Benefit Plan Design: Charging Employees Different Premiums

Employers who are designing a health and welfare benefit plan for their employees often wonder about the rules relating to setting premiums for employees. Employers generally have significant flexibility in this part of their plan’s design. Common structures contemplated by employers include, but are not limited to:

  • Charging all employees a flat amount for their health plan
  • Charging employees a percentage of the premium for the health plan, with the percentage changing as employees move between tiers (self, self plus one, self plus family)
  • Giving employees a set dollar amount that they can use to offset the cost of whatever plan and plan tier they enroll in

Employers are also interested in setting different contribution structures for different groups of employees. Sometimes this is due to a geographic difference between employees, job types, staff versus management, and more. Employers may wish to give lower-paid employees more employer-provided money; sometimes employers wish to give managers or executive staff more employer-provided money.
Employers should be aware that there are different nondiscrimination requirements to consider.
Generally, under HIPAA non-discrimination rules, employers have discretion when structuring their benefits plans and may make distinctions among employee populations regarding access to and the level of benefits offered. Plans may differ among employees only on “bona fide employment-based classifications” consistent with the employer’s usual business practice. Examples that would satisfy this requirement include salaried, hourly, full-time, part-time, type of job, geographic location, date of hire, division, subsidiary, business unit, and profit center distinctions.
If an employer’s proposed structure meets these basic HIPAA requirements, then the employer needs to review the applicable nondiscrimination requirements under Internal Revenue Code Section 125 (for cafeteria plans) and Section 105(h) (for self-funded plans). If the employer’s plan is subject to these rules, at a most basic level, the plan cannot favor highly compensated individuals. Sometimes an innocent plan design can lead to an employer failing the nondiscrimination requirements under Section 125 or 105(h) without the employer intentionally favoring the highly compensated employees. Many employers also erroneously assume that none of their employees fall into the “highly compensated” category, so the rules do not apply to them. As a best practice, any time an employer has a plan design with different levels of employer contributions, the employer should run the applicable testing to ensure its plan is compliant.
Under Section 125, benefit plans cannot discriminate in favor of highly compensated individuals or key employees.
By Danielle Capilla
Originally Published By United Benefit Advisors

Understanding EAP Confidentiality

When it comes to Employee Assistance Programs, confidentiality is a concern for both employers and employees. As an employer, it is helpful to understand the terms and processes your EAP uses to keep information confidential and ensure that your employees and your workplace are safe.
The Health Insurance Portability and Accountability Act (HIPAA) rules apply to EAPs and their affiliate providers. All information that is obtained during an EAP session is maintained in confidential files. The information remains confidential except in the following circumstances:

  1. An employee/client provides written permission/consent for the release of specific information. This can be done using a Consent to Inform or Release of Information form.
  2. The life or safety of the client or others is seriously threatened.
  3. Child abuse has occurred.
  4. EAP records are the subject of a court order (subpoena).
  5. Other disclosures required by applicable law.

Depending on the situation, an employee may use EAP services through a self-referral, guided referral or mandated referral.
Voluntary or self-referrals are the most common. When an employee seeks EAP services voluntarily, all of the employee’s information, including whether he or she contacted the EAP or not, is confidential and cannot be released without written permission.
Guided referrals are an opportunity for the employer to encourage the employee to use EAP services when the employer senses there is a problem that needs to be addressed. This may occur when the employer identifies an employee who may be having personal or work-related difficulties but it is not to the point of mandating that the employee use an EAP. In the case of guided referrals, information disclosed by the employee is still kept confidential.
Mandatory or formal referrals usually occur when substance abuse or other behaviors are impacting productivity or safety. An employer’s policy may allow for putting the employee on a performance improvement plan and may even include a “last chance” agreement that states what an employee must do in order to keep their job. In these cases, employees are mandated by the employer to contact the EAP and a Release of Information is signed so the EAP can exchange information with the employer about employee attendance, compliance and recommendations.
In some cases, it may be advised to send the employee for a Fitness for Duty Evaluation or similar assessment to determine the employee’s ability to physically or mentally perform essential job duties, or assess for a potential threat of violence. These evaluations are performed by specially trained professionals and will come with an additional cost. If the employee has provided written consent, limited information may be released to the employer regarding the results of these evaluations.
By Kathryn Schneider
Originally Published By United Benefit Advisors

Man-in-the-Middle Attacks on ePHI, HIPAA Enforcement in the News

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued its Man-in-the-Middle Attacks and “HTTPS Inspection Products” guidance. OCR warns organizations that have secured their internet connections end to end with Hypertext Transfer Protocol Secure (HTTPS) about using HTTPS interception products to detect malware inside HTTPS connections, because such products may leave the organization vulnerable to man-in-the-middle (MITM) attacks. In an MITM attack, a third party intercepts internet communications between two parties; in some instances, the third party may modify the information or alter the communication by injecting malicious code.
OCR provides a partial list of products that may be affected. Also, OCR provides a method that organizations can use to determine if their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.
OCR emphasized that covered entities and business associates must consider the risks presented to the electronic protected health information (ePHI) transmitted over HTTPS. Further, OCR encouraged covered entities and business associates to review OCR’s recommendations for valid encryption processes to ensure that ePHI is not unsecured and the U.S. Computer Emergency Readiness Team’s recommendations on protecting internet communications and preventing MITM attacks.
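The check OCR refers to comes down to whether the client end of the connection still validates the server's certificate chain and refuses weak protocol versions once an inspection product sits in the path. The following added example (written for this page, not code from OCR, US-CERT or UBA) shows that validation in Go's standard library: it generates, in memory, an "expected" root CA and a separate "HTTPS inspection" root, issues a server certificate for a constructed hostname from each, and demonstrates that a client pinned to the expected root accepts the genuine chain and rejects the re-issued one. The hostname `ehr.example.test`, the CA names and the helper names (`makeCert`, `verifyServerCert`, `hardenedClientConfig`, `demo`) are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs a parsed certificate with the private key that owns it.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert issues a certificate for cn. With parent == nil it is self-signed
// (a root CA); otherwise parent signs it. All material is generated in memory.
func makeCert(cn string, parent *certAndKey, isCA bool) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaf: the hostname goes in the SAN
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{cert: cert, key: key}, nil
}

// verifyServerCert is the check a client must perform: the leaf must chain to a
// root we actually trust and must be valid for the host we asked for.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// hardenedClientConfig pins trust to the given roots and refuses protocol
// versions below TLS 1.2, so weak cryptography is never negotiated.
func hardenedClientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

// must unwraps a makeCert result; key generation from rand.Reader does not fail in practice.
func must(c *certAndKey, err error) *certAndKey {
	if err != nil {
		panic(err)
	}
	return c
}

// demo builds an expected root and a separate "inspection" root (constructed
// test data), then reports whether a client pinned to the expected root accepts
// the genuine server certificate and rejects the one re-issued by the inspection CA.
func demo() (genuineAccepted, reissuedRejected bool) {
	const host = "ehr.example.test" // constructed hostname
	expectedRoot := must(makeCert("Expected Root CA (constructed)", nil, true))
	inspectRoot := must(makeCert("HTTPS Inspection Root (constructed)", nil, true))
	genuine := must(makeCert(host, expectedRoot, false))
	reissued := must(makeCert(host, inspectRoot, false))
	trusted := x509.NewCertPool()
	trusted.AddCert(expectedRoot.cert)
	genuineAccepted = verifyServerCert(genuine.cert, trusted, host) == nil
	reissuedRejected = verifyServerCert(reissued.cert, trusted, host) != nil
	return genuineAccepted, reissuedRejected
}

func main() {
	ok, rej := demo()
	fmt.Printf("genuine chain accepted: %v, inspection-reissued chain rejected: %v\n", ok, rej)
	cfg := hardenedClientConfig(x509.NewCertPool(), "ehr.example.test")
	fmt.Printf("client refuses TLS below 1.2: %v\n", cfg.MinVersion == tls.VersionTLS12)
}
```

The point for a covered entity is the second result: an inspection product that re-signs traffic with its own CA only works because that CA has been pushed into the endpoints' trust stores, so any client that pins its expected root, as `verifyServerCert` does, will refuse the substituted chain. The same `tls.Config` pattern, with `MinVersion` set, is what keeps an inspection box from silently negotiating a weaker protocol with the upstream server than the browser would have.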
HIPAA Enforcement in the News
Below is a roundup of the settlements recently in the news related to ePHI.
OCR Announces HIPAA Settlement for Impermissible Disclosure of ePHI, Insufficient Risk Analysis, and Insufficient Risk Management Processes
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its $2.5 million settlement with a wireless health services provider for impermissible disclosure of ePHI. OCR’s investigation revealed that the provider had insufficient risk analysis and risk management processes in place at the time of the impermissible disclosure, including failing to implement policies and procedures regarding ePHI safeguards. The settlement requires the provider to implement a corrective action plan.
OCR Announces HIPAA Settlement for Insufficient Security Management Process for ePHI
OCR announced its $400,000 settlement with a federally qualified health center (FQHC) based on the FQHC’s failure to have a security management process, including risk analyses sufficient to meet the Security Rule’s requirements. The settlement requires the FQHC to implement a corrective action plan. OCR’s announcement also provided a link to its guidance on the Security Rule.
OCR Announces HIPAA Settlement for Failure to Have Business Associate Agreements
OCR announced its $31,000 settlement with a small, for-profit health care provider based on the provider’s failure to produce a signed business associate agreement with its business associate who stored records containing PHI. The settlement requires the provider to implement a corrective action plan.
Employers Ask…
UBA’s question of the month from employers addressed breach notification requirements:
Q. Under what circumstances do HIPAA’s breach notification requirements not apply when a breach of protected health information (PHI) occurs?
A. Generally, breach notification must be provided when a breach of unsecured PHI is discovered. HHS provides only two methods of creating “secured PHI” that would not be subject to the notification requirements if there is a breach:

  • Encryption
  • Destruction

This means that if PHI/ePHI is encrypted or destroyed and a breach occurs, HIPAA’s notification requirements are not triggered.
By Danielle Capilla
Originally Posted By www.ubabenefits.com