
Healthcare Case on Cutting Corners

Healthcare providers, health plans, healthcare clearinghouses (covered entities) and business associates that provide services that deal with protected health information received another reminder to be prepared to prove they are properly handling and administering electronic and other protected health information. This came after the Department of Health & Human Services Office for Civil Rights (OCR) announced its latest in a growing series of high-dollar resolution agreements with a covered entity that was charged with violating the privacy and security standards of the Health Insurance Portability and Accountability Act (HIPAA).

Raleigh Orthopaedic Charges and Resolution Agreement

The Resolution Agreement and Corrective Action Plan announced by OCR on April 20 requires the Raleigh Orthopaedic Clinic, P.A. to pay $750,000 to settle charges that it violated the privacy rule. The clinic handed over the protected health information of approximately 17,300 patients to a potential business partner without first executing a business-associate agreement.

Raleigh Orthopaedic is a provider group practice that operates clinics and a surgery center in the Raleigh, NC, area. OCR’s investigation indicated that Raleigh Orthopaedic violated privacy rules by releasing X-ray films and related protected health information of patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity before turning over the X-rays and protected health information (PHI).

Although the resolution only addresses charges OCR brought against the covered entity (Raleigh Orthopaedic), business associates need to keep in mind that both covered entities and business associates are now responsible for ensuring compliance with the business associate agreement requirements of the privacy rules — ever since the stimulus bill amended HIPAA to make most provisions of the privacy rule directly applicable to business associates, as well as covered entities.

Takeaways for Covered Entities and Their Business Associates

The resolution agreement includes a strong message for other covered entities and business associates: It’s important for an entity to take seriously its responsibility under the privacy rule to ensure the business associate agreement requirements of the privacy rule are met before business associates are allowed to receive, access or use protected health information. Jocelyn Samuels, the director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), said, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected,” and “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

In many cases, the process of evaluating the adequacy of current arrangements and of considering the advisability of changes to tighten existing practices will result in the discovery and discussion of potentially sensitive information. For example, it is possible that, in the course of review, parties may be unable to locate a signed business associate agreement that governs a relationship, or that information may surface indicating that breaches of protected health information or other privacy rule violations may have occurred. For this reason, most covered entities and their business associates will want to consider arranging for this review and analysis to be conducted within the scope of attorney-client privilege or under the direction of qualified legal counsel with HIPAA experience who has entered into a business associate agreement.

Rising Risks of Medicare Audits

Texas physician Dennis B. Barson Jr. and his medical clinic administrator are headed to prison. The 10-year prison sentence imposed against Barson, like an $8 million-plus healthcare fraud civil settlement announced by the Justice Department on July 24, 2014, illustrates the significant legal risks that physicians and other healthcare providers face when physician charges are improperly billed to Medicare, Medicaid, Tricare or other federal or state healthcare programs for services actually provided by non-physician staff.

Physicians and others should heed the lessons from these and other similar federal and state healthcare fraud enforcement actions when deciding when it is appropriate to bill federal healthcare programs for physician services where physician assistants, nurse practitioners or other nursing staff or other non-physicians perform part or all of the procedures billed.

Dr. Barson Prison Sentence Highlights Criminal Risks

On Monday, July 27, 2015, U.S. District Court Judge Melinda Harmon ordered Barson to serve 120 months in prison, followed by three years of supervised release, and to pay restitution of approximately $1.2 million for his Nov. 5, 2014, conviction on all 20 counts of conspiracy to defraud Medicare of $2.1 million.

With Judge Harmon presiding, a Houston jury found Barson and his medical clinic administrator, Dario Juarez, 55 years old, guilty on the Medicare fraud charges last November. Another co-defendant, Edgar Shakbazyan, entered a guilty plea to the 21-count original indictment on Oct. 27, 2014. Shakbazyan, of Glendale, CA, was sentenced to 97 months in prison, while Juarez, of Beeville, Texas, received 130 months. Both will also serve three years of supervised release.

The jury convictions of Barson and Juarez followed a trial where Department of Justice prosecutors proved the healthcare fraud charges based on evidence that Barson, Juarez and Shakbazyan fraudulently billed Medicare for rectal sensation tests and electromyogram (EMG) studies of the anal or urethral sphincter that were never performed. Shakbazyan was additionally charged and pled guilty to conspiracy to pay kickbacks for payments made to recruiters and beneficiaries.

According to the testimony at trial, Barson was the only doctor affiliated with the medical clinic located at 8470 Gulf Freeway in Houston. However, Juarez represented himself to be a doctor and was the one who actually saw patients at the clinic. Barson, Juarez and Shakbazyan caused Medicare to be billed for procedures on 429 patients in just two months. The three men also billed Medicare for seeing more than 100 patients on 13 different days, including a high of 156 patients on July 13, 2009.

Barson’s defense attempted to convince the jury that he was a victim of identity theft and was not the perpetrator of the crimes. The conviction shows the jurors did not believe his story. The criminal charges are the result of a joint investigation conducted by agents of the FBI, Department of Health and Human Services-Office of Inspector General and the Medicaid Fraud Control Unit of the Texas Attorney General’s Office.

Margossian Settlement Shows Even More Common Civil Penalty Risks

Barson’s sentencing is one of a growing series of criminal convictions and sentencing of physicians and other healthcare providers for healthcare fraud by participating in arrangements where Medicare, Medicaid or other federal healthcare programs are billed for services not provided or not provided as required to qualify for reimbursement. On July 24, 2015, for instance, the U.S. Attorney for the Eastern District of New York and the State of New York announced that Brooklyn, NY, OB/GYN Haroutyoun Margossian will pay $8 million as part of a civil settlement with the U.S. and the state of New York. The settlement resolves charges brought under the federal False Claims Act and the New York False Claims Act that Margossian wrongfully billed Medicare and Medicaid for physician services for treatments of women suffering from urinary incontinence that unlicensed and often unsupervised staff, rather than Margossian or another physician, actually administered. The government has also filed a criminal charge against Margossian for making false statements to Medicare and entered into a deferred prosecution agreement with him.

Healthcare Fraud Investigations Raise Other Licensing and Practice Risks

The Barson and Margossian actions are just two of the already long and ever-growing list of criminal convictions, civil sanctions and civil settlements that federal and state healthcare fraud fighters already can count as notches of success in their war against healthcare fraud by physicians and other healthcare providers. With these successes fueling more investigations, physicians and others should be prepared to “do time” for improperly billing physician fees to federal healthcare programs for services not provided by the billing physician or for engaging in other inappropriate billing practices. Targets of audits and investigations also must prepare to deal with a host of other threats to their practices that almost inevitably arise regardless of whether the government investigation leads to a conviction, civil sanctions or a settlement.

As demonstrated by the Margossian settlement, even if physicians, practice management and others swept up into these investigations escape being criminally charged, subjected to civil sanctions or penalties or suspended or excluded from Medicare or other federal healthcare programs, healthcare fraud investigations or charges still will carry a heavy cost. Healthcare fraud warriors are realizing great success in securing civil sanctions and settlements, federal program exclusions and other civil and administrative punishments against physicians and other healthcare providers that the government accuses of violating the False Claims Act or other federal healthcare fraud rules.

Of course, whether healthcare fraud investigations ultimately result in any civil or criminal prosecution, conviction or settlement, physicians and other licensed healthcare providers under suspicion of healthcare fraud inevitably must deal with a broad range of other professional fallout. These activities almost always trigger scrutiny or other actions by employers and medical practices, healthcare organizations and licensing boards.

Act to Strengthen Your Defenses

Physicians and others should take steps to minimize the risk of an investigation or audit as well as take steps to help ensure sufficient resources to defend themselves if the government comes knocking.

Of course, the first step should be to take proper, well-documented efforts to comply with the rules. Physicians and the clinics, hospitals and management working with them should carefully evaluate what can be defensibly billed as physician services to Medicare or another federal healthcare program — keeping in mind that the billing party, not the government, generally bears the burden of proving that the amount billed qualifies for coverage. Physicians and others must carefully consider the adequacy of the physician’s involvement in prescribing and delivering services intended to be billed as physician services. In areas where questions could be raised, physicians and their organizations are strongly urged to take extra care to retain documentation of their analysis and efforts to verify their compliance, including consulting legal counsel for advice within the scope of attorney-client privilege.

Physicians and others working with them also should familiarize themselves with their obligations and rights under employment agreements, shareholder or partnership agreements, medical staff bylaws, managed care contracts, medical licensing board rules and the Health Care Quality And Improvement Act. In many cases, these arrangements will compel a physician to provide notice of an investigation, audit, allegation or charge, will trigger separate investigatory or disciplinary action against the physician, or both.

Along with the stiff civil sanctions or settlements imposed, physicians and others investigated or charged with healthcare fraud often incur significant legal and other costs. Physicians and others should consider if they can expect to have sufficient funds to pay the legal and other costs of their defense. Physicians and their organizations concerned about the adequacy of these resources may wish to explore, where available, raising their malpractice policy coverage limits, purchasing other supplemental coverage and taking similar steps to better position themselves. Physicians generally will want to review the adequacy and limits of the coverages that their practices provide, as well as consider the reliability of that coverage in the event that the physician is terminated or leaves the practice.

Because of the 10-year statute of limitations applicable to False Claims Act claims, billings can come back to haunt a physician 10 years after their submission. With this tremendously long liability period, even in the absence of government investigation, a significant risk exists that a physician may experience a practice relocation or other change that would affect his coverage during this period. When an investigation happens, the possibility that the physician will relocate his practice skyrockets. Consequently, physicians should consider purchasing tail coverage, maintaining separate, portable professional liability coverage or both.

Physicians and their practices also should consider the adequacy of the coverage provided by their professional liability or other policies. If the policy provides no or limited coverage, both the physician and his associated organization or practice may want to explore purchasing additional riders on the existing policy, purchasing separate coverage or both, as well as to raise the limits on the coverages.

Practice leaders, hospitals and other organizations that would be swept up into these investigations generally share an interest in ensuring that the physician possesses adequate resources to defend herself, as their organization and its billings are likely to be hurt if the physician is unable to defend the billings.

More Pressure to Protect Health Data

Health plans, insurers and other health plan industry service providers need to ensure that their Internet applications properly safeguard protected health information (PHI), based on a recent warning from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

The warning comes in a resolution agreement with St. Elizabeth’s Medical Center (SEMC) that settles OCR charges that it breached the Health Insurance Portability and Accountability Act (HIPAA) by failing to protect the security of personal health data when using Internet applications. The agreement shows how complaints filed with OCR by workforce members can create additional compliance headaches for covered entities or their business associates.

With recent reports on massive health plan and other data breaches fueling widespread regulatory concern, covered entities and their business associates should prepare to defend the adequacy of their own HIPAA and other health data security practices. Accordingly, health plans and their employer or other sponsors, health plan fiduciaries, health plan vendors acting as business associates and others dealing with health plans and their management should contact legal counsel experienced in these matters for advice within the scope of attorney-client privilege about how to respond to the OCR warning and other developments to manage their HIPAA and other privacy and data security legal and operational risks and liabilities.

SEMC Resolution Agreement Overview

The SEMC resolution agreement settles OCR charges that SEMC violated HIPAA. The charges stem from an OCR investigation of a Nov. 16, 2012, complaint by SEMC workforce members and a separate data breach report that SEMC made to OCR of a breach of unsecured electronic PHI (ePHI). The information was stored on a former SEMC workforce member’s personal laptop and USB flash drive, and 595 individuals were affected.

In their complaint, SEMC workers complained that SEMC violated HIPAA by allowing workforce members to use an Internet-based document application to share and store documents containing electronic protected health information (ePHI) of at least 498 individuals without adequately analyzing the risks. OCR says its investigation of the complaint and breach report revealed among other things that:

  • SEMC improperly disclosed the PHI of at least 1,093 individuals;
  • SEMC failed to implement sufficient security measures regarding the transmission of and storage of ePHI to reduce risks and vulnerabilities to a reasonable and appropriate level; and
  • SEMC failed to identify and respond to a known security incident, mitigate the harmful effects of the security incident and document the security incident and its outcome in a timely manner.

To resolve OCR’s charges, SEMC agreed to pay $218,400 to OCR and implement a “robust corrective action plan.” Although the required settlement payment is relatively small, the resolution agreement merits attention because of its focus on security requirements for the Internet application, data use and data sharing activities engaged in by virtually every covered entity and business associate.

HIPAA-Specific Compliance Lessons

OCR Director Jocelyn Samuels said covered entities and their business associates must “pay particular attention to HIPAA’s requirements when using Internet-based document sharing applications.” She stated that, “to reduce potential risks and vulnerabilities, all workforce members must follow all policies and procedures, and entities must ensure that incidents are reported and mitigated in a timely manner.”

The resolution agreement makes clear that OCR expects health plans and other covered entities and their business associates to be able to show both their timely investigation of reported or suspected HIPAA susceptibilities or violations as well as to self-audit and spot test HIPAA compliance in their operations. The SEMC corrective action plan also indicates covered entities and business associates must be able to produce evidence showing a top-to-bottom dedication to HIPAA, to prove that a “culture of compliance” permeates their organizations.

Covered entities and business associates should start by considering the advisability for their own organization to take one or more of the steps outlined in the “robust corrective action plan,” starting with the specific steps that SEMC must take:

  • Conducting self-audits and spot checks of workforce members’ familiarity and compliance with HIPAA policies and procedures on transmitting ePHI using unauthorized networks; storing ePHI on unauthorized information systems, including unsecured networks and devices; removal of ePHI from SEMC; prohibition on sharing accounts and passwords for ePHI access or storage; encryption of portable devices that access or store ePHI; security incident reporting related to ePHI; and
  • Inspecting laptops, smartphones, storage media and other portable devices, workstations and other devices containing ePHI and other data devices and systems and their use; and
  • Conducting other tests and audits of security and compliance with policies, processes and procedures; and
  • Documenting results, findings, and corrective actions including appropriate up-the-ladder reporting and management oversight of these and other HIPAA compliance expectations, training and other efforts.

Broader HIPAA Compliance and Risk Management Lessons

Covered entities and their business associates also should be mindful of more subtle, but equally important, broader HIPAA compliance and risk management lessons.

One of the most significant of these lessons is the need for proper workforce training, oversight and management. The resolution agreement sends an undeniable message that OCR expects covered entities, business associates and their leaders to be able to show their effective oversight and management of the operational compliance of their systems and members of their workforce with HIPAA policies.

The resolution agreement also provides insights to the internal corporate processes and documentation of compliance efforts that covered entities and business associates may need to show their organization has the required “culture of compliance.” Particularly notable are terms on documentation and up-the-ladder reporting. Like tips shared by HHS in the recently released Practical Guidance for Health Care Governing Boards on Compliance Oversight, these details provide invaluable tips.

Risks and Responsibilities of Employers and Their Leaders

While HIPAA places the primary duty for complying with HIPAA on covered entities and business associates, health plan sponsors and their management still need to make HIPAA compliance a priority for many practical and legal reasons.

HIPAA data breach or other compliance reports often trigger significant financial, administrative, workforce satisfaction and other operational costs for employer health plan sponsors. Inevitable employee concern about health plan data breaches undermines employee value and satisfaction. These concerns usually require employers to expend significant management and financial resources to respond.

The costs of investigation and redress of a known or suspected HIPAA data or other breach typically far exceed the actual damages to participants resulting from the breach. While HIPAA technically does not make sponsoring employers directly responsible for these duties or the costs of their performance, as a practical matter sponsoring employers typically can expect to pay costs and other expenses that its health plan incurs to investigate and redress a HIPAA breach. For one thing, except in the all-too-rare circumstances where employers as plan sponsors have specifically negotiated more favorable indemnification and liability provisions in their vendor contracts, employer and other health plan sponsors usually agree in their health plan vendor contracts to pay the expenses and to indemnify health plan insurers, third party administrators and other vendors for costs and liabilities arising from HIPAA breaches or other events arising in the course of the administration of the health plan. Because employers typically are obligated to pay health plan costs in excess of participant contributions, employers also typically would be required to provide the funding their health plan needs to cover these costs even in the absence of such indemnification agreements.

Sponsoring employers and their management also should be aware that the employer’s exception from direct liability for HIPAA compliance does not fully insulate the employer or its management from legal risks in the event of a health plan data breach or other HIPAA violation.

While HIPAA generally limits direct responsibility for compliance with the HIPAA rules to a health plan or other covered entity and their business associates, HIPAA hybrid entity and other organizational rules and criminal provisions of HIPAA, as well as various other federal laws, arguably could create liability risks for the employer. See, e.g., Cyber Liability, Healthcare: Healthcare Breaches: How to Respond; Restated HIPAA Regulations Require Health Plans to Tighten Privacy Policies and Practices; Cybercrime and Identity Theft: Health Information Security Beyond. For example, hybrid entity and other organizational provisions in the HIPAA rules generally require employers and their health plan to ensure that health plan operations are appropriately distinguished from other employer operations for otherwise non-covered human resources, accounting or other employer activities to avoid subjecting their otherwise non-covered employer operations and data to HIPAA Rules. To achieve this required designation and separation, the HIPAA rules typically also require that the health plan include specific HIPAA language and the employer and health plan take appropriate steps to designate and separate health plan records and data, workforces and operations from the non-covered business operations and records of the sponsoring employer. Failure to fulfill these requirements could result in the unintended spread of HIPAA restrictions and liabilities to other aspects of the employer’s human resources or other operations. Sponsoring employers will want to confirm that health plan and other operations and workforces are properly designated, distinguished and separated to reduce this risk.

When putting these designations and separations in place, employers also generally will want to make arrangements to ensure that their health plan includes the necessary terms and that the employer implements the policies necessary for the employer to provide the certifications to the health plan that HIPAA will require that the health plan receive before HIPAA will allow health plan PHI to be disclosed to the employer or its representative for the limited underwriting and other specified plan administration purposes permitted by the HIPAA rules.

Once these arrangements are in place, employers and their management also generally will want to take steps to ensure that their organization and the members of the employer’s workforce honor these arrangements and do not improperly access or use health plan PHI or systems in violation of these conditions or other HIPAA rules. This or other wrongful use or access of health plan PHI or systems could violate criminal provisions of HIPAA or other federal laws making it a crime for any person – including the employer or a member of its workforce – to wrongfully access health plan PHI, electronic records or systems. Because health plan PHI records also typically include personal tax and Social Security information that the Internal Revenue Code, the Social Security Act and other federal laws generally would require the employer to keep confidential and to protect against improper use, employers and their management also generally should be concerned about potential exposures for their organization that could result from improper use or access of this information in violation of these other federal laws. Because HIPAA and some of these other laws under certain conditions make it a felony to violate these rules, employers and their management generally will want to treat compliance with these federal rules as critical elements of the employer’s federal sentencing guideline and other compliance programs.

Employers or members of their management also may have an incentive to promote health plan compliance with HIPAA or other health plan privacy or data security requirements.

For instance, health plan sponsors and management involved in health plan decisions, administration or oversight could face personal fiduciary liability risks under ERISA for failing to act prudently to ensure health plan compliance with HIPAA and other federal privacy and data security requirements. ERISA’s broad functional fiduciary definition encompasses both persons and entities appointed as “named” fiduciaries and others who functionally exercise discretion or control over a plan or its administration. This fiduciary status and risk can occur even if the entity or individual is not designated a named fiduciary, expressly disclaims fiduciary responsibility or does not realize it bears fiduciary status or responsibility. Because fiduciaries generally bear personal liability for their own breaches of fiduciary duty as well as potential co-fiduciary liability for fiduciary breaches committed by others that they knew or prudently should have known, most employers and members of their management will make HIPAA health plan compliance a priority.

Furthermore, most employers and their management also will appreciate the desirability of taking reasonable steps to manage potential exposures that the employer or members of its management could face if their health plan or the employer violates the anti-retaliation rules of HIPAA or other laws through the adoption and administration of appropriate human resources, internal investigation and reporting, risk management policies and practices. See Employee & Other Whistleblower Complaints Common Source of HIPAA Privacy & Other Complaints.

Manage HIPAA and Related Risks

At a minimum, health plans and their business associates should move quickly to conduct a documented assessment of the adequacy of their health plan Internet applications and other HIPAA compliance in light of the Resolution Agreement and other developments. Given the scope and diversity of the legal responsibilities, risks and exposures associated with this analysis, most health plan sponsors, fiduciaries, business associates and their management also will want to consider taking other steps to mitigate various other legal and operational risks that lax protection or use of health plan PHI or systems could create for their health plan, its sponsors, fiduciaries, business associates and their management. Health plan fiduciaries, sponsors and business associates and their leaders also generally will want to explore options to use indemnification agreements, liability insurance or other risk management tools as a stopgap against the costs of investigation or defense of a HIPAA security or other data breach.

The Hidden Traps in Same-Sex Ruling

Employers should move quickly to review and update as necessary their human resources and employee benefit policies and practices concerning when same-sex partners of employees are treated as the spouses of the employees in light of the U.S. Supreme Court’s June 26, 2015, decision in Obergefell v. Hodges.

Employer and employee benefit plan leaders and their consultants are cautioned that the decision requiring states to allow same-sex couples to marry does not eliminate ambiguities or differences in state laws and documentation of marriage. Consequently, policies, practices and programs for administering the employment and employee benefit rights of married employees need to be carefully tailored to identify and require proof of marriage evenhandedly. Administrators must take into account variances and potential biases in state documentation and practices that could create complications or even liabilities for employers and plans if not appropriately considered.

Since the Supreme Court ruled that the Equal Protection Clause of the U.S. Constitution entitled same-sex couples to equal treatment with married heterosexual couples under federal law in U.S. v. Windsor, 133 S.Ct. 2675 (2013), employers have faced several challenges understanding and updating their policies and practices with respect to employees involved in same-sex relationships.

The Obama administration’s aggressive reinterpretation of federal employment, employee benefit, tax and other laws and regulations placed pressure on employers to update their policies and practices concerning when to recognize the same-sex relationships of employees as marriages for employment, employee benefits and other purposes.

As the Windsor decision did not address whether the U.S. Constitution also guaranteed same-sex couples a right to marry under state law, disparities in the treatment of same-sex marriages between the states and rapid changes in the state statutory and judicial rules governing these determinations created significant challenges. Employers had to determine if a same-sex couple could marry in a particular state and the right and duty of the employer in response to such an arrangement.

Today’s Obergefell ruling will help to resolve some, but not all, of this uncertainty by answering the question whether states may refuse to allow same-sex partners to marry or refuse to recognize marriages of same-sex partners. The Obergefell decision settles this debate by holding that the U.S. Constitution requires all states to allow same-sex couples to marry on the same terms as apply to heterosexual couples.

Employers still face many challenges. While states must now treat same-sex and opposite-sex couples equally under marriage laws, determining consistently whether two individuals are legally married in any particular state remains anything but simple. Variations in the marriage laws of the states mean the requirements for and proof of marriage can vary significantly.

Care must also be taken to manage potential discrimination risks that might arise from the adoption of policies that treat same-sex vs. opposite-sex partners disparately. There could be administrative complications and compliance risks. There could also be sex discrimination liability exposures under the Civil Rights Act and other laws.

Parties should act promptly and carefully with the advice of counsel to evaluate and update their policies to respond to the new decisions and these other challenges and duties.

Firms Must Now Clean Up Health Plans

Businesses, brace yourselves for health plan enforcement! With the Supreme Court’s much anticipated June 25, 2015, King v. Burwell decision dashing the hope that the Supreme Court would provide relief for businesses and their group health plans from the Patient Protection and Affordable Care Act (ACA) mandates by striking down ACA, U.S. businesses that offered health coverage in 2014 and those continuing to sponsor health coverage must swiftly act to review and verify the adequacy of their 2014 and current group health plan’s compliance with ACA and other federal group health plan mandates. Businesses must also begin finalizing their group health plan design decisions for the coming year.

Prompt action to assess and verify compliance is particularly critical in light of the much-overlooked “Sox for Health Plans” style rules of Internal Revenue Code (Code) Section 6039D. The rules generally require group health plans that violated various federal group health plan mandates to self-identify and self-report these violations, as well as self-assess and pay the excise taxes of as much as $100 a day per violation triggered by uncorrected violations. While the mandates were applicable prior to 2014 for uncorrected violations of a relatively short list of pre-ACA federal group health mandates, ACA broadened the applicability of Code Section 6039D to include ACA’s group health plan mandates beginning in 2014. This means that, in addition to any other liability that the company, its group health plan and its fiduciaries might bear for violating these rules under the Employee Retirement Income Security Act, the Code, the Social Security Act or otherwise, the sponsoring business also will incur liability for the Code Section 6039D excise tax for uncorrected violations, as well as the penalties and interest that can result from late filing or non-filing.

Many employers have significant exposure to these Code Section 6039D excise tax liabilities because many plan sponsors or their vendors have delayed reviewing or updating their group health plans for compliance with some or all of ACA’s mandates. In many cases, businesses delayed in hopes that the Supreme Court would strike down the law, Congress would amend or repeal it, or both. In other cases, limited or continuing changes to the regulatory guidance about some of ACA’s mandates prompted businesses to hold off investing in compliance to minimize compliance costs. Regardless of the past reasons for such delays, however, businesses sponsoring group health plans after 2013 need to recognize and act to address their exposure for uncorrected post-2013 ACA violations.

Although many businesses, as well as individual Americans, have held off taking long overdue steps to comply with ACA’s mandates pending the Supreme Court’s King v. Burwell decision, the three agencies charged with enforcement (the IRS, Department of Labor and Department of Health and Human Services) have been gearing up to enforce those provisions of ACA already in effect and to finalize implementation of others in the expectation of a ruling in favor of the Obama administration. As a practical matter, ACA opponents need to recognize that the Supreme Court’s King decision realistically gives these agencies the go-ahead to move forward with these plans for aggressive implementation and enforcement.

Although technically only addressing a challenge to the Obama administration’s interpretation of the individual tax credit (“Individual Subsidy”) that ACA created under Code Section 36B, the Supreme Court’s decision eliminates any realistic hope that the Supreme Court will provide relief to businesses or their group health plans with any meaningful past or current ACA violations by striking down the law itself. Of all of the currently pending challenges to ACA working their way through the courts, the King case presented the best chance of a Supreme Court ruling that would wholesale invalidate ACA’s insurance reforms, if not the law itself, because of the importance of the Individual Subsidy to the intended workings of those reforms. By upholding the Obama administration’s interpretation of Code Section 36B as allowing otherwise qualifying individuals living in states without a state-run ACA health insurance exchange to claim the Individual Subsidy for buying health care coverage through the federal Healthcare.gov health insurance exchange, the Supreme Court effectively killed the best possibility that the Supreme Court would invalidate the insurance reforms or ACA itself. While various challenges still exist to the law or certain of the Obama administration’s interpretations of its provisions, none of these existing challenges presents any significant possibility that the Supreme Court will strike down ACA.

While the Republicans in Congress have promised to take congressional action to repeal or reform ACA since retaking control of the Senate in last fall’s elections, meaningful legislative reform also looks unlikely because the Republicans do not have the votes to override a presidential veto.

In light of these developments, businesses must prepare both to meet their current and future ACA and other federal health plan compliance obligations and defend potential deficiencies in their previous compliance over the past several years. The importance of these actions takes on particular urgency given the impending deadlines under the largely overlooked “Sox for Health Plans” rules of Code Section 6039D for businesses that sponsored group health plans after 2013.

Under Code Section 6039D, businesses sponsoring group health plans in 2014 must self-assess the adequacy of their group health plan’s compliance with a long list of ACA and other federal mandates in 2014. To the extent that there exist uncorrected violations, businesses must self-report these violations and self-assess on IRS Form 8928 and pay the required excise tax penalty of $100 for each day in the noncompliance period with respect to each individual to whom such failure relates. For ACA violations, the reporting and payment deadline generally is the original due date for the business’ tax return. Absent further regulatory or legislative relief, businesses providing group health plan coverage in 2014 or thereafter also should expect to face similar obligations and exposures. As a result, businesses that sponsored group health plans in 2014 or thereafter should act quickly to verify the adequacy of their group health plan’s compliance with all ACA and other group health plan mandates covered by the Code Section 6039D reporting requirements. Prompt action to identify and self-correct covered violations may mitigate the penalties a company faces under Code Section 6039D as well as other potential liabilities associated with those violations under the Employee Retirement Income Security Act (ERISA), the Social Security Act or other federal laws. On the other hand, failing to act promptly to identify and deal with these requirements and the potential reporting and excise tax penalty self-assessment and payment requirements imposed by Code Section 6039D can significantly increase the liability the business faces for these violations, both by triggering additional interest and late payment and filing penalties and by forfeiting the potential opportunities that Code Section 6039D otherwise might offer to qualify to reduce or avoid penalties through good-faith efforts to comply or self-correct.

While current guidance allows businesses the opportunity to extend the deadline for filing of their Form 8928, the payment deadline for the excise taxes cannot be extended. Code Section 6039D provides opportunities for businesses to reduce their excise tax exposure by self-correction or showing good faith efforts to comply with the ACA and other group health plan mandates covered by Code Section 6039D. Businesses need to recognize, however, that delay in identification and correction of any compliance concerns makes them less likely to qualify for this relief. Accordingly, prompt action to audit compliance and address any compliance concerns is advisable to mitigate these risks as well as other exposures.

Businesses preparing to conduct audits also are urged to consider seeking advice from qualified legal counsel experienced in these and other group health plan matters before initiating their audit, as well as regarding the evaluation of any concerns that might be uncovered. While businesses inevitably will need to involve or coordinate with their accounting, broker and other vendors involved with the plans, businesses generally will want to preserve the ability to claim attorney-client privilege to protect all or parts of their audit investigation and analysis and certain other matters against discovery. Businesses will also want assistance with proper evaluation of options in light of findings and assistance from counsel to document the investigation and carefully craft any corrective actions for defensibility.