Agencies Propose Revised SBC Template and Uniform Glossary
Original post shrm.org
The federal agencies overseeing the Affordable Care Act announced a 30-day comment period ending on March 28, 2016, regarding proposed revisions to the Summary of Benefits and Coverage (SBC) and related documents that employers must provide to eligible employees for each of their health plans, following the Feb. 26 publication of an official notice in the Federal Register.
The revisions could be effective for employer-provided plan years beginning with the second quarter of 2017.
On Feb. 25, the Departments of Labor (DOL), Treasury, and Health and Human Services (HHS) released the proposed revised SBC template and revised uniform glossary, along with revised instructions for group plans. Under the Affordable Care Act, SBCs and the uniform glossary must be given to new hires and to employees during open enrollment.
The agencies had issued a final rule regarding SBCs and related documents in June 2015. However, revisions to the SBC template and the uniform glossary were delayed to allow the agencies to complete consumer testing and receive additional input from the public and stakeholders.
Providing Plan Details
In an analysis posted at the Health Affairs Blog, Timothy Jost, a professor at the Washington and Lee University School of Law in Lexington, Va., noted that among the proposed changes the revised documents would:
• Better identify services covered before the deductible applies.
• Disclose whether the plan has “embedded” deductibles and out-of-pocket limits (under which enrollees in family coverage can meet individual deductibles or out-of-pocket limits before the family limits are met).
• Disclose more information on tiered networks in relation to coverage of common medical events.
Though it may not provide the clarity employers and employees are looking for, “on the whole, the proposed revised SBC is a distinct improvement over the current SBC,” commented Jost.
‘Where’s My 1095?’ Addressing Tax Filing Confusion
Many employees are confused over how to report that they received health coverage when filing their income tax returns this tax season, the first in which they’re required to affirm that they had Affordable Care Act (ACA)-compliant coverage throughout the year or risk penalties under the individual coverage mandate.
Much of this confusion involves Form 1095-B (Health Coverage) and Form 1095-C (Employer-Provided Health Insurance Offer and Coverage).
“There are two different 1095 forms that an employee or former employee might get, depending on how coverage was provided,” explained Mike Chittenden, a counsel at Miller & Chevalier in Washington, D.C. “If it’s fully insured coverage from a large employer”—with 50 or more full-time employees or equivalents, referred to as an applicable large employer (ALE)—“then they’ll receive a Form 1095-C from their employer and a Form 1095-B from the insurance company. If it’s self-insured coverage from an employer, they’ll just receive a 1095-C that combines the information that would otherwise appear on both forms.”
These forms are also filed with the IRS by large employers; Forms 1094-B and 1094-C are transmittal forms submitted to the IRS along with Forms 1095-B and 1095-C, respectively.
For small businesses with fewer than 50 full-time employees or equivalents that provide employees with an ACA-compliant group plan, the rules are a bit different. If fully insured (as most small companies are), the insurance company that provides coverage is required to send enrollees a copy of Form 1095-B and to submit Forms 1095-B (along with transmittal Form 1094-B) to the IRS in order to report minimum essential coverage.
If a small company is self-insured and provides coverage, it must provide employees and the IRS with Form 1095-B. But small businesses that offer insurance are not required to send Form 1095-Cs to employees or to the IRS.
Plan type | Fewer than 50 full-time employees/equivalents (non-ALEs) | 50 or more full-time employees/equivalents (ALEs) |
No coverage offered | Not subject to reporting | |
Fully insured plan | Insurance company completes Forms 1094-B and 1095-B | Employer completes Forms 1094-C and 1095-C (Parts I and II only) |
Self-insured plan | Employer completes Forms 1094-B and 1095-B | Employer completes Forms 1094-C and 1095-C (Parts I, II and III) |
Originally, these forms were intended to be given to employees or former employees by Feb. 1 (as Jan. 31 fell on a Sunday this year), along with Form W-2. Filers would then use them when completing Line 61 of their individual tax returns, showing that they had qualifying health coverage from their employer—referred to as minimum essential coverage—during the year. The form could be shared with tax preparers and retained with other tax documents.
But as many employers seemed unlikely to meet this deadline, the IRS issued Notice 2016-4 at the end of 2015, extending the due date for providing employees with Forms 1095-B and 1095-C until March 31, and extended other ACA reporting deadlines as well:
Forms | Previous IRS Due Date | New IRS Due Date |
Forms 1095-B and 1095-C due to employees. | Feb. 1, 2016 | March 31, 2016 |
Forms 1094-B, 1095-B, 1094-C and 1095-C to be filed with the IRS if filing on paper (fewer than 250 employees). | Feb. 29, 2016 | May 31, 2016 |
Forms 1094-B, 1095-B, 1094-C and 1095-C to be filed with the IRS if filing electronically. | March 31, 2016 | June 30, 2016 |
Source: ADP, based on IRS Notice 2016-4 and IRS Tax Tip 2016-27. |
Tax Filing Conundrum
The problem is that many employees had been told that they would need these forms to prepare their 2015 income taxes. Many even believed, incorrectly, that Form 1095s were to be filed with their tax returns, along with their Form W-2s.
To mitigate these concerns, in January the IRS updated its webpage with Questions and Answers about Health Care Information Forms for Individuals. In Q&A number 3, the IRS answers the question, “Must I wait to file until I receive these forms?” as follows:
If you are expecting to receive a Form 1095-A [for those enrolled in a nongroup plan through the ACA’s Health Insurance Marketplace], you should wait to file your 2015 income tax return until you receive that form. However, it is not necessary to wait for Forms 1095-B or 1095-C in order to file.
Some taxpayers may not receive a Form 1095-B or Form 1095-C by the time they are ready to file their 2015 tax return. While the information on these forms may assist in preparing a return, they are not required. Individual taxpayers will generally not be affected by this extension and should file their returns as they normally would.
Like last year, taxpayers can prepare and file their returns using other information about their health insurance. You should not attach any of these forms to your tax return.
But employees don’t typically read the latest IRS updates posted online. Employers, therefore, should inform workers to expect these forms by March 31, and assure them they may go ahead and file their taxes—and collect any refunds that may be coming their way—without waiting until the form is in their hands.
Filing Without Form 1095
“While the form is helpful, obviously, in that it gives you all the information you need in one place, most employees won’t need the form to complete their taxes,” Chittenden explained. “For example, if an employee worked for the same company and had coverage all year, then they can go ahead and complete their taxes and check the box that indicates coverage all year. Similarly, if they changed jobs but had coverage under their old and their new employer without a gap, they also can check the box saying ‘yes.’ You don’t have to attach a copy of the form to your return, whether you’re filing paper returns or filing electronically. So you don’t actually need Form 1095-B or Form 1095-C to complete your tax return.”
Given the deadline extension for providing these forms, “employees should be reassured that they don’t need them to complete their taxes, and employers should be telling them that,” Chittenden said.
Employers should also be prepared for questions when employees do receive their 1095s in March. Many who have already submitted their returns may worry that having done so without the form will require filing a corrected return.
Ask HR
If employees think they might have had a gap in health coverage but aren’t sure, they still don’t necessarily need the form. “They could look at their pay stubs to see if they include information about coverage—for example, if there are deductions in each month for coverage, then it’s a pretty safe bet that they probably had coverage in each month,” said Chittenden. “They can also go to the employer and ask HR, which can give them the answer about whether or not they had coverage.”
ACA reporting has been a challenge for many employers, and “they’re doing their best to get these forms out as quickly as they can,” said Chittenden. Due to the rush, “employees may subsequently receive corrected forms, if the employer determines later that they were inaccurate, so that’s something they should be aware may be coming. And employers should be aware that they have an obligation to correct incorrect forms.”
Penalties Reduced If Timely Correction Made
The penalty for not filing an information return with the IRS generally is $250 for each return. The penalty for providing an incorrect statement to employees/enrollees is $250 for each erroneous statement. Since there are separate penalties for returns filed with the IRS and for statements furnished to individuals, filing failures could easily result in “double” penalties.
The IRS has provided short-term relief from reporting penalties for 2015 filings, as long as the employer has made a good faith effort to comply with the reporting requirements, and has filed returns and provided statements on time. However, even employers that were late might be eligible for penalty relief if the IRS determines there was reasonable cause,
IRS extends due dates for ACA information reporting
Original post by Stephen Miller, shrm.org
Employers subject to the Affordable Care Act’s 2015 information reporting requirements now have extra time to give forms to employees and to file them with the government.
In Notice 2016-4, issued by the IRS on Dec. 28, the agency extended these reporting deadlines:
Previous IRS Due Date | New IRS Due Date |
Forms 1095-B and 1095-C were due to employees by Feb. 1, 2016 | March 31, 2016 |
Forms 1094-B, 1095-B, 1094-C and 1095-C were required to be filed with the IRS if filing on paper by Feb. 29, 2016 | May 31, 2016 |
Forms 1094-B, 1095-B, 1094-C and 1095-C were required to be filed with the IRS if filing electronically by March 31, 2016 | June 30, 2016 |
Source: ADP, based on IRS Notice 2016-4. |
• For furnishing employees with the 2015 Form 1095-B (Health Coverage) and Form 1095-C (Employer-Provided Health Insurance Offer and Coverage), the deadline has been extended from Feb. 1, 2016, to March 31, 2016.
• For filing with the IRS the 2015 Form 1094-B (Transmittal of Health Coverage Information Returns), Form 1095-B, Form 1094-C (Transmittal of Employer-Provided Health Insurance Offer and Coverage Information Returns) and Form 1095-C, the deadline has been extended from Feb. 29, 2016, to May 31, 2016 if not filing electronically, and from March 31, 2016, to June 30, 2016 if filing electronically.
Any employer filing 250 or more information returns during the calendar year must file the returns electronically. For employers with fewer than 250 returns, electronic filing is voluntary.
“Earlier guidance would have been preferred, but the last-minute relief will still be helpful for employers that have been working to understand the complexities of compiling all the information needed and completing the forms, or gathering the information needed to work with their reporting vendors,” said Ann Marie Breheny, a senior legislative adviser at Towers Watson in Arlington, Va.
The notice also provides guidance to employees who might not receive a Form 1095-B or Form 1095-C by the time they file their 2015 tax returns.
Employers Sought Extension
Employer groups had been seeking filing extensions. Because instructions for filing the reporting forms were released late in the year, “employers have been struggling with logistical issues” related to reporting, said Chatrane Birbal, the Society for Human Resource Management’s senior advisor for government relations.
The IRS deadline extension “is appreciated and will provide employers relief,” she said. “The ACA reporting forms require specific information on each employee’s insurance coverage—and their spouse’s and dependents’, if applicable—such as employer identification number, taxpayer identification number, addresses, employee’s full-time status and length of full-time status, proof of minimal essential coverage offered, coverage dates, and employees’ share of coverage premium costs. Collecting required information to ensure accurate reporting is an administrative burden for employers.”
While HR professionals have the relevant data requested, she noted, “this information is not contained in a central repository. Most employers will have to use multiple sources to obtain the data necessary to complete the reporting forms, including their benefits carrier or broker, HR information system, payroll company, time-off tracking software and other sources.”
The administrative burden and penalties related to missed deadlines and incorrect filing “will inevitably add to the employer’s cost of providing benefits to employees,” she noted.
Similarly, the American Benefits Council, in a Dec. 24 letter to IRS Commissioner John Koskinen, wrote that employers “have expressed significant concerns about their ability to furnish accurate Forms 1095-C and Forms 1095-B to employees by the Feb. 1, 2016 deadline.”
“The data that needs to be reported—particularly on the Form 1095-C—relates to information that many employers did not previously maintain in a format that facilitated reporting,” said Kathryn Wilber, senior counsel for health policy at the council. “As a result, employers’ attempts to establish systems that can accommodate the reporting requirements have generated logistical complications and we continue to hear about new difficulties from employers on a regular basis.”
Earlier Filing Encouraged
The IRS said it is still prepared to accept filings of the information returns on Forms 1094-B, 1095-B, 1094-C and 1095-C beginning in January 2016. “Following consultation with stakeholders, however, the Department of the Treasury and the [IRS] have determined that some employers, insurers, and other providers of minimum essential coverage need additional time to adapt and implement systems and procedures to gather, analyze and report this information,” the IRS said in its notice. “Notwithstanding the extensions provided in this notice, employers and other coverage providers are encouraged to furnish statements and file the information returns as soon as they are ready.”
Employers that don’t comply with these extended due dates will be subject to penalties under ACA section 6722 or 6721 for failure to timely furnish and file, the IRS said. The agency added that even if employers or other coverage providers miss the extended due dates, they are still encouraged to furnish and file, “and the service will take such furnishing and filing into consideration when determining whether to abate penalties for reasonable cause.”
“The IRS said it will take a good-faith enforcement approach to this first year of reporting,” said Breheny. “As the deadlines approach, there have been many questions from reporting entities about these complex requirements and the systems involved, so this is a welcome development.”
Stephen Miller, CEBS, is an online editor/manager for SHRM.
IRS Issues Forms and Instructions for ACA Reporting
Originally posted on shrm.org.
In early February 2015, the IRS released draft versions of the forms that employers subject to the Affordable Care Act (ACA) “shared responsibility” mandate—sometimes referred to as “play or pay”—will be required to file in order to show that the health coverage they offer to their employees is compliant with ACA requirements. The forms implement reporting obligations under Internal Revenue Code sections 6055 and 6056, which the ACA added to the tax code.
The forms are not required to be filed by employers for tax year 2014. However, in preparation for the first required filing of these forms (in 2016 for 2015), reporting entities may, if they wish, voluntarily file.
The IRS also released a new brochure Affordable Care Act: Reporting Requirements for Applicable Large Employers, which discusses getting ready for monthly tracking and preparing to fill out new IRS forms in 2016.
The forms include:
• Form 1095-B: Health Coverage. To be filed with the IRS and provided to taxpayers by insurers, as well as by self-insured employers that are not subject to the employer "shared responsibility" mandate, to verify that individuals have minimum essential coverage that complies with the individual coverage requirements.
• Form 1095-C: Employer-Provided Health Insurance Offer and Coverage. To be filed by employers with 50 or more full-time or full-time equivalent employees to verify their compliance with the employer "shared responsibility" mandate. Form 1095-C will also be used to establish employee eligibility for premium tax credits if the employer does not offer affordable and adequate coverage.
• Form 1094-B: Transmittal of Health Coverage Information Returns and Form 1094-C: Transmittal of Employer-Provided Health Insurance Offer and Coverage Information Returns. These are the transmittal forms that insurers and employers will use to transmit the individual 1095-Bs and 1095-Cs to the IRS.
“Insurers and self-insured health plans will provide a Form 1095-B to each of their enrollees and members, and file these forms, together with a transmittal Form 1094-B with the IRS,” explained Timothy Jost, J.D., a professor at the Washington and Lee University School of Law, in an earlier post regarding the draft forms on the Health Affairs Blog. “Large employers must provide a Form 1095-C to each employee, and transmit these, together with a transmittal [Form 1094-C] to the IRS.”
The IRS also issued instructions relating to the above forms:
• Text of Instructions for IRS Forms 1094-B and 1095-B.
• Text of Instructions for IRS Forms 1094-C and 1095-C.
“The instructions for the 1094-C and 1095-C are by far the most complex of the instructions...filling 13 pages with dense, two column, print,” noted Jost in a blog post regarding the draft versions (the final instructions reach 14 pages and are in a smaller type face, and thus even longer). “Most of the complexity derives from the options for complying with the employer mandate and the transition exceptions to that mandate that the administration has created,” Jost explained.
The forms “are identical to the draft forms released in the late summer of 2014,” Jost noted in a February 2015 blog post. “The instructions for the transmittal forms 1094-B and 1095-B are virtually identical to the draft instructions. … The final instructions for forms 1094-C and 1095-C, however, contain a number of changes from the draft instructions and should be reviewed carefully by insurers, employers, and those who advise them.”
“We hoped that the IRS was finding a way to streamline and simplify the reporting forms and instructions that employers will use in connection with the...employer and individual mandates. Those hopes were dashed...when the IRS released the final reporting forms and instructions,” stated a February 2015 alert from Lockton, an insurance brokerage. “The reporting forms and instructions remain detailed and complex, with many caveats, exceptions and special rules. Complicating this, reporting continues to be based on the calendar year, regardless of the year on which an employer’s plan operates.”
The Lockton alert further notes:
The final forms and instructions are labeled as “2014” forms, meaning they would relate to coverage during 2014. It is apparent, however, that these materials were created for the required reporting in 2016 with respect to coverage during 2015. In addition to explicitly stating that reporting with respect to 2014 is voluntary, the instructions explain how to indicate use of various transition rules that apply during 2015.
“As the forms must be filed by Feb. 28 (March 31 if filed electronically) and were just released in final form, it is very unlikely that many employers, insurers, or government programs will file for 2014,” noted Jost. “The 2015 forms are likely to be very similar, however, so it is probably important for employers and insurers to review these forms to ensure that they are on track for 2015 reporting.”
Advised a February 2015 alert from Fox Rothschild LLP, “Bear in mind that there is a considerable amount of time between now and the final filing obligation so there may be additional revisions to these instructions, or at least some further clarification. But in the meantime, read the instructions and familiarize yourself with the reporting obligations.”
Tracking and Reporting Employee Data
Companies with 100 or more full-time equivalent employees must begin complying with the ACA coverage requirements in 2015, although they will have two years to phase up to the requirement that they cover 95 percent of their workers. Companies with 50 to 99 full-time equivalent employees will have another year—until 2016—to start complying. Smaller businesses are exempt.
Under tax code sections 6055 and 6056, employers must compile monthly and report annually numerous data points to the IRS and their own employees. This data will be used to verify the individual and employer mandates under the law.
“Although required reporting under sections 6055 and 6056 will not occur until January 2016 to employees and March 2016 to the IRS, the data being reported is based on what happened during 2015,” according to an August 2014 article in HR Magazine. “Therefore, employers should have the necessary infrastructure in place to gather that information by January 2015 or very soon after.”
Given the cross-functional compliance and reporting requirements, having a multidisciplinary team in place is important, with a written workplan that specifies the responsibilities of HR, payroll, finance and other departments. The chief HR officer and the chief financial officer should coordinate their efforts and those of their staffs. Top-level executive sponsorship should ensure that all functions are working together and doing their part.
“Ideally, technology will take much of the reporting burden off of employers, automating significant portions of the data collection and reporting processes,” observed the Lockton alert, adding:
Unfortunately, technology will not produce accurate reporting without accurate data. In addition, while an employer’s current HR technology solutions may capture the information required for ACA reporting, it is unlikely that the employer has any one system that incorporates all of this information. It is also very likely that gathering the information from various sources and entering it into the required forms will be difficult and time-consuming. Employers that have not done so already will want to discuss with their third-party payroll and benefits administration vendors the extent to which they can handle the required information gathering and reporting.
Reporting Requirement Still Applies to Mid-Size Employers
Although mid-size employers (between 50 and 99 full-time employees or equivalents) can take advantage of one year of transitional relief from the employer mandate requirements, delaying compliance until the first day of the employer's 2016 plan year, “these employers are still required to comply with the pay or play reporting requirement and the individual mandate reporting requirement, if the mid-size employer sponsors a self-funded group health plan,” advised law firm Miller Johnson. “In order to qualify for the transitional relief, mid-size employers must certify to the IRS that it meets the necessary requirements. Form 1094-C is used to certify that the mid-size employer meets these requirements.”
The firm added, “The good news is that these forms appear relatively simple to complete. The bad news, however, is that compiling the information necessary to complete these forms will likely impose significant administrative burdens.”
2015 Monthly Information
“This reporting and disclosure requirement is new for employers and may catch some employers off-guard,” warned an alert by benefits consultancy Hill, Chesson & Woody, which added that the reporting requirements include collecting and disclosing:
- Social Security numbers of employees, spouses and dependents.
- Names and employer ID numbers (EINs) of other employers within the reporting employer’s controlled group of corporations for each month of the calendar year.
- Number of full-time employees for each calendar month.
- Total number of employees (full-time equivalents) for each calendar month.
- Section 4980H transition relief indicators for each calendar month.
- Employees’ share of the lowest-cost monthly premium for self-only, minimum value coverage for each calendar month.
- Applicable Section 4980H safe harbor for each calendar month.
“The first transmittal and returns will not be filed until January 2016, but much of the information must be reported for each calendar month of 2015,” the firm pointed out. “Ensuring internal time and attendance systems, record management, and payroll systems are capable of producing the required information is critical. Although there is much information left to be released by the IRS concerning the Code 6056 reporting requirement, employers subject to this requirement should begin preparing now.”
“The significant amount of information that is required to be reported to both employees and the IRS on these forms may factor in to an employer’s overall strategy for compliance with health care reform’s pay or play penalty requirement,” advised Miller Johnson.
Steps to Take
In light of the complexity of the new information reporting requirements, employers should take the following actions, advised McGladrey LLP in an alert:
• Learn about the new information reporting requirements and review the IRS reporting forms.
• Develop procedures for determining and documenting each employee's full-time or part-time status by month.
• Develop procedures to collect information about offers of health coverage and health plan enrollment by month.
• Review ownership structures of related companies and engage professionals to perform a controlled/affiliated service group analysis.
• Discuss the reporting requirements with the health plan's insurer/third-party administrator and the company's payroll vendor to determine responsibility for data collection and form preparation.
• Ensure that systems are in place to collect the needed data for the reports.
---
Four Steps Required Prior to ACA E-Filing
For calendar year 2015, applicable large employers must file Affordable Care Act Information Returns (Forms 1094-B, 1095-B, 1094-C and 1095-C) via paper returns by Feb. 28, 2016 or via electronic returns by March 31, 2016, reports the International Foundation of Employee Benefit Plans.
Electronic returns will be filed through the new ACA Information Returns (AIR) system. The AIR system is specifically designed for the IRS to process these new ACA forms. Other IRS e-filing systems do not support the ACA Information Returns. Prior to e-filing, applicable large employers must: (1) identify their responsible official(s) and contacts, (2) register with IRS e-services, (3) apply for the ACA Information Return Transmitter Control Code (TCC), and (4) participate in testing.
ACA Cost-Sharing Limits for 2016
Originally posted by Laura Kerekes on June 4, 2015 on thinkhr.com.
The Affordable Care Act (ACA) requires nongrandfathered group health plans to limit the total cost-sharing (deductibles, co-pays, and co-insurance) paid by participants for in-network essential health benefits in a plan year. For the 2015 plan year, the ACA cost-sharing limits are $6,600 if self-only coverage or $13,200 if other than self-only coverage (i.e., family coverage). Often referred to as “out-of-pocket maximums,” the limits are subject to change for inflation each year.
For 2016, two important changes will take effect. First, the cost-sharing limits will increase to $6,850 and $13,700, respectively. Secondly, the self-only limit of $6,850 will apply to each covered person regardless of whether enrolled for self-only coverage or family coverage.
FAQ XXVII, released jointly by the Departments of Labor, Health and Human Services, and the Treasury, provides that:
- ACA cost-sharing limits apply to nongrandfathered group health plans, including “small” or “large” group policies and self-funded health plans.
- Deductibles, co-pays, and co-insurance, paid by the participant, must be counted toward the annual cost-sharing limits (out-of-pocket maximums). However, plans are not required to count amounts paid for nonessential health benefits, services not covered by the plan, or services received from out-of-network providers.
- For plan years beginning in 2016, the self-only cost-sharing limit applies to each person regardless of whether they have self-only or family coverage. The FAQ provides the following example:
“Assume that a family of four individuals is enrolled in family coverage under a group health plan in 2016 with an aggregate annual limitation on cost sharing for all four enrollees of $13,000 (note that a plan is permitted to set an annual limitation below the maximum . . . aggregate $13,700 limitation for coverage other than self-only for 2016). Assume that individual #1 incurs claims associated with $10,000 in cost sharing, and that individuals #2, #3, and #4 each incur claims associated with $3,000 in cost sharing (in each case, absent the application of any annual limitation on cost sharing). In this case, because, under the clarification discussed above, the self-only maximum annual limitation on cost sharing ($6,850 in 2016) applies to each individual, cost sharing for individual #1 for 2016 is limited to $6,850, and the plan is required to bear the difference between the $10,000 in cost sharing for individual #1 and the maximum annual limitation for that individual, or $3,150. With respect to cost sharing incurred by all four individuals under the policy, the aggregate $15,850 ($6,850 + $3,000 + $3,000 + $3,000) in cost sharing that would otherwise be incurred by the four individuals together is limited to $13,000, the annual aggregate limitation under the plan, under the assumptions in this example, and the plan must bear the difference between the $15,850 and the $13,000 annual limitation, or $2,850.”
Note that the current ACA cost-sharing limits, and the changes for 2016, only affect plans with high out-of-pocket maximums. Many plans are not affected because they have out-of-pocket maximums that are much lower than the amounts allowed by the ACA, or because they already apply reasonable individual maximums for both single and family coverage plans. Group policies issued in certain states also may be subject to lower limits due to state insurance laws. Therefore, many plans may not be affected by the ACA changes for 2016. On the other hand, high deductible health plans (HDHPs) that are designed for compatibility with health savings accounts (HSAs), are likely to be affected by the changes.
HSA-Compatible High Deductible Health Plans
HDHPs that qualify as permissible coverage in connection with an HSA — called HSA-compatible HDHPs — must comply with IRS rules for minimum deductible amounts and maximum out-of-pocket amounts. Most HSA-compatible HDHPs are nongrandfathered health plans, so they are subject to the ACA cost-sharing limits or the IRS maximum out-of-pocket amounts, whichever is less.
For 2016, the maximum out-of-pocket amounts for an HSA-compatible HDHP will be:
- $6,550 if self-only coverage, or
- $13,100 if family coverage.
If, however, the 2016 HDHP is a nongrandfathered health plan, the maximum out-of-pocket amount for each individual with family coverage will be limited to $6,850 with respect to in-network essential health benefits. For many HDHPs, this will be a significant change for 2016.
Summary
The guidance provided in FAQ XXVII does not affect grandfathered health plans or any plans for plan years before 2016. For nongrandfathered plans, including HSA-compatible HDHPs, employers and benefit advisors are encouraged to review the guidance to ensure compliance with the ACA cost-sharing limits for 2016.
EEOC Proposed Rule on Wellness and the Americans with Disabilities Act – What Employers Need to Know
Originally posted by M. Brian Magargle and Robin E. Shea on April 30, 2015 on www.thinkhr.com.
The employer community has been waiting for years to receive guidance from the Equal Employment Opportunity Commission on wellness programs and how an employer’s obligations under the Americans with Disabilities Act intersect with its rights and obligations under the Health Insurance Portability and Accountability Act (as amended by the Affordable Care Act).
The EEOC finally issued a proposed rule on April 20. The following is what employers need to know in a “Q&A” format.
What problem is the EEOC trying to resolve?
The quick answer is an apparent conflict between the ADA rules on employer “medical inquiries,” on the one hand, and the “wellness program” provisions of the HIPAA/ACA, on the other.
Title I of the ADA (the part of the ADA that applies to private sector employers) generally prohibits employers from making “medical inquiries” of current employees unless the inquiries are “job-related and consistent with business necessity” (for example, to verify the need for a reasonable accommodation). The general rule is that employers are not supposed to be asking for medical information from current employees.
There are some limited exceptions to this rule, including an exception for medical inquiries made in connection with a “voluntary wellness program.”
As employer wellness programs have become more popular, many employers began offering specific rewards or penalties to employees based on whether they participated in the programs and even on whether they achieved certain “results.” As will be discussed in more detail below, the HIPAA and the ACA specifically authorize wellness programs to offer incentives for “participation” and “outcomes” under certain circumstances. However, the question arose whether the use of such incentives would render the wellness program not “voluntary” for ADA purposes. If the wellness program was not voluntary because of the incentives, then any requests for employee medical information made in connection with the wellness program would violate the ADA.
(Title I of the ADA would not have an impact on medical inquiries made, say, to the family member of an employee who might also be eligible to participate in the employer’s wellness program.)
Thus, it was possible that an employer could offer a wellness program that was authorized and lawful under the HIPAA/ACA but still be vulnerable to charges and lawsuits under the ADA. The EEOC’s proposed rule seeks to address this problem, and for the most part, it should be welcomed by employers who offer wellness programs.
What does the proposed rule say, in a nutshell?
The proposed rule says that a wellness program can still be “voluntary” for ADA purposes if the program provides “incentives” for employees (both rewards and penalties), as long as the employer complies with the wellness incentive requirements of the HIPAA/Affordable Care Act.
There are two caveats: The wellness program would have to be associated with a group health plan (either insured or self-insured), and the EEOC proposals do not exactly match the HIPAA/ACA rules, although they are reasonably close.
Can you give us a recap of the HIPAA/ACA requirements?
Under the HIPAA/ACA scheme, there are two types of wellness programs. A “participatory” program is one that rewards employees just for participating and does not require a specific goal to be met. (An example would be an employer who reimburses employees for fitness club memberships.) Under the HIPAA/ACA, participatory programs can be offered without limitation, as long as they’re available to all similarly situated individuals.
The other type of wellness program is a “health-contingent” program. There are two types of “health-contingent” programs: (1) activity-only programs, in which the employee is rewarded for completing an activity but doesn’t have to achieve or maintain an outcome (for example, “we’ll pay you $100 if you walk a mile three days a week for a year”); and (2) outcome-based programs, in which employees are rewarded for achieving or maintaining results (for example, “we’ll pay you $100 if you keep your BMI at or below 25 for a year, or if you quit smoking”).
If the program is health-contingent, employers are allowed to offer incentives (carrots or sticks) if –
- Employees are allowed to try to qualify at least once a year,
- The total reward offered doesn’t exceed 30 percent of the total cost of employee-only coverage under the plan or the total cost of family coverage if dependents are also allowed to participate in the program (“total” means the employee’s and the employer’s share). The percentage is up to 50 percent for tobacco prevention or cessation,
- The program is reasonably designed to promote health or prevent disease,
- The full reward must be available for all similarly situated individuals, and reasonable alternatives must be offered to those who can’t qualify, and
- The availability of reasonable alternatives must be disclosed in plan materials and in any disclosure telling an individual that he or she did not meet an initial outcome-based standard.
Under the HIPAA/ACA, the 30 percent/50 percent incentive limit applies only to “health-contingent” programs. HIPAA and the ACA have no limit on rewards that apply to “participatory” programs (if the programs are available to all similarly situated individuals).
The EEOC’s proposed rule is slightly different.
How does the EEOC proposed rule contrast with the HIPAA/ACA rule?
The EEOC would allow employers to offer incentives for employee participation in wellness programs associated with group health plans if the total reward does not exceed 30 percent of the total cost of employee-only coverage under the plan for both participatory and health-contingent wellness programs. The EEOC proposed rule does not allow a 50 percent reward level for tobacco cessation programs (unless there are no associated disability-related questions or medical exams), and the total cost used in the reward calculations does not take into account family-level coverage, even where dependents can participate in the program.
In addition, the wellness program must be completely voluntary. The EEOC would define “voluntary” as follows:
- Employees aren’t required to participate in the wellness program,
- Health insurance coverage is not denied or made more difficult to get if the employee chooses not to participate (with the exception of the permitted “incentives”), and
- The employer does not take adverse action against an employee for refusing to participate . . . as this employer allegedly did.
The EEOC invites the public to comment on the proposed rule through June 19. The agency is particularly interested in comments pertaining to how much medical information an employee should be required to disclose to be eligible for an incentive, whether the rule should require that the incentives not render health insurance “unaffordable” within the meaning of the ACA, issues related to the “notice” requirement, how to treat wellness programs that are not associated with group health insurance, as well as other topics.
The employer would also be required to provide a notice “that clearly explains what medical information will be obtained, who will receive the medical information, how the medical information will be used, the restrictions on its disclosure, and the methods the covered entity will employ to prevent improper disclosure of the medical information.”
The wellness program would be required to disclose medical information to the employer only in aggregated, non-individually-identifiable form, “except as needed to administer the health plan.”
Are there any other issues to consider under the HIPAA/ACA?
Although the EEOC rule is currently in proposed form, we expect any final version to still be somewhat different from the HIPAA/ACA requirements for wellness programs. For example, one of the primary requirements of an outcome-based program under HIPAA is the ability of an employee to meet a “reasonable alternative standard” to receive the reward. Participants in the program must be clearly informed of that option, and it remains to be seen how that notification will be coordinated with the notice proposed by the EEOC. A related issue is the intersection of the “reasonable alternative standard” under HIPAA with the reasonable accommodation and interactive process obligations under the ADA. The EEOC’s Interpretive Guidance to the proposed rule says that provision of a “reasonable alternative standard” along with the required notification will generally satisfy the employer’s reasonable accommodation obligations under the ADA, but no specifics are given. Moreover, the Interpretive Guidance notes that under the ADA an employer would have to make reasonable accommodations for an employee who could not be in a “participatory” program because of a disability, even though the HIPAA/ACA rules do not require a “reasonable alternative standard” for participatory programs.
Also, details about wellness programs commonly appear in ERISA-governed summary plan descriptions, so will the EEOC rules have to appear there as well?
There are similarities between the employee benefits issues affecting wellness programs, on the one hand, and the ADA and employee-relations issues, on the other, but the differences are equally important and will hopefully be addressed by the EEOC in the final rules expected to be issued later this year.
What should employers do?
The proposed rule describes certain employer “best practices,” as follows:
- Employers should ensure that employees who handle medical information know their obligations under the laws.
- Employers should adopt privacy policies for collection and handling of employee medical information, assuming that they have not already done so.
- If medical information is stored electronically, it should be encrypted and other security measures implemented such as password protection and firewalls.
- If possible, employees who handle medical information should not be “making decisions related to employment, such as hiring, termination, or discipline.” If this is not possible, then the employer should ensure that there is no discrimination based on an employee’s disability.
- Breaches of confidentiality should be promptly and effectively addressed, and the affected employees should be informed immediately.
- Employers should take appropriate action against an employee who breaches confidentiality, and should “consider discontinuing” their relationships with vendors who breach confidentiality.
Why doesn’t the EEOC proposed rule have a 50-percent incentive for tobacco-related programs, since the HIPAA/ACA does?
The EEOC explained that it did not include the 50 percent incentive for tobacco programs because, it said, most of those programs do not seek employee medical information at all. If not, there would be no ADA issue. But if a tobacco program does seek such information (for example, through testing for nicotine, or monitoring blood pressure), then the tobacco program would have to be included in computing the 30-percent limit for incentives.
Did the proposed rule address the employer’s right to get medical information from an employee’s family members, who may be covered under the employee’s health insurance and might be eligible for participation in the wellness program?
No, because Title I of the ADA applies only to employers and employees. Medical inquiries about an employee’s family member would, of course, be covered under the Genetic Information Nondiscrimination Act, which is also enforced by the EEOC. The EEOC says it will issue guidance on wellness and the GINA “in future EEOC rulemaking.”
Did the proposed rule contain anything else of interest?
Yes. The EEOC has explicitly disagreed with a wellness/ADA decision from the U.S. Court of Appeals for the Eleventh Circuit, Seff v. Broward County. At issue in the Seff case was a $20-per-paycheck penalty that employees had to pay if they chose not to participate in the county’s wellness program. The court found that the county’s program fell within a “safe harbor” in the ADA, which provides that a covered entity is not prohibited “from establishing, sponsoring, observing or administering the terms of a bona fide benefit plan that are based on underwriting risks, classifying risks, or administering such risks that are based on or not inconsistent with State law.” Because the program fell within the safe harbor, the court said, it was irrelevant whether the program was “voluntary” or whether medical inquiries made in connection with the program violated the ADA.
The EEOC’s position is that this “safe harbor” provision in the ADA does not apply to wellness programs.
Employers who operate in the Eleventh Circuit states of Alabama, Florida, or Georgia can continue to follow Seff for the time being. However, employers who operate in other states may choose to follow the EEOC’s position once its proposal becomes final. The conflict between the EEOC and the Eleventh Circuit will probably be resolved eventually by the courts.
Employer HSA contributions falling
Originally posted by Kathryn Mayer on March 25, 2015 on benefitspro.com.
This last year may have seen another big increase in the number of health savings accounts. But it also saw a drop in the amount employers are contributing to those accounts.
Employees saw a 10 percent decrease in their average single HSA employer contribution from the previous year, according to new data from United Benefit Advisors. In 2013, employers contributed an average of $574 per employee but last year that dropped to $515, the report says.
Average family contributions also fell 7 percent during the same period, from $958 to $890.
UBA said the survey results reveal a correlation between enrollment in HSAs and consumer driven health plans, linking higher HSA contributions to increased enrollment in the cost-saving plans.
“Employer HSA funding strategies have changed in recent years in response to the Patient Protection and Affordable Care Act and its impact on employer-sponsored health insurance plans,” says Brian Goff, president and CEO of Insurance Solutions, a UBA partner firm.
“When HSA products were new, the employer could take the premium savings and fully fund the deductible. Now, however, premium reductions are not as great as they once were,” Goff said. “As premiums increase, employers naturally opt to put their contributions toward premiums first and will slowly reduce their HSA funding to the point where, in some cases, it becomes entirely the employee’s responsibility.”
The deductible amount, the employee premium contribution, the out-of-pocket maximum, and whether there are other types of plans offered will also impact an employer’s HSA contribution strategy, says Mark Sherman, Principal of LHD Benefit Advisors, another UBA partner firm.
Devenir said last month that the number of health savings accounts jumped 29 percent as of the end of 2014, reaching 13.8 million.
UBA found that smaller firms are the most generous when it comes to HSA contributions.
Smaller employers (those with 1 to 50 employees) are exceeding the average HSA contribution for singles, while larger employers (50 to 1,000-plus employees) have been less generous, UBA said. Even larger employers, those with 1,000-plus employees, show the lowest average contribution at $426. Similarly, for families, HSA contributions by smaller employers tend to be above the average $890 contribution, while large employers fund an average of $760.
The trend, Goff said, likely stems from smaller companies making more personal decisions about their employees and benefits.
The UBA survey also found:
- California has the most generous HSA contributions ($808 for singles and $1,316 for families) yet the lowest enrollment in CDHPs: only 11.3 percent of plans in California are CDHP plans and only 8.1 percent of employees are enrolled in them.
- New England, which typically has the most generous health care packages overall, sees average HSA contributions of $685 for singles and $1,342 for families.
- By industry, construction, health care/social assistance, mining/oil and gas extraction, retail and wholesale provide the lowest HSA contributions for singles and families. Government employees have the most generous HSA contributions ($791 for singles and $1,431 for families).
For its research, UBA surveyed 9,950 employers sponsoring nearly 17,000 health plans nationwide.
IRS Begins Preparing Cadillac Tax Regulations; Public Input Requested
Originally posted February 24, 2015 on www.ifebp.org.
In Notice 2015-16, the Internal Revenue Service (IRS) outlines potential approaches for future proposed regulations regarding the excise tax on high cost employer-sponsored health coverage under section 4980I, also known as the Cadillac tax.
The notice is intended to initiate and inform the process of developing regulatory guidance regarding the excise tax on high cost employer-sponsored health coverage under section 4980I of the Internal Revenue Code. Section 4980I, which was added by the Affordable Care Act, applies to taxable years beginning after December 31, 2017.
Under this provision, if the aggregate cost of “applicable employer-sponsored coverage” provided to an employee exceeds a statutory dollar limit, which is revised annually, the excess is subject to a 40% excise tax.
The issues addressed in this notice primarily relate to:
- the definition of applicable coverage,
- the determination of the cost of applicable coverage, and
- the application of the annual statutory dollar limit to the cost of applicable coverage. The Department of the Treasury (Treasury) and IRS invite comments on the issues addressed in this notice and on any other issues under section 4980I.
This notice describes potential approaches on a number of issues which could be incorporated in future proposed regulations, and invites comments on these potential approaches.
Treasury and IRS intend to issue another notice before the publication of proposed regulations under section 4980I, describing and inviting comments on potential approaches to a number of issues not addressed in this notice, including procedural issues relating to the calculation and assessment of the excise tax.
After considering the comments on both notices, Treasury and IRS anticipate publishing proposed regulations under section 4980I. The proposed regulations will provide further opportunity for comment, including an opportunity to comment on the issues addressed in the preceding notices.
Tips for Handling Employee Pay Issues Caused By Mother Nature
Originally posted February 9, 2015 by Laura Kerekes on www.thinkhr.com.
If you are inclined to believe “Punxsutawney Phil,” we’re in for another six weeks of wintry weather. When the groundhog emerged from his dwelling at Gobbler’s Knob in west-central Pennsylvania on February 2nd, he did not see his shadow. Let’s all hope for an early spring while we stay vigilant for more bad weather. Super storms packed punches in the Midwest and Northeast to start the New Year and continue adding to the area’s already taxed weather relief efforts. While your business may not have been affected by the recent superstorms, it is a great wakeup call to think through how businesses should handle the employee relations and pay issues that arise when they are forced to close due to inclement weather and/or when employees simply cannot get to work due to transportation or personal difficulties.
What should an employer do? Pay employees to stay at home? After all, in most cases, they are not at work through no fault of their own. Many businesses, however, do not have the financial resources to pay employees not to work. What follows are the rules regarding paying employees who miss work due to Mother Nature, along with some practical tips. From an employee relations perspective, the more generous you can afford to be to your employees who are suffering as a result of a weather-related disaster, the better. Employees (and their families) do pay attention to how they are treated, and a little extra time off and compassion for individual circumstances can go a long way towards enhancing employee loyalty.
If the company has no power and sends employees home for the day, should they be paid? And does it matter if the employee is exempt or nonexempt?
In general, there are two sets of rules for paying employees depending upon their classification under the Fair Labor Standards Act (FLSA) as it relates to eligibility for overtime. With nonexempt employees (those eligible for overtime pay), there is no obligation under federal or state law to pay for time not worked. However, under certain state laws, employers may have an obligation to compensate nonexempt employees under call-in/reporting pay laws, especially if the employees were not advised that they should not report to work and were denied work upon arrival at the workplace.
These pay obligations vary by state. With respect to salaried exempt employees who must be paid on a “salary basis” under the FLSA, employers may not make salary deductions for absences that result from an employer’s partial-week closing of operations, including closings due to weather-related emergencies or disasters. The bottom line is that exempt employees must be paid their full salary if they perform any work in a workweek and only miss work time due to the employer’s closure of operations. Closures for a full workweek need not be paid if no work is performed.
Are these rules different if the company can tell the employee not to come to work the next day?
For nonexempt employees, if they are told in advance not to come to work and the employees stay home, then the employer is under no obligation to pay them for the time off. The employer and the employee can choose to use accrued paid time off to compensate the employee for the missed workdays.
For exempt employees, the “salary basis” rule still applies. In some cases the employee may be working from home during the bad weather days. If state laws permit employers to do so, employers may deduct from the exempt employees’ accrued paid time off balances to resolve the issues related to “salary basis” compliance. The employer should ensure, however, that these employees have not done any work from home during the office closure prior to deducting time from the accrued paid time off bank balances.
If an employee is on Family and Medical Leave Act (FMLA) leave, do those “bad weather days” count against the employee’s 12-week allotment of time off?
The FMLA regulations are silent about bad weather office closures. However, the regulations do allow for situations when the employer’s business stops operating for a period of time and employees are not expected to come to work (plants closing for a few weeks to retool, mandatory company-wide summer vacation, etc). In that case, the week the business is closed and no employees are reporting to work would not count against the employee’s FMLA leave entitlement. If the business is closed for a shorter period of time, the general thinking is that the FMLA regulations relating to holidays would likely apply. Under those rules, if the business is closed for a day or two during a week in which the employee is on FMLA leave, then the entire week would count against the employee’s FMLA leave entitlement. If, however, the employee is on intermittent FMLA leave, then only the days that the business is closed and the employee is expected to be at work would count against the leave entitlement.
How do we handle attendance issues where the office is open but public transportation is not available due to the weather and employees cannot come to work?
If the business remains open but employees cannot get to work because of the weather, employers will need to consider their own attendance policies and practices in determining what flexibility to give employees as it relates to attendance. Employers may encourage employees to car pool or assist them in establishing alternative methods of transportation to get to work.
Under the FLSA rules as they relate to pay, however, employers do not need to pay nonexempt employees if they perform no work. For exempt employees, if the business remains open but an employee cannot get to work because of the weather, an employer can deduct an exempt employee’s salary for a full day’s absence taken for personal reasons without jeopardizing the employee’s exempt status. Employers cannot, however, deduct an exempt employee’s salary for less than a full-day absence without jeopardizing the employee’s exempt status.
Does a company have to allow employees to work from home (exempt or nonexempt) if the office is closed due to bad weather?
No, the employer does not need to allow employees to work from home, regardless of their FLSA status (exempt or nonexempt). The employer can make those decisions based upon the work that can be done remotely and based on the needs of the business. The employer should have clearly communicated policies and expectations regarding working from home during office closures.
The bottom line is that every employer should think about the needs of the business, its financial resources, and employees’ needs and have plans in place to manage business issues due to inclement weather. Thinking through what the wage and hour laws require and developing your policies and then applying them consistently and fairly with all employees can reap huge dividends in employee loyalty and retention.
Employer FAQs: Responding to the Anthem Breach
Originally posted February 9, 2015 by The National Law Review - National Law Forum LLC.
The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem's CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs) seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.
But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). Below are some FAQs about the Anthem breach for affected employers.
Isn't this really Anthem's problem?
From a legal compliance standpoint, the answer largely depends on whether the plan is insured or self-funded. For example, as discussed below, in the case of a self-funded group health plan, the HIPAA breach notification rules place the obligation to notify affected persons on the covered entity (i.e., the plan, and practically the plan sponsor) and not on the business associate (i.e., the TPA). However, contract obligations in the business associate agreement (or administrative services only agreement) have to be considered. Finally, as a practical matter, because employees and other persons covered under the plan(s) will be concerned and have questions, employers will need to have a strategy for addressing those concerns.
Is the information involved subject to HIPAA; the Anthem FAQs say Anthem does not believe diagnosis or treatment information was compromised?
According to the Anthem FAQs:
the member data accessed included names, dates of birth, member ID/social security numbers, addresses, phone numbers, email addresses and employment information . . . [but its] investigation to date indicates there was no diagnosis or treatment data exposed.
Many maintain the mistaken belief that, in the case of a group health plan, a covered person’s name and social security number, alone, is not “protected health information” (PHI) under the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The absence of diagnosis or treatment data does not make information any less PHI. This is because the regulatory definition includes not only information about a person’s physical or mental health condition, but also how care is paid for and provided. Thus, data elements that relate to the payment or provision of health care, such as address and email address, could constitute PHI even if not as sensitive as a covered person’s diagnosis information.
What about the state breach notification laws, do they apply?
The Anthem breach involves personal information of individuals, such as names, member ID/social security numbers and other data, the kind of information protected by state breach notification laws, which currently exist in 47 states. Given the massive scale of the breach, it is likely that there are affected individuals residing in all 50 states and beyond.
Some of those state laws have exceptions when HIPAA or other federal regulations apply. Some do not. According to the Anthem FAQs, all product lines have been affected, not just health insurance (medical, dental and vision). This includes life, disability, workers compensation and other policies and products which typically are not subject to HIPAA. Thus, regardless of the Anthem policy or product at issue, the applicable state laws will need to be considered to determine their application in this case.
Our plan is/was insured by Anthem, what should we be doing?
Under HIPAA, both the employer’s group health plan under ERISA and the health insurance issuer that provides the insurance for that ERISA plan are covered entities under HIPAA. Covered entities have the primary breach notification obligations. Under state breach notification laws, the primary notification obligation generally falls on the entity that owns or licenses the data, not necessarily the entity that held the data at the time of the incident. However, in the case of a breach experienced by an insurer, and not the employer sponsoring the plan, the insurer generally is considered to be responsible for responding to the breach. Even if not entirely clear in the applicable statutes or regulations, this makes practical sense because the carrier is in control of the investigation and the facts, and usually is in the best position to work with law enforcement. Carriers can typically disseminate notifications more efficiently across the affected policies, as well as to federal and state agencies, and the media.
To date, Anthem appears to be taking the lead on the investigation and notifying affected persons. For example, its FAQs inform members that they can expect to “receive notice via mail which will advise them of the protections being offered to them as well as any next steps”. Because this incident affects both HIPAA-covered and non-HIPAA plans, it is likely the notices will address the applicable HIPAA and state law requirements.
Still, there are some action items for affected employers to consider:
- Stay informed. Closely follow the developments reported by Anthem, including coordinating with your benefits broker who might have additional information.
- Consult with counsel. Experienced counsel can help employers properly identify their obligations and coordinate with Anthem as needed.
- Communicate with employees. Be prepared to respond to employee questions – consider providing a short summary of the incident to employees along with links to the Anthem materials and FAQs.
- Evaluate vendors. Use this incident as a reason to examine more closely the data privacy and security practices of all third party vendors that handle the personal information of your employees and customers, including insurance companies. Of course, a data breach is generally not a reason, by itself, to switch vendors. With breaches of all sizes affecting many companies, there is no telling whether the grass will be greener. But making inquiries and pressing vendors to do more, including by contract, is a prudent course of action, and even required in some states.
- Revisit your own data security compliance measures. Employers should take this as an opportunity to assess or reassess their own data security compliance measures. As many have noted, it is not just large companies that are vulnerable to these kinds of attacks.
Our plan is/was self-insured and Anthem was our TPA, what should we be doing?
In this case, whether the plan is a health plan covered by HIPAA or another employee welfare benefit, Anthem, as TPA, maintains the personal information of covered persons on behalf of the employer. Anthem’s legal obligations under HIPAA and state law, as applicable, then generally require only that it notify the employer concerning the circumstances of the breach – how it happened, the kind of information breached, who was affected, etc. Then it is up to the employer/covered entity to carry out an appropriate investigation, provide notice to affected persons and otherwise comply with the applicable federal and state laws. However, administrative service agreements and, in the case of health plans, business associate agreements may delegate some of these responsibilities to the TPA, as well as indemnification obligations. So, in addition to some of the steps listed above, employers have a number of things to consider and steps to take:
- Determine if plans have been affected. Employers might soon be receiving communications from Anthem concerning whether their plans have been affected. They also may want to reach out to Anthem and inquire.
- Act quickly. HIPAA and state breach notification laws generally require that notices be provided without unreasonable delay, as well as place outside limits on when such notices can be provided – e.g., 60 days following discovery under HIPAA, and 30 days in Florida.
- Examine the administrative services agreement and/or business associate agreement. For plans that have been affected, employers need to review the related agreements as they could place certain obligations either on the employer or Anthem. The agreements also could be silent, in which case the plan/employer likely has the obligations to notify participants, agencies and media.
- If Anthem is responsible for responding, employers should consider taking certain steps to ensure Anthem’s reaction is compliant – e.g., has it protected data from further attacks, completed the investigation, identified all affected persons, crafted content-compliant notifications (HIPAA and some state laws have specific content requirements), and notified the applicable federal and state agencies.
- If the employer retained the responsibility to respond, it should be taking steps immediately to determine what happened and coordinate with Anthem concerning the response. This includes some of the steps listed above. For instance, in the case of group health plans under HIPAA, employers will need to confirm with Anthem whether Anthem or the employer/group health plan will be notifying the Department of Health and Human Services. Also, employers that have developed a data breach response plan (a good idea for all employers) should review that plan and follow it.
However, as a practical matter and regardless of what is in the services agreement, Anthem may decide to take the lead on the response, and not give employers much choice in shaping the communications made to persons covered under the plans.
- Communicate with covered persons. If it turns out that the employer will be notifying plan participants, in addition to the notification letters referred to above, employers also need to be prepared to address participant questions about the incident. Designating certain individuals or outside vendors to handle these questions and creating a script of anticipated questions and answers would facilitate a consistent and controlled response.
- Evaluate insurance protections. Some employers may have purchased “cyber” or “breach response” insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Employers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.
- Document steps taken. Employers should document the steps they take to investigate and respond to the incident, particularly if it affects one of their group health plans covered by HIPAA.
Some employees have complained about our data security practices, how should we respond?
Take them seriously! Data security has been recognized at the federal, state and local levels as an important public policy concern, most recently by President Obama at the recent State of the Union Address. Disciplining or taking adverse action against an employee who has raised these concerns could expose the employer to retaliation claims or violations of employee whistleblower protections.