SCOTUS BLOCKS FEDERAL VACCINE MANDATE
After a long road of legal challenges and in a much-anticipated ruling, moments ago, the United States Supreme Court blocked the COVID-19 Vaccine Mandate.
In the final blow to the sweeping requirements set to impact over 80 million workers across the nation and their employers, SCOTUS found that the Emergency Temporary Standard (ETS) issued by the Occupational Safety and Health Administration (OSHA) exceeded the power given to it by Congress. This means that the requirements for employers with 100+ employees to implement policies that required employees to receive the COVID vaccine or wear masks and test weekly are dead in the water.
"Although Congress has indisputably given OSHA the power to regulate occupational dangers, it has not given that agency the power to regulate public health more broadly," the court's majority said. "Requiring the vaccination of 84 million Americans, selected simply because they work for employers with more than 100 employees, certainly falls in the latter category."
Further, the court ruled that OSHA lacked the authority to impose such a mandate because the law that created OSHA "empowers the Secretary to set workplace safety standards, not broad public health measures."
"Although COVID-19 is a risk that occurs in many workplaces, it is not an occupational hazard in most," the Court ruled. "COVID–19 can and does spread at home, in schools, during sporting events, and everywhere else that people gather. That kind of universal risk is no different from the day-to-day dangers that all face from crime, air pollution, or any number of communicable diseases."
Alongside the ruling on the OSHA ETS case, the U.S. Supreme Court will allow a portion of the CMS mandate impacting an estimated 10 million health care workers to be enforced. The allowable portion of the CMS mandate requires vaccinations for health care workers who treat Medicare and Medicaid patients at facilities that receive federal funding.
In this ruling, the Court noted that "healthcare facilities that wish to participate in Medicare and Medicaid have always been obligated to satisfy a host of conditions that address the safe and effective provision of healthcare, not simply sound accounting."
Please check back with us as we work to source additional information and resources, particularly next steps for employers who may have already implemented requirements for their workforce, and taking the necessary steps to ensure you continue to meet your state requirements in your workplace.
SCOTUS Decision On Vaccine Mandate: How it Works
At 12 a.m. on January 13th, SCOTUS published a post that they would be live blogging as the court released opinions in one or more argued cases from the current term. Many experts quickly jumped to the conclusion that there was a high likelihood that the ruling on both the OSHA and CMS cases may be the highlight, only to be very quickly disappointed. This early speculation led to a frustrating letdown today as SCOTUS did not release an opinion on the vaccine mandate.
If, like many, you are watching the play-by-play in the news and just want a direct line to the ruling when it comes, here are some information, resources, and quick tips that may help you!
Decision Day
With SCOTUS decisions, it is not as simple as saying we will be able to tune in for X decision on X date. The U.S. Supreme Court does not set dates for releasing opinions but rather posts digitally to a public calendar when opinions will be released without noting what opinions will be included in that release. For example, SCOTUS updated its calendar yesterday for the remainder of January including the note that one new opinion would be released today. Of course, speculation began to fly as to whether the opinion released would be that on the OSHA/ETS cases.
SCOTUS Opinion Releases: How It Works
SCOTUS opinions are often accompanied by a public reading of at least part of the final decision read aloud by the Justice that authored the majority opinion. Opinions are often available for public consumption either via the live SCOTUS blog and/or a live stream (audio and/or video) on the SCOTUS website homepage. Opinion days are posted to the SCOTUS calendar and released at 10am EST on the posted calendar date. If you are watching the releases live there are a couple of good things to know:
- How do I know they have finished releasing opinions for a given day? Opinions are released with an associated number. These are the numbers that correspond to opinions in the left-most column on the court's opinion page. When the court releases multiple opinions on a single day, the R numbers don't appear until the court has released its final opinion of the day. So when an R number DOES appear (as it did for Babcock today), we can be sure the court is done for the day.
- Are there any exceptions? White flags of impatience were being raised across the SCOTUS blog this morning with many expecting and not getting the decision for the OSHA/CMS cases. Given that there are no additional opinion issuance dates on the SCOTUS calendar for the month of January, questions and frustrations began to fly. However, just because you don't see it on the calendar now, doesn't mean a decision is not imminent.
- Opinion issuance days tend to only be scheduled a few days out. And with the opinion announcements purely electronic, we could theoretically get them even when the justices are theoretically on their winter recess -- a change from non-pandemic times.
- Emergency applications are different: Rulings on the vaccine cases could technically come at any time (because they are on the emergency docket, so the court might not announce in advance when they are coming).
Resources to Stay Up-To-Date with SCOTUS
What Employers Should Do While Mandate Is In Limbo?
Make no mistake that both the OSHA ETS and the CMS Healthcare Mandate already have compliance obligations in effect, and you can’t wait until the Court decides in order to act.
While some employers are taking a more conservative approach opting to 'slow roll' plans, policies and issuance of guidance for employees, other employers are moving forward with full compliance anticipating the ETS surviving the Supreme Court. No matter which camp you are in, one of the most vital things needed is consistent and clear communications to your employees on what they can expect in the coming days and where the company stands in regard to implementation and requirements for Vax-or-Test policies.
Currently, OSHA is looking for good faith efforts that employers are beginning to take steps towards compliance with full implementation of the requirements beginning February 1, 2022. To better understand the implications of OSHA's timeline and the definition of 'good faith', please take a look at our more detailed post better outlining what employers need to know.
U.S. Supreme Court Hears Oral Arguments on OSHA ETS
OSHA ETS: Where are we now and what do we know
The United States Supreme Court heard oral arguments today on the legality of the ETS issued by the Occupational Safety and Health Administration in early November. Since the ETS release, legal challenges have been making their way through the legal system, taking employers nationwide on a bit of a see-saw ride on whether the ETS will or will not be instituted come Monday.
Previous to the oral arguments today, on December 17th, a three-judge panel from the 6th Circuit Court of the United States lifted the latest stay and revived the ETS with immediate effect. Within hours of the ruling, an appeal was filed to the US Supreme Court by its challengers and OSHA made announcements on a timeline for enforcement.
Latest ‘Need to Know’ for Employers
Pending any overarching changes that may come from a Supreme Court ruling after oral arguments today, the ETS will take immediate effect on Monday, January 10th. OSHA has announced that it will not issue citations for noncompliance with any requirements of the ETS before January 10th, nor will it issue citations for noncompliance with the standard’s testing requirements before February 9th so long as an employer is exercising reasonable good faith efforts to come into compliance with the standard. Given that these dates are basically upon us, what next steps should an employer be focused on now?
- Determine if you are indeed covered by the ETS. To do so you need to answer the following:
  - Is your workplace normally covered by OSHA?
  - Do you have more than 100 employees nationwide?
  - Are you exempt because you are covered by another ETS or mandate (i.e. Healthcare COVID-19 ETS or Federal Contractor mandate)?
- Gather vaccine status on your workforce.
  - Develop the required vaccination roster for employees. Note whether the employee is fully vaccinated (as defined by the ETS).
- Determine if you will mandate vaccines or conduct testing.
- Develop your vaccine-or-test policy.
  - Create the required mandatory vaccine and/or testing/masking policies required under the ETS.
  - Be prepared to implement said policy should the OSHA ETS move forward to enforcement or if the Supreme Court ruling does not change the current ETS status.
- Conduct compliance training & educate the workforce.
  - Ready communications to inform and educate your workforce about your new policies, including posting necessary notices.
  - Offer training for your managers to aid them in proper communication and enforcement of the said policy.
- Prepare a process/procedure for unvaccinated employee testing.
  - Keep a roster of unvaccinated employees, as well as documentation of weekly tests and test results.
  - Provide a clear policy/procedure for testing and submitting test results.
  - Keep negative/positive test results documented per employee, as employees testing positive within the immediately preceding 90 days do not have to comply with a testing requirement.
  - Provide clear policies for employees (vaccinated or unvaccinated) who may test positive for COVID-19.
- Handling exemptions:
  - Federal law requires that you still need to consider and possibly accommodate valid medical and religious accommodation requests to a vaccination requirement.
  - Ensure your policies provide provisions explaining how employees can request exemptions, including providing access to necessary paperwork, timelines for submission, and any additional policies or procedures that may impact exempt employees (such as remote work requirements, etc).
What’s Next?
Again, we wait to see what the justice system concludes. While many assumptions and predictions are being made, we simply don’t know what we don’t know. The only facts currently are, as of today (January 7, 2022):
- The OSHA ETS is due to take effect on Monday, January 10, 2022
- The oral arguments to both the employer mandate and the CMS rule have concluded. The US Supreme Court is expected to either institute a stay to allow additional time to review the arguments and make a ruling or, and less likely, issue an immediate ruling on the legality of the OSHA ETS and its implementation. Should a stay be issued by the high court, it is widely expected to be announced sometime over the weekend before the ETS can take effect on Monday.
Stay tuned next week for more details as we monitor this developing situation.
Bots Help Government Tackle COVID-19 Challenges
Many are fighting the battle against the coronavirus with programmed software applications, which at this time are helping various agencies with coronavirus data collection. Read this blog post to learn more.
The war against the coronavirus is being fought with science, social distancing, health care … and bots, software applications that run repetitive tasks over the Internet. Public-sector agencies are programming bots to speed the collection and analysis of data about coronavirus infection rates, transform paper-based procurement processes into digital ones, and help employees conduct business when in-person contact is no longer an option.
Robotic Process Automation in the Public Sector
Federal agencies are deploying robotic process automation (RPA) to overcome process or administrative hurdles. The General Services Administration (GSA) used the technology—which automates manual, repetitive tasks through the use of bots—to help track the spread of COVID‑19 in counties across the United States where the GSA has buildings.
Jim Walker, director of public-sector services for UiPath, a New York-based RPA platform provider, said the GSA used bots to gather and update COVID-19 infection data when agency employees became overwhelmed as infection counts rapidly rose. Walker said the GSA has trained about 50 of its employees in the use of RPA to create bots for the agency.
In another case, a government agency in Ireland used RPA to help process the burgeoning number of unemployment benefit claims. When laid-off workers submit an unemployment claim, a bot conducts optical character recognition on data and determines where a person has been employed. When employment and benefits eligibility are confirmed, the bot can deposit benefit funds directly into employee bank accounts.
The U.S. Centers for Medicare & Medicaid Services (CMS) deployed a bot to check on employees working from home. "Previously, the CMS would send out e-mails to confirm the health and welfare of its remote workers but would receive many thousands of e-mails a day in return," Walker said. "A small CMS team was tasked with reviewing those e-mails and creating regular status reports, but it became hard to keep up."
CMS deployed a bot that automatically checks the databases employees regularly access to perform their work. If an employee hasn't logged on for a specified period of time, the bot triggers a welfare check, Walker said.
Creating and Deploying Bots
Experts say RPA platforms can often be quickly installed. Because many basic RPA bots are of the "no-code" or "low-code" variety—meaning they require little or no software coding skills but rather, they function in drag-and-drop fashion—they often can be created, tested and rolled out in a matter of weeks, depending on the use case.
But experts say RPA platforms still require enterprise-grade security protections and the oversight of a designated team to manage bot development and deployment across the organization.
"If the automation challenge is COVID‑19-related, you don't have months or in some cases even weeks to get automation in place," said Keith Nelson, senior director of public-sector services for Automation Anywhere, an RPA platform provider in Arlington, Va. "Organizations often need immediate relief. In the case of HR, once a bot is created, users often simply have to send an e‑mail with a specified subject line to a certain address to activate it. In many cases, there's no need for any coding."
Automation Anywhere recently partnered with Microsoft to create a bot to help process COVID‑19 case forms for the National Health Service in the United Kingdom. Nelson said the initiative was in response to a directive from the World Health Organization to collect clinical data and case forms for coronavirus patients to identify infection trends more quickly.
Expanding Uses of RPA
Some government agencies have turned to bots to help them with onboarding. In this use, RPA can be programmed to verify a candidate's information, fill in and process new-hire forms, transfer that information into HR databases, send required paperwork to new hires, and help provision equipment such as laptops.
HR and IT functions are using automation for such tasks as creating and distributing remote-working agreements for employees, and transforming emergency funding requests from paper to digital formats.
"Many government agencies didn't have work-from-home agreements or support response agreements until COVID‑19 hit," said Steve Witt, director of public sector for Nintex, a Seattle-based automation and process management company. "Many procurement and other processes had been conducted on paper before, where people would sign forms and hand them off to HR or to a manager."
HR functions are also using no-code automation platforms to quickly create digital forms for such tasks as tracking essential employees coming to and leaving work. For example, to track exposure and risk to employees, the forms might sit on a kiosk at a reception desk and request details about where employees have recently traveled.
"If HR needs to quickly build out a digital form, they can do it without requiring support from IT," Witt said. "That's helpful during the COVID crisis because IT is often scrambling to keep up with the technical-support demands of employees now working from home."
Companies are using RPA with popular collaboration platforms like Microsoft Teams, and there are concerns that RPA will replace HR or IT jobs after the COVID‑19 crisis begins to recede. Experts say that, to date, the technology more often has replaced tasks, not entire jobs.
"A government employee might have 50 things to do every day but can only get to 40 of them," Walker said. "If you can automate those 10 tasks with bots, you haven't taken a job away but rather helped that worker do his or her job more efficiently."
SOURCE: Zielinski, D. (27 April 2020) "Bots Help Government Tackle COVID-19 Challenges" (Web Blog Post). Retrieved from https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/bots-help-government-tackle-covid19-challenges.aspx
Reminder: Medicare Part D Notices Are Due to CMS by Feb. 29
The federal Centers for Medicare & Medicaid Services (CMS) require disclosures regarding coverage that is either "creditable" or "non-creditable" each calendar year. The notice and disclosure deadline for those who provide prescription drug coverage is February 29, 2020. Read this blog post to learn more about the Medicare Part D notice.
Each year, group health plan sponsors that provide prescription drug coverage to individuals eligible for Medicare Part D must disclose to the federal Centers for Medicare & Medicaid Services (CMS) whether that coverage is "creditable" or "non-creditable." Prescription drug coverage is "creditable" when it is at least actuarially equivalent to Medicare Part D prescription drug coverage.
The disclosure obligation applies to all plan sponsors that provide prescription drug coverage, even those that offer prescription drug coverage only to active employees and not to retirees. Calendar year plans must submit this year's disclosure by Feb. 29, 2020.
Background
Individuals who fail to enroll in Medicare Part D prescription drug coverage when first eligible may be subject to late enrollment penalties if they go 63 consecutive days or longer without creditable prescription drug coverage. Because of this potential penalty, both Medicare Part D-eligible individuals and the CMS need to know whether a group health plan's prescription drug coverage is creditable or non-creditable.
Plan sponsors that provide prescription drug coverage must furnish Part D-eligible individuals with a notice disclosing the creditable or non-creditable status of their coverage before the beginning of the Medicare Part D annual enrollment period and at certain other times.
Plan sponsors must also disclose to CMS, on an annual basis and at certain other times, whether the coverage they provide is creditable or non-creditable. The submission deadline for this year's disclosure to CMS by calendar year plans is approaching.
Creditable Coverage Disclosures to CMS
Plan sponsors generally must disclose creditable coverage status to CMS within 60 days after the beginning of each plan year. Disclosure is made using the Disclosure to CMS Form on the CMS website. An entity that does not offer outpatient prescription drug benefits to any Part D-eligible individual on the first day of its plan year is not required to complete the CMS disclosure form for that plan year. Plan sponsors that contract directly with Medicare as a Part D plan or that contract with a Part D plan to provide qualified prescription drug coverage are also exempt from the CMS disclosure requirement for individuals who participate in the Part D plan.
In addition to the annual disclosure, plan sponsors must submit a new disclosure form to CMS within 30 days following any change in the creditable coverage status of a prescription drug plan. This includes both a change in the coverage offered so that it is no longer creditable (or non-creditable) and the termination of a creditable coverage option. A new disclosure form must also be submitted to CMS within 30 days after the termination of a prescription drug plan.
The disclosure requirement applies to all plan sponsors that provide prescription drug coverage to Part D-eligible individuals, even those that do not make prescription drug coverage available to retirees.
Calendar year plans must submit this year's disclosure to CMS by Feb. 29, 2020.
Is disclosure required if an employer doesn't offer retiree coverage?
All Part D-eligible individuals covered under an employer's prescription drug plan — regardless of whether the coverage is primary or secondary to Medicare Part D — should be included in the disclosure. "Part D-eligible individuals" are generally age 65 and older or under age 65 and disabled, and include active employees and their dependents, COBRA participants and their dependents, and retirees and their dependents. Even employers without retiree coverage may need to file the disclosure.
Information Needed to Complete Disclosure
In preparing the disclosure to CMS, plan sponsors need to:
- Identify the number of prescription drug options offered to Medicare-eligible individuals. This is the total number of benefit options offered, excluding any benefit options the plan sponsor is claiming under the retiree drug subsidy (RDS) program (i.e., benefit options for which the plan sponsor is expected to collect the subsidy) or that are employer group waiver plans (EGWPs).
  For example, a plan sponsor with a PPO and an indemnity option covering actives and an option for retirees for which it is receiving RDS would report two prescription drug options.
- Determine the number of benefit options offered that are creditable coverage and the number that are non‑creditable.
- Estimate the total number of Part D-eligible individuals expected to have coverage under the plan at the start of the plan year (or, if both creditable and non-creditable coverage options are offered, estimate the total number of Part D-eligible individuals expected to enroll in each coverage category). This includes Part D-eligible active employees, retirees, and disabled individuals and any of their Part D-eligible dependents and any individuals on COBRA who are Part D eligible.
  The estimate should not include any Part D-eligible retirees being claimed under the RDS program or retirees in an EGWP (because that coverage is Medicare Part D coverage).
  Individuals who will become Part D eligible after the start of the plan year should not be included in the count for that year. However, they must be provided a notice of creditable or non-creditable coverage prior to their initial Part D enrollment period.
- Provide the most recent calendar date on which the required notices of creditable or non-creditable coverage were provided.
Why doesn't the disclosure requirement apply to EGWPs or retiree plans where the employer is receiving RDS payments?
Employers that provide prescription drug coverage through a Medicare Part D employer group waiver plan are exempt from the disclosure requirement because an EGWP is Medicare Part D coverage.
An employer participating in the retiree drug subsidy program must have already certified to CMS that its drug coverage is creditable.
In Closing
Plan sponsors should review the instructions carefully before completing the Disclosure to CMS Form to make sure that they have all necessary information, and calendar year plans should report the information by Feb. 29, 2020.
Richard Stover, FSA, MAAA, is a principal at HR advisory firm Buck. Leslye Laderman, JD, LLM, is a principal in the Knowledge Resource Center at Buck. This article originally appeared in the Feb. 5, 2020 issue of Buck's For Your Information. © 2020 Buck Global LLC. All rights reserved. Republished with permission.
SOURCE: Stover, R.; Laderman, L. (06 February 2020) "Reminder: Medicare Part D Notices Are Due to CMS by Feb. 29" (Web Blog Post). Retrieved from https://www.shrm.org/resourcesandtools/hr-topics/benefits/pages/reminder-medicare-part-d-notices-due-to-cms.aspx
CMS delays enforcement of health plan identifiers in HIPAA transactions
Originally posted by Alden Bianchi on EBN on November 6, 2014.
In a surprise move, the Centers for Medicare & Medicaid Services (CMS) announced an indefinite delay in enforcement of regulations pertaining to “health plan enumeration and use of the Health Plan Identifier (HPID) in HIPAA transactions” that would have otherwise required self-funded employer group health plans (among other “covered entities”) to take action as early as November 5, 2014.
The CMS statement reads as follows:
Statement of Enforcement Discretion regarding 45 CFR 162 Subpart E – Standard Unique Health Identifier for Health Plans
Effective Oct. 31, 2014, the CMS Office of E-Health Standards and Services (OESS), the division of the Department of Health & Human Services that is responsible for enforcement of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standard transactions, code sets, unique identifiers and operating rules, announces a delay, until further notice, in enforcement of 45 CFR 162, Subpart E, the regulations pertaining to health plan enumeration and use of the Health Plan Identifier (HPID) in HIPAA transactions adopted in the HPID final rule (CMS-0040-F). This enforcement delay applies to all HIPAA covered entities, including health care providers, health plans, and healthcare clearinghouses.
On Sept. 23, 2014, the National Committee on Vital and Health Statistics (NCVHS), an advisory body to HHS, recommended that HHS rectify in rulemaking that all covered entities (health plans, health care providers and clearinghouses, and their business associates) not use the HPID in the HIPAA transactions. This enforcement discretion will allow HHS to review the NCVHS’s recommendation and consider any appropriate next steps.
The CMS statement followed, but was not anticipated by, a recent series of FAQs that provided some important and welcome clarifications on how employer-sponsored group health plans might comply with the HPID requirements.
Background
Congress enacted the HIPAA administrative simplification provisions to improve the efficiency and effectiveness of the health care system. These provisions required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. As originally enacted, HIPAA directed HHS to establish standards for assigning unique health identifiers for each individual, employer, health plan, and health care provider. The Affordable Care Act modified and expanded these requirements to include an HPID. On Sept. 5, 2012, HHS published final regulations adopting HPID enumeration standards for health plans (“enumeration” is the process of getting an HPID).
For the purposes of HPID enumeration, health plans are divided into controlling health plans (CHPs) and sub-health plans (SHPs). Large CHPs (i.e., those with more than $5 million in annual claims) would have been required to obtain HPIDs by Nov. 5, 2014. Small controlling health plans had an additional year, until November 5, 2015.
The Issue(s)
While we have no idea what led the NCVHS to recommend to CMS that it abruptly suspend the HPID rules, we can make an educated guess—two guesses, actually.
What is it that is being regulated here?
The HIPAA administrative simplification rules apply to “covered entities,” i.e., health care providers, health plans, and health care data clearinghouses. Confusingly, the term health plan includes both group health insurance sponsored and sold by state-licensed insurance carriers and employer-sponsored group health plans. Once HHS began issuing regulations, it became apparent that this law was directed principally at health care providers and health insurance issuers or carriers. Employer-sponsored group health plans were an afterthought. The problem for this latter group of covered entities is determining what, exactly, is being regulated. The regulatory scheme treats an employer’s group health plan as a legally distinct entity, separate and apart from the employer/plan sponsor. This approach is, of course, at odds with the experience of most human resource managers, employees and others, who view a company’s group health plan as a product or service that is “outsourced” to a vendor. In the case of an insured plan, the vendor is the carrier; in the case of a self-funded plan, the vendor is a third-party administrator.
The idea that a group health plan may be treated as a separate legal entity is not new. The civil enforcement provisions of the Employee Retirement Income Security Act of 1974 (ERISA) permit an employee benefit plan (which includes most group health plans) to be sued in its own name. (ERISA § 502(d) is captioned, “Status of employee benefit plan as entity.”) The approach taken under HIPAA merely extends this concept. But what exactly is an employee benefit plan? In a case decided in 2000, the Supreme Court gave us an answer, saying:
“One is thus left to the common understanding of the word ‘plan’ as referring to a scheme decided upon in advance . . . Here the scheme comprises a set of rules that define the rights of a beneficiary and provide for their enforcement. Rules governing collection of premiums, definition of benefits, submission of claims, and resolution of disagreements over entitlement to services are the sorts of provisions that constitute a plan.” (Pegram v. Herdrich, 530 U.S. 211, 213 (2000).)
Thus, what HHS has done in the regulations implementing the various HIPAA administrative simplification provisions is to impose rules on a set of promises and an accompanying administrative scheme. (Is there any wonder that these rules have proved difficult to administer?) The ERISA regulatory regime neither recognizes nor easily accommodates controlling health plans (CHPs) and subhealth plans (SHPs). The FAQs referred to above attempted to address this problem by permitting plan sponsors to apply for one HPID for each ERISA plan even if a number of separate benefit plan components (e.g., medical, Rx, dental, and vision) are combined in a wrap plan. It left in place a larger, existential problem, however: It’s one thing to regulate a covered entity that is a large, integrated health care system; it’s quite another to regulate a set of promises. The delay in the HPID enumeration rules announced in the statement set out above appears to us to be a tacit admission of this fact.
Why not permit a TPA to handle the HPID application process?
One of the baffling features of the recently suspended HPID rules is CMS’ rigid insistence on having the employer, in its capacity as group health plan sponsor, file for its own HPID. It was only very recently that CMS relented and allowed the employer to delegate the task of applying for an HPID for a self-funded plan to its third party administrator. By cutting third party administrators out of the HPID enumeration process, the regulators invited confusion. The reticence on CMS’ part to permit assistance by third parties can be traced to another structural anomaly. While HIPAA views TPAs in a supporting role (i.e., business associates), in the real world of self-funded group health plan administration, TPAs function for the most part autonomously. (To be fair to CMS, complexity multiplies quickly when, as is often the case, a TPA is also a licensed carrier that is providing administrative-services-only, begging the question: Are transmissions being made as a carrier or third party administrator?)
HIPAA Compliance
That the HPID enumeration rules have been delayed does not mean that employers which sponsor self-funded plans have nothing to do. The HIPAA privacy rule imposes on covered entities a series of requirements that must be adhered to. These include the following:
Privacy Policies and Procedures: A covered entity must adopt written privacy policies and procedures that are consistent with the privacy rule.
Privacy Personnel: A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
Workforce Training and Management: Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the covered entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must also have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.
Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.
Data Safeguards: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
Complaints: A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals at the covered entity may submit complaints and advise that complaints also may be submitted to the Secretary of HHS.
Retaliation and Waiver: A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.
Documentation and Record Retention: A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.
The HIPAA security rule requires covered entities to conduct a risk assessment, and to adopt policies and procedures governing two dozen or so security parameters.
Reminder: CMS Online Disclosure Due by March 1, 2014
This requirement is nothing new. In the past, health plan sponsors have been required to complete an annual online disclosure form with the Centers for Medicare and Medicaid Services (CMS) to show whether the prescription drug coverage offered under the sponsor's plan or plans is "creditable" (at least as good as Medicare Part D's prescription drug benefit) or "noncreditable" (not as good). The plan sponsor must complete the disclosure within 60 days after the beginning of the plan year.
Who Is Exempt From this Process?
Employers that do not offer drug coverage to any Medicare-enrolled employee, retiree or dependent at the beginning of the plan year are exempt from filing. Similarly, employers who qualified for the Medicare Part D retiree drug subsidy are exempt from filing with CMS, but only with respect to the individuals and plan options for which they claimed the subsidy. If an employer offers prescription drug coverage to any Medicare-enrolled retirees or dependents not claimed under the subsidy, the employer must complete an online disclosure for plan options covering such individuals.
Filing with CMS is due by March 1, 2014.
A CMS filing is also required within 30 days of termination of a prescription drug plan and for any change in a plan's creditable coverage status. As described above, some plans are exempt from the filing requirement.
Instructions related to the online filing discuss the types of information that are required, including the total number of Part D eligible individuals, the number of prescription drug options and which options are creditable and noncreditable. Click to access the instructions. Please save any documentation of this filing for your records.
Click to access the online portal that is used to complete the submission.