
Texas Federal Court Rules ACA Unconstitutional

December 18, 2018


Given the heavy media attention, you are probably aware that a Texas federal district court issued a decision on December 14, 2018, declaring the entire Affordable Care Act (ACA) unconstitutional. The final outcome will take a while, and the ACA remains in effect as this case moves through the appeals process. Employers (and their group health plans) should continue to comply with the ACA in the meantime.

2018 FORM 1094/1095 REPORTING.

Texas v. Azar

In its 2012 National Federation of Independent Business (NFIB) v. Sebelius decision that preserved most of the ACA as originally written,[1] the U.S. Supreme Court held that Congress had the authority to implement the individual mandate and its penalty under the taxing power given to it by the U.S. Constitution. The individual mandate penalty was reduced to zero effective January 1, 2019, by the Tax Cuts and Jobs Act of 2017, triggering the Texas v. Azar lawsuit over the continuing constitutionality of the ACA. This case was ultimately joined by thirty-six states and the District of Columbia, giving it a distinctive red versus blue feel.

In his decision, Judge O’Connor determined that the elimination of the individual mandate penalty meant the individual mandate itself could no longer be viewed as a valid exercise of Congress’ taxing power. Judge O’Connor also determined that the individual mandate was so essential to and inseparable from the ACA that this renders the entire ACA unconstitutional.

Predicting the Future

Judge O’Connor’s ruling did not include an injunction, meaning the ACA is still in effect pending the appeals process. This fact was verbally repeated by the Trump administration. It is probably foolish to attempt to predict the future of Texas v. Azar, but if we had to:

    1. The 5th Circuit – This is a coin flip, but the U.S. Court of Appeals for the 5th Circuit overrules the district court opinion. While the court agrees that the individual mandate is unconstitutional, the 5th Circuit is unable to conclude that the individual mandate cannot be severed from the rest of the ACA. Whatever the outcome, the side that comes up short appeals to the U.S. Supreme Court.
    2. Congress – If the 5th Circuit finds the ACA unconstitutional, lawmakers work in earnest to draft legislation preserving ACA protections that are popular with voters and to avoid massive disruption in the insurance industry. One of these bills will have enough bipartisan support to be enacted by Congress and signed into law by the President should the Supreme Court declare the ACA unconstitutional.
    3. The Supreme Court – The U.S. Supreme Court agrees to hear the case and preserves the ACA again by holding that the individual mandate is severable from the remainder of the ACA and/or for other reasons. Remember, the appointments of Justices Gorsuch and Kavanaugh notwithstanding, the five justices who ruled in favor of the ACA in NFIB v. Sebelius in that 5-4 opinion are still present.

We’ll keep you updated as this progresses.

[1] If you’ll recall, the mandate for all states to participate in the Medicaid expansion was struck down.


Do the HIPAA Privacy and Security Rules Apply to My Organization?

November 27, 2018


This article is the second in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA) apply to various legal entities. Part One addressed Covered Entities and appeared in our October 2018 newsletter. This article addresses Business Associates of Covered Entities that are self-insured group health plans.[1]

Quick Recap

Covered Entities are the key stakeholders in the delivery and payment of health care, but they frequently partner with other organizations for assistance. Many of these organizations will need to come into contact with Protected Health Information (PHI) to assist the Covered Entity. Remember, PHI is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

What’s a Business Associate?

In the group health plan context, HIPAA defines a Business Associate as a third party that requires PHI to perform some function or service on behalf of a group health plan. In other words, a third party that helps make your health plan go but needs PHI to do it. The third party might create, receive, store, or transmit[2] the PHI in this role, but it must be “PHI sticky” in at least one of those ways to be considered a Business Associate. Many of HIPAA’s Privacy and Security requirements apply directly to Business Associates.

Typical Business Associates for a Self-Insured Group Health Plan



Maybe So

  • Third party administrator (TPA) including pharmacy benefit manager
  • COBRA administrator (more about this below)
  • Broker/consulting firm
  • Actuaries
  • Record keepers (e.g. Iron Mountain or other third parties storing physical electronic records with PHI)
  • Other cloud service providers such as Google if Gmail is used as the email system
  • Plan sponsor/employer
  • Stop-loss carrier (more about this below)


  • External legal counsel
  • Accountants, if they will see PHI in connection with an audit or review





COBRA Administrators
If a COBRA administrator merely receives enrollment and disenrollment information from the employer (as plan sponsor), the information it receives is not PHI and the COBRA administrator is not technically a Business Associate of the group health plan. The nature and source of the information provided is easily blurred between the employer and group health plan, and it’s common for COBRA administrators to agree to be treated as Business Associates.

The Curious Case of Stop-Loss
The Rules indicate that stop-loss carriers are not Business Associates of a group health plan when the stop-loss policy insures the plan itself. The Rules are less clear about the more likely scenario where the stop-loss policy insures the employer/plan sponsor directly.  In practice, stop-loss carriers are often reluctant to be treated as Business Associates and are frequently excluded.  We recommend employers enter into robust non-disclosure agreements with stop-loss carriers not treated as Business Associates.

Business Associate Contracts

Your organization’s group health plan is required to enter into a contractual agreement with all of your Business Associates outlining how the Business Associate may use and disclose PHI, how it will secure PHI, and other rights and obligations the parties have under the Rules.[3] The Department of Health and Human Services (DHHS) has provided sample  business associate contract language. Among other items, the contract must include language addressing the parties’ responsibilities when unsecured PHI is improperly used or disclosed (a “breach”). Your organization has a limited amount of time to investigate and respond to a breach.

As a practical matter, it is the employer (as plan sponsor) who must secure the contract for all of the plan’s Business Associates, but Business Associates will often supply their version of this contract to the employer without being prompted. It is in each party’s best business interest to use a standardized contract for administrative ease rather than having to honor the commitments of contracts from different sources, so there is a natural tension between the parties who each favor their own contracts. The requirements for a Business Associate contract are pretty standard, but it is not unusual for the contract to be more favorable toward the drafting party or to include additional contractual terms beyond what the Rules require, so it is important to have this reviewed by your legal counsel.

Sometimes Business Associates contract with other organizations to perform one or more functions the Business Associate was hired to perform for the group health plan (“subcontractors” who are also PHI sticky), and there is no direct relationship between the health plan and the subcontractor. In its Business Associate contract with your organization, your Business Associate must represent that it has a contract in place with its subcontractor that provides for all of the same protections under the Rules with respect to any PHI related to your health plan.

Example – A self-insured medical plan engages a TPA for claims administration and other services. One of these services is claims monitoring to reduce fraud, waste, and abuse.  The claims monitoring services are actually provided by a subsidiary of the TPA, and the medical plan does not have a direct contract with the claims monitoring subsidiary. The TPA is a Business Associate of the medical plan. The claims monitoring entity is a Business Associate of the TPA and should be addressed as a subcontractor within the Business Associate contract between the medical plan and the TPA.

Next Steps

You should always know who your Business Associates are and should make sure you have a list of all the current vendors who provide services related to your health plans. Of these vendors, which ones use PHI to perform a function on behalf of a group health plan?

These are your Business Associates, and you should maintain current Business Associate contracts with all of them. Don’t forget to make this an implementation step when adding a new vendor who will be a Business Associate to your health plan(s).

[1] In Part One, we addressed that insurance carriers are the Covered Entities for fully-insured group health plans and that employers/plan sponsors generally have few obligations under the Rules for those plans.

[2] A third party that only transmits PHI without accessing or storing it may qualify for an exception as a mere conduit of the information.

[3] A failure to enter into the contract does not mean the third party is not your Business Associate and just subjects you to potential penalties for non-compliance.


Better Late Than Never

November 16, 2018


The Internal Revenue Service released Revenue Procedure 2018-57 today, which contains the 2019 cost-of-living adjustments for various employee benefit plans including employer sponsored health care flexible spending accounts, qualified transportation fringe benefits, and adoption assistance programs. The following provides a summary of the annual limits for these specific benefit programs along with a summary of the 2019 high deductible health plan and health savings accounts limits announced earlier this year.

Each of the limits described below is applicable for taxable years beginning in 2019. If you have any questions or need further details about the tax limits and how they will impact your employee benefit programs, please contact your account team.

Health Care Flexible Spending Accounts
Employees will be allowed to contribute up to $2,700 per plan year.

Qualified Transportation Fringe Benefit
The monthly dollar limit on employee contributions has increased to $265 per month for the value of transportation benefits provided to an employee for qualified parking. The combined transit pass and vanpooling expense limit will also increase to $265 per month.

Adoption Credit/Adoption Assistance Programs
In the case of an adoption of a child with special needs, the maximum credit allowed under Code Section 23 is increased to $14,080. The income threshold at which the credit begins to phase out is increased to $211,160. Similarly, the maximum amount that an employer can exclude under Code Section 137 from an employee’s income for adoption assistance benefits is increased to $14,080.

HDHP and Health Savings Account (HSA) Amounts
Earlier this year, the IRS released Revenue Procedure 2018-30 which included the 2019 minimum deductible and maximum out-of-pocket limits for high deductible health plans (HDHPs) and the maximum contribution levels for HSAs.

  • The minimum annual deductible for a plan to qualify as a HDHP will remain at $1,350 for self-only coverage and $2,700 for family coverage;
  • The maximum annual out-of-pocket limits allowable under an HDHP will increase to $6,750 for self-only coverage and $13,500 for family coverage; and
  • The 2018 maximum allowable annual contribution employees may make to their HSAs will increase to $3,500 for an individual with self-only coverage and increase to $7,000 for an individual with family coverage.

The HSA catch-up contribution limit for participants who are 55 or older on December 31, 2019, remains an additional $1,000 per year.


Health Reimbursement Arrangements Poised for a Facelift

November 2, 2018


The President signed an Executive Order on October 12, 2017, directing the U.S. Departments of Labor, Treasury, and Health and Human Services (collectively, the “Agencies”) to consider rules expanding the availability and permitted uses for Health Reimbursement Arrangements (HRAs). The clear intent was to ultimately enable employers to offer HRAs to employees that can be used to purchase individual insurance policies. The Agencies issued a set of proposed regulations addressing this and related issues on October 23, 2018.

The Bottom Line
We’ll address the proposed rules in more depth under Some Details About Individual Insurance HRAs below, but the main takeaways are:

  1. Premiums – Employers will be able to offer HRAs to employees that can be used to pay for individual health insurance coverage premiums. These will be referred to as “Individual Insurance HRAs” in this article.
  2. Employer mandate – Individual Insurance HRAs can be used to avoid employer mandate penalties under the Affordable Care Act (ACA).
  3. It’s one or the other – An employer can offer traditional group health coverage to a class of employees or an Individual Insurance HRA, but not both.

So, When Exactly?
The proposed effective date is for plan years beginning on or after January 1, 2020. The comment period for the proposed regulations will last through the remainder of 2018. The proposed regulations cannot be relied upon as a safe harbor. The final regulations will probably not appear before mid-2019 and may not differ much from the details described below.

Some Details About Individual Insurance HRAs

Item Guidance


Employees (including former employees) and dependents who are enrolled in major medical coverage purchased in the individual insurance market[1]

Coverage for any part of a month for which a premium is due qualifies

Classes of Employees


Employers may divide their workforces into the following classes of employees:

  1. Full-time employees
  2. Part-time employees
  3. Seasonal employees
  4. Employees covered by a collective bargaining agreement
  5. Employees eligible for the employer’s traditional group health coverage, but who are in a waiting period
  6. Employees who are under age 25 at the beginning of the Individual Insurance HRA plan year
  7. Foreign employees working abroad with no U.S.-sourced income
  8. Employees primarily employed in the same insurance community rating area

If an Individual Insurance HRA is offered to a class, it must be offered on the same terms to all employees within the class[2] (benefit levels may only vary based on age and family size within a class)

If an employer offers an Individual Insurance HRA to a class of employees, it may not offer its traditional group health coverage to that class[3]

Note: There are no other permitted classes such as hourly versus salaried employees.

ACA and the Employer Mandate


An Individual Insurance HRA automatically qualifies as minimum essential coverage and is an “offer of coverage” for the purposes of satisfying the ACA’s employer mandate

An Individual Insurance HRA (with its individual major medical insurance policy) is automatically deemed to satisfy the ACA’s minimum value requirement

An Individual Insurance HRA is deemed “affordable coverage” if the difference between the monthly premium for the lowest cost available silver plan and 1/12th of the annual Individual Insurance HRA contribution is equal to or less than the applicable affordability safe harbor percentage.

Affordable Coverage Example

In 2020, an employer makes an annual contribution of $3,600 to an employee’s Individual Insurance HRA. The monthly premium for the lowest cost available silver plan is $400.

$400 – ($3,600/12) = $100/month

The Individual Insurance HRA is an affordable offer of coverage for the employee if $100/month is within an affordability safe harbor for that employee in 2020



Employees are required to substantiate enrollment in individual coverage (including for any dependents) each time a request for reimbursement is submitted

An employer may rely on the employee’s attestation of coverage or require reasonable proof of enrollment (such as an ID card)



Employees must be permitted to waive participation annually, although the Individual Insurance HRA may still be considered an offer of affordable, minimum value coverage by the employer

ERISA Status, etc.


The Individual Insurance HRA itself is an employer-sponsored group health plan

The individual insurance coverage reimbursed by the HRA will not be considered an ERISA plan offered by the employer so long as the employer does not sponsor it or play a role in its selection

Cafeteria Plan Option


An employer may allow employees to pay for any remaining premium for the individual insurance policy through the employer’s cafeteria plan, but this is not available for coverage purchased through the public insurance exchange

Notice Requirements


Employers must provide eligible employees with a notice describing the terms of the Individual Insurance HRA and the effect it may have on the employee’s eligibility for a subsidy in the public insurance marketplace

[1] This does not currently include short-term, limited duration insurance.

[2] An employer can offer an Individual Insurance HRA to some former employees within a class and not others so long as the terms are uniform.

[3] Employees are not treated as having been offered group health coverage while in a waiting period.

And for Good Measure…
The Agencies also created another category of HRA known as an “Excepted Benefit HRA” that may be offered on a standalone basis exempt from the ACA’s mandates if all of the following are true:

  • The employer offers traditional group health coverage to the employee (this means the employee cannot also be offered an Individual Coverage HRA);
  • The maximum annual reimbursement is $1,800 (indexed);
  • Reimbursements are limited to general medical expenses and premiums for COBRA, short-term limited duration insurance, and other excepted benefits coverage (this can include many types of non-major medical health coverage); and
  • The Excepted Benefit HRA is available on a uniform basis to all similarly situated employees.[4]

[4] This is based on HIPAA’s “similarly situated groups” rule and is not tied to the permitted classes of employees under the Individual Insurance HRA.


Do the HIPAA Privacy and Security Rules Apply to My Organization?

October 22, 2018


This article is the first in a two-part series addressing whether and how the Privacy and Security Rules (the “Rules”) under the Health Insurance Portability and Accountability Act (HIPAA with one P and two As, always) apply to various legal entities. This article addresses Covered Entities. Part two will address Business Associates.

What’s a Covered Entity?

There are three types of Covered Entities under the Rules. We’ll describe all three below, although the remainder of this article focuses on the Rules as they relate to employer-provided group health plans.

  1. Health care providers that engage in certain types of electronic transactions – Health care providers generally include what you’d expect, such as hospitals, clinics, pharmacies, nursing homes, health care practices, individual health care professionals, etc. To be a Covered Entity, the health care provider has to engage in certain types of electronic transactions including determinations of eligibility, billing, payment, and the coordination of benefits. Even in the rare instance that a health care provider is not subject to the Rules, other federal and state law likely affects how the provider may access or use personal health information.
  2. Health care clearinghouses – These have nothing to do with sweepstakes prizes and usually operate invisibly in the background as a go-between health care providers and health plans. A health care clearinghouse receives health information from an entity and processes the health information into a format usable by another entity. The best example we can give you occurs when a health care provider transmits billing information to a third party, the third party reprices the claims and formats the information into a new data set, and transmits the data set to a third party administrator or insurance carrier enabling it to process and pay the claims. The third party repricing and formatting the billing information in this example is a health care clearinghouse.
  3. Health plans – A health plan is a plan that provides or pays for the cost of medical care. Simple, right?

Group Health Plans

There are many types of benefits that involve personal health information. A plan is only a Covered Entity under the Rules if it is a health plan that provides or pays for the cost of medical care. Covered Entity status transforms a lot of personal health information that may be held or used by or on behalf of the health plan into Protected Health Information.[1]

In a nutshell, Protected Health Information (PHI) is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity; and
  • Maintained or transmitted in any form.

We’re focusing on employer-provided group health plans and will provide an overview of their obligations under “Group Health Plan Responsibilities Under the Rules” below.

Is it a Group Health Plan?



Maybe So

  • Medical
  • Prescription drug
  • Dental
  • Vision
  • Health FSAs
  • HRAs
  • EAPs (if not just a referral service)
  • AD&D
  • Business travel accident
  • Leave administration (e.g. FMLA)
  • Life
  • Stop-loss
  • Workers’ Compensation insurance
  • Onsite clinics
  • Long-term care
  • Wellness programs


[1] Even though a benefit plan may not be subject to the Rules, personal information created or used by the plan may still be protected under other federal or state law.  For example, leave administration and disability insurance are not generally subject to the Rules, but limitations under the Americans with Disabilities Act or other laws may apply.

A group health plan is exempt from the Rules if it covers fewer than 50 current and/or former employees and is self-administered by the employer without the assistance of a third party administrator or insurance carrier. This is hard to meet, but some small health flexible spending account (health FSA) or health reimbursement arrangement (HRA) plans may qualify.

Unlike ERISA, the Rules contain no exception for church or governmental plans.

What Did You Mean by “Maybe So?”

  • Onsite clinics – This feels like a trick. At first glance, you’d think an employer-provided onsite clinic might be a Covered Entity both as a health care provider and as a group health plan, but what seems obvious isn’t necessarily so. First, an onsite clinic might be operated in such a way that it doesn’t engage in any of the electronic transactions that would cause it to be a Covered Entity as a health care provider. As a precaution, we recommend an employer seek the assistance of legal counsel before taking the position the Rules do not apply to its onsite clinic. Again, even though the Rules may not apply, personal information may still be protected by other federal or state law. Second, an onsite clinic that merely provides first aid-type services is not a health plan at all under the Rules. Third, an odd exception under the Rules seems to exclude onsite clinics that are health plans, even when the onsite clinic is integrated into other group health plan coverage (but see “It’s a bird, it’s a plane” below).
  • Long-term care – A long-term care policy is a group health plan unless it is limited to nursing home fixed indemnity coverage.
  • Wellness programs – Wellness programs can include programs that include medical care (e.g. biometric screenings and targeted health coaching) and those that do not (e.g. general education and activity challenges). If a wellness program does not include any medical care services, it is not subject to the Rules. In many instances, a wellness program will include both medical care and non-medical care services and/or be integrated into an employer’s medical plan (please see “It’s a bird, it’s a plane” below).

Does Self-Insured vs. Fully-Insured Matter?

It must, or we wouldn’t have a section addressing it, right? If a group health plan is self-insured, it is generally subject to all of the compliance obligations under the Rules. If a group health plan is fully-insured, many of the compliance obligations under the Rules belong to the insurance carrier if the plan (through its plan sponsor acting on the plan’s behalf) is “hands off” PHI.

  • “Hands Off” PHI – The plan sponsor does not create or receive PHI other than enrollment/disenrollment information or summary health information for the purposes of obtaining premium bids or modifying, amending, or terminating the plan. Many fully-insured group health plans qualify as “hands off” PHI. We can hear the howls of protest, but self-insured group health plans cannot qualify for “hands off” PHI relief under the Rules no matter how little the plan sponsor may be involved with their administration.
  • “Hands On” PHI – This applies if the plan sponsor is not “hands off” PHI and can access or receive specific information about claims information or payment.

We will provide an overview of the responsibilities for self-insured group health plans and fully-insured plans that are “hands off” or “hands on” PHI under “Group Health Plan Responsibilities Under the Rules” below.

It’s a Bird, it’s a Plane…

Sometimes, a legal entity may include parts that are subject to the Rules and others that are not. The Rules refer to this as a “hybrid entity” and examples include:

  • A welfare benefit “wrap plan” that incorporates both medical and non-medical care benefits such as medical, dental, vision, group term life, accidental death & dismemberment, business travel accident, and long-term disability benefits;
  • A standalone wellness program that includes both medical and non-medical care benefits such as biometric screenings, targeted health and nutritional counseling, general education, and step and/or healthy eating challenges; and
  • A Walgreens or CVS store that includes a pharmacy.

Left as is, the entire “hybrid entity” must comply with the Rules. However, the Rules allow a “hybrid entity” to separate itself for compliance purposes by designating which parts make up the Covered Entity and which do not. The Rules appear to only require this designation in the Covered Entity’s HIPAA Privacy and Security policies and procedures, but it wouldn’t be the worst idea ever to also include this in the corresponding plan document.[2]

Group Health Plan Responsibilities Under the Rules

A plan/plan sponsor can generally reduce its liability by limiting its contact with PHI. Many of the responsibilities in this section can be delegated to third parties, but the plan remains responsible for compliance with the Rules.

[2] The plan document will need to include certain HIPAA Privacy and Security language anyway, and the designation can go there.

Self-Insured Group Health Plan and Fully-Insured Group Health Plan that is “Hands On” PHI[3]

  • Appoint a HIPAA Privacy and Security officer (they can be different people in your organization)
  • Identify the Covered Entity workforce (people in your organization that work with PHI to help administer your plan)
  • Address all the administrative, physical and technological standards of the Security Rule
  • Draft HIPAA Privacy and Security policies and procedures indicating how the plan complies with the Rules
  • Train your Covered Entity workforce on your policies to safeguard PHI
  • Identify all the plan’s Business Associates and enter into Business Associate Agreements with them
  • Maintain a notice of privacy practices and distribute as required
  • Create procedures to investigate potential breaches and address breach notification requirements
  • Create a complaint process and designate a complaint contact
  • Maintain processes for requesting restrictions, confidential communications and amendments to health information
  • Amend plan document to comply with certain HIPAA Privacy and Security Rule requirements


Fully-Insured Group Health Plan that is “Hands Off” PHI

The plan may not:

  • Intimidate or retaliate against participants who exercise their rights under the Rules; or
  • Require participants to waive their rights under the Rules

The plan has to comply with a limited number of safeguards under the Security Rule:[4]

  • Appoint a HIPAA Security officer
  • Perform a periodic risk analysis (this will document all PHI is in the hands of third parties such as the insurance carrier or a business associate and not the plan/plan sponsor)
  • Document that the risk management procedures for PHI used by the insurance carrier are adopted by the plan and that the plan requires no additional measures to reduce risk
  • Identify all the plan’s Business Associates, if any, and enter into Business Associate Agreements that comply with the HIPAA Security Rule requirements
  • Amend plan document to comply with certain HIPAA Security Rule requirements

[3] We realize these are generally overlooked and likely present little risk.

[4] From a compliance perspective, the differences between the two types of plan are minor.
