Archive | Compliance RSS feed for this section

Frequently Misunderstood Health Savings Account Issues

March 7, 2019


Christopher Beinecke is the Employee Health & Benefits National Compliance Leader for Marsh & McLennan Agency. 
Jennifer Stanley is a Compliance Consultant in the Employee Health & Benefits Compliance Center of Excellence for Marsh & McLennan Agency.

The health savings account (HSA) eligibility and contribution rules are often misunderstood, which can result in potential adverse consequences for participating employees.[1] This article focuses on certain employer-provided benefits that may unexpectedly affect an employee’s ability to make or receive HSA contributions as well as certain rules that affect the contribution amounts a participant can make and/or receive during the year.

Unexpected Disqualifying Other Coverage and Potential Solutions

In order to be eligible to make or receive HSA contributions, an individual must participate in a qualified high deductible health plan (HDHP) and have no other disqualifying coverage. Some common employer-provided benefits may unexpectedly be disqualifying other coverage, and we’ll address three of the most common “gotcha’s” below.

1. Account-Based Plans (FSAs and HRAs)
General purpose health FSAs and HRAs that may be used to reimburse for a broad range of qualifying medical expenses are generally disqualifying other coverage and disqualify an individual from making or receiving HSA contributions for the entire plan year. This is also true if the FSA or HRA is your spouse’s and can be used to reimburse for your medical expenses (whether or not this actually happens).

HSA Eligibility Solutions for Account-Based Plans –
Employers should consider the following HSA compatible FSA plan design options when offering an account-based plan and an HDHP (these are often referred to as “HSA compatible FSAs”):

  • Offer a limited-purpose FSA or HRA that may only be used to reimburse for dental and vision expenses;
  • Offer a post-deductible FSA or HRA that may only be used to reimburse for general medical expenses after the individual has met their annual HDHP deductible; or
  • An employer can actually offer an FSA or HRA that combines both features by being limited to dental and vision expenses until the annual HDHP deductible is met and can then be used to reimburse for general medical expenses afterwards.

Run-Out Periods, Grace Periods, and Carryover Provisions – FSAs usually operate with a run-out period allowing participants to submit claims after a plan year ends and may also include either a grace period or carryover provision (but not both). We’ll describe how these can affect HSA eligibility when used in a general purpose FSA:

  1. Run-Out Period When we say run-out period, we mean a participant has some period of time after the end of the plan year to submit claims that were incurred during the plan year. For
    example, a calendar year FSA may allow participants until March 31st to submit claims incurred by or before December 31, 2018. If I enroll in an HDHP during annual enrollment, an FSA with a run-out period does not interfere with my ability to make or receive HSA contributions at the start of the next plan year. In this example, I am eligible to make or receive HSA contributions on January 1, 2019.
  2. Grace Period When we say grace period, we mean a participant has some period of time after the end of the plan year to submit claims that were incurred during the plan year OR during the grace period. For example, a calendar year FSA may allow participants until March 31st to submit claims incurred by or before March 15, 2019. If I enroll in an HDHP during annual enrollment, an FSA with a grace period can interfere with my ability to make or receive HSA contributions until the first of the month after the grace period is over. In this example, if I have an FSA balance as of December 31, 2018, I would not be eligible to make or receive HSA contributions until April 1, 2019.The issue is whether I have an FSA balance at plan year end. If I have a zero FSA balance at plan year end (December 31, 2018 in our example), I am HSA eligible at the start of the next plan year without regard to the FSA’s grace period.
  3. Carryover Provision An FSA might include a carryover provision permitting participants to carry over the lesser of: (i) their unspent FSA account balance as of the end of the plan year; or (ii) $500 as a contribution toward their FSA balance for the next plan year. Amounts carried over do not count toward an individual’s annual FSA contribution limit ($2,700 for 2019). If funds are carried over into the following year and can be used to reimburse for general medical expenses, an individual will be ineligible to make or receive HSA contributions for the entire year.An employer can provide employees with options to avoid losing HSA eligibility for the following year:
  • The rules allow FSA funds to carry over from a general purpose FSA into an HSA compatible FSA plan. An employer could design the carryover feature to automatically carry over a balance from a general purpose FSA into an HSA compatible FSA when an individual elects HDHP coverage. This option obviously requires the employer also maintain an HSA compatible FSA.
  • An employer could allow affected employees to decline or waive a carryover at the end of the FSA plan year. An employer that doesn’t provide an HSA compatible FSA might choose this option.

2. Clinics (both onsite and offsite clinics)

In terms of HSA compatibility, clinics can be divided into two categories:

HSA Conflict

A clinic will cause an HSA conflict if all of the following is true:

  • The clinic provides medical services other than first aid, dental or vision care, preventive services, or certain disease management or wellness services;
  • The clinic provides the general medical services before an individual has met their annual HDHP deductible; and
  • The individual does not pay for the fair market value (FMV) of the general medical services before meeting their annual HDHP deductible.

No HSA Conflict

A clinic does not cause an HSA conflict if any of the following is true:

  • The clinic’s services are limited to first aid, dental or vision care, preventive services, or certain disease management or wellness services;
  • The clinic does not provide other medical services before an individual has met their annual HDHP deductible; or
  • The individual pays for the FMV of other medical services before meeting their annual HDHP deductible.

3. Telemedicine

There is much debate over whether telemedicine is a group health plan that is disqualifying other coverage for the purposes of HSA eligibility. We believe most telemedicine programs are disqualifying other coverage despite claims by some that telemedicine benefits should qualify for an exception available to employee assistance programs (EAPs).

The Myth of the EAP Exception for Telemedicine – IRS Notice 2004-50, Q/A #10 indicates that coverage under an EAP, disease management program, or wellness program isn’t other disqualifying coverage if the benefits do not provide significant medical care and provides an example of short-term counseling available through an EAP as meeting this standard. We’ll ignore for now whether a telemedicine benefit can be considered an EAP and agree there may be some wiggle room to do so.

The EAP exception is not a blanket exception for all EAPs without regard to their plan designs, and the real issue is whether the telemedicine benefit offers significant medical care. Some believe the medical care or treatment provided by a telemedicine benefit should not be considered significant because of the narrow range of available services that might be performed within a single telemedicine visit. We disagree. We can infer that a determination of significant medical care or treatment shouldn’t be limited to a single episode of care or the example of the permissible EAP in IRS Notice 2004-50, Q/A #10 wouldn’t bother describing the available counseling as “short-term.” Instead, the language used by the IRS strongly suggests that an EAP providing many or an unlimited number of visits would be considered other disqualifying coverage.

EAPs generally provide for a limited number of visits per year. By contrast, telemedicine programs tend to provide for an unlimited number of participant visits. In addition, telemedicine programs can usually write prescriptions which are not available through most traditional EAPs.

This view is also consistent with statements made by the Departments of Labor, Treasury, and Health & Human Services during the rulemaking process creating the EAP exception under the Affordable Care Act in which the agencies suggested an EAP providing for many or an unlimited number of visits would not qualify.

Potential HSA Eligibility Solutions for Clinics and Telemedicine

It is reasonable to assume that many telemedicine and clinic benefits will be considered other disqualifying coverage and cause an HSA eligibility issue without some sort of solution to resolve the conflict:

  1. Limit the scope – The benefits could be limited in scope to services that do not interfere with HSA eligibility, such as preventive services, dental or vision care, first aid (in the case of the clinic), or other services deemed insignificant care by the IRS such as immunizations and providing non-prescription pain relievers.This solution falls into the category of legally correct but not particularly useful, as limiting the scope of telemedicine and/or onsite health clinic benefits in this manner can defeat the purpose of meaningfully lowering the cost of the employer’s medical plan.
  2. Provide only post-deductible benefits – If the benefits are restricted to an HDHP participant until after he or she has met their HDHP deductible, there is no HSA conflict. This solution also falls into the category of legally correct but not particularly useful and can be both difficult and impractical to administer.
  3. Charge fair market value for the services – If the HDHP participants pay the FMV for the services received, there is no HSA conflict. While unpleasant, this is often the most practical solution to implement. There is no guidance explicitly directing how to calculate FMV for these benefits, which should make several approaches reasonable:(a) Use the Medicare reimbursement rate for the given service;
    (b) Use the in-network usual, customary, and reasonable charge for the given service; and
    (c) Develop standard rates for services/bundles of services based on the expected cost of providing them through the telemedicine or clinic benefit.

Flat rates are very common for telemedicine and clinic visits with additional charges for labs, tests, or prescriptions. An employer (particularly a healthcare system) may determine a discount is appropriate when determining the appropriate rates to take into account the lower cost of providing the services through a clinic or via telemedicine compared to general medical facilities. It is also not unusual for third-party administrators to have developed standard rates for services using the methods described above that employers can implement. If there is a monthly cost for access to the telemedicine or clinic benefit, that could be factored into the FMV fee calculation.

HSA contributions can be used to offset the cost of services for the telemedicine and clinic benefits, and employers can provide HSA contributions to assist. No fee needs to be charged for limited scope services (e.g., preventive, dental, vision, etc.). Although it adds a layer of administrative complexity, it is also true that the clinic does not need to charge anything once the individual has met the HDHP deductible for the year.

If point-of-service charges are limited to HDHP participants, it does raise a potential nondiscrimination issue under the Tax Code. However, if there is a reasonable mix of both highly and non-highly compensated participants in the HDHP and other medical plan options, this should not present an issue.

Certain Rules Affecting Annual HSA Contribution Limits

In general, an individual’s annual HSA contribution limit is pro-rated based on the number of months an individual is eligible to make or receive HSA contributions with HSA eligibility determined as of the first of each given month. This general rule has a lot of moving parts and is subject to several modifications.

  1. Aggregation Under the health FSA rules, the annual contribution limit ($2,700 for 2019) is based solely on the employee’s own contributions, excluding carryovers. By contrast, all contributions made or received to an individual’s HSA count toward the individual’s annual HSA contribution limit ($3,500 self-only; $7,000 family for 2019), with the exception of rollovers.
  2. The Last Month Rule – While eligibility and contribution limits are generally pro-rated monthly, an individual who is HSA eligible on December 1st can make or receive HSA contributions up to their full annual limit provided he or she remains HSA eligible through the end of the following calendar year. If the individual does not remain eligible throughout this period, the individual’s annual HSA contribution limit for the year is retroactively determined using the pro-rata method and will usually lead to adverse tax consequences. An employer is not required to administer the last month rule for payroll deduction purposes. If an employer does not administer this, the employee is still free to take advantage by contributing the additional amounts to the HSA bank on an after-tax basis (usually by writing a check) and taking a deduction on their personal income tax return using IRS Form 8889.
  3. A Special Rule for Spouses A husband and wife cannot establish a joint HSA, but each spouse can set up their own HSA if eligible. If either spouse has family coverage in an HDHP, both spouses are treated as having family coverage and are limited to the annual HSA family contribution limit split between them. This limit is divided equally unless they agree on a different division. Spouses can demonstrate they’ve agreed to a different division by electing unequal contributions toward their HSAs.A break for domestic partners – This special rule for spouses does not apply to domestic partners. Each domestic partner could contribute up to the annual HSA family contribution limit in this instance, because the contribution limit is not tied to tax dependent status. That said, an individual cannot use their HSA to pay for the medical expenses of a domestic partner on a tax free basis (or without penalty) unless the domestic partner is also the individual’s tax dependent. The individual could avoid the penalty if the individual was already age 65 or older.
  4. Catch-up Contributions HSA eligible individuals who are age 55 or older by the end of the calendar year may contribute an additional $1,000 for that year and every year thereafter so long as they remain HSA eligible.[2] If both spouses are over age 55 or older and HSA eligible, both are able to make catch-up contributions to their separate HSAs.

Putting it all together Chris (56 years old) is married to Jennifer (50 years old). Jennifer has enrolled in employee + children HDHP coverage through her employer and Chris has enrolled in employee-only HDHP coverage through his employer. Jennifer’s employer makes an HSA contribution of $1,000 to her HSA on January 1, 2019. Chris’ employer does not make a contribution to his HSA.

  • For 2019, Jennifer could normally contribute up to $7,000 to her HSA and Chris could normally contribute up to $3,500 to his HSA. Due to the special rule for spouses, Jennifer and Chris begin with a combined annual HSA contribution limit of $7,000.
  • Chris can contribute up to $3,500 plus an additional $1,000 catch-up contribution.
  • Assuming Chris does contribute $4,500, Jennifer’s annual contribution limit is $3,500. Her employer has already contributed $1,000, meaning Jennifer can only contribute an additional $2,500 herself.
  • Alternatively, Chris could limit his HSA contribution to his $1,000 catch-up contribution and Jennifer would be free to contribute $6,000 to her HSA in addition to the $1,000 received from her employer.

[1] We address the consequences of ineligible contributions in the “Mistaken HSA Contributions” article appearing later in this newsletter.

[2] Remember that an individual enrolled in Medicare is not HSA eligible.

Continue reading...

Automatic Enrollment Given a Boost

February 5, 2019


U.S. Department of Labor (DOL) Issues Letter Indicating ERISA Preemption Applies to State Payroll Withholding Laws

On December 4, 2018, the DOL issued a letter in response to an inquiry from the American Council of Life Insurers (ACLI) about the interaction of ERISA and state wage withholding laws that require an affirmative written election before payroll deductions may be taken as contributions toward coverage in an employer-sponsored benefit plan.

ACLI’s inquiry related to employer-provided disability coverage, but the DOL responded more broadly and indicated that ERISA preempts (overrides) such a state law. This generally means that, unless an employee has waived coverage, an employer with an ERISA-covered benefit plan may automatically enroll employees in coverage and deduct the required contributions from employee paychecks. This letter does not actually represent a change in the DOL’s position or introduce any new guidance, but it is a welcome clarification that allows employers flexibility to increase group plan participation, spreading risk, and expanding protection for their workers.

ERISA Preemption Primer

Basically, the legal doctrine of ERISA preemption provides that a benefit plan subject to ERISA may generally ignore any conflicting state law that may relate to the benefit plan with certain limited exceptions. The most significant exception allows states to regulate insurance within their borders, and state laws regulating insurance are “saved” from ERISA preemption. This is why state insurance mandates apply to fully-insured ERISA plans while self-insured ERISA plans may choose to ignore them.

In support of its position for the preemption of state wage withholding laws in connection with enrollment in an ERISA plan, the DOL cited various court cases and previous Advisory Opinions addressing circumstances in which state laws have been found to relate to an ERISA benefit plan. To the extent an applicable state law is interpreted to regulate or limit an employer’s ability to enroll employees or to make plan-related payroll deductions, it is the DOL’s position that such state law will be preempted and will not apply to the employer’s ERISA plan.

Note: The DOL’s letter did not address any of the exceptions to ERISA preemption such as the exception saving state insurance laws. As a result, the letter shouldn’t be viewed as sanctioning other actions an employer might want to take with respect to a fully-insured benefit plan.

Notes and Practical Issues

If an employer wants to implement an automatic enrollment policy, there are a few additional considerations that should be taken into account. For example, ERISA imposes certain fiduciary obligations on an employer in its role as plan administrator. Among other things, this requires comprehensive communications pieces about any plan terms and conditions as well as a clear explanation of the employee’s right to decline coverage and the exact procedures and timeframes for doing so.

We realize that the inquiry dealt specifically with disability coverage and that many employers provide ancillary coverage such as basic life, AD&D, and disability at no cost to employees. It’s also worth noting that disability was a tricky example to use, as many self-insured short term disability programs may not actually be eligible for ERISA preemption.1 The DOL letter did not address whether the required contributions for benefits subject to automatic enrollment could be taken pre-tax or post-tax, which is really an IRS matter, but either should be permissible.2 This contribution approach should be included in the communication material described earlier.

The DOL’s response does support the use of an automatic enrollment approach with respect to medical/Rx coverage, although an employer may not wish to do so for various reasons including the higher required employee contributions for these benefits compared to ancillary coverage like life and disability coverage. Also, the Affordable Care Act’s employer shared responsibility requirement can be met merely by offering coverage without regard to whether an employee actually enrolls.  In any event, the employee must be given the opportunity to waive coverage.

1 Many employer-provided self-insured short term disability programs will fall within ERISA’s payroll practice exception, and ERISA’s preemption rules will not apply to them.
2 An employer may prefer disability contributions to be taken post-tax so that the disability benefits will be tax free when paid to participants.

Continue reading...

Slowly Filling in the Blanks

January 2, 2019


IRS Releases Guidance on Qualified Transportation Fringe Benefits for Tax-Exempt Organizations

The Tax Cuts and Jobs Act (the “Act”), enacted in December 2017, eliminated the business deduction employers received for providing qualified transportation fringe benefits (“fringe benefits”) to their employees beginning January 1, 2018. The Act did not affect the employee exclusion, which enables the amount of qualified transportation fringe benefits provided by employers to be excluded from employee gross income up to specified monthly limits ($260 in 2018; $265 in 2019). Since the loss of the business tax deduction would not affect a tax-exempt organization, Congress included a provision in the Act that requires tax-exempt organizations to add the amount of these fringe benefits provided to their employees to its unrelated business taxable income (UBTI). However, the Act didn’t specify exactly how to calculate the disallowed deduction or UBTI amount, particularly for qualified parking expenses.

The Internal Revenue Service released Notice 2018-99 that fills in this gap by describing how to calculate the disallowed deduction amount for taxable organizations or UBTI for tax-exempt organizations. The Department of the Treasury and the IRS will eventually publish proposed regulations but, in the meantime, IRS Notice 2018-99 may be relied upon for fringe benefit amounts paid or incurred after December 31, 2017. Essentially, the calculation will depend upon whether the employer pays a third party for parking, or if the employer owns or leases a parking facility.

We believe the ultimate result is that employers will move away from or limit providing reserved parking spaces to employees for reasons that will become clear later in this article.

Employer Pays a Third Party for Parking Space 

If an employer pays a third party so their employees may park in the third party’s garage or lot, the disallowed deduction or UBTI amount is generally the total annual cost paid to the third party. Keep in mind that if the amount exceeds the monthly exclusion limit ($260 in 2018; $265 in 2019), the excess amount must also be treated as taxable compensation to the employee. Fortunately, this excess amount will not be included in the UBTI calculation.

Employer Owns or Leases All or Part of a Parking Facility

Until further guidance is released, employers may use any reasonable method to calculate the disallowed deduction or UBTI amount if the employer owns or leases a portion of a parking facility. The IRS specifically noted that “using the value of employee parking to determine expenses allocable to employee parking in a parking facility owned or leased by the taxpayer is not a reasonable method.”

If the employer owns or leases more than one parking facility in a single geographic location, the employer may aggregate the number of spaces in those parking facilities using this process. If the parking facilities are in multiple geographic areas, the employer cannot aggregate the spaces. For those who prefer firmer guidance, Notice 2018-99 provided steps an employer may follow to calculate that amount. Yes, this is really what the guidance says.

Step 1: Reserved Employee Spaces

The employer must first calculate the amount attributable for reserved employee spaces. This is done by determining the percentage of reserved employee spaces in relation to total parking spaces and multiplying that by the employer’s total parking expenses for the parking facility. “Total parking expenses” is defined in the Notice and does not include a deduction for depreciation or expenses paid for items near the parking facility, such as landscaping or lighting. The resulting amount is the disallowed deduction or the amount that will be added to a tax-exempt organization’s UBTI. The IRS will allow employers that have reserved employee spots until March 31, 2019 to change their parking arrangements to decrease or eliminate the number of reserved employee spots retroactive to January 1, 2018.

Step 2: Primary Use Test

The employer must next identify the remaining spaces and determine whether they are primarily used for the general public or for its employees. The IRS defines “primary use” as greater than 50% of actual or estimated usage during normal hours on a typical work day. If parking space usage significantly varies, the employer can use any reasonable method to determine the average usage. The portion of expenses not attributable to the general public’s use is the disallowed deduction or amount included in a tax-exempt organization’s UBTI.

Step 3: Reserved Non-Employee Spots

If the primary use of the employer’s remaining parking spaces is not for the general public, the employer must identify the number of spaces exclusively reserved for non-employees (such as “Customer Only” parking). Spaces reserved for partners, sole proprietors and 2% shareholders are also included in this category. If the employer has reserved non-employee spaces, it needs to determine the percentage of reserved non-employee spaces in relation to the remaining total spaces. That amount is multiplied by the employer’s remaining total parking expenses. This is the amount of the disallowed deduction or amount included in a tax-exempt organization’s UBTI.

Step 4: Determine Remaining Use and Allocable Expenses

If there are any leftover parking expenses left over, the employer must reasonably determine employee use (either actual or estimated usage) of the remaining spaces during normal work hours and the related expenses for those spaces. The amount of expenses attributable to employee use is the disallowed deduction or amount included in in a tax-exempt organization’s UBTI.

IRS Notice 2018-99 does provide some helpful examples of this four step process illustrating how the calculation works in different situations. If tax-exempt organizations have $1,000 or more of UBTI they will need to report using Form 990-T.  Those tax-exempt organizations with less than $1,000 in UBTI are not required to file and are not subject to the tax.

Continue reading...

Texas Federal Court Rules ACA Unconstitutional

December 18, 2018


Given the heavy media attention, you are probably aware that a Texas federal district court issued a decision on December 14, 2018, declaring the entire Affordable Care Act (ACA) unconstitutional. The final outcome will take a while, and the ACA remains in effect as this case moves through the appeals process. Employers (and their group health plans) should continue to comply with the ACA in the meantime.

2018 FORM 1094/1095 REPORTING.

Texas v. Azar

In its 2012 National Federation of Independent Businesses (NFIB) v. Sebelius decision that preserved most of the ACA as originally written,[1] the U.S. Supreme Court held that Congress had the authority to implement the individual mandate and its penalty under the taxing power given to it by the U.S. Constitution. The individual mandate penalty was reduced to zero effective January 1, 2019, by the Tax Cut and Jobs Act of 2017 triggering the Texas v. Azar lawsuit over the continuing constitutionality of the ACA. This case was ultimately joined by thirty-six states and the District of Columbia giving it a distinctive red versus blue feel.

In his decision, Judge O’Connor determined that the elimination of the individual mandate penalty meant the individual mandate itself could no longer be viewed as a valid exercise of Congress’ taxing power. Judge O’Connor also determined that the individual mandate was so essential to and inseparable from the ACA that this renders the entire ACA unconstitutional.

Predicting the Future

Judge O’Connor’s ruling did not include an injunction, meaning the ACA is still in effect pending the appeals process. This fact was verbally repeated by the Trump administration. It is probably foolish to attempt to predict the future of Texas v. Azar, but if we had to:

    1. The 5th Circuit – This is a coin flip, but the U.S. Court of Appeals for the 5th Circuit overrules the district court opinion. While the court agrees that the individual mandate is unconstitutional, the 5th Circuit is unable to conclude that the individual mandate cannot be severed from the rest of the ACA. Whatever the outcome, the side that comes up short appeals to the U.S. Supreme Court.
    2. Congress – If the 5th Circuit finds the ACA unconstitutional, lawmakers work in earnest to draft legislation preserving ACA protections that are popular with voters and to avoid massive disruption in the insurance industry. One of these bills will have enough bipartisan support to be enacted by Congress and signed into law by the President should the Supreme Court declare the ACA unconstitutional.
    3. The Supreme Court The U.S. Supreme Court agrees to hear the case and preserves the ACA again by holding that the individual mandate is severable from the remainder of the ACA and/or for other reasons. Remember, the appointments of Justices Gorsuch and Kavanaugh notwithstanding, the five justices who ruled in favor of the ACA in NFIB v. Sebelius in that 5-4 opinion are still present.

We’ll keep you updated as this progresses.

[1] If you’ll recall, the mandate for all states to participate in the Medicaid expansion was struck down.

Continue reading...

Do the HIPAA Privacy and Security Rules Apply to My Organization?

November 27, 2018


This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities. Part One addressed Covered Entities and appeared in our October 2018 newsletter. This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]

Quick Recap

Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

What’s a Business Associate?

In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan. In other words, a third party that helps make your health plan go but needs PHI to do it. The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate. Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.

Typical Business Associates for a Self-Insured Group Health Plan



Maybe So

  • Third party administrator (TPA) including pharmacy benefit manager
  • COBRA administrator (more about this below)
  • Broker/consulting firm
  • Actuaries
  • Record keepers (e.g. Iron Mountain or other third parties storing physical electronic records with PHI)
  • Other cloud service providers such as Google if Gmail is used as the email system
  • Plan sponsor/employer
  • Stop-loss carrier (more about this below)


  • External legal counsel
  • Accountants if will see PHI in connection with an audit or review





COBRA Administrators
If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates.

The Curious Case of Stop-Loss
The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly.  In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded.  We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.

Business Associate Contracts

Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3] The Department of Health and Human Services (DHHS) has provided sample  business associate contract language. Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”). Your organization has a limited amount of time to investigate and respond to a breach.

As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted. It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties who each favor their own contracts. The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.

Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor. Your Business Associate must represent in the Business Associate contract that they have with your organization that it has a contract in place with its subcontractor that provides for all of the same protections under the Rules with respect to any PHI related to your health plan.

Example – A self-insured medical plan engages a TPA for claims administration and other services. One of these services is claims monitoring to reduce fraud, waste, and abuse.  The claims monitoring services are actually provided by a subsidiary of the TPA, and the medical plan does not have a direct contract with the claims monitoring subsidiary. The TPA is a Business Associate of the medical plan. The claims monitoring entity is a Business Associate of the TPA and should be addressed as a subcontractor within the Business Associate contract between the medical plan and the TPA.

Next Steps

You should always know who your Business Associates are and should make sure you have a list of all the current vendors who provide services related to your health plans. Of these vendors, which ones use PHI to perform a function on behalf of a group health plan?

These are your Business Associates, and you should maintain current Business Associate contracts with all of them. Don’t forget to make this an implementation step when adding a new vendor who will be a Business Associate to your health plan(s).

[1] In Part One, we addressed that insurance carriers are the Covered Entities for fully-insured group health plans and that employers/plan sponsors generally have few obligations under the Rules for those plans.

[2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a mere conduit of the information.

[3] A failure to enter into the contract does not mean the third party is not your Business Associate and just subjects you to potential penalties for non-compliance.

Continue reading...

Better Late Than Never

November 16, 2018


The Internal Revenue Service released Revenue Procedure 2018-57 today, which contains the 2019 cost-of-living adjustments for various employee benefit plans including employer sponsored health care flexible spending accounts, qualified transportation fringe benefits, and adoption assistance programs. The following provides a summary of the annual limits for these specific benefit programs along with a summary of the 2019 high deductible health plan and health savings accounts limits announced earlier this year.

Each of the limits described below are applicable for taxable years beginning in 2019. If you have any questions or need further details about the tax limits and how they will impact your employee benefit programs, please contact your account team.

Health Care Flexible Spending Accounts
Employees will be allowed to contribute up to $2,700 per plan year.

Qualified Transportation Fringe Benefit
The monthly dollar limit on employee contributions has increased to $265 per month for the value of transportation benefits provided to an employee for qualified parking. The combined transit pass and vanpooling expense limit will also increase to $265 per month.

Adoption Credit/Adoption Assistance Programs
In the case of an adoption of a child with special needs, the maximum credit allowed under Code Section 23 is increased to $14,080. The income threshold at which the credit begins to phase out is increased to $211,160. Similarly, the maximum amount that an employer can exclude under Code Section 137 from an employee’s income for adoption assistance benefits is increased to $14,080.

HDHP and Health Savings Account (HSA) Amounts
Earlier this year, the IRS released Revenue Procedure 2018-30 which included the 2019 minimum deductible and maximum out-of-pocket limits for high deductible health plans (HDHPs) and the maximum contribution levels for HSAs.

  • The minimum annual deductible for a plan to qualify as a HDHP will remain at $1,350 for self-only coverage and $2,700 for family coverage;
  • The maximum annual out-of-pocket limits allowable under an HDHP will increase to $6,750 for self-only coverage and $13,500 for family coverage; and
  • The 2018 maximum allowable annual contribution employees may make to their HSAs will increase to $3,500 for an individual with self-only coverage and increase to $7,000 for an individual with family coverage.

The HSA catch-up contribution limit for participants who are 55 or older on December 31, 2019, remains an additional $1,000 per year.

Continue reading...

Health Reimbursement Arrangements Poised for a Facelift

November 2, 2018


The President signed an Executive Order on October 12, 2017, directing the U.S. Departments of Labor, Treasury, and Health and Human Services (collectively, the “Agencies”) to consider rules expanding the availability and permitted uses for Health Reimbursement Arrangements (HRAs). The clear intent was to ultimately enable employers to offer HRAs to employees that can be used to purchase individual insurance policies. The Agencies issued a set of proposed regulations addressing this and related issues on October 23, 2018.

The Bottom Line
We’ll address the proposed rules in more depth under Some Details About Individual Insurance HRAs below, but the main takeaways are:

  1. Premiums – Employers will be able to offer HRAs to employees that can be used to pay for individual health insurance coverage premiums. These will be referred to as “Individual Insurance HRAs” in this article.
  2. Employer mandate – Individual Insurance HRAs can be used to avoid employer mandate penalties under the Affordable Care Act (ACA).
  3. It’s one or the other – An employer can offer traditional group health coverage to a class of employees or an Individual Insurance HRA, but not both.

So, When Exactly?
The proposed effective date is for plan years beginning on or after January 1, 2020. The comment period for the proposed regulations will last through the remainder of 2018. The proposed regulations cannot be relied upon as a safe harbor. The final regulations will probably not appear before mid-2019 and may not differ much from the details described below.

Some Details About Individual Insurance HRAs

Item Guidance


Employees (including former employees) and dependents who are enrolled in major medical coverage purchased in the individual insurance market[1]

Coverage for any part of a month for which a premium is due qualifies

Classes of Employees


Employers may divide their workforces into the following classes of employees:

  1. Full-time employees
  2. Part-time employees
  3. Seasonal employees
  4. Employees covered by a collective bargaining agreement
  5. Employees eligible for the employer’s traditional group health coverage, but who are in a waiting period
  6. Employees who are under age 25 at the beginning of the Individual Insurance HRA plan year
  7. Foreign employees working abroad with no U.S.-sourced income
  8. Employees primarily employed in the same insurance community rating area

If an Individual Insurance HRA is offered to a class, it must be offered on the same terms to all employees within the class[2] (benefit levels may only vary based on age and family size within a class)

If an employer offers an Individual Insurance HRA to a class of employees, it may not offer its traditional group health coverage to that class[3]

Note: There are no other permitted classes such as hourly versus salaried employees.

ACA and the Employer Mandate


An Individual Insurance HRA automatically qualifies as minimum essential coverage and is an “offer of coverage” for the purposes of satisfying the ACA’s employer mandate

An Individual Insurance HRA (with its individual major medical insurance policy) is automatically deemed to satisfy the ACA’s minimum value requirement

An Individual Insurance HRA is deemed “affordable coverage” if the difference between the monthly premium for the lowest cost available silver plan and 1/12th of the annual Individual Insurance HRA contribution is equal to or less than the applicable affordability safe harbor percentage.

Affordable Coverage Example

In 2020, an employer makes an annual contribution of $3,600 to an employee’s Individual Insurance HRA. The monthly premium for the lowest cost available silver plan is $400.

$400 – ($3,600/12) = $100/month

The Individual Insurance HRA is an affordable offer of coverage for the employee if $100/month is within an affordability safe harbor for that employee in 2020



Employees are required to substantiate enrollment in individual coverage (including for any dependents) each time a request for reimbursement is submitted

An employer may rely on the employee’s attestation of coverage or require reasonable proof of enrollment (such as an ID card)



Employees must be permitted to waive participation annually, although the Individual Insurance HRA may still be considered an offer of affordable, minimum value coverage by the employer
ERISA Status, etc.


The Individual Insurance HRA itself is an employer-sponsored group health plan

The individual insurance coverage reimbursed by the HRA will not be considered an ERISA plan offered by the employer so long as the employer does not sponsor it or play a role in its selection

Cafeteria Plan Option


An employer may allow employees to pay for any remaining premium for the individual insurance policy through the employer’s cafeteria plan, but this is not available for coverage purchased through the public insurance exchange
Notice Requirements


Employers must provide eligible employees with a notice describing the terms of the Individual Insurance HRA and the affect it may have on the employee’s eligibility for a subsidy in the public insurance marketplace

[1] This does not currently include short-term, limited duration insurance.

[2] An employer can offer an Individual Insurance HRA to some former employees within a class and not others so long as the terms are uniform.

[3] Employees are not treated as having been offered group health coverage while in a waiting period.

And for Good Measure…
The Agencies also created another category of HRA known as an “Excepted Benefit HRA” that may be offered on a standalone basis exempt from the ACA’s mandates if all of the following is true:

  • The employer offers traditional group health coverage to the employee (this means the employee cannot also be offered an Individual Coverage HRA);
  • The maximum annual reimbursement is $1,800 (indexed);
  • Reimbursements are limited to general medical expenses and premiums for COBRA, short-term limited duration insurance, and other excepted benefits coverage (this can include many types of non-major medical health coverage); and
  • The Excepted Benefit HRA is available on a uniform basis to all similarly situated employees.[4]

[4] This is based on HIPAA’s “similarly situated groups” rule and is not tied to the permitted classes of employees under the Individual Insurance HRA.

Continue reading...

Do the HIPAA Privacy and Security Rules Apply to My Organization?

October 22, 2018


This article is the first in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA with one P and two As, always) apply to various legal entities. This article addresses Covered Entities. Part two will address Business Associates.

What’s a Covered Entity?

There are three types of Covered Entities under the Rules. We’ll describe all three below, although the remainder of this article focuses on the Rules as they relate to employer-provided group health plans.

  1. Health care providers that engage in certain types of electronic transactions – Health care providers generally include what you’d expect, such as hospitals, clinics, pharmacies, nursing homes, health care practices, individual health care professionals, etc.To be a Covered Entity, the health care provider has to engage in certain types of electronic transactions including determinations of eligibility, billing, payment, and the coordination of benefits. Even in the rare instance that a health care provider is not subject to the Rules, other federal and state law likely affects how the provider may access or use personal health information.
  2. Health care clearinghouses – These have nothing to do with sweepstakes prizes and usually operate invisibly in the background as a go-between health care providers and health plans. A health care clearinghouse receives health information from an entity and processes the health information into a format usable by another entity. The best example we can give you occurs when a health care provider transmits billing information to a third party, the third party reprices the claims and formats the information into a new data set, and transmits the data set to a third party administrator or insurance carrier enabling it to process and pay the claims. The third party repricing and formatting the billing information in this example is a health care clearinghouse.
  3. Health plans – A health plan is a plan that provides or pays for the cost of medical care. Simple, right?

Group Health Plans

There are many types of benefits that involve personal health information. A plan is only a Covered Entity under the Rules if it is a health plan that provides or pays for the cost of medical care. Covered Entity status transforms a lot of personal health information that may be held or used by or on behalf of the health plan into Protected Health Information.[1]

In a nutshell, Protected Health Information (PHI) is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

We’re focusing on employer-provided group health plans and will provide an overview of their obligations under “Group Health Plan Responsibilities Under the Rules” below.

Is it a Group Health Plan?



Maybe So

  • Medical
  • Prescription drug
  • Dental
  • Vision
  • Health FSAs
  • HRAs
  • EAPs (if not just a referral service)
  • AD&D
  • Business travel accident
  • Leave administration (e.g. FMLA)
  • Life
  • Stop-loss
  • Workers’ Compensation insurance
  • Onsite clinics
  • Long-term care
  • Wellness programs


[1] Even though a benefit plan may not be subject to the Rules, personal information created or used by the plan may still be protected under other federal or state law.  For example, leave administration and disability insurance are not generally subject to the Rules, but limitations under the Americans with Disabilities Act or other laws may apply.

A group health plan is exempt from the Rules if it covers less than 50 current and/or former employees and is self-administered by the employer without the assistance of a third party administrator or insurance carrier. This is hard to meet, but some small health flexible spending account (health FSA) or health reimbursement arrangement (HRA) plans may qualify.

Unlike ERISA, the Rules contain no exception for church or governmental plans.

What Did You Mean by “Maybe So?”

  • Onsite clinics – This feels like a trick. At first glance, you’d think an employer-provided onsite clinic might be a Covered Entity both as a health care provider and as a group health plan, but what seems obvious isn’t necessarily so.First, an onsite clinic might be operated in such a way that it doesn’t engage in any of the electronic transactions that would cause it to be a Covered Entity as a health care provider.  As a precaution, we recommend an employer seek the assistance of legal counsel before taking the position the Rules do not apply to its onsite clinic. Again, even though the Rules may not apply, personal information may still be protected by other federal or state law. Second, an onsite clinic that merely provides first aid-type services is not a health plan at all under the Rules. Third, an odd exception under the Rules seems to exclude onsite clinics that are health plans, even when the onsite clinic is integrated into other group health plan coverage (but see “It’s a bird, it’s a plane” below).
  • Long-term care – A long-term care policy is a group health plan unless it is limited to nursing home fixed indemnity coverage.
  • Wellness programs – Wellness programs can include programs that include medical care (e.g. biometric screenings and targeted health coaching) and those that do not (e.g. general education and activity challenges). If a wellness program does not include any medical care services, it is not subject to the Rules. In many instances, a wellness program will include both medical care and non-medical care services and/or be integrated into an employer’s medical plan (please see “It’s a bird, it’s a plane” below).

Does Self-Insured vs. Fully-Insured Matter?

It must, or we wouldn’t have a section addressing it, right? If a group health plan is self-insured, it is generally subject to all of the compliance obligations under the Rules. If a group health plan is fully-insured, many of the compliance obligations under the Rules belong to the insurance carrier if the plan (through its plan sponsor acting on the plan’s behalf) is “hands off” PHI.

  • “Hands Off” PHI – The plan sponsor does not create or receive PHI other than enrollment/disenrollment information or summary health information for the purposes of obtaining premium bids or modifying, amending, or terminating the plan. Many fully-insured group health plans qualify as “hands off” PHI.We can hear the howls of protest, but self-insured group health plans cannot qualify for “hands off” PHI relief under the Rules no matter how little the plan sponsor may be involved with their administration.
  • “Hands On” PHI – This applies if the plan sponsor is not “hands off” PHI and can access or receive specific information about claims information or payment.

We will provide an overview of the responsibilities for self-insured group health plans and fully-insured plans that are “hands off” or “hands on” PHI under “Group Health Plan Responsibilities Under the Rules” below.

It’s a Bird, it’s a Plane…

Sometimes, a legal entity may include parts that are subject to the Rules and others that are not. The Rules refer to this as a “hybrid entity” and examples include:

  • A welfare benefit “wrap plan” that incorporates both medical and non-medical care benefits such as medical, dental, vision, group term life, accidental death & dismemberment, business travel accident, and long-term disability benefits;
  • A standalone wellness program that includes both medical and non-medical care benefits such as biometric screenings, targeted health and nutritional counseling, general education, and step and/or healthy eating challenges; and
  • A Walgreen’s or CVS store that includes a pharmacy.

Left as is, the entire “hybrid entity” must comply with the Rules. However, the Rules allow a “hybrid entity” to separate itself for compliance purposes by designating which parts make up the Covered Entity and which do not. The Rules appear to only require this designation in the Covered Entity’s HIPAA Privacy and Security policies and procedures, but it wouldn’t be the worst idea ever to also include this in the corresponding plan document.[2]

Group Health Plan Responsibilities Under the Rules

A plan/plan sponsor can generally reduce its liability by limiting its contact with PHI. Many of the responsibilities in this section can be delegated to third parties, but the plan remains responsible for compliance with the Rules.

[2] The plan document will need to include certain HIPAA Privacy and Security language anyway, and the designation can go there.

Self-Insured Group Health Plan
and Fully-Insured Group Health Plan that is “Hands On” PHI[3]

  • €Appoint a HIPAA Privacy and Security officer (they can be different people in your organization)
  • €Identify the Covered Entity workforce (people in your organization that work with PHI to help administer your plan)
  • €Address all the administrative, physical and technological standards of the Security Rule
  • €Draft HIPAA Privacy and Security policies and procedures indicating how the plan complies with the Rules
  • €Train your Covered Entity workforce on your policies to safeguard PHI
  • €Identify all the plan’s Business Associates and enter into Business Associate Agreements with them
  • €Maintain a notice of privacy practices and distribute as required
  • €Create procedures to investigate potential breaches and address breach notification requirements
  • €Create a complaint process and designate a complaint contact
  • €Maintain processes for requesting restrictions, confidential communications and amendments to health information
  • €Amend plan document to comply with certain HIPAA Privacy and Security Rule requirements


Fully-Insured Group Health Plan that is “Hands Off” PHI

The plan may not:

  • Intimidate or retaliate against participants who exercise their rights under the Rules; or
  • €Require participants to waive their rights under the Rules
  • The plan has to comply with a limited number of safeguards under the Security Rule:[4]
  • €Appoint a HIPAA Security officer
  • €Perform a periodic risk analysis (this will document all PHI is in the hands of third parties such as the insurance carrier or a business associate and not the plan/plan sponsor)
  • €Document that the risk management procedures for PHI used by the insurance carrier are adopted by the plan and that the plan requires no additional measures to reduce risk
  • €Identify all the plan’s Business Associates, if any, and enter into Business Associate Agreements that comply with the HIPAA Security Rule requirements
  • €Amend plan document to comply with certain HIPAA Security Rule requirements

[3] We realize these are generally overlooked and likely present little risk.

[4] From a compliance perspective, the differences between the two types of plan are minor.

Continue reading...