New OCR Guidance Assigns More HIPAA Homework To Health Plans, Providers, Business Associates and Employers

March 5, 2014

Think your health plan, health care organization, health care clearinghouse or their business associates have health care privacy covered? Think again.

A series of supplemental guidance issued by the Department of Health & Human Services Office of Civil Rights (OCR) in recent weeks is giving health care providers, health plans, health care clearinghouses (Covered Entities) and their business associates even more to do in reviewing and updating their policies, practices and training for handling protected health information (PHI) beyond bringing their policies and practices into line with OCR’s restatement and update to the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule (Omnibus Final Rule) OCR published January 25, 2013.

Covered Entities generally have been required to comply with most requirements of the Omnibus Final Rule, which restated OCR’s regulations implementing the Health Insurance Portability & Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules to reflect HIPAA amendments enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act, since the Omnibus Final Rule took effect on March 26, 2013 and to have updated business associate agreements in place since September 23, 2013. Meanwhile, the Omnibus Final Rule generally has required business associates to have updated business associate agreements in place and otherwise to have come into compliance with all of the applicable requirements of the Omnibus Final Rule since September 23, 2013. Although these deadlines are long past, many Covered Entities and business associates have yet to complete the policy, process and training updates required to comply with the rule changes implemented in the Omnibus Final Rule.

Even if a Covered Entity or business associate completed the updates required to comply with the Omnibus Final Rule, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance on its interpretation and enforcement of HIPAA against Covered Entities and business associates published by OCR since January 1, 2014 alone:

Beyond this 2014 guidance, Covered Entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule such as:

With OCR stepping up both audits and enforcement and penalties for violations higher than ever since the HITECH Act amended HIPAA, Covered Entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.

When conducting these efforts, Covered Entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions, but also document their commitment and ongoing compliance and risk management activities to help support their ability to show their organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation, and take well-documented, reasonable steps to encourage their business associates to do the same. When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws like the privacy and data security requirements that often apply to personal financial information, trade secrets or other sensitive data under applicable federal and state laws and judicial precedent.

For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.

Board Certified in Labor & Employment Law, Past Chair of the ABA RPTE Employee Benefit & Other Compensation Arrangements Group, Co-Chair and Past Chair of the ABA RPTE Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Plans Committee, Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 25 years’ experience advising health plan and employee benefit, insurance, financial services, employer and health industry clients about these and other matters. Ms. Stamer has extensive experience advising and assisting health care providers, health plans, their business associates and other health industry clients to establish and administer medical privacy and other compliance and risk management policies, to health care industry investigation, enforcement and other compliance, public policy, regulatory, staffing, and other operations and risk management concerns. The scribe for the ABA JCEB Annual Agency Meeting with the Office of Civil Rights (OCR) for the past several years who has worked on medical and other privacy concerns throughout her career, she regularly designs and presents HIPAA and other risk management, compliance and other training for health plans, employers, health care providers, professional associations and others, defends covered entities and business associates against OCR, FTC and other privacy and data security investigations, serves as special counsel in litigation arising from these concerns and is the author of several highly regarded publications on HIPAA and other privacy and security concerns.

Ms. Stamer also regularly works with OCR, FTC, USSS, FBI and state and local law enforcement on privacy, data security, health care, benefits and insurance and other matters, and publishes and speaks extensively on medical and other privacy and data security, health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her publications and insights appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and many other national and local publications. For instance, Ms. Stamer for the third year will serve as the appointed scribe for the ABA Joint Committee on Employee Benefits Agency meeting with OCR. Her insights on HIPAA risk management and compliance frequently appear in medical privacy related publications of a broad range of health care, health plan and other industry publications. Among others, she has conducted privacy training for the Association of State & Territorial Health Plans (ASTHO), the Los Angeles Health Department, the American Bar Association, the Health Care Compliance Association, a multitude of health industry, health plan, insurance and financial services, education, employer employee benefit and other clients, trade and professional associations and others. You can get more information about her HIPAA and other experience here.

You can review other recent human resources, employee benefits and internal controls publications and resources and additional information about the employment, employee benefits and other experience of Cynthia Marcotte Stamer, PC here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information, including your preferred e-mail, by creating or updating your profile at www.cynthiastamer.com or by registering to participate in the distribution of these and other updates on our HR & Employee Benefits Update distributions here including:

For important information concerning this communication click here. ©2014 Cynthia Marcotte Stamer. Limited, non-exclusive right to republish granted to Solutions Law Press, Inc. All other rights reserved.


Agencies Clarify Applicability of ACA Out-Of-Pocket Versus Deductible Cost Sharing Limitations

March 4, 2014

Non-grandfathered self-insured and large group health plans must comply with the out-of-pocket limits in 2014 but, pending further guidance, are excused from the duty to comply with deductible limitations imposed by the cost-sharing limitations of the Patient Protection & Affordable Care Act (ACA), according to new guidance jointly published February 20, 2013 by the Departments of Labor (DOL), Health and Human Services (HHS), and the Treasury (collectively, the “Departments”) in “FAQS About Affordable Care Act Implementation (Part XII)” (hereafter, the “FAQ”). However, the FAQ includes a transitional rule that allows plans to apply separate out-of-pocket maximums to prescription drug coverage and other group health plan coverage for 2014, to allow them time to adjust contracts in response to the requirement.

ACA Cost-Sharing Limits

Public Health Service (PHS) Act § 2707(b), as added by the ACA, requires a group health plan to ensure that any annual cost-sharing imposed under the plan does not exceed the limitations provided for under ACA §§ 1302(c)(1) and (c)(2). ACA § 1302(c)(1) requires that group health plans limit out-of-pocket maximums, while ACA § 1302(c)(2) limits deductibles for employer-sponsored plans.

ACA Deductible Limits

The FAQ clarifies that pending further guidance, self-insured group health plans and large group health plans currently are not generally required to comply with ACA’s deductible limitations.  According to the FAQ, the Departments currently view the deductible limits as generally applicable only to non-grandfathered small group insurance coverage and qualified health plans offered in the small group market. Additionally, the FAQ notes that pursuant to ACA § 1302(c)(2)(C), small group market health insurance coverage may exceed the annual deductible limit if it cannot reasonably reach a given level of coverage (metal tier) without exceeding the deductible limit.

In contrast, the FAQ states that the Departments intend to engage in future rule making to implement PHS Act § 2707(b) with respect to self-insured and large group health plans. However, the FAQ reports that the Departments continue to believe that only plans and issuers in the small group market are required to comply with the deductible limit described in ACA § 1302(c)(2).

The Departments invite interested parties to submit comments or other input relative to these deliberations no later than April 22, 2013 to e.ohpsca-2707.ebsa@dol.gov.

Until that rule making is promulgated and effective, however, the FAQ states that a self-insured or large group health plan can rely on the Departments’ stated intention to apply the deductible limits imposed by § 1302(c)(2) of the ACA only on plans and issuers in the small group market.  Accordingly, only plans and issuers in the small group market currently must comply with the ACA deductible limitations pending further guidance.

ACA Annual Out-Of-Pocket Maximum

In contrast, the FAQ confirms that all non-exempt, non-grandfathered group health plans – including self-insured and large and small insured group health plans – must comply with ACA’s annual limits on out-of-pocket maximums.

The FAQ reaffirms statements in the preamble to the HHS final regulation on standards related to essential health benefits that the Departments read PHS Act § 2707(b) as requiring all non-grandfathered group health plans subject to ACA to comply with the annual limitation on out-of-pocket maximums described in ACA § 1302(c)(1).

While stating all non-grandfathered non-exempt group health plans generally must comply with the out-of-pocket maximum rules, the Departments recognize in the FAQ that the use by many plans of multiple service providers to help administer benefits (such as one third-party administrator for major medical coverage, a separate pharmacy benefit manager, and a separate managed behavioral health organization) may create compliance challenges since separate plan service providers may impose different levels of out-of-pocket limitations and may use different methods for crediting participants’ expenses against any out-of-pocket maximums. To allow plans time to implement the arrangements to adjust plans and coordinate communications, the FAQ states that only for the first plan year beginning on or after January 1, 2014, where a group health plan or group health insurance issuer uses more than one service provider to administer benefits that are subject to the annual limitation on out-of-pocket maximums under ACA §§ 2707(a) or 2707(b), the Departments will consider the annual limitation on out-of-pocket maximums to be satisfied if the following conditions are satisfied:

  • The plan complies with the requirements with respect to its major medical coverage (excluding, for example, prescription drug coverage and pediatric dental coverage);
  • To the extent the plan or any health insurance coverage includes an out-of-pocket maximum on coverage that does not consist solely of major medical coverage (for example, if a separate out-of-pocket maximum applies with respect to prescription drug coverage), such out-of-pocket maximum does not exceed the dollar amounts set forth in ACA § 1302(c)(1); and
  • The plan complies with existing regulations implementing the Mental Health Parity and Addiction Equity Act of 2008 (MHPAEA), which prohibit a group health plan (or health insurance coverage offered in connection with a group health plan) from applying a cumulative financial requirement or treatment limitation, such as an out-of-pocket maximum, to mental health or substance use disorder benefits that accumulates separately from any such cumulative financial requirement or treatment limitation established for medical/surgical benefits.

Accordingly, while the FAQ generally allows plans using separate vendors to apply out-of-pocket maximums to prescription drug coverage separately from medical benefits generally, this is not allowed where the effect would be to impose an annual out-of-pocket maximum on all medical/surgical benefits and a separate annual out-of-pocket maximum on all mental health and substance use disorder benefits in violation of the MHPAEA.

The FAQ is one of many clarifications and other guidance implementing the ACA Rules. Compliance with these requirements as implemented is critical, as group health plans and insurers, their fiduciaries and sponsors face a myriad of exposures for violating these and other health plan rules. In the case of these and many other federal health plan rules, this includes an often overlooked obligation imposed under Internal Revenue Code § 6039D to self-identify, self-report and pay excise taxes under that provision in the event of a violation, as well as traditionally applicable ERISA exposures for violating federal benefit and coverage mandates. In light of these risks, health insurers, group health plan sponsors, fiduciaries and service providers are urged to act diligently to amend their plans and make other necessary arrangements to administer their programs in accordance with the applicable rules.

For Representation, Training & Other Resources

If you need assistance monitoring these and other regulatory policy, enforcement, litigation or other developments, or to review or respond to these or other workforce, benefits and compensation, performance and risk management, compliance, enforcement or management concerns, the author of this update, attorney Cynthia Marcotte Stamer may be able to help.
