Federal Departments Announce No Enforcement Action Regarding Drug Manufacturer Coupons Counting Toward Out-of-Pocket Maximums
HHS’s 2020 Notice of Benefit and Payment Parameters (“NBPP”) provides that a group health plan does not have to count drug manufacturer coupons for brand-name drugs toward an annual out-of-pocket maximum if there is a medically appropriate generic equivalent. Many questions were raised by this rule, including (i) how it interacts with health savings account guidance and (ii) which types of arrangements and plans it applies to. The DOL, HHS, and the Treasury Department (collectively, the “Departments”) announced in an FAQ (available here) that the Departments will not initiate any enforcement action if a group health plan does not count the value of drug manufacturer coupons toward an out-of-pocket maximum. This non-enforcement policy lasts until HHS’s 2021 NBPP becomes effective, and the 2021 NBPP should clarify how this rule affects employer-sponsored group health plans.
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced a $2.5 million HIPAA privacy and security settlement with CardioNet, a wireless health services provider and covered entity under HIPAA, based on CardioNet’s impermissible disclosure of unsecured electronic protected health information (“EPHI”). The disclosure occurred when a laptop computer belonging to a member of CardioNet’s workforce, which contained the unsecured EPHI of 1,391 individuals, was stolen from a parked vehicle outside of the workforce member’s home. CardioNet reported the breach to OCR and an investigation ensued, pursuant to which OCR determined that (i) CardioNet did not have a sufficient risk analysis and risk management process in place at the time of the theft, (ii) CardioNet had never actually implemented its draft policies and procedures for compliance with HIPAA’s security rules, and (iii) CardioNet was unable to produce any final policies or procedures regarding the implementation…
Section 1557 of the Affordable Care Act (the “ACA”) prohibits discrimination in certain health care programs and activities on the basis of race, color, national origin, sex, age, or disability. HHS recently issued final rules under Section 1557, which specify gender identity discrimination and sexual stereotyping as forms of sex discrimination. However, these rules only apply to “covered entities” as defined for this purpose. The term “covered entity” includes health care systems or providers that accept Medicare Part A or Medicaid and insurance carriers and/or third-party administrators (“TPAs”) that receive federal funding through participation in the public insurance marketplace, which will also have to comply with respect to benefits offered to their own employees. While HHS interprets the rule to impact an insurance carrier’s and/or a TPA’s entire book of business, a TPA is not responsible for discrimination due to a plan sponsor’s self-insured plan design decisions beyond the…
HHS recently entered into a Resolution Agreement with North Memorial Health Care of Minnesota (“North Memorial”) to settle charges that North Memorial potentially violated HIPAA by failing to (1) enter into a business associate agreement with a major contractor and (2) implement a comprehensive risk analysis with respect to the security of its patients’ protected health information. OCR launched an investigation of North Memorial after an unencrypted laptop was stolen from the vehicle of an employee of its business associate. As part of the settlement, North Memorial agreed to pay HHS $1.55 million and to a corrective action plan under which North Memorial must, among other conditions, review and revise its HIPAA policies, procedures, and training as well as develop an organization-wide risk analysis and risk management plan. The Resolution Agreement is available here.
The U.S. Department of Health and Human Services (“HHS”) recently entered into a Resolution Agreement with St. Elizabeth’s Medical Center (“SEMC”) to settle charges that SEMC violated HIPAA by failing to implement sufficient security measures to safeguard protected health information (“PHI”) when using certain Internet-based document sharing applications. In addition, SEMC allegedly failed to timely respond to, and mitigate damages caused by, the breach of unsecured PHI on an employee’s personal laptop and thumb drive. As part of the settlement, SEMC agreed to pay HHS nearly $220,000 and to a corrective action plan under which SEMC must, among other things, review and revise its HIPAA policies, procedures, and training; retrain its workforce who have access to PHI; and submit to certain other reporting and record retention requirements. Employers that sponsor group health plans, in consultation with legal counsel, should undertake a review to ensure full compliance with HIPAA’s privacy and…