by admin | Nov 3, 2017 | Group Benefit Plans, HIPAA, Human Resources
Employers who are designing a health and welfare benefit plan for their employees often wonder about the rules relating to setting premiums for employees. Employers generally have significant flexibility in this part of their plan’s design. Common structures contemplated by employers include, but are not limited to:
- Charging all employees a flat amount for their health plan
- Charging employees a percentage of the premium for the health plan, with the percentage changing as employees move between tiers (self, self plus one, self plus family)
- Giving employees a set dollar amount that they can use to offset the cost of whatever plan and plan tier they enroll in
Employers are also interested in setting different contribution structures for different groups of employees. Sometimes this is due to a geographic difference between employees, job types, staff versus management, and more. Employers may wish to give lower-paid employees more employer-provided money; sometimes employers wish to give managers or executive staff more employer-provided money.
Employers should be aware that there are different nondiscrimination requirements to consider.
Generally, under HIPAA non-discrimination rules, employers have discretion when structuring their benefits plans and may make distinctions among employee populations regarding access to and the level of benefits offered. Plans may differ among employees only on “bona fide employment-based classifications” consistent with the employer’s usual business practice. Examples that would satisfy this requirement include salaried, hourly, full-time, part-time, type of job, geographic location, date of hire, division, subsidiary, business unit, and profit center distinctions.
If an employer’s proposed structure meets these basic HIPAA requirements, then the employer needs to review the applicable nondiscrimination requirements under Internal Revenue Code Section 125 (for cafeteria plans) and Section 105(h) (for self-funded plans). If the employer’s plan is subject to these rules, at the most basic level, the plan cannot favor highly compensated individuals. Sometimes an innocent plan design can lead to an employer failing the nondiscrimination requirements under Section 125 or 105(h) without the employer intentionally favoring the highly compensated employees. Many employers also erroneously assume that none of their employees fall into the “highly compensated” category, so the rules do not apply to them. As a best practice, any time an employer has a plan design with different levels of employer contributions, the employer should run the applicable testing to ensure its plan is compliant.
Under Section 125, benefit plans cannot discriminate in favor of highly compensated individuals or key employees.
By Danielle Capilla
Originally Published By United Benefit Advisors
by admin | Sep 6, 2017 | Compliance, HIPAA, Human Resources
When it comes to Employee Assistance Programs, confidentiality is a concern for both employers and employees. As an employer, it is helpful to understand the terms and processes your EAP uses to keep information confidential and ensure that your employees and your workplace are safe.
The Health Insurance Portability and Accountability Act (HIPAA) rules apply to EAPs and their affiliate providers. All information that is obtained during an EAP session is maintained in confidential files. The information remains confidential except in the following circumstances:
- An employee/client provides written permission/consent for the release of specific information. This can be done using a Consent to Inform or Release of Information form.
- The life or safety of the client or others is seriously threatened.
- Child abuse has occurred.
- EAP records are the subject of a court order (subpoena).
- Other disclosures required by applicable law.
Depending on the situation, an employee may use EAP services through a self-referral, guided referral, or mandated referral.
Voluntary or self-referrals are the most common. When an employee seeks EAP services voluntarily, all of the employee’s information, including whether he or she contacted the EAP or not, is confidential and cannot be released without written permission.
Guided referrals are an opportunity for the employer to encourage the employee to use EAP services when the employer senses there is a problem that needs to be addressed. This may occur when the employer identifies an employee who may be having personal or work-related difficulties but it is not to the point of mandating that the employee use an EAP. In the case of guided referrals, information disclosed by the employee is still kept confidential.
Mandatory or formal referrals usually occur when substance abuse or other behaviors are impacting productivity or safety. An employer’s policy may allow for putting the employee on a performance improvement plan and may even include a “last chance” agreement that states what an employee must do in order to keep their job. In these cases, employees are mandated by the employer to contact the EAP and a Release of Information is signed so the EAP can exchange information with the employer about employee attendance, compliance and recommendations.
In some cases, it may be advised to send the employee for a Fitness for Duty Evaluation or similar assessment to determine the employee’s ability to physically or mentally perform essential job duties, or assess for a potential threat of violence. These evaluations are performed by specially trained professionals and will come with an additional cost. If the employee has provided written consent, limited information may be released to the employer regarding the results of these evaluations.
By Kathryn Schneider
Originally Published By United Benefit Advisors
by admin | May 16, 2017 | HIPAA, Hot Topics
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued its Man-in-the-Middle Attacks and “HTTPS Inspection Products” guidance. The guidance is addressed to organizations that have implemented end-to-end connection security on their internet connections using Secure Hypertext Transport Protocol (HTTPS). OCR warns these organizations about using HTTPS interception products to detect malware over an HTTPS connection, because the interception products may leave the organization vulnerable to man-in-the-middle (MITM) attacks. In an MITM attack, a third party intercepts internet communications between two parties; in some instances, the third party may modify the information or alter the communication by injecting malicious code.
OCR provides a partial list of products that may be affected. Also, OCR provides a method that organizations can use to determine if their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.
OCR emphasized that covered entities and business associates must consider the risks presented to the electronic protected health information (ePHI) transmitted over HTTPS. Further, OCR encouraged covered entities and business associates to review two sets of recommendations: OCR’s recommendations for valid encryption processes, to ensure that ePHI is not unsecured, and the U.S. Computer Emergency Readiness Team’s recommendations on protecting internet communications and preventing MITM attacks.
HIPAA Enforcement in the News
Below is a roundup of the settlements recently in the news related to ePHI.
OCR Announces HIPAA Settlement for Impermissible Disclosure of ePHI, Insufficient Risk Analysis, and Insufficient Risk Management Processes
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its $2.5 million settlement with a wireless health services provider for impermissible disclosure of ePHI. OCR’s investigation revealed that the provider had insufficient risk analysis and risk management processes in place at the time of the impermissible disclosure, including failing to implement policies and procedures regarding ePHI safeguards. The settlement requires the provider to implement a corrective action plan.
OCR Announces HIPAA Settlement for Insufficient Security Management Process for ePHI
OCR announced its $400,000 settlement with a federally qualified health center (FQHC) based on the FQHC’s failure to have a security management process, including risk analyses sufficient to meet the Security Rule’s requirements. The settlement requires the FQHC to implement a corrective action plan. OCR’s announcement also provided a link to its guidance on the Security Rule.
OCR Announces HIPAA Settlement for Failure to Have Business Associate Agreements
OCR announced its $31,000 settlement with a small, for-profit health care provider based on the provider’s failure to produce a signed business associate agreement with its business associate who stored records containing PHI. The settlement requires the provider to implement a corrective action plan.
Employers Ask…
UBA’s question of the month from employers addressed breach notification requirements:
Q. Under what circumstances do HIPAA’s breach notification requirements not apply when a breach of protected health information (PHI) occurs?
A. Generally, breach notification must be provided when a breach of unsecured PHI is discovered. HHS provides only two methods of creating “secured PHI” that would not be subject to the notification requirements if there is a breach:
This means that if PHI/ePHI is encrypted or destroyed and a breach occurs, HIPAA’s notification requirements are not triggered.
By Danielle Capilla
Originally Posted By www.ubabenefits.com
by admin | Feb 16, 2017 | Compliance, Employee Benefits, Hot Topics, Human Resources
Recently, the Department of Labor (DOL), Department of Health and Human Services (HHS), and the Treasury (collectively, the Departments) issued FAQs About Affordable Care Act Implementation Part 35. The FAQ covers a new HIPAA special enrollment period, an update on women’s preventive services that must be covered, and clarifying information on qualifying small employer health reimbursement arrangements (QSE HRAs).
HIPAA Special Enrollment Period
Under HIPAA, if an individual loses eligibility for coverage in the individual market, then that individual is entitled to special enrollment in group health plan coverage.
The coverage eligibility loss may include coverage purchased through a Marketplace (other than coverage eligibility loss due to failure to pay premiums on a timely basis or termination of coverage for cause, such as making a fraudulent claim or an intentional misrepresentation of material fact). Further, the individual is entitled to special enrollment in group health plan coverage for which the individual is otherwise eligible, regardless of whether the individual may enroll in other individual market coverage, through or outside of a Marketplace.
To be clear, if an individual has Marketplace coverage and the carrier is discontinuing the plan, the discontinuation event is not a loss of eligibility for coverage; in this case, the individual is not entitled to a special enrollment period.
Women’s Preventive Services
The Health Resources and Services Administration (HRSA) updated its Women’s Preventive Services Guidelines on December 20, 2016, to recommend preventive services and items.
Non-grandfathered group health plans and health insurance issuers must cover, without cost sharing, women’s preventive services consistent with the updated guidelines for plan years beginning on or after December 20, 2017. Until that date, non-grandfathered group health plans and health insurance issuers are required to provide coverage without cost sharing consistent with the previous HRSA guidelines and the Public Health Services Act for recommended services and items.
Generally, under the HRSA guidelines and other federal laws, group health plans established or maintained by religious employers (and group health insurance coverage provided with these plans) are exempt from the requirement to cover contraceptive services.
Qualified Small Employer Health Reimbursement Arrangements
On December 13, 2016, the 21st Century Cures Act (Cures Act) introduced a new type of tax-preferred arrangement called the Qualified Small Employer Health Reimbursement Arrangement (QSE HRA) that small employers may use to help their employees pay for medical expenses.
Under the Cures Act, the QSE HRA is not a group health plan. A QSE HRA is an arrangement offered by an eligible employer that meets the following criteria:
- The arrangement is funded solely by an eligible employer, and no salary reduction contributions may be made under the arrangement.
- The arrangement provides, after the employee provides proof of coverage, for the payment to, or reimbursement of, an eligible employee for medical care expenses incurred by the employee or the employee’s family members (as determined under the terms of the arrangement).
- The amount of annual payments and reimbursements does not exceed $4,950 ($10,000 for family), with amounts to be indexed for increases in cost of living.
- The arrangement is provided on the same terms to all eligible employees of the eligible employer.
To be an eligible employer that may offer a QSE HRA, the employer may not be an applicable large employer (ALE) and may not offer a group health plan to any of its employees.
The Departments’ prior guidance concluded that employer payment plans (EPPs) and non-integrated health reimbursement arrangements (HRAs) are group health plans that fail to comply with the group market reform requirements that prohibit annual dollar limits and that require the provision of certain preventive services without cost sharing.
Because a QSE HRA is statutorily excluded from the definition of a group health plan, the group market reform requirements do not apply to a QSE HRA. With respect to EPPs and HRAs that do not qualify as QSE HRAs, the Departments’ prior guidance continues to apply.
The statutory exclusion of QSE HRAs from the group health plan definition is effective for plan years beginning after December 31, 2016. With respect to plan years beginning on or before December 31, 2016, the Cures Act provides that the relief under IRS Notice 2015-17 applies.
Under the extension provided by the Cures Act, for plan years beginning on or before December 31, 2016, the tax penalty will not be asserted for any failure to satisfy the market reforms by EPPs that pay, or reimburse employees for, individual health policy premiums or Medicare Part B or Part D premiums, with respect to employers otherwise eligible for the relief under Notice 2015-17. These employers are not required to file IRS Form 8928 solely because they had such an arrangement for the plan years beginning on or before December 31, 2016.
The Cures Act’s extension of the relief is limited to EPPs and does not extend to stand-alone HRAs or other arrangements to reimburse employees for medical expenses other than insurance premiums. Also, as an employer-provided group health plan, coverage by an HRA or EPP that is not a QSE HRA and that is eligible for the extended relief under the Cures Act would be minimum essential coverage. This means that a taxpayer would not be allowed a premium tax credit for the Marketplace coverage of an employee, or an individual related to the employee, who is covered by an HRA or EPP other than a QSE HRA.
Practically speaking, the Departments’ prior regulations and guidance continue to apply to EPPs and HRAs that do not qualify as QSE HRAs, including arrangements offered by employers that are not eligible employers as defined under the Cures Act, such as ALEs.
By Danielle Capilla, Originally Published By UBA