In This Issue
· Small Health Plan: HHS Clarification
· HIPAA Privacy Rules
· Alert: German Operations Pension Obligation
· Military Service Counts Toward FMLA Eligibility
· Health Care Cost Projections
· Since You Asked — HIPAA Actively-At-Work Provisions
· Disability Benefits Allowed In Employer 401(k) Plan
· States and Insurers Explore Ways to Cut Prescription Costs
· Health Benefits for Retirees Continue to Shrink
· Health Care Study: Quality Improves as Costs Surge
· DOJ: Antitrust Enforcement In the Health Industry
· Change in Dependent Care Tax Credit
______
Small Health Plan: HHS Clarification
Small plans, defined as those with less than $5 million in annual receipts, have an additional year to comply with HIPAA administrative simplification rules. This means that small plans have until October 16, 2003 to comply with the electronic transactions and code sets standards, even without filing for an extension. Small plans also can take until April 14, 2004 to comply with the HIPAA privacy requirements.
The items that constitute an employer-sponsored health plan’s annual receipts determine if the delayed compliance dates apply. Many experts believed that HHS’ initial definition was so ambiguous that even very small plans and employers could not rely on it. Even with the recent HHS comments, questions remained about exactly which items would count as annual receipts.
Then, on September 19, 2002, the HHS issued a clarification which states, in part, that “[f]ully insured health plans should [count as annual receipts] the amount of total premiums which they paid for health insurance benefits during the plan’s last full fiscal year.” We have recommended that plans measure annual receipts by totaling employee and employer contributions toward coverage under the plan (including employer contributions used to pay for insurance coverage), and we continue to support that approach.
With respect to a self-insured plan the guidance is less clear. In its comments, HHS states that such a plan “should [count as annual receipts] the total amount paid for health care claims by the employer, plan sponsor or benefit fund . . . on behalf of the plan during the plan’s last full fiscal year.” We interpret this to mean that whatever amounts are paid out in claims under a self-insured plan should be counted toward annual receipts — even if funded entirely or in part by employee contributions.
HHS’ new response also says that plans providing both insured and self-insured benefits should apply the above measurement methods with respect to each type of benefit and then total the results.
This updated definition expands the number of plans qualifying for the delayed effective dates. For example, based on an annual per-employee coverage cost of less than $10,000, most health plans covering up to 500 employees will qualify as small plans and will be able to rely upon the small plan delayed compliance deadlines. It’s important to note that this new response is not binding on HHS, and it would be prudent to finalize your plan’s extension filing with respect to the electronic transactions and code sets standards even if your plan qualifies as a small plan under the HHS comments.
HIPAA Privacy Rules
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. Among other things, HIPAA required the Department of Health and Human Services (HHS) to adopt rules requiring health plans and others to adopt and implement measures to protect the privacy of health information. The privacy rules initially become effective April 14, 2003, and impose numerous requirements on employer-sponsored health plans.
Almost all employer-sponsored health plans are subject to the privacy rules and the compliance burden generally will fall on the employer that maintains the plan. Fully insured health plans can use a shortcut that will greatly reduce their compliance burden, but only if the employer severely limits its involvement in plan administration. Plans that are not fully insured for this purpose, including self-funded health plans like health flexible spending accounts, will not have the option of using the compliance shortcut.
The following are requirements that apply to these ineligible employer-sponsored health plans. The requirements are described as they apply to the plan as a whole, without trying to identify who among the employer, third party administrator, or other third parties should perform each task. Generally, employers must ensure that their plans meet all of the privacy requirements. While employers can delegate performance of various requirements to third parties, they retain their responsibility to make sure that the delegated requirements are performed.
Basic Rules
Health plans can use and disclose “protected health information” only as specified in the rules. The rules impose conditions, limitations and documentation requirements on virtually every use a health plan might make of an individual’s health information. For example, a health plan cannot disclose protected health information to the employer who sponsors the plan, except in limited circumstances. Protected health information is defined broadly and includes enrollment and claims payment information. Even the fact that an individual is enrolled in an employer-sponsored health plan is considered protected health information.
Individuals can authorize uses and disclosures of their protected health information that are not otherwise permitted under the privacy rules. A health plan generally cannot condition coverage or benefits on whether an individual provides such an authorization. Authorizations must also meet exact criteria, including specifying the information to be used or disclosed.
Health information that is stripped of any data which links the information to a specific individual is no longer subject to the privacy rules. However, this information will be of very limited usefulness to an employer seeking to manage health benefits costs. The privacy rules also provide a way for employers to get information with some identifying geographic information, but employers are allowed to use this information only for purposes of placing or replacing insurance under the plan or determining whether to amend or terminate the plan.
Permissible Uses and Disclosures
A health plan can use or disclose protected health information, without authorization, only in limited circumstances. Most health plan uses and disclosures will be for activities required to decide whether benefits are payable, such as eligibility determinations, utilization review, medical necessity determinations, and purposes like obtaining payments from stop-loss insurers and auditing claims payments for accuracy.
Health plans that engage third parties to provide administrative and other services are allowed to disclose protected health information to those third parties only if the health plan first obtains a legally-enforceable contract in which the third party agrees to protect the privacy of the information. Similarly, employer-sponsored health plans can allow employers to use and disclose health information for plan administration, but must first include plan provisions imposing various privacy obligations on the employer and obtain an employer certification regarding those provisions.
Health plans also are allowed to disclose protected health information as required by law, subject to a number of conditions and restrictions. A plan also may disclose protected health information for a variety of public policy purposes, like reporting crimes and fraud prevention, but, again, subject to numerous conditions and restrictions. The privacy rules include a number of complex provisions regarding use of health information for research purposes, but those have little relevance to health plans.
Verification Requirements
A health plan may always disclose an individual’s protected health information to that individual or to the individual’s personal representative as long as the health plan verifies the identity of the person to whom it is disclosing information. We envision these verifications being made through identification numbers and PINs, in much the same manner as a bank verifies identity before releasing account information. This is a function that will likely become an industry-wide basis over the next several months.
Required Uses and Disclosures
The privacy rules afford individuals a number of rights with respect to health plans and other covered entities that hold their protected health information. Some of these rights require a health plan to allow an individual access to his or her protected health information and to account to the individual for non-routine disclosures the health plan has made of the individual’s information. Health plans also are required to provide protected health information to HHS upon request.
Minimum Necessary Uses and Disclosures
Even when a use or disclosure is permissible and the identity of the recipient of the information has been verified, the privacy rules impose a “minimum necessary” limit on the amount of information that a health plan can disclose or request. Under this rule, a health plan must determine and document the minimum amount of information that is reasonably necessary for its routine uses, disclosures and requests. In addition, the plan must adopt criteria for determining the minimum amount of information reasonably necessary for anticipated non-routine uses, disclosures and requests.
Other Limits and Requirements
Notices: Health plans must distribute notices of their privacy practices to all plan participants, and plans are prohibited from using or disclosing protected health information in any manner that would conflict with the terms of the notice. The notice must specifically describe disclosures of protected health information to the employer, as well as certain other uses and disclosures, in order for those uses and disclosures to be permissible
Agreed-Upon Restrictions: Health plans must allow individuals to request that their protected health information not be used or disclosed in a particular manner. Health plans are not required to agree to these requests, but are bound to comply with them if they agree to do so.
Confidential Means of Communication: Health plans must allow individuals to request that health plans use an alternate means of contacting the individual and, in cases where the individual says failure to do so would endanger the individual, the health plan is required to agree to do so.
Marketing: No use or disclosure of protected health information for marketing purposes is permitted without the individual’s authorization. For example, providing a list of participants in a health plan to an insurer so that it could advertise its supplemental coverage to them is prohibited.
Psychotherapy Notes: Disclosure of psychotherapy notes is generally prohibited without an individual’s authorization.
Policies and Procedures: Plans must adopt explicit, written policies and procedures reflecting the plan’s handling of protected health information and implementation of the rules.
Safeguards: Reasonable physical, technical and administrative safeguards must exist with respect to protected health information to prevent inappropriate use or disclosure.
Sanctions: Appropriate sanctions to third party service providers who do not comply with required privacy protections are mandated.
Complaint Procedure: A complaint and response process with respect to the plan’s privacy policies, procedures and practices must be maintained.
Privacy Officer: A privacy officer and a contact person or office for complaints and inquiries about privacy practices must be established.
Training and Enforcement: Training employees about the plan’s policies and procedures with respect to health information and enforcing those policies and procedures with sanctions when employees fail to follow them is required.
Documentation: The plan’s compliance measures must be documented and kept for at least six years following their last effective date.
Non-retaliation/Non-waiver: Retaliating against those exercising their rights under the privacy rules and requiring waivers of rights under the privacy rules is strictly prohibited.
Alert: German Operations Pension Obligation
The German government recently enacted legislation which requires the immediate attention of employers with operations inside Germany. The new German law requires that employers choose and implement a specific type of 100 percent employee-paid pension plan before December 31, 2002 — or employees will be able to choose their own carrier and pension benefit. In other words, if an employer fails to establish a plan of its choosing by the year-end deadline, the employer will be required to comply with the employees’ demands for pension services. This could lead to an employer’s being obligated to sponsor a multitude of different pension programs — obviously a burdensome and sobering prospect. German employers are scrambling to comply or suffer the administrative/ financial consequences and potential liabilities.
To avoid the complications and unanticipated costs that may be associated with employees dictating the terms of your pension program, consider your compliance options now and contact your Willis representative as soon as possible. Our international benefit practice is available to help you implement a meaningful and cost-effective compliance strategy.
Military Service Counts Toward FMLA Eligibility
After September 11, 2001, many employers faced the temporary loss of some of their employees when military reservists were called to action. Those individuals were protected by the Uniformed Services Employment and Reemployment Rights Act (USERRA), and accorded the same rights that they would have had if they had been continuously employed during that time period. Now, some of those military personnel are returning to work and might need to request Family and Medical Leave (FMLA) related to their own or their family’s circumstances. The DOL released guidance that now requires employers to credit USERRA service time when calculating a worker’s FMLA eligibility.
FMLA leave grants a qualifying employee 12 weeks of leave during a 12-month period because of childbirth, adoption, foster care, or a serious health condition of the employee or certain family members. To be eligible for this unpaid leave, an employee must work for a covered employer for at least 12 months and must have worked at least 1,250 hours for that employer during the 12-month period immediately before the start of the leave.
If an employee is away from work due to military service, it may be impossible for that employee to meet the 1,250-hour requirement in order to qualify for FMLA leave. Because neither USERRA nor the FMLA specifically addressed whether military service would count toward the 1,250-hour requirement in order to qualify for FMLA leave, the Department of Labor issued a memorandum clarifying that an employee’s length of military service (combined with any qualifying time immediately preceding the military service) counts toward the FMLA eligibility requirements.