e3 Compliance Navigator™ Logine3 Financial News Archive For September / October 2009
CMS/ Medicare Disclosure Deadline (Nov 15th)
Oct 29, 2009
You may recall that Medicare Part D includes requirements for employers offering group prescription drug coverage, as you do under your group medical plan(s). To assist you in complying with those requirements, we offer these friendly reminders:
You must send a Notice of Creditable (or Non-Creditable) Coverage to ALL Medicare Part D eligible individuals currently covered under your group medical plan by November 15th of each year.
• The Notice of Creditable Coverage is appropriate for anyone enrolled in an HMO, POS or traditional PPO plan. The Notice of Non-Creditable Coverage is appropriate for anyone enrolled in an HSA-compatible high deductible PPO plan.
• Because Part D eligible individuals may include dependents and COBRA participants, we advise you to send the Notice via regular mail to ALL participants covered under your group medical plan. If dependents reside at the same address as the employee, the envelope may be addressed to "(Employee Name) and All Covered Dependents".
• Please contact us for model notices provided by the Center of Medicare & Medicaid Services (CMS), which we have modified to make them more user-friendly. For example, we've replaced the term "Entity" with "Name of Employer's Group Health Plan". (If you wish to review the original model notices, please visit: https://www.cms.hhs.gov/CreditableCoverage/).
You also must provide a disclosure of creditable coverage status to CMS by completing the online Disclosure to CMS Form. This should be done within 60 days after the end of your group medical plan year. If that deadline has passed, complete the Disclosure as soon as possible.
• Completing the online Disclosure to CMS Form requires only three steps and should take no more than five minutes:
o Step 1 -Enter the Disclosure Information
o Step 2 -Verify and Submit Disclosure Information
o Step 3 -Receive Submission Confirmation
• Step 1 will ask you to provide an estimate - and only an estimate! - of the number of Part D eligible individuals covered under your group medical plan as of the beginning of your plan year. You must also state the latest date on which you sent the Notice of Creditable (or Non-Creditable) Coverage to Part D eligible individuals.
• Here is the link to the required Disclosure to CMS Form:
https://www.cms.hhs.gov/CreditableCoverage/45_CCDisclosureForm.asp
• Once you have answered all of the questions, print a copy of your group's disclosure information and submission confirmation for your records.
If you have not already done so, we encourage you to complete the above items as soon as possible. If you need any assistance, please contact your Experience Manager or Client Advocate at 949-724-1964.
New Genetic Information Nondiscrimination Act (GINA) Guidance: Health Risk Assessment
Oct 14, 2009
On Oct.1, three federal agencies issued a lengthy package of regulations under the Genetic Information Nondiscrimination Act of 2008 (GINA). Though it will take some time to digest this entire package, one point is abundantly clear: Health plan sponsors and their insurers should think twice - if not three or four times - before including questions concerning an individual's family medical history in any health risk assessment (HRA).
Among other things, GINA bars a group health plan or insurer from discriminating on the basis of genetic information. This prohibition extends to collecting genetic information if that information will be used for underwriting purposes. GINA's statutory language made clear that family medical history falls within the definition of genetic information. Accordingly, GINA makes it impermissible to ask for family medical history before enrolling an individual in a health plan.
What many found surprising in the recent regulations, however, is a flat-out prohibition on asking for family medical history in even post-enrollment HRAs if employees will be rewarded for completing the assessment (or penalized for not doing so). Here is the rationale put forth by the government agencies for adopting this more stringent approach:
Under GINA, the definition of underwriting is broader than merely activities relating to rating and pricing a group policy. These interim final regulations clarify that underwriting purposes includes changing deductibles or other cost-sharing mechanisms, or providing discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment (HRA) or participating in a wellness program.
So what does this all mean? At a minimum, it means that HRAs may not ask for family medical history in either of the following two circumstances:
1. Before an individual is enrolled in a plan (or even before reenrollment, if the information may affect that reenrollment), or
2. At any time, if a reward will be given for providing this information (including a penalty for not doing so).
These prohibitions apply to plan years beginning after Dec. 7, 2009 - or as of Jan. 1, 2010, for calendar-year plans.
Now that many employers are beginning their annual enrollment season, employers, insurers and wellness vendors may need to respond immediately in order to delete from their HRAs any questions concerning family medical history. It may also be necessary to add language to open-ended questions stating that, in answering those questions, individuals should not provide any genetic information (including family medical history). The regulations impose this requirement in order to take advantage of an "incidental collection exception."
Fortunately, the regulations contain a number of examples that help to illustrate what may or may not be done in this regard. Those examples make clear that the following practices will pass muster under GINA (though they may still run afoul of other laws - including more stringent state laws):
1. Offering a financial incentive to complete an HRA, but excluding from that HRA any questions concerning family medical history.
2. Including questions concerning family medical history, but offering no financial incentive to complete the HRA (and deferring the HRA until after enrollment).
3. Offering a financial incentive to complete an HRA that requests no family medical history, and then including an addendum that requests such history - clearly stating that employees who leave the addendum blank will still receive the financial incentive for completing the rest of the HRA.
Keep in mind, though, that to effectively omit questions concerning family medical history, an HRA must plainly state that such history should not be provided in response to open-ended questions.
Kenneth A. Mason, Partner
Spencer Fane Britt & Browne LLP
HHS Issues Interim Final Rule Issued on HIPAA Breach Notification
Oct 06, 2009
As reported in a March 2009 Alert, the Health Information Technology for Economic and Clinical Health (HITECH) Act created a new notification requirement in the event of a breach involving protected health information (PHI). The Department of Health and Human Services (HHS) recently published interim final regulations clarifying when and how such breach notices must be provided.
Perhaps the most interesting aspect of this new guidance is its clarification of the term “breach.” The regulations define a breach as the acquisition, use or disclosure of PHI that compromises the security or privacy of PHI. The security or privacy of PHI is compromised only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.”
This standard will require a covered entity to conduct a risk assessment and document its analysis with respect to whether a breach has occurred. For example, the inadvertent disclosure of an individual’s admission to the hospital may not be considered a breach for purposes of requiring notification, but the inadvertent disclosure of an individual’s admission to the hospital for substance abuse treatment might be considered a breach.
According to the regulations, this notice requirement applies only to “unsecured” PHI. Unsecured PHI is defined as PHI that is “not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Department of Health and Human Services in published guidance.” HHS issued such guidance in April of this year, indicating that the only two approved methods of securing PHI are encryption (for both electronic data “at rest” and data “in motion”) and destruction (by shredding or purging). From a practical perspective, this appears to mean that any PHI that is maintained in a paper format would be considered unsecured for purposes of the breach notification rule, since it cannot be rendered secured until it has been destroyed.
As noted in our earlier article, the HITECH Act also extended this breach notification requirement to business associates of covered entities. Once they become subject to this requirement (by no later than Feb. 17, 2010), business associates whose actions result in a breach of unsecured PHI will be required to notify the covered entity of that breach without unreasonable delay, but in any event within 60 days of the discovery of the breach. They will also have to provide the names of the individuals whose PHI was the subject of the breach.
The new breach notification rules became effective as to covered entities on Sept. 23, 2009, but HHS has stated that it will use its enforcement discretion not to impose sanctions for failure to provide the required notifications for breaches discovered before Feb. 22, 2010. Nonetheless, given the complexities inherent in this area, covered entities (and their business associates) should not rely on this non-enforcement policy as an excuse to delay implementing the breach notification rules.
Julia M. Vander Weele, Partner
Spencer Fane Britt & Browne LLP
COBRA Subsidy Recipients and Notifying Former Employers to Avoid Penalties
Sep 09, 2009
Individuals who have qualified and received the 65 percent subsidy for COBRA health insurance, due to involuntary termination from a prior job, should notify their former employer if they become eligible for other group health coverage.
The American Recovery and Reinvestment Act of 2009 provides a subsidy of 65 percent of the COBRA health insurance premium for employees who are involuntarily terminated from September 30, 2008, to December 31, 2009. The subsidy requires only 35 percent of the premium to be paid for COBRA coverage for individuals, and their families, who have involuntarily lost their job and do not have coverage available elsewhere. The IRS announced the subsidy in a February 26, 2009, information release, IR-2009-15.
If an individual becomes eligible for other group health coverage, they should notify their plan in writing that they are no longer eligible for the COBRA subsidy. The notice that the United States Department of Labor sent to the individual advising them of their right to subsidized COBRA continuation payments includes the form individuals should use to notify the plan that they are eligible for other group health plan coverage or Medicare.
If an individual continues to receive the subsidy after they are eligible for other group health coverage, such as coverage from a new job or Medicare eligibility, the individual may be subject to the new IRC § 6720C penalty of 110 percent of the subsidy provided after they became eligible for the new coverage.
Taxpayers who fail to notify their plan that they are no longer eligible for the COBRA subsidy may wish to self-report that they are subject to the penalty by calling the IRS toll-free at 800-829-1040. In addition, taxpayers will need to notify their plan that they are no longer eligible for the COBRA premium subsidy.
Anyone who suspects that someone may be receiving the subsidy after they become eligible for group coverage or Medicare may report this to the IRS by completing Form 3949-A, Information Referral (PDF).
References/Related Topics
COBRA Health Insurance Continuation Premium Subsidy
