Man-in-the-Middle Attacks on ePHI, HIPAA Enforcement in the News

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued its Man-in-the-Middle Attacks and “HTTPS Inspection Products” guidance. OCR warns organizations that have implemented end-to-end connection security on their internet connections using Secure Hypertext Transport Protocol (HTTPS) about using HTTPS interception products to detect malware over an HTTPS connection, because those products may leave the organization vulnerable to man-in-the-middle (MITM) attacks. In an MITM attack, a third party intercepts internet communications between two parties; in some instances, the third party may modify the information or alter the communication by injecting malicious code.
OCR provides a partial list of products that may be affected. OCR also provides a method that organizations can use to determine whether their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.
OCR emphasized that covered entities and business associates must consider the risks presented to the electronic protected health information (ePHI) transmitted over HTTPS. Further, OCR encouraged covered entities and business associates to review two sets of recommendations: OCR’s own recommendations for valid encryption processes, which ensure that ePHI is not unsecured, and the U.S. Computer Emergency Readiness Team’s recommendations on protecting internet communications and preventing MITM attacks.
HIPAA Enforcement in the News
Below is a round-up of the settlements recently in the news related to ePHI.
OCR Announces HIPAA Settlement for Impermissible Disclosure of ePHI, Insufficient Risk Analysis, and Insufficient Risk Management Processes
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its $2.5 million settlement with a wireless health services provider for impermissible disclosure of ePHI. OCR’s investigation revealed that the provider had insufficient risk analysis and risk management processes in place at the time of the impermissible disclosure, including failing to implement policies and procedures regarding ePHI safeguards. The settlement requires the provider to implement a corrective action plan.
OCR Announces HIPAA Settlement for Insufficient Security Management Process for ePHI
OCR announced its $400,000 settlement with a federally qualified health center (FQHC) based on the FQHC’s failure to have a security management process, including risk analyses sufficient to meet the Security Rule’s requirements. The settlement requires the FQHC to implement a corrective action plan. OCR’s announcement also provided a link to its guidance on the Security Rule.
OCR Announces HIPAA Settlement for Failure to Have Business Associate Agreements
OCR announced its $31,000 settlement with a small, for-profit health care provider based on the provider’s failure to produce a signed business associate agreement with its business associate who stored records containing PHI. The settlement requires the provider to implement a corrective action plan.
Employers Ask…
UBA’s question of the month from employers addressed breach notification requirements:
Q. Under what circumstances do HIPAA’s breach notification requirements not apply when a breach of protected health information (PHI) occurs?
A. Generally, breach notification must be provided when a breach of unsecured PHI is discovered. HHS provides only two methods of creating “secured PHI” that would not be subject to the notification requirements if there is a breach:

  • Encryption
  • Destruction

This means that if PHI/ePHI is encrypted or destroyed and a breach occurs, HIPAA’s notification requirements are not triggered.
By Danielle Capilla
Originally Posted By www.ubabenefits.com

House Passes AHCA Bill in First Step to Repeal and Replace the ACA

On May 4, 2017, the U.S. House of Representatives passed House Resolution 1628, a reconciliation bill aimed at “repealing and replacing” the Patient Protection and Affordable Care Act (ACA). The bill, titled the “American Health Care Act of 2017” or “AHCA,” will now be sent to the Senate for debate, where amendments can be made, prior to the Senate voting on the bill.
It is widely anticipated that in its current state the AHCA is unlikely to pass the Senate. Employers should continue to monitor the text of the bill and should refrain from implementing any changes to group health plans in response to the current version of the AHCA.
The AHCA makes numerous changes to current law, much of which impact the individual market, Medicare, and Medicaid. Some provisions in the AHCA also impact employer group health plans. For example, the AHCA removes both the individual and the employer shared responsibility penalties. The AHCA also pushes implementation of the Cadillac tax to 2025 and permits states to waive essential health benefit (EHB) requirements.
The AHCA removes the $2,500 contribution limit to flexible health spending accounts (FSAs) for taxable years beginning after December 31, 2017. It also changes the maximum contribution limits to health savings accounts (HSAs) to the amount of the accompanying high deductible health plan’s deductible and out-of-pocket limitation. The AHCA also provides for both spouses to make catch-up contributions to HSAs.
The AHCA provides for a “continuous health insurance coverage incentive,” which will allow health insurers to charge policyholders an amount equal to 30 percent of the monthly premium in the individual and small group market, if the individual failed to have creditable coverage for 63 or more days during an applicable 12-month look-back period. This provision is slated to begin in 2019, or in the case of a special enrollment period, beginning in plan year 2018. The AHCA also allows states to obtain a waiver and underwrite policies for individuals who do not maintain continuous coverage.
The AHCA would also return permissible age band rating (for purposes of calculating health plan premiums) to the pre-ACA ratio of 5:1, rather than the ACA’s 3:1. This allows older individuals to be charged up to five times more than what younger individuals pay for the same policy, rather than up to the ACA limit of three times more.
It is unknown at this time if the AHCA can pass the Senate, or what might be changed in the text of the bill in order to earn votes in an attempt to pass the bill.
By Danielle Capilla
Originally Posted By www.ubabenefits.com

Is Your Wellness Program Compliant with the ACA, GINA and EEOC?

Workplace wellness programs have grown in popularity through the years. According to the most recent UBA Health Plan Survey, 49 percent of firms with 200+ employees offering health benefits in 2016 offered wellness programs. The popularity of workplace wellness programs has also brought controversy and heated discussion about what actually improves population health and which programs comply with the complex legal standards of multiple institutions that have not really “talked” to each other in the past. To “add wood to the fire,” the Equal Employment Opportunity Commission (EEOC) made public some legal actions that shook the core of the wellness industry, such as EEOC vs. Honeywell International and EEOC vs. Orion Energy Systems.
To ensure a wellness program is compliant with the ACA, GINA and the EEOC, let’s first understand what each of these institutions is.
The Affordable Care Act (ACA) is a comprehensive healthcare reform law enacted in March 2010 during the Obama presidency. It has three primary goals: to make health insurance available to more people, to expand the Medicaid program, and to support innovative medical care delivery methods to lower the cost of healthcare overall.1 The ACA carries provisions that support the development of wellness programs and determines all rules around them.
The Genetic Information Nondiscrimination Act of 2008 (GINA) is a federal law that protects individuals from genetic discrimination in health insurance and employment. GINA relates to wellness programs in different ways, but it particularly relates to the gathering of genetic information via a health risk assessment.
The U.S. Equal Employment Opportunity Commission (EEOC) is a federal agency that administers and enforces civil rights laws against workplace discrimination. In 2017, the EEOC issued a final rule to amend the regulations implementing Title II of GINA as they relate to employer-sponsored wellness programs. This rule addresses the extent to which an employer may offer incentives to employees and spouses.
Here is some advice to ensure your wellness program is compliant with multiple guidelines.

  1. Make sure your wellness program is “reasonably designed” and voluntary – This means that your program’s main goal should be to promote health and prevent disease for all equally. Additionally, it should not be burdensome for individuals to participate or receive the incentive. This means you must offer reasonable alternatives for qualifying for the incentive, especially for individuals whose medical conditions make it unreasonably difficult to meet specific health-related standards. I always recommend that wellness programs be as simple as possible, and that before making a change or decision in the wellness program, you identify all difficult or unfair situations that might arise from the change, run them by your company’s legal counsel, and modify the program accordingly before implementing it. An example of a wellness program that is NOT reasonably designed is a program offering a health risk assessment and biometric screening without providing results or follow-up information and advice. A wellness program is also NOT reasonably designed if it exists merely to shift costs from an employer to employees based on their health.
  2. Do the math! – Recent rules implemented changes in the ACA that increased the maximum permissible wellness program reward from 20 percent to 30 percent of the cost of self-only health coverage (50 percent if the program includes tobacco cessation). Although the final rules are not clear on incentives for spouses, it is expected that, for wellness programs that apply to employees and their spouses, the maximum incentive for either the employee or spouse will be 30 percent of the total cost of self-only coverage. If an employer offers more than one group health plan but participation in a wellness program is open to all employees regardless of whether they are enrolled in a plan, the employer may offer a maximum incentive of 30 percent of the lowest-cost major medical self-only plan it offers. As an example, if a single plan costs $4,000, the maximum incentive would be $1,200.
  3. Provide a notice to all eligible to participate in your wellness program – The EEOC made it easy for everyone and posted a sample notice online at https://www.eeoc.gov/laws/regulations/ada-wellness-notice.cfm. Your notice should include information on the incentive amount you are offering for different programs, how you maintain the privacy and security of all protected health information (PHI), and who to contact if participants have questions or concerns.
  4. If using an HRA (health risk assessment), do not include family medical history questions – The EEOC final rule, which expands on GINA’s rules, makes it clear that “an employer is permitted to request information about the current or past health status of an employee’s spouse who is completing a HRA on a voluntary basis, as long as the employer follows GINA rules about requesting genetic information when offering health or genetic services. These rules include requirements that the spouse provide prior, knowing, written, and voluntary authorization for the employer to collect genetic information, just as the employee must do, and that inducements in exchange for this information are limited.”2 Due to the complexity and “gray areas” this item can reach, my recommendation is to keep it simple and to leave genetic services and genetic counseling out of a comprehensive wellness program.

WellSteps, a nationwide wellness provider, has a useful tool that everyone can use. Their “wellness compliance checker” should not be substituted for qualified legal advice, but it can be useful for a high-level check on how compliant your wellness program is. You can access it at https://www.wellsteps.com/resources/tools.
I often stress the need for all wellness programs to build a strong foundation, which starts with the company’s and leaders’ messages. Your company should launch a wellness program because you value and care about your employees’ (and their families’) health and well-being. Everything you do and say should reflect this philosophy. While I always recommend that companies carefully review all regulations around wellness, I do believe that if your wellness program has a strong foundation based on your corporate social responsibility and your passion for building a healthy workplace, you will most likely be within the walls of all these rules. In the end, a workplace that does wellness the right way has employees who are motivated not by financial incentives but by their intrinsic motivation to be the best they can be, by their acceptance that we all must be responsible for our own health, and by the understanding that all corporations should be responsible for providing the best environment and opportunities for employees to do so.
By Valeria S. Tivnan
Originally Posted By www.ubabenefits.com

SBC Template and Required Addendums for Covered Entities under ACA Section 1557

A Summary of Benefits and Coverage (SBC) is a four-page (double-sided) communication required by the federal government. It must contain specific information, in a specific order, and with a minimum type size, about a group health benefit’s coverage and limitations. If an employer providing an SBC is a covered entity under Section 1557 of the Patient Protection and Affordable Care Act (ACA), additional requirements apply.
On April 6, 2016, the Centers for Medicare and Medicaid Services (CMS), the Department of Labor (DOL), and the Department of the Treasury issued the final 2017 summary of benefits and coverage (SBC) template, group and individual market SBC instructions, uniform glossary of coverage and medical terms, a coverage example calculator, and calculator instructions.
The SBC is to be used by all health plans, including individual, small group, and large group; insured and self-funded; grandfathered, transitional, and ACA compliant. The new SBC must be used for plan years with open enrollment periods beginning after April 1, 2017. It will not be used for marketplace plans for the 2017 coverage year.
For fully insured plans, the insurer is responsible for providing the SBC to the plan administrator (usually this is the employer). The plan administrator and the insurer are both responsible for providing the SBC to participants, although only one of them actually has to do this.
For self-funded plans, the plan administrator is responsible for providing the SBC to participants. Assistance may be available from the plan administrator’s TPA, advisor, etc., but the plan administrator is ultimately responsible. (The plan administrator is generally the employer, not the claims administrator.)
Changes
The template includes a new “important question” that asks “Are there services covered before you meet your deductible?” and requires family plans to disclose whether or not the plan has embedded deductibles or out-of-pocket limits. This is reported in the “Why This Matters” column in relation to the question “What is the overall deductible?” Plans must list either “If you have other family members on the policy, they have to meet their own individual deductible until the overall family deductible has been met” or, alternatively, “If you have other family members on the policy, the overall family deductible must be met before the plan begins to pay.”
Tiered networks must be disclosed, and the question “Will you pay less if you use a network provider?” is now included. The SBC also includes language that warns participants that they could receive care from out-of-network providers while they are in an in-network facility, and it indicates that a consumer could receive a “balance bill” from an out-of-network provider.
The “explanatory coverage page” was dropped from the template.
The coverage examples provided clarify the “having a baby” example and the “managing type 2 diabetes” example, in addition to providing a third example of “dealing with a simple fracture.” The coverage example must be calculated assuming that a participant does not earn wellness credits or participate in an employer’s wellness program. If the employer has a wellness program that could reduce the employee’s costs, the employer must include the following language: “These numbers assume the patient does not participate in the plan’s wellness program. If you participate in the plan’s wellness program, you may be able to reduce your costs. For more information about the wellness program, please contact: [insert].”
The column for “Limitations, Exceptions, & Other Important Information” must contain core limitations, which include:

  • When a service category or a substantial portion of a service category is excluded from coverage (that is, the column should indicate “brand name drugs excluded” in health benefit plans that only cover generic drugs);
  • When cost sharing for covered in-network services does not count toward the out-of-pocket limit;
  • Limits on the number of visits or on specific dollar amounts payable under the health benefit plan; and
  • When prior authorization is required for services.

The template and instructions indicate that qualified health plans (those certified and sold on the Marketplace) that cover excepted abortions (such as those in cases of rape or incest, or when a mother’s life is at stake) and plans that cover non-excepted abortion services must list “abortion” in the covered services box. Plans that exclude abortion must list it in the “excluded services” box, and plans that cover only excepted abortions must list it in the “excluded services” box as “abortion (except in cases of rape, incest, or when the life of the mother is endangered).” Health plans that are not qualified health plans are not required to disclose abortion coverage, but they may do so if they wish.
By Danielle Capilla
Originally Posted By www.ubabenefits.com

Why Private Exchanges Haven’t Taken Off As Predicted

Even as the health care affordability crisis has grown more significant, questions still linger: will private exchanges become a viable solution for employers and payers, and will they continue to grow? Back in 2015, Accenture estimated that 40 million people would be enrolled in private exchange programs by 2018; the growth we see in this model today doesn’t bear that out. So, what is preventing them from taking off as initially predicted? We rounded up a few reasons why the private exchange model’s growth may be delayed, or coming to a halt.
They Are Not Easy to Deploy
There is a reason why customized benefits technology was the talk of the town over the last two years: it takes very little work up front to customize your onboarding process. Private exchange programs, by contrast, don’t hold the same reputation. The online platform selection, build, and test alone can get you three to six months into the weeds. Underwriting, which includes an analysis of the population’s demographics, family composition, claims history, industry, and geographic location, will need to take place before obtaining plan pricing if you are a company of a certain size. Moreover, employee education can make up a significant time cost, as a lack of understanding and too many options can lead to an inevitable resistance to changing health plans. Using a broker or an advisor for this transition will prove a valuable asset should you choose to go this route.
A Lack of Education and Relative Unfamiliarity Surround Private Exchanges
Employers would rather spend their time running their businesses than understanding the distinctions between defined contribution and defined benefit models, let alone the true value proposition of private exchanges. With the ever-changing political landscape, employers face an additional challenge and are understandably concerned about the tax and legal implications of making these potential changes. They also worry that, because private exchanges are so new, they haven’t undergone proper testing to determine their ability to succeed, and early adoption of this model has yet to produce a favorable cost-benefit analysis that would encourage employers to convert to this new program.
They May Not Be Addressing All Key Employer and Payer Concerns
We see four key concerns stemming from employers and payers:

  • Maintaining competitive benefits: Exceptional benefits have become a popular way for employers to differentiate themselves in recruiting and retaining top talent. What’s the irony? More options to choose from across providers and plans means employees lose access to group rates and can ultimately pay more, making certain benefits less valuable. As millennials make up more of today’s workforce and continue to redefine the value they put behind benefits, many employers fear they’ll lose their competitive advantage with private exchanges when looking to recruit and retain new team members.
  • Inexperienced private exchange administrators: Because many organizations have limited experience with private exchanges, they need an expert who can provide expertise and customer support for both them and their employees. Some administrators may not be up to snuff with what their employees need and expect.
  • Margin compression: In the eyes of informed payers, multi-carrier exchanges not only commoditize health coverage, but perpetuate a concern that they could lead to higher fees. Furthermore, payers may have to go as far as pitching in for an individual brokerage commission on what was formerly a group sale.
  • Disintermediation: Private exchanges essentially remove payer influence over employers. Bargaining power shifts from payers to employers and transfers a majority of the financial burden from these decisions back onto the payer.

It Potentially Serves as Only a Temporary Solution to Rising Health Care Costs
Although private exchanges help employers limit what they pay for health benefits, they have yet to be linked to controlling health care costs. Some experts argue that the increased bargaining power of employers forces insurers to be more competitive with their pricing, but there is a reduced incentive for employers to ask for those lower prices when providing multiple plans to payers. Instead, payers are left with the decision to educate themselves on the value of each plan. With premiums for family coverage continuing to rise year-over-year—faster than inflation, according to Forbes back in 2015—it seems private exchanges may only be a band-aid to an increasingly worrisome health care landscape.
Thus, at the end of it all, change is hard. Shifting payers’, employers’, and ultimately the market’s perspective on the projected long-term success of private exchanges will be difficult. But, if the market is essentially rejecting the model, shouldn’t we be paying attention?
By Paul Rooney, Originally Published By United Benefit Advisors