21st Century Cures Act Impacts Employers with 50 or More Employees
Employers with 50 or more employees need to watch developments under the 21st Century Cures Act (“Cures”) because in addition to the establishment of the small employer health reimbursement accounts so small employers may set up funds to reimburse employees purchasing health insurance on a marketplace beyond 2016, it also impacts non-small employers in a number of ways. Cures includes “clarifications” to HIPAA Privacy requirements and a new mental health parity enforcement initiative worth noting. with it.
Mental Health Parity Enforcement Changes in 21st Century Cures Act Health Plans Should Note- Enforcement to Shine a Light on Non-compliance in a New Way
Expect more enforcement of the Mental Health Parity and Addiction Equity Act (“MHPAEA”) in the coming months. Cures provides for more enforcement coordination and sharing of information on enforcement efforts. The various enforcing agencies will share their enforcement results and those will be posted as an educational tool with the individually identifiable health information redacted. Cures requires the regulating agencies for the MHPAEA to jointly issue a “compliance program guidance document” within 12 months of Cures enactment or by December 13, 2017.
The “compliance program guidance document” will compile “illustrative examples” of previous findings of non-compliance with respect to any noncompliance with non-quantitative treatment limitations providing sufficient detail to fully explain such finding, including full description of criteria to approve benefits. Note Cures only requires the individual information to be redacted from the disclosure of the enforcement efforts, there is no protection of the plan name or the plan sponsor involved or implicated by the enforcement action. The examples will have protected health information or individually identifiable health information redacted, but there is no mandate to redact the plan sponsor or plan name from the disclosure of the violations. Perhaps not all publicity is good…
This publication of enforcement results with explanatory details is intended to enhance compliance, but plans should be aware that there may be other consequences to being listed because there is no statutory mandate that any plan or plan sponsor name be redacted. The compliance program guidance document is required to be updated every two years. The Department of Health and Human Services will also be developing outreach materials on MHPAEA compliance for individuals.
Cures further provides that if a group health plan or health insurance issuer has determined to have 5 violations of the MHPAEA, then the appropriate governing agency shall audit the plan’s document in the plan year following the determination that 5 violations exist to improve compliance. Curious that the plan’s document is audited in the subsequent years when the “substantially all” and “predominant” standards of MHPAEA require reviewing claim data and utilization.
Cures also clarified that if a health plan covers treatment of an eating disorder, it must provide coverage for this disorder as if it is protected under the MHPAEA and all of the required testing related to such disorder. In a FAQ 34 released in October 2016, the DOL emphasized that a large group health plan should substantiate its compliance with the “substantially all” and “predominant” requirements to test compliance with the MHPAEA using first its own data. The FAQ further stated that insurers and group health plans should not use data from the insurer’s book of business to demonstrate a plan’s compliance with the MHPAEA requirements, if there is sufficient data within the group health plan, or if there was a significant change in the health plan design or a significant change in the workforce impacting health plan claims, then there may be a reason to not use the plan’s data. Employers with health plans subject to the MHPAEA should check with their plan’s claims adjudicator and obtain the data demonstrating the plan’s compliance with MHPAEA review it to verify compliance and retain the data reports in the plan’s files.
MHPAEA was enacted in 2008 and was not part of the ACA, so any potential repeal efforts with the change in administration may not alter the MHPAEA mandates.
Cures MHPAEA Clarification on Eating Disorder Coverage
Cures clarified that if a group health plan subject to the MHPAEA provides coverage for eating disorder benefits, including residential treatment, such benefit coverage must be provided consistent with the MHPAEA. Congress may have been trying to mandate that the coverage of the treatment of eating disorders be covered as if those were mental health or addiction treatments. This particular section and the title in which it is contained in Cures does not have an effective date, instead there are effective dates and deadlines specific to certain provisions, such as the QSEHRA below. Since the section is couched as a “clarification”, absent other guidance, there is no delay in the effective date of the clarification. Cures was signed into law on December 13, 2016 as Public Law 114-255.
Group health plans that are subject to the MHPAEA should review their plan terms regarding how they cover the treatment of eating disorders and residential treatment in light of Cures section 13007
HIPAA Privacy Change from Cures
Cures requires guidance by December 13, 2017 which relaxes the requirements for communications with caregivers of adults with a serious mental illness in order to facilitate treatment. While portions of Cures talk of this solely in reference to health care providers, other provisions refer to this as applying to covered entities in general which would include group health plans. This would permit communication with family members, caregivers and others involved in the care of the individual with the mental illness. It also permits communicating with law enforcement and others when the patient presents a serious and imminent threat of harm to himself or others and permits communications with family members and care givers and law enforcement upon admission of a patient and release of a patient from a facility for an emergency psychiatric hold or involuntary treatment.
Group health plans will need to watch to see the extent to which the guidance may impact their HIPAA Privacy Notice, policies or procedures. It will be a busy year ahead.
Cures Adds Qualified Small Employer Health Reimbursement Arrangements
The 21st Century Cures Act added Qualified Small Employer Health Care Reimbursement Arrangements ("QSEHRA") as permanent options for small employers to reimburse health insurance costs of employees without violating the ACA's coverage mandates. QSEHRAs are not treated as group health plans under ERISA. This summary, incorporates to the extent appropriate to its scope, the subsequent FAQs issued addressing QSEHRAs regarding integration with single and family coverage under the ACA, for as long as that requirement survives.
QSEHRAs may only be sponsored by employers with fewer than 50 full time employees who do not offer any group health plan. Small employers with between 20 and 50 employees on the average business day in the prior calendar year may find their QSEHRA subject to Medicare Secondary Payer requirements if the amount of health insurance reimbursed exceeds $5,000 per year.
To be a QSEHRA the arrangement must not reimburse in excess of $4,950 for an individual or $10,000 for family coverage. The Center for Medicare and Medicaid Services issued a memorandum which excluded health reimbursement arrangements which reimburse less than or equal to $5,000 from application of the Medicare Secondary Payer requirements. This means an employer does not need to use an employee who qualifies as working aged’s QSEHRA to pay claims the individual incurs first before Medicare pays and amount and the employer does not need to report on the QSEHRA to Medicare as long as the coverage is below the limit and meets other requirements.
QSEHRAs are not group health plans for purposes of the Cadillac tax under Code §4980I.
QSEHRAs are only to reimburse the cost of coverage after the employee provides proof of payment for health insurance coverage. QSEHRAs are required to be provided on the same terms to all eligible employees, must be funded solely by employer contributions, must only reimburse medical expenses under Code §213(d) and must not reimburse more than $4,950 for an individual or $10,000 for a family. The only variation in reimbursements permitted is due to age of the employee or the number of family members covered. Just how much the amount may be varied is not defined, but employers considering such variations need to also consider the Medicare Secondary Payer exemption requirements as well.
Since the QSEHRAs are not group health plans under ERISA, that mean the COBRA notice requirements under ERISA do not apply . This also exempts them from the Women's Health and Cancer Rights Act and the QMCSO requirements.
QSEHRAs are not group health plans for purposes of Code §9831 and the Code . This means QSEHRAs are also not group health plans under the Code for purposes of the ACA requirements for group health plan. HIPAA’s portability provisions, Mental Health Parity and Addiction Equity Act, Mothers and Newborns Health Protection Act, COBRA, Medicare Secondary Payer's enforcement provision in the Code, mandated coverage of students on medically necessary leaves (Michelle's Law), and the ACA market reforms.
In order to maintain a QSEHRA, the employer must notify all employees at least 90 days prior to the beginning of the plan year about the QSEHRA. For the initial year of enactment the notice must be provided within 90 days of enactment on December 13, 2016 or by March 13, 2017. QSEHRAs are effective after December 31, 2016.
DOL Issues New Claims Procedures for Disability Based Claims
Effective for claims and appeals filed on or after January 1, 2018, claims for benefits based upon a disabled status must be adjudicated in a manner consistent with the new requirements which require the plan to ensure independence and impartiality of the persons involved in making the decision. A disability based claim would include not only claims for long or short term disability benefits, but also claims for disability retirement or other special rights attached to a disabled status, such as waiver of premiums under a life insurance policy when the covered individual is disabled, if the life insurance policy includes such a provision.
The requirements that the adjudication of the disability based claims be done in a manner that ensures independence and impartiality means decisions regarding hiring, compensating, terminating, promoting or similar matters with respect to anyone involved in adjudicating claims must not be based on the likelihood the individual will deny claims. The amended disability claim regulations do not change the timing of when a claim or appeal based on a disability must be decided, but instead the amended regulations add additional protections and disclosure requirements.
The amended disability claim regulation requires expanded explanations in the claim decision of why they disagree with the claimant’s healthcare professionals or the Social Security Administration decision on disabled status as well as disclosure of the guidelines used in making the decision upon request. The amended procedures require the claim adjudicator to provide the claimant with any new or additional information considered by the claim adjudicator. If a new rationale is used in the decision making the new rationale must be provided to the claimant as soon as possible and sufficiently in advance of the deadline for the decision so that the claimant a reasonable opportunity to respond to the new rationale.
The amended procedures require that the notice of the decision include any limitation period in the insurance contract or plan and include the date on which the contractual limitation period expires for the claim. The decision must discuss and explain the reasons the decision of the claimant’s healthcare provider and experts were not followed and if the decision was based on a medical necessity, experimental or similar exclusion, include an explanation of the clinical judgment or criteria or guidelines used.
If the plan fails to strictly follow the amended claim procedures, the claimant/participant may pursue remedies in court without needing to exhaust administrative appeals, unless the plan can show its error was de minimis not causing to harm the claimant, and the failure to strictly follow the procedures occurred in an ongoing, good faith exchange of information about the claim, provided there is no pattern or practice of violations by the plan in this area. The claimant can request and must be provided a written explanation of the violation within 10 days. Disability based benefit claim denials and appeal denials each must contain specific information and explanations. Disability based benefit claim denials and appeal denials must be written in a culturally and linguistically appropriate manner.
If a participant takes his claim to court alleging the plan failed to strictly comply with the claim and appeal procedures and the court denies the participant, the plan must reinstate the disability based benefit claim as refiled upon notice of the court's decision.
Employers need to review their benefit plans to determine which may include disability based claims and commence working toward revising their claim and appeal procedures (or work with their vendors for such plans) to meet the new requirements for claims and appeals filed on and after January 1, 2018.
Loss of Flashdrive Leads to $2.2 M Penalty and Imposing Correction Plan
The Office for Civil Rights (“OCR”) is busy enforcing HIPAA Privacy and Security reminding all covered entities to remain vigilant in their security risk management. An insurer self-reported a breach due to loss of a flash drive from the IT department that contained certain elements of PHI for 2,209 individuals. The OCR imposed a $2.2 M penalty on the organization and via a resolution agreement required the covered entity to conform to a corrective action plan which included conducting a risk analysis and implementing a risk management plan within a specified time period.
This included an enterprise wide risk analysis of ePHI security risks and vulnerabilities considering all electronic equipment, data systems, programs and applications utilized by the insurer and its workforce, including employees, independent contractors and consultants with access to ePHI. This risk analysis must include a complete inventory of all electronic equipment, including portable media devices and data systems and applications that contain or store ePHI. This risk analysis is required to be approved by the Department of Health and Human Services. After approval a risk management plan must be adopted to address and mitigate security risks and vulnerabilities identified in the risk analysis. The covered entity is required to annually conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI and to document the security measures implemented to reduce the identified risks and vulnerabilities.
The covered entity is also required to assess environmental risks as well and also to revise its Privacy and Security Policies and Procedures to address the new risk management plan. The updated policies and procedures must be distributed to all members of the workforce with access to ePHI with the workforce members acknowledging that they have read, understood and agree to abide by such policies.
The covered entity is required to notify HHS in the event any of those policies and procedures are not followed by a workforce member within 30 days of making such a determination. All workforce members must be retrained within 60 days of HHS’s approval of the new privacy and security policies and procedures. Implementation reports must be provided to HHS on the entity’s compliance with the correction plan along with documentation of the steps.
Annual reports to HHS are required for 3 years regarding the covered entity’s compliance with the required correction plan with specified content and attestations from the owners or officers regarding certain aspects of the compliance.
If your health plan has not fully documented its compliance with both HIPAA Privacy and Security requirements, it is best to do so well before you need to deal with a breach and before any inquiring governmental agency arrives. It is important not only to document the policies and procedures adopted, but also the training and the periodic risk analysis of the IT system and related procedures for risk management.
District Court Enjoins Enforcement of Transgender and Related Mandates in ACA Section 1557
Health care providers and others who received federal financial assistance (as defined under section 1557 of the Affordable Care Act) were required by such section to not discriminate against an individual with respect to their gender identity and health care services related to such status and certain other related services as well as pregnancy termination services. A federal District Court in the Eastern District of Texas issued a preliminary injunction ordering the Department of Health and Human Services to not enforce such provision on a nationwide basis. This is only a preliminary injunction. enforcing such provision and only one court in which the issue is being considered.
This did not impact the regulations issued requiring federal contractors to not discriminate against persons based upon gender identity or gender dysphoria. The regulations impacting federal contractors were issued by the OFCCP as final regulations in 2016.
Marsha Clarke (Admitted in MO and IL)
Disclaimer: Content contained within this news alert provides information on general legal issues and is not intended to provide advice on any specific legal matter or factual situation. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel.