Document Archive > Imminent Compliance Deadlines

Imminent Compliance Deadlines: Plan Sponsors Must Act
ACA and HIPAA

Although the Patient Protection and Affordable Care Act’s (ACA’s) penalty phase of the Pay or Play requirement has been postponed, the Exchange Notice requirements remain with a deadline for plan sponsors to provide the Notices by October 1, 2013. As to the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) published the final regulations in January 2013 for the Health Information Technology for Economic and Clinical Health (HITECH) with a plan sponsor compliance date of September 23, 2013.

The purpose of this Memorandum is to provide plan sponsors with an overview of the rules as well as model notices to assist plan sponsors in meeting their compliance obligations under these two areas.

October 1, 2013: ACA’s Exchange Notice Deadline

In May 2013, the Department of Labor (DOL) issued temporary guidance addressing the Exchange notice requirements under the Health Care Reform laws (HCR). Pursuant to these requirements, plan sponsors are required to provide written notice to employees of the availability of the coverage through the Exchanges (or Marketplaces) by October 1, 2013.

§  Notice Content. The notice must include the following content:

o   Information regarding the existence of the new Marketplace;

o   Contact information and a description of the services provided by the Marketplace;

o   A statement that the employee may be eligible for a premium tax credit if the employee purchases a qualified health plan (QHP) through the Marketplace; and,

o   A statement informing the employee that if the employee purchases a QHP through a Marketplace, the employee will lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for federal income tax purposes.

§  The Forms to Use. Plan sponsors may use the model notices contained in the new guidance. These notices include a model notice for employers who offer a health plan and a model notice for employers who do not offer a health plan. Plan sponsors may use one of these models or develop a modified version as long as it meets the DOL’s content requirements. We recommend that, to the extent possible, employers should use the DOL models.

§  Delivery of the Marketplace Notice. Plan sponsors must provide the notice to employees in writing in a manner calculated to be understood by the average employee and it must be provided automatically and free of charge. Employers may use first-class mail or, alternatively, by electronic means, so long as the DOL’s electronic disclosure safe harbor requirements are met (Safe Harbor). The Guidance has no notice requirements for spouses or dependents. The Notice must also be provided to new employees within 14 days from date of hire.

§  Electronic Delivery Safe Harbor. Generally, the plan sponsor must notify the employee each time a document is provided electronically, the significance of the document, and that a paper copy is available at no charge upon request. In addition, the method of disclosure must be reasonably calculated to ensure actual receipt. The DOL considers the use of return-receipt, notice of undelivered mail features or periodic surveys as permissible ways to confirm receipt.

Participants who have work-related computer access and whose access to the employer’s electronic information system is an integral part of his or her employment duties are not required to consent to the electronic disclosure. However, the employer must obtain consent from employees who do not have work-related computer access (e.g. outside sales people) or whose access is not an integral part of their employment duties, and from other beneficiaries (i.e. covered spouse or COBRA participant).

Covered California

The federal Exchange Notice will apply to all California plans as of October 1, 2013. As far as other California notices, the California legislature (A.B. 792) also requires insurers and Health Care Service Organizations (HMOs) to provide notice about the availability of Covered California and other notices, such as MediCal, to plan participants who lose employer-sponsored health insurance coverage (medical only). This California rule will not apply to self-insured medical plans.

September 23, 2013: HIPAA Compliance Deadline

As noted in detail in our 2013-7 Memorandum, in January 2013, the HHS released final regulations that revised existing regulations under HIPAA. Group health plans that generate Protected Health Information (PHI), whether in hard copy or electronically, must comply with the final regulation by September 23, 2013, including updating the Notice of Privacy Practices (NOPP) and Business Associate Agreements (BAAs).

The following links provide Word versions of our sample revised BAA and NOPP:

§  Sample revised BAA

§  Sample revised NOPP

Revised NOPP. The final regulations require material modifications to existing NOPPs and include special distribution rules for health plans.

§  Website Posting. The revised NOPP (or an explanation of the material changes to the NOPP) must be posted prominently on the group health plan’s website by September 23, 2013. The group health plan must also provide the revised NOPP (or an explanation of the material changes and instructions for receiving a hard copy of the revised NOPP) in its next annual mailing (i.e. open enrollment) to individuals then covered by the plan. It may be permissible for the “annual mailing” to be via email, provided that the employer or plan sponsor complies with the electronic distribution rules that apply to summary plan descriptions.

§  No Website. If the group health plan does not have its own website, the notice (or an explanation of the material changes to the NOPP) must be delivered to participants by November 23, 2013.

§  Reminder. The health plan must be prepared to provide the revised NOPP upon request of a plan participant no later than September 23, 2013

What changes are required?

§  Breach. The NOPP must explain that individuals will be notified by the covered entity following a breach of unsecured PHI.

§  Authorization. The NOPP must explain that the individual’s authorization will be required for: (i) most uses and disclosures of psychotherapy notes (if applicable), (ii) uses and disclosures of PHI for marketing purposes, and (iii) disclosures that constitute a sale of PHI.

§  Genetic Information. If a health plan intends to use or disclose PHI for underwriting purposes, the NOPP must state that the health plan will not use or disclose an individual’s genetic information for such purposes.

§  Fundraising. If a covered entity intends to contact individuals for fundraising purposes, the NOPP must notify individuals of that fact and of their right to opt out of receiving such communications.

§  Restriction on Uses and Disclosures. For health care providers, the revised NOPP must inform individuals that if they pay the full amount of a health care expense out-of-pocket, they can generally prevent the provider from disclosing information about the expense to a health plan.

BAAs Entered Into On or After January 25, 2013. Group health plans should have new Business Associate Agreements (BAAs) entered into on or after January 25, 2013 in place and up to date with the Final Rule’s provisions no later than September 23, 2013.

BAAs Entered Into Before January 25, 2013. Group health plans with BAAs in effect prior to January 25, 2013 have an extra year to amend those BAAs (until September 23, 2014). This transitional relief is applicable only to BAAs, as the parties must comply with the NOPP as well as all other requirements of the Final Rule by September 23, 2013.