Tag Archives: cynthia marcotte stamer

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from Department of Health and Human Services (HHS) Office of Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SMCS agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for Internet application and data use and sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to minimize the risk that their organization or a member of the employer’s workforce honors these arrangements and does not improperly access or use health plan PHI systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because  health plan PHI records also typically include personal tax, Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employer and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements.. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not named a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

The Hidden Traps in Same-Sex Ruling

Employers should move quickly to review and update as necessary their human resources and employee benefit policies and practices concerning when same-sex partners of employees are treated as the spouses of the employees in light of the U.S. Supreme Court’s June 26, 2015, decision in Obergefell v. Hodges.

Employer and employee benefit plan leaders and their consultants are cautioned that the decision requiring states to allow same-sex couples to marry does not eliminate ambiguities or differences in state laws and documentation of marriage. Consequently, policies, practices and programs for administering the employment and employee benefit rights of married employees need to be carefully tailored to identify and require proof of marriage evenhandedly. Administrators must take into account variances and potential biases in state documentation and practices that could create complications or even liabilities for employers and plans if not appropriately considered.

Since the Supreme Court ruled that the Equal Protection Clause of the U.S Constitution entitled same-sex couples to equal treatment with married heterosexual couples under federal law in U.S. v. Windsor, 133 S.Ct. 2675 (2013), employers have faced several challenges understanding and updating their policies and practices with respect to employees involved in same-sex relationships.

The Obama administration’s aggressive reinterpretation of federal employment, employee benefit, tax and other laws and regulations placed pressure on employers to update their policies and practices concerning when to recognize employees in same-sex relationships as marriages for employment, employee benefits and other purposes.

As the Windsor decision did not address whether the U.S. Constitution also guaranteed same-sex couples a right to marry under state law, disparities in the treatment of same-sex marriages between the states and rapid changes in the state statutory and judicial rules governing these determinations created significant challenges. Employers had to determine if a same-sex couple could marry in a particular state and the right and duty of the employer in response to such an arrangement.

Today’s Obergefell ruling will help to resolve some, but not all, of this uncertainty by answering the question whether states may refuse to allow same-sex partners to marry or refuse to recognize marriages of same-sex partners. The Obergefell decision settles this debate by holding that the U.S. Constitution requires all states to allow same-sex couples to marry on the same terms as apply to heterosexual couples.

Employers still face many challenges. While states must now treat same-sex and opposite-sex couples equally under marriage laws, determining consistently whether two individuals are legally married in any particular state remains anything but simple. Variations in the marriage laws of the states mean the requirements for and proof of marriage can vary significantly.

Care must also be taken to manage potential discrimination risks that might arise from the adoption of policies that treat same-sex vs. opposite-sex partners disparately. There could be administrative complications and compliance risks. There could also be sex discrimination liability exposures under the Civil Rights Act and other laws.

Parties should act promptly and carefully with the advice of counsel to evaluate and update their policies to respond to the new decisions and these other challenges and duties.

Healthcare Breaches: How to Respond

The news of a data breach at Premera Blue Cross, following on the heels of the recent announcements of large-scale,  healthcare breaches at Anthem, is another reminder that employers and other health plan sponsors, fiduciaries and insurers need to take immediate steps to assess and tighten up their privacy, data security and data breach compliance and risk management.

Health plans and their employers, administrators, insurers and other vendors and service providers need to take immediate steps to conduct documented investigations, provide mandated breach notifications and take other actions that are required by the Privacy, Security & Breach Notification Rules imposed by the Health Insurance Portability & Accountability Act and other potentially applicable laws.

Employers or other plan sponsors, fiduciaries, administrators and service providers also may be subject to additional responsibilities under the fiduciary responsibility requirements of the Employee Retirement Income Security Act of 1974 (ERISA), the Internal Revenue Code and a host of other laws. Whether they are subject to the additional responsibilities depends on the scope of data affected and their involvement with the affected plans,

Insurance industry or other vendors providing services to these plans also may face specific responsibilities under applicable insurance, health care, federal or state identity theft, privacy or data security or other federal or state laws. (See, e.g., Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond; HIPAA Compliance & Breach Data Shares Helpful Lessons for Health Plans, Providers and Business Associates.)

The need for prompt assessment and action is not necessarily limited to health plans and organizations sponsoring, administering or doing business with the plans involved in the Premera or Anthem breaches. The report of these and other healthcare breaches, as well as recent reports of identity theft and other fraud affecting federal tax returns and other large data breach reports involving retailers and other prominent businesses are spurring recognition of the large risks and need for greater scrutiny and accountability to business collection, use and protection of sensitive personal and other data.

Of course, the risk is exploding largely in response to the continued evolution of electronic payment and other business operating systems coupled with the emergence of data harvesting and other capabilities at virtually every U.S. business. Cyber criminals seem to always be one step ahead of business and government in leveraging these emerging opportunities for their criminal purposes.

Everyone from the Internal Revenue Service, other federal and state government agencies and private business partners are pushing for electronic transactions and data. So, businesses are conducting more and more transactions electronically containing business and individual tax information, personal financial information, personal health information, confidential business and personal information. Meanwhile, “big data” and other business and marketing gurus also encourage businesses to use data from customers, prospects and other sources to benefit marketing and other parts of the business.

As these practices have taken hold over the past decade, data breaches, other cyber crimes and risks have also grown. Privacy, identity theft and other cyber crimes have led federal and state lawmakers to enact an ever-growing list of notice, consent, disclosure, security and other laws and regulations, including the Fair and Accurate Credit Transaction Act (FACTA),the Gramm-Leach-Bliley Act, the Privacy and Security Rules of the Health Insurance Portability and Accountability Act and state identity theft, data security and data breach and other electronic privacy and security laws.

As notorious breaches occur and judgments, penalties and other costs soar, federal and state regulators are looking at the need for expanded rules and penalties. (See Cybercrime Enforcement Statistics; DOJ Enforcement Priorities and Statistics.) Widening data privacy and security concerns from incidents like the recent reports of breaches at Anthem and elsewhere have prompted Congress and state regulators to hold hearings to consider the need for added reforms, and the Federal Trade Commission has just announced plans to host a workshop on Nov. 16, 2015, to look at the privacy issues around the tracking of consumers’ activities across their different devices for advertising and marketing purposes.

While these and other legal and enforcement developments promise new liabilities and expenses, the business losses and customer and business partner implications experienced by Target, Anthem and other businesses illustrate the severe business consequences that inevitably result if a business appears to have failed to take customer privacy or other data security concerns seriously.

The notorious Target hacking data breach event is illustrative. Target reported in late 2013 that credit and debit card thieves stole the name, address, email address and phone number from the credit and debit card records of around 70 million Target shoppers between Nov. 27 and Dec. 15, 2013. After announcing the breach, Target reported a 46% drop in profits in the fourth quarter of 2013, compared with the year before. The company announced plans to invest $100 million upgrading its payment terminals to support Chip-and-PIN-enabled cards and millions of dollars more in rectification efforts. Subsequently, Target’s losses have continued to mount, and it now faces lawsuits and other enforcement actions as a result of the breach.

Beyond a general need to tighten their defenses, health plans, their sponsors, fiduciaries, administrators and vendors have specific obligations that require immediate, well-documented action when an actual or potential breach happens. The Privacy, Security and Breach Notification requirements of HIPAA require that health plans adopt specific policies and maintain and administer specific safeguards. In the event of a breach, these rules require that the health plan, usually acting through its fiduciaries, and affected service providers that qualify as business associates both investigate and redress the breach, as well as provide specific notification as soon as possible, usually no later than 30 days after the health plan knows or has reason to know of the breach. Significant civil and even criminal penalties can apply.

Beyond the specific requirements of HIPAA, employers and other plan sponsors and others involved in the maintenance and administration of the health plan or the selection and oversight of its vendors often may have less-realized responsibilities. As health plan data often includes payroll and other tax data, employers, there may be specific responsibilities under the Internal Revenue Code or other laws. To the extent that the plan sponsor or another party is named as the plan administrator or otherwise exercises control over the selection of the insurer or other plan vendor or other plan operations, the fiduciary obligations of ERISA also may require a prudent investigation and other action. Brokers, insurers, third party administrators, preferred provider organizations or other managed care providers and others doing business with the health plan also may have specific responsibilities under state insurance, health care, data breach and identity theft or other laws. Under the provisions of most of these laws, leaving it to the insurer or other vendor involved in the breach generally will not suffice to fulfill applicable legal responsibilities, much less allay the fears of plan members, employees, healthcare providers and others involved with the health plan.

In the face of these developments, health plans and their sponsors, fiduciaries and others working with them must take immediate action in response to breaches. Businesses also should check the adequacy and defensibility of their current overall data collection, use and security practices while remaining ever-vigilant for new requirements, as well as weaknesses in their own practices.

Businesses need to build their defenses in anticipation of breaches both to withstand government and private litigation and enforcement, and the judgment of public opinion.

Private Exchanges: Panacea or Problem?

Employers trying to continue offering affordable health and welfare benefits amid the expanding costs and regulations enacted under the Patient Protection & Affordable Care Act (ACA) often are encouraged by some consultants and brokers to consider offering  coverage options pursuant to a “private exchange.”

While these options sound attractive, not all work for all employers.

The consumer-driven healthcare and other private exchange lingo used to describe these arrangements often means different things to different people. Some “private exchanges” are little more than high-tech online cafeteria enrollment arrangements. (See, e.g., A ‘Cynical’ Look at Private Exchanges.)

Employers need to scrutinize proposals both for compliance and other legal risks, affordability and cost and other suitability. When considering a private exchange or other arrangement, it is important to understand clearly the proposal, its design, operation, participating vendors, the charges, what is excluded or costs extra and who is responsible for delivering what.

Agencies have issued a long stream of guidance cautioning employers against paying for or reimbursing premiums for individual policies or the cost of enrolling in coverage under a public health insurance exchange. (See, e.g., DOL Technical Release 2013-03IRS Notice 2013-54;Insurance Standards Bulletin, Application of Affordable Care Act Provisions to Certain Healthcare Arrangement; IRS May 13, 2014 FAQs available here. )Most recently, the new FAQS About Affordable Care Act Implementation (XXII) (FAQ XXII) published by the agencies on Nov. 6, 2014, reiterates agency guidance indicating that tax basis for purchasing individual coverage in lieu of group health plan coverage.  FAQ XXII, among other things, states:

  • Health reimbursement accounts (HRAS), health flexible spending arrangements (health FSAs) and certain other employer and union healthcare arrangements where the employer promises to reimburse health care costs: are considered group health plans subject to the Public Health Service Act (PHS Act) § 2711 annual limits, PHS Act § 2713 preventive care with no cost-sharing and other group market reform provisions of PHS Act §§ 2711-2719 and incorporated by reference into the Employee Retirement Income Security Act (ERISA) and the Internal Revenue Code (Code) but
  • HRA or other premium reimbursement arrangements do not violate these market reform provisions when integrated with a group health plan that complies with such provisions. However, an employer healthcare arrangement cannot be integrated with individual market policies to satisfy the market reforms. Consequently, such an arrangement may be subject to penalties, including excise taxes under section 4980D of the Internal Revenue Code (Code).

FAQ XXII reinforces this prior guidance, stating, “Such employer healthcare arrangements cannot be integrated with individual market policies to satisfy the market reforms and, therefore, will violate PHS Act sections 2711 and 2713, among other provisions, which can trigger penalties such as excise taxes under section 4980D of the Code. Under the departments’ prior published guidance, the cash arrangement fails to comply with the market reforms because the cash payment cannot be integrated with an individual market policy.”

Another potential issue arises under the various tax and non-discrimination rules of the code and other federal laws.  For instance, Code sections 105, 125 and other Code provisions against discrimination in favor of highly compensated or key employees could arise based on the availability of options or enrollment participation.  Historically, many have assumed that these concerns could be managed by treating the premiums or value of discriminatory coverage as provided after-tax for highly compensated or key employees. However, IRS and Treasury leaders over the past year have made statements in various public meetings suggesting that the IRS does not view this as a solution. Of course, FAQ XXII also highlights the potential risks of underwriting or other practices of offering individual or other coverage in a manner that discriminates against disabled, elderly or other employees.

In addition to confirming that the arrangement itself doesn’t violate specific Code or other requirements, employers and others responsible for structuring these arrangements also should critically evaluate and document their analysis that the options offered are suitable. Like other employee benefit arrangements, ERISA generally requires that individual or group products offered by employers, unions or both be prudently selected and managed. Compensation arrangements for the brokers and consultants offering these arrangements also should be reviewed for prudence, as well as to ensure that the arrangements don’t violate ERISA’s prohibited transaction rules. Eligibility and other enrollment and related administrative systems and information sharing also should be critically evaluated under ERISA, as well as to manage exposures under the privacy and security rules of the Health Insurance & Portability Act (HIPAA) and other laws.

As a part of this analysis, employers and others contemplating involvement in these arrangements also will want to review the vendor contracts and operating systems of the vendors that will participate in the program for legal compliance, prudence for inclusion, prohibited transactions and other legal compliance, as well as to ensure that the contract holds the vendor responsible for delivering on service and other expectations created in the sales pitch. In reviewing the contract, special attention should be given to fiduciary allocations, indemnification and standards of performance, business associate or other privacy and data security assurances required to comply with HIPAA and other confidentiality and data security requirements and the like. The contractual commitments from the vendor also should cover expected operational performance and reliability as well as legal compliance and risk management.

Important Guidance on ACA Health Plans

The new FAQS About Affordable Care Act Implementation, published Nov. 6, 2014, confirm that employers can’t reimburse employees for purchasing individual coverage, even though various vendors are promoting that approach in lieu of group health plan coverage.

FAQ XXII makes clear that the departments of Labor, Health and Human Services and Treasury object to this practice. FAQ XXII makes clear that the departments consider ACA’s market reforms to outlaw any arrangement pursuant to which an employer provides cash reimbursement to employees for the purchase of an individual market policy, regardless of whether the reimbursement is paid on a pre- or after-tax basis.

This position is consistent with previous guidance that the departments have published, that health reimbursement arrangements (HRAs), health flexible spending arrangements (health FSAs) and certain other employer and union health care arrangements where the employer promises to reimburse health care costs are: considered group health plans subject to the Public Health Service Act (PHS Act) § 2711 annual limits, PHS Act § 2713 preventive care with no cost-sharing and other group market reform provisions of PHS Act §§ 2711-2719 and incorporated by reference into the Employee Retirement Income Security Act (ERISA) and the Internal Revenue Code (Code).

HRA or other premium reimbursement arrangements do not violate these market reform provisions when integrated with a group health plan that complies with such provisions. However, an employer health care arrangement cannot be integrated with individual market policies to satisfy the market reforms. Consequently, such an arrangement may be subject to penalties, including excise taxes under section 4980D of the Internal Revenue Code (Code). (See, DOL Technical Release 2013-03; IRS Notice 2013-54; Insurance Standards Bulletin, Application of Affordable Care Act Provisions to Certain Healthcare Arrangement; IRS May 13, 2014 FAQs.)

FAQ XXII reinforces this prior guidance, stating, “Such employer health care arrangements cannot be integrated with individual market policies to satisfy the market reforms and, therefore, will violate PHS Act sections 2711 and 2713, among other provisions, which can trigger penalties such as excise taxes under section 4980D of the Code. Under the departments’ prior published guidance, the cash arrangement fails to comply with the market reforms because the cash payment cannot be integrated with an individual market policy.” (See, DOL Technical Release 2013-03; IRS Notice 2013-54; Insurance Standards Bulletin, Application of Affordable Care Act Provisions to Certain Healthcare Arrangements, Sept. 16, 2013.)

FAQ XXII also confirms the departments’ view that arrangements where a vendor markets a product to employers claiming that employers can cancel their group policies, set up a Code section 105 reimbursement plan that works with health insurance brokers or agents to help employees select individual insurance policies, and allow eligible employees to access the premium tax credits or other HRA dollars to pay for Marketplace coverage are illegal.

According to FAQ XXII, these arrangements are problematic for several reasons, including:

The arrangements themselves are group health plans. Therefore, employees participating in such arrangements are ineligible for premium tax credits (or cost-sharing reductions) for Marketplace coverage. The mere fact that the employer does not get involved with an employee’s individual selection or purchase of an individual health insurance policy does not prevent the arrangement from being a group health plan. Department of Labor guidance indicates that the existence of a group health plan is based on many circumstances, including the employer’s involvement in the overall scheme and the absence of an unfettered right by the employee to receive the employer contributions in cash.

Under DOL Technical Release 2013-03, IRS Notice 2013-54 and the two IRS FAQs addressing employer health care arrangements, such arrangements are subject to the market reform provisions of the Affordable Care Act, including the PHS Act § 2711 prohibition on annual limits and the PHS Act § 2713 requirement to provide certain preventive services without cost sharing. Such employer health care arrangements cannot be integrated with individual market policies to satisfy the market reforms and, therefore, will violate PHS Act §§ 2711 and 2713, among other provisions, which can trigger penalties such as excise taxes under Code § 4980D.

FAQ XXII also confirms the department’s position that an employer violates the ACA provisions of PHS Act § 2705, ERISA § 715 and Code § 9815, as well as the Health Insurance Portability & Accountability Act (HIPAA) nondiscrimination provisions of ERISA section 702 and Code § 9802 prohibiting discrimination based on one or more health factors if it offers selectively only to employees with high claims risk a choice between enrollment in its standard group health plan or cash.

FAQ XXII clarifies that while the departments’ regulations allow more favorable rules for eligibility or reduced premiums or contributions based on an adverse health factor (sometimes referred to as benign discrimination), in the departments’ view this position does not extend to cash-or-coverage arrangements offered only to employees with a high claims risk. Accordingly, FAQ XXII states such arrangements will violate the nondiscrimination provisions, regardless of whether (1) the cash payment is treated by the employer as pre-tax or post-tax to the employee, (2) the employer is involved in the selection or purchase of any individual market product or (3) the employee obtains any individual health insurance.

Beyond these concerns stated in FAQ XXII, employers and others contemplating offering such a choice also should discuss potential exposures under the Americans With Disabilities Act (ADA) and, depending on the nature of the condition, Medicare law.

In light of this new guidance and previous guidance published by the departments, employers and others sponsoring or contemplating engaging in these arrangements are encouraged to contact competent counsel for assistance in understanding the potential concerns raised by involvement in these practices and their resolution.