As noted in our prior post here, the U.S. Departments of Labor and Treasury recently issued a notice requiring all employee health and welfare benefit plans to disregard the period from March 1, 2020 until 60 days after the announced end of the COVID-19 National Emergency (or other announced date) when determining the deadline to request HIPAA special enrollment, elect COBRA coverage, make a COBRA premium payment, notify the plan of a COBRA qualifying event or determination of a disability, file a benefit claim or appeal, or request an external review of a benefit claim denial. Although the notice did not address whether plan participants needed to be notified of these extended deadlines, plan administrators should be aware that they likely have a fiduciary duty to accurately convey this information to participants. For example, a COBRA election notice that states a deadline to elect or make premium payments without mentioning… Continue Reading
On April 29, 2020, the U.S. Departments of Labor and the Treasury (together, the “Departments”) issued a notice (the “Notice”) requiring that all group health plans, disability and other types of employee welfare benefit plans, and employee pension benefit plans, subject to ERISA and the Internal Revenue Code, must disregard the period from March 1, 2020 until 60 days after the announced end of the COVID-19 National Emergency or such other date as announced by the Departments in a future notice (the “Outbreak Period”) for the following periods and dates: The 30-day period (or 60-day period, if applicable) to request HIPAA special enrollment; The 60-day election period for COBRA continuation coverage; The date for making COBRA premium payments; The date for individuals to notify the plan of a COBRA qualifying event or determination of disability; The date within which individuals may file a benefit claim under the plan’s claims procedures;… Continue Reading
The DOL and the IRS Jointly Provide Relief from Certain Timeframes Applicable to Health and Welfare and Pension Plans
On April 28, 2020, the IRS and DOL issued a Final Rule extending certain timeframes under ERISA and the Internal Revenue Code for group health, disability and other welfare plans, pension plans, and the participants and beneficiaries under those plans. The timeframe extensions include, among other things, the time to elect COBRA and pay premiums, special enrollment timeframes under HIPPA and CHIPs, claims procedure timeframes, and certain external review process timeframes. Applicable plans must disregard the period from March 1, 2020 until 60 days after the announced end of the COVID-19 National Emergency for all plan participants, beneficiaries, qualified beneficiaries, or claimants wherever located in determining the enumerated time periods and dates and for providing COBRA election notices. In addition, Disaster Relief Notice 2020-01 was issued addressing the timeframe relief and addressing certain other COVID-19 relief. The Final Rule is available here: https://www.dol.gov/sites/dolgov/files/ebsa/temporary-postings/covid-19-final-rule.pdf. Disaster Relief Notice 2020-01 is available here: https://www.dol.gov/agencies/ebsa/employers-and-advisers/plan-administration-and-compliance/disaster-relief/ebsa-disaster-relief-notice-2020-01.
On March 27, 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security Act (the “CARES Act”). This historic $2 trillion relief package received bipartisan support and is part of the third wave of federal government support as the nation copes with the acute economic fallout from the coronavirus (COVID-19) pandemic. Some of the key provisions of the CARES Act that apply to health and welfare plans, educational assistance programs, retirement plans, executive compensation programs, and employment and payroll taxes are outlined below. Health and Welfare Plans Q1. What COVID-19 testing and treatment is our company’s employer-sponsored group health plan required to cover? The Families First Coronavirus Response Act (“FFCRA”) requires an employer-sponsored group health plan (including a grandfathered plan under the Affordable Care Act (“ACA”)) (a “Plan”) to provide coverage for COVID-19 diagnostic testing and services related to the diagnostic testing without any cost sharing (including deductibles, copayments, and… Continue Reading
In light of the recent economic developments stemming from the COVID-19 pandemic, many employers are evaluating their employee benefit plans and how employee and employer costs will be impacted. The following summary provides a list of questions we have been receiving from clients over the past week, along with action items to help employers address these issues. Health and Welfare Plans and Fringe Benefits Should benefits coverage continue while an employee is on an unpaid furlough? If so, how would the employee pay the employee’s portion of the premium? Could the employee elect to drop coverage due to the reduction in hours of active service? Could the employer pay for coverage for some or all of its furloughed employees? Continued eligibility for benefits will depend on whether the employer treats the furlough as a termination of employment or as an unpaid leave of absence. The terms of the plan, including… Continue Reading
The HHS Office for Civil Rights (“OCR”), which is the agency responsible for enforcement of the HIPAA privacy, security, and breach notification rules (“HIPAA Rules”), announced a recent $2.175 million settlement with a covered entity under HIPAA (the “Covered Entity”) for the Covered Entity’s failure to properly notify HHS of a breach of unsecured protected health information (“PHI”) as required by the HIPAA Rules, and other potential violations. Background OCR had investigated the Covered Entity in response to an individual complaint it received that alleged the Covered Entity had sent correspondence to the individual containing another person’s PHI. OCR’s investigation determined that the Covered Entity had mailed correspondence containing the PHI of 577 individuals to the wrong addresses. In some of the correspondence, the PHI consisted of the names and account numbers of the individuals and their dates of medical service. The Covered Entity had reported this incident to HHS… Continue Reading
HHS recently issued a final rule (the “HHS Rule”) that sets out the inflation-adjusted civil monetary penalty (“CMP”) amounts that HHS is authorized to assess or enforce, including for violations of the HIPAA privacy and security rules. The adjusted CMP amounts are applicable to HIPAA violations by a HIPAA covered entity or business associate that occur after November 2, 2015, for which a CMP is assessed on or after November 5, 2019 The HHS Rule is available here.
HHS’s Office for Civil Rights(“OCR”), which is the government agency responsible for enforcement of the HIPAA privacy, security, breach notification, and enforcement rules (the “HIPAA Rules”), recently issued a new fact sheet (“Fact Sheet”). The Fact Sheet recaps the provisions in the HIPAA Rules for which a HIPAA business associate may be held directly liable for compliance. HIPAA business associates of an employer-sponsored group health plan, which is a “covered entity” under HIPAA, would include, for example, the health plan’s third-party claims administrator, a health plan consulting firm, a benefits broker, and the health plan’s outside legal counsel, if such persons or entities create, receive, maintain, or transmit HIPAA protected health information (“PHI”) on behalf of the health plan. The Fact Sheet clarified that OCR has authority to take enforcement action against business associates only for certain requirements and prohibitions of the HIPAA Rules as listed in the Fact Sheet,… Continue Reading
An impermissible acquisition, access, use, or disclosure of HIPAA “protected health information” (“PHI”) under an employer’s group health plan (which is a “Covered Entity” under HIPAA) is not uncommon. If such a breach occurs with respect to the PHI of a Covered Entity, the employer needs to know that the Covered Entity may be required by HIPAA’s breach notification rules (the “Breach Rules”) to issue certain notices and perform other tasks. Analysis of the Impermissible Acquisition, Access, Use, or Disclosure of PHI An impermissible acquisition, access, use, or disclosure of PHI is presumed to be a “breach” unless the Covered Entity demonstrates that there is a low probability that the PHI has been compromised. The Breach Rules outline the four-factor risk assessment that a Covered Entity must perform (and document) in order to make such a demonstration. If, after completing the step above, the Covered Entity determines that a “breach”… Continue Reading
OCR Provides Informal HIPAA Guidance Regarding Disposal of Electronic Devices and Media Containing PHI
In a July 2018 newsletter, the Office of Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”), the federal agency responsible for enforcement of the HIPAA privacy, security, and breach notification regulations (collectively, the “HIPAA Rules”), provided informal guidance to HIPAA “covered entities”, such as employer-sponsored group health plans (“Covered Plans”), regarding the disposal of electronic devices and media that house “protected health information” (“PHI”). Examples of such devices and media include desktop and laptop computers, tablets, copiers, servers, smart phones, hard drives, USB drives, and other electronic storage devices. Employer-sponsors of Covered Plans should take note of the following key points raised by the newsletter’s guidance: A covered entity’s performance of a “risk analysis” (which is a required step to comply with the HIPAA Rules) plays a critical role in determining how best to protect PHI stored on electronic devices and media that has reached… Continue Reading