In a consequential decision for Health Insurance Portability and Accountability Act (HIPAA)-regulated entities, on June 20, 2024, the US District Court for the Northern District of Texas ruled that the US Department of Health and Human Services Office for Civil Rights exceeded its authority in certain respects in sub-regulatory guidance. The guidance concerned HIPAA’s application to cookies and other online tracking technologies on HIPAA-regulated entities’ unauthenticated webpages.
The Biden administration recently released its Spring 2024 Unified Agenda (a few months late), which lists all the regulations that the administration plans to issue by the end of the year and beyond.
In this update, Jeffrey Davis previews new regulations that could impact the health and welfare benefits industry related to the No Surprises Act, new standards for the exchange of health information under the Health Insurance Portability and Accountability Act, the finalization of new Mental Health Parity and Addiction Equity Act rules, and more.
On April 26, 2024, the Federal Trade Commission (FTC) issued a final rule to amend its Health Breach Notification Rule (HBN Rule). The HBN Rule works as a compliment and counterpart to the breach notification requirements established under the Health Insurance Portability and Accountability Act (HIPAA) for HIPAA-regulated entities. Specifically, the HBN Rule requires that vendors of personal health records (PHRs) and related entities that are not covered by HIPAA notify individuals, the FTC and, in some cases, media outlets of a breach of unsecured personally identifiable health data. Stakeholders should carefully review the final rule to understand how organizations will be impacted.
In a recent article in Managed Healthcare Executive, Peter Wehrwein examines the trend of self-funding of group health benefits by smaller employers who used to depend mainly or entirely on fully insured programs.
The shift to self-funding, the article explains, is grounded in the Employee Retirement Income Security (ERISA), which exempts self-funded plans from state health insurance mandates, and in the Affordable Care Act, which strictly regulates small group and individual health insurance policies. Wehrwein presents the issues from the perspective of state and federal policymakers and regulators, which the article characterizes as “worrisome.” But what of the perspective of small employers?
Healthcare costs are rising at rates that are well in excess of the growth of real gross domestic product. This appears unsustainable, but these costs nevertheless keep climbing inexorably. For employers, the pressure to do something is compelling.
The article claims that self-funding is more expensive than fully insured coverage. But compared to what fully insured coverage, exactly? By definition, many small employers can only purchase coverage in the small-group market. This is, however, the very market these same employers are fleeing, and they are doing so precisely because it is too expensive. Indeed, the prohibitive cost of small-group market coverage is why individual coverage Health Reimbursement Arrangements have failed to gain widespread acceptance, particularly in large urban environments.
Wehrwein correctly identifies two options for self-funding: group medical captives and level funding, both of which he views as problematic. Small employers appear to disagree, however, based on their actions. In their view, these options instead represent viable options in their quest to provide competitive group health coverage to their employees. The two options for self-funding identified in the article are fundamentally different solutions that are appropriate for different cohorts of small employers.
Group Medical Captives (50 – 200 Covered Lives)
The term “captive” insurer traditionally referred to a “single parent” captive, which is a subsidiary of an operating company/parent that insures the risks of the operating company/parent and in some instances its affiliates. Historically, single-parent captives insured property and casualty risks and workers’ compensation, but they have more recently been pressed into service to cover employee welfare plan risks.
A group captive allows a group of unrelated employers to form a collective insurance company to manage some portions of their risks. Where, as is the case here, the risk is most often medical stop-loss coverage, the arrangement is referred to colloquially as a “medical stop-loss group captive.” For an extended discussion of medical stop-loss group captive funding arrangements and their accompanying legal and regulatory issues, please see our Special Report.
There is some debate over what size employer might most benefit from participation in a medical stop-loss group captive. While the conventional wisdom is that 200 covered lives is the sweet spot, credible estimates go as low as 50 covered lives. Whatever the appropriate number, medical stop-loss captives can in the right circumstances offer substantial savings when compared to fully insured coverage. [...]
Continue Reading
The US Department of Health and Human Services Office for Civil Rights (OCR) recently reached a $4.75 million settlement with a New York City hospital for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA).
According to OCR, in 2013, a former hospital employee sold the electronically protected medical records of 12,517 patients to an identity theft group, and the NYC hospital did not detect or report the breach to OCR until 2015. OCR’s investigation found several potential HIPAA violations, and in addition to the settlement, the hospital agreed to conduct a thorough security risk assessment, revise HIPAA policies, provide additional training to staff, begin recording and tracking all electronic health record (EHR) activity to monitor who is accessing patient information, and create a risk management plan. OCR will also monitor the hospital for two years for compliance with HIPAA.
Companies are taking a fresh look at their privacy policies in the wake of Dobbs v. Jackson Women’s Health Organization. According to this Law360 article, policymakers are putting more pressure on companies to tighten their restrictions on collecting and disclosing personal health and location data.
What are the opportunities and challenges of digital health wellness programs? In a recent discussion, McDermott Partners Scott A. Weinstein and Sarah G. Raaii discussed a wide range of issues, including accessibility to employees, navigating the health plan regulatory landscape, budgetary constraints and the reality of rising healthcare costs.
The Biden administration previously announced its intent to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information). On April 10, 2023, President Biden signed a resolution moving up the end of the NE to April 10, 2023 (the PHE ended on May 11). The US Departments of Labor (DOL), Health and Human Services, and the Treasury (the Departments) issued a set of FAQs (available here) on March 29, 2023 (FAQs), which anticipated that the NE would end on May 11, 2023 (see our prior article explaining the FAQs). Plan sponsors should continue to treat May 11 as the end of the NE consistent with the FAQs until the Departments say otherwise.
During the COVID-19 pandemic, the Departments provided relief from certain benefit plan deadlines, including:
This article discusses how the affected tolled deadlines will be phased out and what actions employers may need to take.
BACKGROUND
EBSA Disaster Relief Notice 2020-01, later extended by EBSA Disaster Relief Notice 2021-01, provided that the deadline by which action needs to be taken for the events described above was tolled until the earlier of: (i) one year from the date the deadline would have first started running for that individual or (ii) sixty (60) days from the end of the NE (the Outbreak Period). This guidance created a tolling deadline specific to each affected individual. Where the individual has not reached the one-year anniversary of the date of the initial deadline, timeframes will begin to run again sixty (60) days after the end of the NE (i.e., July 10, 2023).
The FAQs released by the Departments at the end of March provided much-needed clarification and various helpful examples for employers of how the outbreak period should be taken into consideration when calculating the tolled deadlines. For example, if an employee experiences a qualifying event under COBRA and loses coverage on April 1, 2023, the deadline for the individual to make a COBRA election is tolled until the earlier [...]
Continue Reading
The My Health My Data Act in Washington State (the Act) is expected to be signed into law by Governor Jay Inslee this year, after being passed by both the Washington Senate and House in different versions. Unlike recent state privacy laws, the Act specifically targets consumer health data that is not covered by the Health Insurance Portability and Accountability Act (HIPAA). It includes provisions that apply to processors and third parties who may handle a broadly defined set of consumer health data, beyond healthcare-adjacent businesses. The Act could have a significant impact on various entities, including advertisers, mobile app providers, wearable device manufacturers, healthcare companies and their data processors who handle non-HIPAA-regulated health information.
The Biden administration has announced its intention to end the COVID-19 National Emergency (NE) and the COVID-19 Public Health Emergency (PHE) on May 11, 2023 (read our series introduction for more information).
On March 29, 2023, the US Departments of Labor, Health and Human Services, and Treasury (the Departments) issued a set of Frequently Asked Questions (available here), which answered questions from stakeholders relating to the various laws, regulations and other guidance enacted or adopted in connection with the NE and PHE. The FAQs include eight questions related to the anticipated end of the “Outbreak Period” on July 10, 2023, which is 60 days after the end of the NE and PHE on May 11 (rules regarding the Outbreak Period are set forth in our earlier articles here and here). Below are the highlights:
To keep employers apprised of the rules and to assist with providing notice to plan participants of the changes that will accompany the end of the NE and PHE, the Department of Labor has issued two blog posts, which are available here and here.
Action Items: We urge plan sponsors to pay particular attention to notifying employees of the upcoming changes that will accompany the end of the PHE and NE and to ensure that participants covered under an HDHP understand that they may continue to contribute to their HSAs. Employers should consider communicating these changes to their employees.
For any questions regarding the end of the PHE and/or NE, please contact your regular McDermott lawyer or one of the authors.
Subscribe
