeness of this discussion, the author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein. ©2021 Cynthia Marcotte Stamer. Limited non-exclusive right to republish granted to Solutions Law Press, Inc.™.

Comments Off on Federal Agencies Take Aim At Businesses, Benefit Plan Fiduciaries & Service Providers & Others With Lax CyberSecurity & CyberBreach Compliance; Build Defenses By Strengthening Internal & External Controls & Risk Managment | Association Health Plan, Corporate Compliance, corporate governance, Cybercrime, Cybersecurity, Data Breach, Data Security, EBSA, Employee Benefits, Employer, Employers, ERISA, fiduciary duty, Fiduciary Responsibility, Government Accountability, Government Contractors, government employer, government plan, group health plan, health benefit, Health Benefits, health Care, Health Care Fraud, Health Care Sharing Ministries, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, HIPAA, HIPAA, Medicare Part D, multiple employer plan (Meps), Personal Health Records, Personal Health Recordss, Privacy, Protected Health Information, Public Policy, Retirement Plans, SEC | Permalink
Posted by Cynthia Marcotte Stamer

Agencies Release of 3rd Surprise Billing Reminder Time Short For Health Plans To Prepare For 2022 Compliance Deadline; Learn More in 10/17 Briefing

September 30, 2021

Yesterday’s release by the Departments of Labor, Health and Human Services, Treasury and the Office of Personnel Management (“Agencies”) release yesterday (September 30, 2021) an a third interim final rule (“3rd Rule”) implementing requirements applicable to health plans and health care providers enacted under the No Surprises Act (the “Act) warns health plans, their employer and other sponsors, insurers, fiduciaries and service providers time is running out to update their plans, contracts and practices to prepare to meet comply with the Act when its rules take effect in 2022.

The release of the 3rd Rule yesterday follows the Agencies’ issuance of an interim final rule on consumer protections against surprise billing (“1st Rule”) in July and a proposed rule to help collect data on the air ambulance provider industry (“2nd Rule”) earlier in September, both of which take effect on January 1, 2022.The rules implement the Act’s ban on surprise billing for emergency services and ancillary care at in-network facilities, and limit high out-of-network cost sharing for emergency and non-emergency services by prohibiting them from being higher than if such services were provided in-network. In addition to the Act’s requirements implemented by these three rule packages, health plans and health providers also need to begin preparing to comply with new rules regarding prescription drug coverages and various other requirements of the Act, as well as a plethora of regulatory and market changes impacting health plans and their administration that have emerged over the past year.

Solutions Law Press, Inc. is hosting a complimentary briefing by Cynthia Marcotte Stamer on key requirements of the Act expected to impact health plans and their administration on Monday, October 18, 2021 from 11:30 a.m. to 1:00 p.m. Central Time. Registration is limited. Persons interested in attending should e-mail here to request registration as soon as possible.

Act’s Surprise Billing Ban

The Act seeks to protect patients from surprise bills and remove them from the middle of payment disputes between out-of-network providers, facilities, or providers of air ambulance services and health plans or issuers.

The 1st Rule published on July 1, 2021 states that, beginning in 2022, patients will only be required to pay cost sharing based on in-network rates for certain out-of-network emergency services, out-of-network non-emergency services at in-network facilities and out-of-network air ambulance services.

The 3rd Rule builds on this work and details how the total payment to an out-of-network provider or facility will be determined. In some cases – based on the law – state law or application of a state All-Payer Model Agreement will determine this amount. Where neither applies, the rule sets forth the federal process that will apply for determining the amount. When a payment dispute for items/services that fall under surprise billing protections occur, either a provider, facility, or air ambulance provider or plan/issuer may initiate a 30-day open negotiation period. If open negotiation fails, either party may initiate the federal independent dispute resolution process. This rule details how this process initiates, what is eligible for this process and how independent dispute resolution entities should consider factors when determining a payment amount.

Self Pay Patient’s Good Faith Estimate Requirements

In added consumer protections, today’s 3rd Rule also outlines key requirements related to uninsured (or self-pay) individuals. Self-pay individuals are individuals who have coverage but do not choose to have their care billed to their health plan or issuer. When individuals schedule an item or service with certain providers and facilities, those providers and facilities will be required to inquire about the individual’s health coverage status, and if the individual wants their care billed to their health plan or issuer.

The provider or facility must provide a good faith estimate of expected charges for the care they are scheduling for individuals deemed uninsured (or self-pay). An uninsured (or self-pay) individual may also request a good faith estimate, without scheduling an item or services. The rule also establishes a process for uninsured (or self-pay) individuals to initiate a payment dispute resolution process if they are ultimately billed substantially in excess of the good faith estimate they received.

Time Running Short To Complete Compliance Preparations

The Act’s restrictions on balance billing of out of network and self pay services, along with new rules regarding prescription drug coverage and various other health benefit rules are scheduled to take effect under the Act beginning in January, 2022 as well as a host of other statutory, regulatory and market changes impacting health benefit programs for the upcoming year. Aside from the complexities of meeting the direct requirements of the rules, health plans and their sponsors, fiduciaries, administrators and advisors working to update their plans also will need to determine and decide how to respond to state law regulatory surprise billing and other price transparency and balance billing rules that the Act and its implementing regulations incorporate. Employer and other health plan sponsors, health plan fiduciaries and their service providers need to confirm the necessary arrangement are prepared in a timely fashion to ensure their health plans are designed and administered to comply with these requirements. In addition to updating plan documents, contracts, and processes, health plans, their sponsors, fiduciaries, administrative service providers and others likely need to review budget forecasts, stop loss and other insurance, participant and provider communications, systems, and a host of other operating features of their programs. Given the emerging nature of the guidance, meeting current deadlines are likely to prove challenging. Accordingly health plan sponsors, administrators, fiduciaries, insurers, and advisors should move quickly to begin preparations.

More Information

About the Author

Scribe for the ABA JCEB Annual Agency Meeting with HHS-OCR, Vice Chair of the ABA International Section Life Sciences Committee, past Chair of the ABA Health Law Section Managed Care & Insurance Interest Group and the ABA RPTE Employee Benefits & Other Compensation Group, Ms. Stamer is most widely recognized for her decades of pragmatic, leading edge work, scholarship and thought leadership on health and other privacy and data security and other health industry legal, public policy and operational concerns. Ms. Stamer’s work throughout her 30 plus year career has focused heavily on working with health care and managed care, health and other employee benefit plan, insurance and financial services and other public and private organizations and their technology, data, and other service providers and advisors domestically and internationally with legal and operational compliance and risk management, performance and workforce management, regulatory and public policy and other legal and operational concerns. As a part of this work, she has continuously and extensively worked with domestic and international health plans, their sponsors, fiduciaries, administrators, and insurers; managed care and insurance organizations; hospitals, health care systems, clinics, skilled nursing, long term care, rehabilitation and other health care providers and facilities; medical staff, accreditation, peer review and quality committees and organizations; billing, utilization management, management services organizations, group purchasing organizations; pharmaceutical, pharmacy, and prescription benefit management and organizations; consultants; investors; EHR, claims, payroll and other technology, billing and reimbursement and other services and product vendors; products and solutions consultants and developers; investors; managed care organizations, self-insured health and other employee benefit plans, their sponsors, fiduciaries, administrators and service providers, insurers and other payers, health industry advocacy and other service providers and groups and other health and managed care industry clients as well as federal and state legislative, regulatory, investigatory and enforcement bodies and agencies.

This involvement encompasses helping health care systems and organizations, group and individual health care providers, health plans and insurers, health IT, life sciences and other health industry clients prevent, investigate, manage and resolve sexual assault, abuse, harassment and other organizational, provider and employee misconduct and other performance and behavior; manage Section 1557, Civil Rights Act and other discrimination and accommodation, and other regulatory, contractual and other compliance; vendors and suppliers; contracting and other terms of participation, medical billing, reimbursement, claims administration and coordination, Medicare, Medicaid, CHIP, Medicare/Medicaid Advantage, ERISA and other payers and other provider-payer relations, contracting, compliance and enforcement; Form 990 and other nonprofit and tax-exemption; fundraising, investors, joint venture, and other business partners; quality and other performance measurement, management, discipline and reporting; physician and other workforce recruiting, performance management, peer review and other investigations and discipline, wage and hour, payroll, gain-sharing and other pay-for performance and other compensation, training, outsourcing and other human resources and workforce matters; board, medical staff and other governance; strategic planning, process and quality improvement; meaningful use, EHR, HIPAA and other technology, data security and breach and other health IT and data; STARK, ant kickback, insurance, and other fraud prevention, investigation, defense and enforcement; audits, investigations, and enforcement actions; trade secrets and other intellectual property; crisis preparedness and response; internal, government and third-party licensure, credentialing, accreditation, HCQIA and other peer review and quality reporting, audits, investigations, enforcement and defense; patient relations and care; internal controls and regulatory compliance; payer-provider, provider-provider, vendor, patient, governmental and community relations; facilities, practice, products and other sales, mergers, acquisitions and other business and commercial transactions; government procurement and contracting; grants; tax-exemption and not-for-profit; privacy and data security; training; risk and change management; regulatory affairs and public policy; process, product and service improvement, development and innovation, and other legal and operational compliance and risk management, government and regulatory affairs and operations concerns. to establish, administer and defend workforce and staffing, quality, and other compliance, risk management and operational practices, policies and actions; comply with requirements; investigate and respond to Board of Medicine, Health, Nursing, Pharmacy, Chiropractic, and other licensing agencies, Department of Aging & Disability, FDA, Drug Enforcement Agency, OCR Privacy and Civil Rights, Department of Labor, IRS, HHS, DOD, FTC, SEC, CDC and other public health, Department of Justice and state attorneys’ general and other federal and state agencies; JCHO and other accreditation and quality organizations; private litigation and other federal and state health care industry actions: regulatory and public policy advocacy; training and discipline; enforcement; and other strategic and operational concerns.

Author of “Privacy and the Pandemic Workshop” for the Association of State and Territorial Health Plans, as well as a multitude of other health industry matters, workforce and health care change and crisis management and other highly regarded publications and presentations, the American Bar Association (ABA) International Section Life Sciences Committee Vice Chair, a Scribe for the ABA Joint Committee on Employee Benefits (JCEB) Annual OCR Agency Meeting and a former Council Representative, Past Chair of the ABA Managed Care & Insurance Interest Group, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, and past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, and a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation, Ms. Stamer also shares her extensive publications and thought leadership as well as leadership involvement in a broad range of other professional and civic organizations. For more information about Ms. Stamer or her health industry and other experience and involvements, see www.cynthiastamer.com or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

NOTICE: These statements and materials are for general informational and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation in light of the specific facts and circumstances presented in their unique circumstance at any particular time. No comment or statement in this publication is to be construed as legal advice or an admission. The author and Solutions Law Press, Inc.™ reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law is rapidly evolving and rapidly evolving rules makes it highly likely that subsequent developments could impact the currency and completeness of this discussion. The author and Solutions Law Press, Inc.™ disclaim, and have no responsibility to provide any update or otherwise notify anyone any such change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication. Readers acknowledge and agree to the conditions of this Notice as a condition of their access of this publication. Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.

Comments Off on Agencies Release of 3rd Surprise Billing Reminder Time Short For Health Plans To Prepare For 2022 Compliance Deadline; Learn More in 10/17 Briefing | Balance Billing, Corporate Compliance, group health plan, health benefit, Health Benefits, health Care, health care transparency, health insurance, health insurance marketplace, Health IT, health plan, Health Plans, health reform, out-of-network, Surprise Billing, Surprise Billingn, transparency | Permalink
Posted by Cynthia Marcotte Stamer

IRS Gives Employers Guidance On Claiming ARP Tax Credits For Paid COVID Leave

April 27, 2021

Small and midsize employers and government employers interested in claiming refundable tax credits allowed by the American Rescue Plan Act of 2021 (“ARP”) to reimburse the employer for the cost of providing ARP-mandated paid sick and family leave to their employees due to COVID-19 (“COVID Leave”) between April 1, 2021 and September 30, 2021 should review the new fact sheet designated FS-2021-09 (“FS-2021-9”) published by the Internal Revenue Service on April 21, 2021.

ARP Paid Sick And Family Leave For Which Tax Credits Can Be Claimed

The Families First Coronavirus Response Act (“FFCRA”) required employers with 500 or fewer employees to provide employees with paid sick leave (“COVID Paid Leave”) or expanded family and medical leave (“COVID Unpaid Leave”) for specified reasons (“COVID Events”) related to COVID-19 through December 31, 2020, but provided for Covered Employers to be reimbursed for these expenditures through employment tax credits claimed by the employer.

Although the FFCRA COVID Paid Leave mandate expired on December 31, 2021 and was not revived or extended by ARP, ARP preserved and extended the availability of the employment tax credits for eligible employers opting to voluntarily continue to provide COVID Paid Leave for all employees between December 31, 2021 and September 30, 2021. Thus, ARP authorizes employers of 500 or fewer employees that voluntarily provide COVID Paid Leave for all employees to claim a tax credit against their employment taxes.

While the FFCRA mandate was in effect, Covered Employers generally were required to excuse from work and pay the a percentage of the employee’s regular pay up to the specified statutory cap (“COVID Pay”) to any employee unable to work due to a COVID Event until the first work shift that begins on or after the earlier of the following dates:

The termination of the need for the COVID Paid Leave; or
The date the employee exhausts his maximum entitlement to Paid COVID Leave.

Employers Eligible To Claim ARP Tax Credit

The ARP tax credits generally are available to any eligible employer that voluntarily pays the COVID Paid Leave previously mandated by FFCRA through September 30, 2021. An eligible employer is any business, including a tax-exempt organization, with fewer than 500 employees. An eligible employer also includes a governmental employer, other than the federal government and any agency or instrumentality of the federal government that is not an organization described in section 501(c)(1) of the Internal Revenue Code. Self-employed individuals also are eligible for similar tax credits. FS-2021-9 clarifies how employers that provide COVID Paid Leave can claim the ARP employment tax credits.

ARP Tax Credit Amounts

The ARP paid leave credits are tax credits against the employer’s share of the Medicare tax. The tax credits are refundable, which means that the employer is entitled to payment of the full amount of the credits if it exceeds the employer’s share of the Medicare tax.

The tax credit for paid sick leave wages is equal to the sick leave wages paid for COVID-19 related reasons for up to 80 hours for full-time employees (or for each part-time employee, up to the average number of hours such employee works over a 2-week period), limited to $511 per day and $5,110 in the aggregate, at 100 percent of the employee’s regular rate of pay. The tax credit for paid family leave wages is equal to the family leave wages paid for up to twelve weeks, limited to $200 per day and $12,000 in the aggregate, at 2/3rds of the employee’s regular rate of pay. The amount of these tax credits is increased by allocable health plan expenses and contributions for certain collectively bargained benefits, as well as the employer’s share of social security and Medicare taxes paid on the wages (up to the respective daily and total caps).

Claiming The Credit

Eligible employers may claim tax credits for sick and family leave paid to employees, including leave taken to receive or recover from COVID-19 vaccinations, for leave between April 1, 2021, through September 30, 2021.

Eligible employers report their total paid sick and family leave wages (plus the eligible health plan expenses and collectively bargained contributions and the eligible employer’s share of social security and Medicare taxes on the paid leave wages) for each quarter on their federal employment tax return. Form 941, Employer’s Quarterly Federal Tax Return is used by most employers to report income tax and social security and Medicare taxes withheld from employee wages, as well as the employer’s own share of social security and Medicare taxes.

In anticipation of claiming the credits on the Form 941, FS-2021-9 confirms eligible employers can keep the federal employment taxes that they otherwise would have deposited, including federal income tax withheld from employees, the employees’ share of social security and Medicare taxes and the eligible employer’s share of social security and Medicare taxes with respect to all employees up to the amount of credit for which they are eligible. The Form 941 instructions explain how to reflect the reduced liabilities for the quarter related to the deposit schedule.

If an eligible employer does not have enough federal employment taxes set aside for deposit to cover amounts provided as paid sick and family leave wages (plus the eligible health plan expenses and collectively bargained contributions and the eligible employer’s share of social security and Medicare taxes on the paid leave wages), the eligible employer may request an advance of the credits by filing Form 7200, Advance Payment of Employer Credits Due to COVID-19. The eligible employer will account for the amounts received as an advance when it files its Form 941for the relevant quarter.

FS-2021-9 states that self-employed individuals may claim comparable tax credits on their individual Form 1040, U.S. Individual Income Tax Return.

Reminder About Complying With ARP COVID-19 Premium Subsidy Mandates

Employers also should keep in mind that while ARP made paying COVID Paid Leave voluntary, compliance with ARP’s COVID Premium Subsidy rule is mandatory for covered group health plans and their sponsors. Covered group health plans generally include all group health plans sponsored by private-sector employers or employee organizations (unions) subject to the COBRA rules under the Employee Retirement Income Security Act of 1974 (ERISA); group health plans sponsored by State or local governments subject to the continuation provisions under the Public Health Service Act and group health insurance required to comply with state mini-COBRA laws.

ARP’s COBRA Premium Subsidy rules dictate that covered group health plans offer and allow individuals previously enrolled in employee or dependent coverage who qualify as “assistance eligible individuals” to reinstate if necessary and continue health benefits by enrolling in continuation coverage under the Consolidated Omnibus Reconciliation Act (“COBRA Coverage”) at no charge during their applicable Premium Subsidy Period, but simultaneously allows employer or other sponsors of these group health plans to claim an employment tax credit to reimburse the employer or other health plan sponsor for the amount of the foregone COBRA premiums.

Assistance eligible individuals generally are COBRA qualified beneficiaries who lost coverage under the group health plan due to an involuntary reduction in hours or termination of employment enrolled in COBRA Coverage between April 1, 2021 and September 31, 2021 including those qualifying event was an involuntary employment loss occurring during the 18-month period (29-months for individuals qualifying for extended COBRA eligibility due to disability) prior to April 1, 2021 not enrolled in COBRA as of April 1, 2021. This generally includes COBRA qualified beneficiaries whose loss of group health coverage results from an involuntary employment reduction or loss for a reason other than gross misconduct after ARP’s enactment on March 11, 2021 as well as qualified beneficiaries whose involuntary employment loss happened before the effective date who but for their previous failure to elect COBRA or to maintain COBRA Coverage would still be entitled to COBRA Coverage because less than 18 months (29 months for qualified beneficiaries disabled on the date of coverage loss who qualify for extension of the disability coverage period) has elapsed since their employment loss and an event has not occurred following the coverage termination that would terminate their COBRA eligibility before the end of such otherwise applicable maximum COBRA eligibility period. Group health plans must offer a second opportunity to enroll in COBRA Coverage with COBRA premium assistance to qualified beneficiaries eligible for premium assistance not enrolled in COBRA Coverage as of April 1, 2021.

Assistance eligible individuals who timely enroll in COBRA Coverage with premium assistance generally must receive COBRA Coverage free of charge from the group health plan for any coverage period during the period that begins on or after April 1, 2021 until the earliest of the following dates (the “Premium Subsidy Period”):^[1]

The date the qualified beneficiary is eligible ^[2] for coverage under any other group health plan (other than coverage consisting of only excepted benefits,^[3] coverage under a health flexible spending arrangement under Code Section 106(c)(2), coverage under a qualified small employer health reimbursement arrangement under Code Section 9831(d)(2) or eligible for benefits under the Medicare program under title XVIII of the Social Security Act;
The date of the expiration of the otherwise applicable maximum period of COBRA continuation coverage under Code Section 4980B (other than due to a failure to elect or discontinuation of coverage for nonpayment of COBRA premium that occurred before April 1, 2021).

To implement these rules, ARP also requires that no later than May 31, 2021, covered group health plan administrators notify eligible qualified beneficiaries eligible to obtain COBRA coverage due to a reduction in hours or termination of employment with premium assistance during their Premium Subsidy Period. In addition to notifying employees and dependents experiencing employment loss related terminations of group health plan coverage of these rules on or after April 1, 2021, the ARP COBRA Premium Subsidy rules also require covered group health plans to notify certain former covered employees or dependents that lost coverage due to a loss of reduction in hours of employment within the last 18 (or in the case of an individual disabled on the date of the loss of coverage meeting certain other rules, potentially 29) months prior to April 1, 2021 qualify to enroll in COBRA coverage at no cost from April 1, 2021 through the end of the Premium Subsidy Period. Group health plans also are required to send a notification to assistance eligible individuals that elect to enroll using the COBRA Premium Subsidy when their COBRA Premium Subsidy Period expiration is impending.

Regulatory guidance released by the Employee Benefit Security Administration on April 7, 2021 includes model notices and other preliminary guidance on the COBRA Premium Assistance Rules.

Compliance with these requirements is critical for group health plans and their employer or other sponsors. Plans and their administrators can face administrative sanctions, lawsuits brought by assistance eligible individuals or the Department of Labor or both. Additionally, as COBRA is one of the 40 laws listed in Internal Revenue Code section 6039D, employer or other plan sponsors of noncompliant plans could become responsible for self-identifying, reporting, self-assessing and paying excise taxes if the violation is not corrected by the due date of their business tax return (without extensions).

To mitigate the impact of complying with the COBRA Premium Subsidy rule, the employer or other entity that bears the cost of providing the COBRA Premium Subsidy should investigate and, if applicable, claim the ARP authorized employment tax credit. Section 6432 of ARP authorizes the following party to claim a quarterly tax credit toward the employment taxes under Internal Revenue Code section 3111(b), or so much of the taxes imposed under section 3221(a) as attributable to the rate in effect under section 3111(b), for each calendar quarter. The amount of the available tax credit is equal to the premiums paid on behalf of the assistance eligible individuals for COBRA Coverage under the COBRA Premium Subsidy rule:

If the group health plan is a “multiemployer plan” under ERISA section 3(37), the plan;
If the group health plan is not a multiemployer plan and either (a) subject to COBRA or (b) is a plan under which some or all of the coverage is not provided by insurance, and (c), is not a multiemployer plan, the employer; and
In the case of any group health plan not described in paragraph (1) or (2), the insurer providing the coverage under the group health plan.

The credit allowed under these provisions for any calendar quarter can’t exceed the tax imposed under those sections for the calendar quarter (reduced by any credits allowed against such taxes under sections 3131, 3132, and 3134) on the wages paid with respect to the employment of all employees of the employer. Rather, ARP provides that if the amount of the credit allowed exceeds the amount of tax due for that calendar quarter, such excess is treated as an overpayment refundable under Code sections 6402(a) and 6413(b). Moreover, ARP allows for the credit, including the refundable portion under subparagraph (A),to be advanced, according to forms and instructions provided by the Secretary through the end of the most recent payroll period in the quarter and authorizes the Secretary of Treasury to waive any penalty under section 6656 for any failure to make a deposit of the employment taxes tax imposed by section 3111(b) or section 3221(a) where the failure was due to the anticipation of the credit allowed under this section.

ARP includes various other rules regarding the calculation and claiming of the credits and for handling situations where assistance eligible individuals make payments which should have been waived. The Department of Treasury is expected to issue guidance about these and other details of regarding the COBRA Premium Subsidy rules tax credit provisions soon. Stay tuned for added guidance.

More Information

If you need assistance or would like additional information about these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

Solutions Law Press, Inc. also invites you receive future updates by registering here and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here. For specific information about the these or other legal, management or public policy developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.

About the Author

Recognized by her peers as a Martindale-Hubble “AV-Preeminent” (Top 1%) and “Top Rated Lawyer” with special recognition LexisNexis® Martindale-Hubbell® as “LEGAL LEADER™ Texas Top Rated Lawyer” in Health Care Law and Labor and Employment Law; as among the “Best Lawyers In Dallas” for her work in the fields of “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law” by D Magazine, Cynthia Marcotte Stamer is a practicing attorney board certified in labor and employment law by the Texas Board of Legal Specialization and management consultant, author, public policy advocate and lecturer widely known for 30+ years working as an on demand, special project, consulting, general counsel or other basis with domestic and international business, charitable, community and government organizations of all types, sizes and industries and their leaders on labor and employment and other workforce compliance, performance management, internal controls and governance, compensation and benefits, regulatory compliance, investigations and audits, change management and restructuring, disaster preparedness and response and other operational, risk management and tactical concerns.

Most widely recognized for her work with workforce, health care, life sciences, insurance and data and technology organizations, she also has worked extensively with health plan and insurance, employee benefits, financial, transportation, manufacturing, energy, real estate, accounting and other services, public and private academic and other education, hospitality, charitable, civic and other business, government and community organizations. and their leaders.

Ms. Stamer has extensive experience advising, representing, defending and training domestic and international public and private business, charitable, community and governmental organizations and their leaders, employee benefit plans, their fiduciaries and service providers, insurers, and others has published and spoken extensively on these concerns. As part of these involvements, she has worked, published and spoken extensively on these and other federal and state wage and hour and other compensation, discrimination, performance management, and other related human resources, employee benefits and other workforce and services; insurance; workers’ compensation and occupational disease; business reengineering, disaster and distress; and many other risk management, compliance, public policy and performance concerns.

A former lead advisor to the Government of Bolivia on its pension project, Ms. Stamer also has worked internationally and domestically as an advisor to business, community and government leaders on these and other legislative, regulatory and other legislative and regulatory design, drafting, interpretation and enforcement, as well as regularly advises and represents organizations on the design, administration and defense of workforce, employee benefit and compensation, safety, discipline, reengineering, regulatory and operational compliance and other management practices and actions.

Ms. Stamer also serves in leadership of a broad range of professional and civic organizations and provides insights and thought leadership through her extensive publications, public speaking and volunteer service with a diverse range of organizations including as Chair of the American Bar Association (“ABA”) Intellectual Property Section Law Practice Management Committee, Vice Chair of the International Section Life Sciences and Health Committee, Past ABA RPTE Employee Benefits & Other Compensation Group Chair and Council Representative and current Welfare Benefit Committee Co-Chair, Past Chair of the ABA Managed Care & Insurance Interest Group, past Region IV Chair and national Society of Human Resources Management Consultant Forum Board Member, past Texas Association of Business BACPAC Chair, Regional Chair and Dallas Chapter Chair, former Vice President and Executive Director of the North Texas Health Care Compliance Professionals Association, past Board President of Richardson Development Center (now Warren Center) for Children Early Childhood Intervention Agency, past North Texas United Way Long Range Planning Committee Member, past Board Member and Compliance Chair of the National Kidney Foundation of North Texas, a Fellow in the American College of Employee Benefit Counsel, the American Bar Foundation and the Texas Bar Foundation and many others.

For more information about these concerns or Ms. Stamer’s work, experience, involvements, other publications, or programs, see www.cynthiastamer.com or contact Ms. Stamer via e-mail here.

About Solutions Law Press, Inc.™

Comments Off on IRS Gives Employers Guidance On Claiming ARP Tax Credits For Paid COVID Leave | 4980D, 6039D, American Rescue Plan Act, Brokers, COVID-19 Paid Leave, FMLA, group health plan | Permalink
Posted by Cynthia Marcotte Stamer

ERISA Requires Fidelity Bonding

Who Must Be Bonded

Bond Amount and Coverage Requirements

Liability For ERISA Bonding Violations

Managing Bonding And Bonding Risks

About the Author

About Solutions Law Press™

For More Information

About the Author

About Solutions Law Press, Inc.™

Government Contractor False Claims Act Cyber Risk

$2.7 Million Insight FCA Cyber Settlement

Cyber Risk Implications For Government Contractor & Other Organizations

For Additional Information

About the Author

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE

What Health Plans, Their Fiduciaries, Vendors & Sponsors Should Be Doing Now

Change Healthcare Ransomware Attack

HIPAA Security & Breach Notification Responsibilities

ERISA-Covered Health Plan Data Security & Breach Related Fiduciary Duties

ERISA & Other Risks From Untimely Timely Acceptance & Processing of Health Plan Eligibility & Benefit Provisions

For Additional Information

About the Author

About Solutions Laws Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

HIPAA Right of Access Rule

Optum Settlement 46th Right Of Access Enforcement Settlement

Right Of Access Remains OCR Investigation & Enforcement Priority

Manage Right of Access Rule Exposure

For More Information

IDR Process Suspended

New IDR Fees Announced Amid Suspension

What To Do Now

For More Information

About the Author

About Solutions Law Press, Inc.™

For More Information

About the Author

About Solutions Law Press, Inc.™

Banner Health Settlement

OCR Warns Other HIPAA-Covered Entities

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Act Promptly To Comment On Proposed Changes To ONC’s Electronic Clinical Quality Measures

eCQMs As Measure of Health Care Quality

2022 eCQMs Updates

Issues Open for Public Comment As of 9/14/2022

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

More Information

About the Author

Agencies Targeting Businesses, US Entities & Their Leaders For CyberSecurity & CyberBreach Regulation & Enforcement

Raise Cybersecurity Compliance & Defenses To Mitigate Risks & Liabilities

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Act’s Surprise Billing Ban

Self Pay Patient’s Good Faith Estimate Requirements

Time Running Short To Complete Compliance Preparations

More Information

About the Author

About Solutions Law Press, Inc.™

IMPORTANT NOTICE ABOUT THIS COMMUNICATION

Email Subscription

Pages

Recent Posts

Optum Settlement 46^th Right Of Access Enforcement Settlement