Schaumburg, IL -- Benefit Express Services, LLC, a leader in providing benefits administration for large, medium, and small organizations, will be hosting a free Mergers & Acquisitions webinar on April 17 featuring Carrier Alexander and Kimberlie England from Findley Davies. The presentation will focus on HR's critical role during mergers and acquisitions, from assessing total compensation to retaining key talent. The audience will learn best practices for HR during each phase of a merger and acquisition.
"Benefit Express regularly hosts free educational webinars on issues that today's HR and benefit professionals are most concerned about," said Doug Hammond, Benefit Express' Vice President of Sales and Business Development. "We are constantly working to establish partnerships with industry experts that our client's want to hear from." Benefit Express offers Spring and Summer series of free educational and legislative webinars. Topics include: Healthcare Reform changes, COBRA rules and regulations, W2 requirements, HIPAA training, identity theft protection, wellness programs, total reward programs, and many more.
Webinar: 10 Best Practices for Human Resources during Mergers & Acquisitions
About Findley Davies
Findley Davies is an independent consulting firm focused on maximizing the effectiveness of human resources strategies. We help clients make critical business decisions to retain talent, manage health care and retirement costs, leverage technology, and drive organizational change. Our consultants, actuaries, and administrators partner with organizations to create solutions for complex business challenges. For more information, visit www.findleydavies.com.
Schaumburg, IL -- Benefit Express Services, LLC, a leader in providing benefits administration solutions for large, medium and small organizations, announced the launch of My Employee Communicator, a new feature in their suite of human resource administration tools. My Employee Communicator is an online communication tool that is directly integrated into Benefit Express' benefits administration and online enrollment system, My Benefit ExpressTM. The latest enhancement provides clients' human resource staff the freedom and flexibility to send out mass communication to their employees on demand.
Benefit Express' My Employee Communicator enables clients to:
Use predefined communications or create their own
Send electronic or paper communications
Send to the entire employee population or only specific groups of individuals
Schedule the release date, time and frequency of each communication
Encrypt and secure emails
Automatically attach each individual's confirmation statement to the tailored message
By integrating My Employee Communicator into Benefit Express benefits administration system, clients benefit from easier and more streamlined employee communication options and a reduction in their administrative load. "Our top priority is to provide our clients with solutions to the challenges they face every day," said Maria Bradley, president and founder of Benefit Express. "This solution helps employers communicate effectively and efficiently to their employee populations."
Schaumburg, IL -- Benefit Express Services, LLC, a leader in providing benefits administration for large, medium, and small organizations, will be hosting a free Total Rewards webinar on March 6 featuring Dale Moyer, President of Incentovate. The presentation will focus on four core areas of total rewards and will provide a perspective on how organization's offerings compare to the broader market. The audience will learn valuable strategies to evaluate their organization's compensation and benefits offerings as well as learn techniques to enhance the value proposition of their total rewards.
"Benefit Express regularly hosts educational webinars on issues that today's HR and benefit professionals are most concerned about," said Doug Hammond, Benefit Express' Vice President of Sales and Business Development. "We are constantly working to establish partnerships with industry experts that our client's want to hear from." Benefit Express offers Spring and Summer series of educational and legislative webinars. Topics include: Healthcare Reform changes, COBRA rules and regulations, W2 requirements, HIPAA training, identity theft protection, wellness programs, total reward programs, and many more.
Incentovate is a management consultant specializing in strategic evaluation and implementation of compensation and benefits solutions. Incentovate provides cutting-edge customized solutions designed to strengthen their client organizations and position them for future success. Clients include school districts, universities, private and non-for-profit organizations that regard their people as their greatest strategic assets. For more information, visit www.incentovatesolutions.com
About Benefit Express
At Benefit Express, the focus is on flexible administration solutions. Their self-service platform - My Benefit ExpressTM - delivers tools which help clients efficiently manage HR & Benefits Administration. With My Benefit ExpressTM clients have direct access to: customized content delivery, enrollment assistance, employee benefit education tools, transactional administrative processing/tracking, carrier billing reconciliation, vendor data-links and detailed HR reporting. Benefit Express' solutions provide the flexibility for clients to choose how, where and by whom work gets done. For more information, visit www.BenefitExpressOnline.com close
Schaumburg, IL -- Benefit Express Services, LLC, a leader in providing benefits administration for large, medium, and small organizations, announced today the expansion of their existing cloud architecture. The enhancement translates into several benefits for the company and its clients, including increased performance, and improved reliability and scalability allowing for a better end-user experience.
Benefit Express' award winning online enrollment system, My Benefit ExpressTM, is built upon multi-tiered architecture using a Microsoft platform. The multi-tier architecture allows the application to scale upwards by increasing individual hardware components at any of the levels without compromising the efficiency and reliability of My Benefit ExpressTM. Built using distributed architecture and deployed in a cloud environment, the software is designed to manage operations with millions of distinct clients with individual plans, procedures, and rules. Parallel processing, software and hardware fail-over, and distribution of processing to protect against network outages are all key to the company's scalability.
An increase in overall capacity 6 times its original size.
A boost in uptime efficiencies, processing power and the volume of redundancies.
An enhanced testing and deployment environment for updates and new product releases.
Improved flexibility allowing for easier management.
"The enhancements we've made to our private cloud help us maintain the great track record of reliability and availability our clients expect," said Bill Mayhew, Benefit Express' Technology Architect. "It also allows us to grow our business and keep our technology staff focused on product enhancements instead of the normal IT management tasks associated with a data center."
Yesterday, the Department of Labor released Technical Release 2013-02. It provided guidance for the Model Exchange Notice and the Model COBRA Election Notice. A copy of Technical Release 2013-02 follows:
Many provisions of the Patient Protection and Affordable Care Act (Affordable Care Act) that become effective beginning in 2014 are designed to expand access to affordable health coverage. These include provisions for coverage to be offered through a Health Insurance Marketplace (Marketplace), premium tax credits to assist individuals in purchasing such coverage, employer notice to employees of coverage options available through the Marketplace, and other related provisions. The Departments of Labor, Health and Human Services (HHS), and the Treasury are working together to develop coordinated regulations and other administrative guidance to assist stakeholders with implementation of the Affordable Care Act.
Beginning January 1, 2014, individuals and employees of small businesses will have access to affordable coverage through a new competitive private health insurance market - the Health Insurance Marketplace. The Marketplace offers "one-stop shopping" to find and compare private health insurance options. Open enrollment for health insurance coverage through the Marketplace begins October 1, 2013. Section 1512 of the Affordable Care Act creates a new Fair Labor Standards Act (FLSA) section 18B requiring a notice to employees of coverage options available through the Marketplace.(1)
This Technical Release provides temporary guidance regarding the notice requirement under FLSA section 18B and announces the availability of the Model Notice to Employees of Coverage Options. This Technical Release also provides an updated model election notice for group health plans for purposes of the continuation coverage provisions under Title X of the Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) to include additional information regarding health coverage alternatives offered through the Marketplace.
II. Background On The Notice to Inform Employees of Coverage Options Under the FLSA
Section 18B of the FLSA, as added by section 1512 of the Affordable Care Act, generally provides that, in accordance with regulations promulgated by the Secretary of Labor, an applicable employer must provide each employee at the time of hiring (or with respect to current employees, not later than March 1, 2013), a written notice:
Informing the employee of the existence of the Marketplace (referred to in the statute as the Exchange) including a description of the services provided by the Marketplace, and the manner in which the employee may contact the Marketplace to request assistance;
If the employer plan's share of the total allowed costs of benefits provided under the plan is less than 60 percent of such costs, that the employee may be eligible for a premium tax credit under section 36B of the Internal Revenue Code (the Code) if the employee purchases a qualified health plan through the Marketplace; and
If the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.
On January 24, 2013, the Department of Labor (the Department) issued guidance stating the Department's conclusion that the notice requirement under FLSA section 18B will not take effect on March 1, 2013 for several reasons.(2) The Department explained that this notice should be coordinated with HHS's educational efforts and Internal Revenue Service (IRS) guidance on minimum value. The guidance also stated the Department's commitment to a smooth implementation process including providing employers with sufficient time to comply and select an applicability date that ensures that employees receive the information at a meaningful time. The guidance further stated that the Department expects the timing for distribution of notices will be the late summer or fall of 2013, which will coordinate with the open enrollment period for the Marketplace.
The Department is issuing this temporary guidance and model notice in advance of the expected timeframe announced in the guidance because, since the issuance of the guidance, the Department has received several requests from employers for a model notice on an earlier timeframe so that they may be able to inform their employees now about the upcoming coverage options through the Marketplace. Therefore, employers are permitted to use the model notice and/or rely on this temporary guidance prior to the applicability date stated below(3) to inform their employees earlier.
III. Guidance For The Notice to Inform Employees of Coverage Options Under the FLSA
This section provides temporary guidance on what the Department will consider as compliance with FLSA section 18B, and this guidance will remain in effect until the Department promulgates regulations or other guidance. Future regulations or other guidance on these issues will provide adequate time to comply with any additional or modified requirements.
A. Employers Subject to the Notice Requirement
The FLSA section 18B requirement to provide a notice to employees of coverage options applies to employers to which the FLSA applies. In general, the FLSA applies to employers that employ one or more employees who are engaged in, or produce goods for, interstate commerce. For most firms, a test of not less than $500,000 in annual dollar volume of business applies.(4) The FLSA also specifically covers the following entities: hospitals; institutions primarily engaged in the care of the sick, the aged, mentally ill, or disabled who reside on the premises; schools for children who are mentally or physically disabled or gifted; preschools, elementary and secondary schools, and institutions of higher education; and federal, state and local government agencies.(5)
The Department's Wage and Hour Division provides guidance relating to the applicability of the FLSA in general including an internet compliance assistance tool to determine applicability of the FLSA. See www.dol.gov/elaws/esa/flsa/scope/screen24.asp .
B. Providing Notice to Employees
Employers must provide a notice of coverage options to each employee, regardless of plan enrollment status (if applicable) or of part-time or full-time status. Employers are not required to provide a separate notice to dependents or other individuals who are or may become eligible for coverage under the plan but who are not employees.
C. Form and Content of the Notice
Pursuant to the statute, the notice to inform employees of coverage options must include information regarding the existence of a new Marketplace as well as contact information and description of the services provided by a Marketplace. The notice must also inform the employee that the employee may be eligible for a premium tax credit under section 36B of the Code if the employee purchases a qualified health plan through the Marketplace; and a statement informing the employee that if the employee purchases a qualified health plan through the Marketplace, the employee may lose the employer contribution (if any) to any health benefits plan offered by the employer and that all or a portion of such contribution may be excludable from income for Federal income tax purposes.
D. Timing and Delivery of Notice
Employers are required to provide the notice to each new employee at the time of hiring beginning October 1, 2013. For 2014, the Department will consider a notice to be provided at the time of hiring if the notice is provided within 14 days of an employee's start date.
With respect to employees who are current employees before October 1, 2013, employers are required to provide the notice not later than October 1, 2013. The notice is required to be provided automatically, free of charge.
The notice must be provided in writing in a manner calculated to be understood by the average employee. It may be provided by first-class mail. Alternatively, it may be provided electronically if the requirements of the Department of Labor's electronic disclosure safe harbor at 29 CFR 2520.104b-1(c) are met.
There is one model for employers who do not offer a health plan and another model for employers who offer a health plan or some or all employees. Employers may use one of these models, as applicable, or a modified version, provided the notice meets the content requirements described above.
F. Paperwork Reduction Act Statement
The notice specified by this guidance is a collection of information approved under OMB Control Number 1210-0149, which currently is scheduled to expire on November 30, 2013. The Department notes that a federal agency cannot conduct or sponsor a collection of information unless it is approved by OMB under the PRA, and displays a currently valid OMB control number, and the public is not required to respond to a collection of information unless it displays a currently valid OMB control number. See 44 U.S.C. § 3507. Also, notwithstanding any other provisions of law, no person shall be subject to penalty for failing to comply with a collection of information if the collection of information does not display a currently valid OMB control number. See 44 U.S.C. § 3512. A covered employer's response to this collection is mandatory. See 29 U.S.C. § 218b. Each individual response is estimated to take less than 15 seconds, as an employer may send a copy of the same notice to each affected employee. Send comments about this information collection, including suggestions for reducing its burden, to G. Christopher Cosby, Department of Labor, Employee Benefits Security Administration, Office of Policy and Research, 200 Constitution Ave, NW, N-5718, Washington, DC 20210 (email@example.com). Do not send a copy of the notice to this address.
IV. Background and Guidance for the Model COBRA Election Notice
In general, under COBRA, an individual who was covered by a group health plan on the day before a qualifying event occurred may be able to elect COBRA continuation coverage upon a qualifying event (such as termination of employment or reduction in hours that causes loss of coverage under the plan).(6) Individuals with such a right are called qualified beneficiaries. A group health plan must provide qualified beneficiaries with an election notice, which describes their rights to continuation coverage and how to make an election. The election notice must be provided to the qualified beneficiaries within 14 days after the plan administrator receives the notice of a qualifying event.
The election notice is required to include:
The name of the plan and the name, address, and telephone number of the plan's COBRA administrator;
Identification of the qualifying event;
Identification of the qualified beneficiaries (by name or by status);
An explanation of the qualified beneficiaries' right to elect continuation coverage;
The date coverage will terminate (or has terminated) if continuation coverage is not elected;
How to elect continuation coverage;
What will happen if continuation coverage isn't elected or is waived;
What continuation coverage is available, for how long, and (if it is for less than 36 months), how it can be extended for disability or second qualifying events;
How continuation coverage might terminate early;
Premium payment requirements, including due dates and grace periods;
A statement of the importance of keeping the plan administrator informed of the addresses of qualified beneficiaries; and
A statement that the election notice does not fully describe COBRA or the plan and that more information is available from the plan administrator and in the plan's summary plan description (SPD).
Some qualified beneficiaries may want to consider and compare health coverage alternatives to COBRA continuation coverage that are available through the Marketplace. Qualified beneficiaries may also be eligible for a premium tax credit (a tax credit to help pay for some or all of the cost of coverage in plans offered through the Marketplace).
The Department of Labor has a model election notice that plans may use to satisfy the requirement to provide the election notice under COBRA. This notice is being revised to help make qualified beneficiaries aware of other coverage options available in the Marketplace. As with the earlier model, in order to use this model election notice properly, the plan administrator must complete it by filling in the blanks with the appropriate plan information. Use of the model election notice, appropriately completed, will be considered by the Department of Labor to be good faith compliance with the election notice content requirements of COBRA.
The model election notice is available in modifiable, electronic form on the Department's website at www.dol.gov/ebsa/cobra.html. A clean copy is available, as is a redline from the prior model notice to help interested stakeholders identify the changes.
V. For Further Information Contact
Amy Turner or Elizabeth Schumacher, Employee Benefits Security Administration, Department of Labor, at 202-693-8335. Additional information for employers regarding the Affordable Care Act is available at www.healthcare.gov and www.dol.gov/ebsa/healthreform.
The Secretary of Labor has delegated responsibility for FLSA section 18B rulemaking to the Employee Benefits Security Administration (EBSA) within the Department of Labor. See Q2 in ACA Implementation FAQ Part V, available at www.dol.gov/ebsa/faqs/faq-aca5.html.
On March 18, 2013, the Departments of Labor, Health and Human Services and Treasury (the "Departments") issued proposed regulations implementing the 90-day waiting period limit under health care reform. The regulations also amend existing regulations, including those relating to preexisting condition limits and other HIPAA portability provisions, to reflect changes made by health care reform.
90-Day Waiting Period Requirement - Background
Effective as of plan years beginning on or after January 1, 2014, group health plans and insurers are prohibited from applying a waiting period that exceeds 90 days, as provided in PHSA Section 2708, as added by PPACA, Pub. L. No. 111-148, Section 1201 (2010).
Who Must Comply?
The prohibition on excessive waiting periods applies to group health plans and insurers (as defined by applicable provisions of the PHSA, ERISA, or the Code) but not to certain "excepted benefits," as provided by PHSA Section 2708, as added by PPACA, Pub. L. No. 111-148, Section 1201 (2010).
Unlike the employer mandate provisions, the prohibition on excessive waiting periods applies to all group health plans (and insurers) regardless of the size of the employer/plan sponsor.
What Is a Waiting Period?
In IRS Notice 2012-59; DOL Tech. Rel. 2012-02; HHS: Guidance on 90-Day Waiting Period Limitation PHSA § 2708, the Departments issued substantially identical guidance on what initially will be considered compliance with the prohibition on excessive waiting periods for coverage.
In that guidance, a waiting period was defined as the period of time that must pass before coverage for an employee or dependent who is otherwise eligible to enroll under the terms of the plan can become effective. For this purpose, being eligible for coverage means having met the plan's substantive eligibility conditions (such as being in an eligible job classification or achieving job-related licensure requirements specified in the plan's terms).
In the guidance, the Departments also indicated that eligibility conditions that are based solely on the lapse of a time period are permissible for no more than 90 days. Other conditions for eligibility under the terms of a group health plan are generally permissible unless the condition is designed to avoid compliance with the 90-day waiting period limitation. Furthermore, if, under the terms of a plan, an employee may elect coverage that would begin on a date that does not exceed the 90-day waiting period limitation, the 90-day waiting period limitation is considered satisfied. Accordingly, a plan or insurer will not be considered to have violated the excessive waiting period prohibition merely because employees take additional time to elect coverage.
Application to Part-Time and Variable Hour Employees.
If a plan conditions eligibility on an employee regularly working a specified number of hours per period (or working full-time), and it cannot be determined that a newly hired employee is reasonably expected to regularly work that number of hours per period (or work full-time), the plan may take a reasonable period of time to determine whether the employee meets the plan's eligibility condition, which may include a measurement period that is consistent with the timeframe used for purposes of the employer mandate provisions. In general, a period will be considered reasonable if coverage is effective no later than 13 months from the employee's start date, plus, if applicable, the time remaining until the first day of the next calendar month.
In general, a period will be considered reasonable if coverage is effective no later than 13 months from the employee's start date, plus, if applicable, the time remaining until the first day of the next calendar month. Where cumulative hours of service are required for eligibility, up to 1,200 hours may be required; more than 1,200 hours would be considered designed to avoid compliance with the 90-day waiting period limitation.
The Proposed Regulations
The proposed rule follows the guidance in IRS Notice 2012-59; DOL Tech. Rel. 2012-02; HHS: Guidance on 90-Day Waiting Period Limitation PHSA § 2708 on the waiting period requirement and contains no surprises. Conditions based solely on the lapse of a time period before an employee or dependent becomes eligible for group health coverage cannot exceed 90 days. This requirement is absolute - the period cannot be extended past 90 days because the 90th day falls on a weekend or holiday and is not synonymous with three months. The prohibition does not mean, however, that an employee cannot take more than 90 days to sign up for coverage, as long as the employee could have begun coverage after 90 days. If an employee or dependent enrolls as a late enrollee or during a special enrollment period, the period before enrollment is not a waiting period.
The running of the 90-day waiting period may be delayed until a cumulative hours-of-service requirement has been met. The preamble notes that the 90-day limit does not bar hour-banking arrangements in multi-employer plans or buy-in arrangements where employees may pay part of the cost of insurance when they do not have enough hours in a pay period to qualify for full coverage. Insurers may rely on representations of employers as to eligibility information provided by employers as long as they have no specific knowledge that a waiting period in excess of 90 days is being imposed.
The proposed regulations also update existing regulations to conform to changes made by health care reform. Specifically, the proposed regulations amend:
2004 HIPAA regulations to remove provisions superseded by health care reform's prohibition on preexisting conditions and its implementing regulations.
Examples in other regulations to conform to changes made under health care reform, including the elimination of lifetime and annual limits and the provisions governing dependent coverage of children up to age 26.
The proposed regulations also clarify that multi-state plans will be subject to the federal external review process under health care reform.
On January 17, 2013, the Department of Health and Human Services released final regulations which provided sweeping changes to the rules update under privacy, security, enforcement, and breach notification requirements of the Health Insurance Portability and Accountability Act ("HIPAA"), the Health Information Technology for Economic Health ("HITECH") and Genetic Information Nondiscrimination Act ("GINA") Group health plans and business associates are required to comply with the regulations by September 23, 2013, unless otherwise stated in the regulations. With respect to the requirements on breaches of unsecured Protected Health Information ("PHI"), group health plans must still comply with the September 23, 2009 date. The following is a summary of the important changes under these final regulations.
1. Business Associates
Definition of Business Associate
Several updates and clarifications to the HIPAA definition of Business Associates ("BA") have been included.
A person or entity becomes a BA by (i) meeting the definition of a BA and (ii) creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity. Whether or not such person or entity has contracted with the covered entity and/or has entered into a Business Associate Agreement ("BAA") is not determinative. Additionally, the type of PHI involved in the transaction does not matter - information is considered PHI if the information is related to a covered entity.
The definition of BAs also include:
health information organizations;
other entities that provide data transmission services with respect to PHI to a covered entity and that require routine access to PHI;
entities that offers a personal health record to one or more individuals on behalf of a covered entity; and
entities that maintain PHI, whether or not the entities actually review the PHI.
Subcontractors of BAs
The HIPAA's BA provisions also apply to BAs' subcontractors (persons or entities that provide services to a BA which involves PHI to fulfill its contractual duties) if the subcontractors create, receive, maintain, or transmit PHI on behalf of BAs. Group health plans are not required to enter into Business Associate Agreements ("BAAs") with subcontractors, but the BAA must contain provisions that BAs will ensure that any subcontractors that create, receive, maintain, or transmit PHI on behalf of the BA agree to the same HIPAA restrictions, conditions, and requirements that apply to the BA.
Additional Clarifications Regarding BAs
Banking and financial institutions are not BAs with respect to payment process activities, as identified in § 1179 of HIPAA, but if the bank or financial institution's scope of activities exceeds the payment process activities, it will be considered a BA.
Patient safety activities were added to the list of functions that may be undertaken as a BA and were added to the definition of health care operations.
An insurer of a health plan product or insurance policy that is purchased by a covered entity is not a BA of the covered entity just by providing the insurance or product. In order to be considered a BA, the insurer must perform a function that involves PHI.
BAs are now directly liable for complying with certain HIPAA privacy and security rules:
Impermissible use and disclosure of PHI
Failure to provide breach notification to a covered entity
Failure to disclose PHI when required
Failure to provide access to electronic PHI to an individual, his/her designee or a covered entity
Failure to provide to a covered entity an accounting of disclosures
Failure to comply with HIPAA security rules contained in 45 C.F.R. §§ 164.306, 164.308, 164.310, 164.312, and 164.314
Failure to comply with the requirements relating to policies, procedures and documentation requirements of 45 C.F.R. § 164.316
Failure to establish BAAs with subcontractors
2. Business Associate Agreements ("BAA")
All Business Associate Agreements must be amended to include:
Provisions requiring BAs to comply with the HIPAA security rule
Provisions requiring BAs to report breaches involving unsecured PHI to covered entities
Provisions requiring BAs to obtain satisfactory assurances that subcontracts agree to comply with the underlying BAA's conditions and restrictions as applied to PHI
Additionally, the final regulations do remove the requirement that BAAs include a provision that required covered entities to report to the Department of Health and Human Services when a BA was out-of-compliance, was not able to cure the breach, and it was not possible to terminate the BAA between the covered entity and the BA.
The final regulations also provide for a "grandfathered" transition period for updating BAAs. If a HIPAA-compliant BAA was in effect prior to January 25, 2013 and is not renewed or modified between March 26, 2013, and September 23, 2013, the covered entity and BA may continue to operate under the current BAA for up to one year past the final regulation compliance date. That is, the BAA does not have to be amended until the earlier of: (1) the date the BAA is renewed or modified on or after September 23, 20133 or (2) September 22, 2014. This extension for compliance also applies to BAAs that contain automatic renewal provisions.
3. Notice of Privacy Practices
Notices of Privacy Practices ("NPP") must now be amended to include the following information (in addition to the existing HIPAA requirements):
A statement indicating that most uses and disclosures of psychotherapy notes (where appropriate), uses and disclosures of PHI for marketing purposes, and disclosures that constitute a sale of PHI require authorization;
A statement that an individual has a right to or will receive notifications of breaches of his or her unsecured PHI;
If the plan intends to use or disclose PHI for underwriting purposes, a statement that the plan is prohibited from using or disclosing PHI that is genetic information of an individual for such purposes; and
If the plan intends to contact an individual to raise funds for the plan, a statement regarding fundraising communications and an individual's right to opt out of receiving such communications.
For group health plans that post the NPP on their websites, the final regulations require that these plans must prominently post the changes or a revised Notice of Privacy Practices on websites by the September 23, 2013 compliance date; and provide the revised Notices of Privacy Practices, or information about the changes and how to obtain the revised Notices of Privacy Practices, in their next annual mailings to individuals then covered by the plans, such as at the beginning of the plan year or during open enrollment.
4. Breach Notification
Definition of Breach
The definition of what constitutes a "breach" has been changed. Breach is now defined as the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of such information. However, the final regulations made no change to the existing exceptions to the definition of breach.
With the change to the definition of breach, the previously used risk of harm standard has been replaced with the rule that, unless one of the enumerated exceptions is applicable, an unauthorized use or disclosure of PHI is presumed to be a breach. To overcome the presumption, a covered entity or BA must show that there is a "low probability that the PHI has been compromised."
In support of this, the final regulations also identified four factors that must be evaluated by a covered entity or BA when determining whether PHI has been compromised:
What is the nature and extent of the PHI involved in the potential breach,
Who was the unauthorized user or recipient of the PHI,
Was the PHI actually received or viewed by the unauthorized user or recipient, and
To what extent has the breached PHI been mitigated.
The above four factors of the risk assessment are not determinative. Other factors may also need to be considered, depending on the individual circumstances of the breach. The risk assessment performed and conclusions reached by the covered entity or BA should be documented.
Additionally, the definition of breach has been changed by removing the exception for limited data sets that do not contain any dates of birth and zip codes.
Only a few changes have made to o the breach notice requirements. These include:
A covered entity must notify the Department of Health and Human Services of all breaches affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breach was discovered rather than when the breach occurred
Covered entities may delegate responsibility for breach notifications to a BA provided the BAA provisions provide that the BA has the same obligations that the covered entity has under the final regulations
The plan is not required to incur costs to print or run a media notice, when it must provide notice of a breach to the media (i.e., breaches involving 500+ individuals in a state or jurisdiction). Also, media outlets are not obligated to print or run information about breaches when they receive notifications about them.
The plan must provide notice within 60 days after the plan discovers the breach (rather than 60 days after the breach occurred), when the notice of a breach affects fewer than 500 individuals.
For this purpose, discovery means the first day on which an employee, officer other agent of the covered entity or BA knows or should know by exercising reasonable diligence of the breach.
5. Use and Disclosure of PHI
Use and Disclosure of PHI for Marketing Purposes
Individuals must now provide authorizations for certain communications where covered entities use or disclose PHI and receive financial remuneration for making the communications from a third party whose product or service is being marketed.
The Department of Health and Human Services clarified that remuneration related to marketing communications must be from or on behalf of the entity whose product or service is being described as well as it being in exchange for making the communication itself. Even if a BA, rather than the covered entity, receives the payment, the communication would be considered a marketing communication.
A covered entity must obtain an individual's authorization prior to using or disclosing PHI about the individual for marketing purpose other than the following:
treatment or health care operations activities that are made face-to-face, or
the provision of a promotional gift of nominal value to the individual.
The definition of marketing does not include:
refill reminders or other communications about a drug that is currently prescribed for the individual, as long as the financial remuneration received is reasonably related to the cost of making the communication
promoting health in general, not promoting a specific product or service
information related to government and government-sponsored programs
Use of PHI for Fundraising Purposes
If a covered entity (or a BA), uses an individual's PHI for purposes of raising funds, the communication's recipient must be provided with a "clear and conspicuous" opportunity to opt out of receiving any further fundraising communications. The method for "opting out" is left up to the covered entity to determine. However, the opt-out process may not create undue burden or more than nominal cost for the individual.
The use and disclosure of the following types of PHI can be used for fundraising:
Demographic information relating to an individual,
Dates of health care provided to an individual,
Department of service information,
Outcome information, and
Health insurance status
However, the rule that when using PHI to make fundraising communications, the minimum necessary standard still applies and only the minimum amount of PHI necessary to accomplish the intended purpose may be used or disclosed is still applicable.
Prohibition on Sale of PHI
A covered entity or BA is only allowed to receive remuneration (direct or indirect) in exchange for the disclosure of PHI if an individual's authorization is granted. The authorization must state that direct or indirect remuneration is being received in exchange for the PHI, unless an allowed exception applies. Sale of protected health information is defined as the disclosure of PHI by a covered entity or BA, where the entity or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI. The exceptions to the prohibition of the sale of PHI are:
For public health purposes
For treatment of the individual and payment purposes.
For the sale, transfer, merger or consolidation of all or part of a covered entity and for related due diligence purposes if the recipient of the PHI is or will become a covered entity
For research purposes, if the remuneration is cost-based
Services rendered by a BAA under a BAA at the specific request of the covered entity, as long as the remuneration is cost-based
Providing an individual with access to the individual's PHI
As required by law
For any other purpose permitted by HIPAA
Other Changes to Use and Disclosure of PHI
PHI stored in electronic devices such as photocopiers, fax machines, and other devices is now subject to the Privacy and Security Rules.
Covered entities are now permitted to disclose decedents' PHI to family members and others who were involved in decedents' care or payment for care prior to death, unless the covered entities know that such disclosure would be inconsistent with the decedents' prior expressed wishes. If such disclosure will be allowed by the covered entity, it must be limited to PHI relevant to the family members or other persons' involvement in the decedents' health care or payment for health care.
Additionally, a covered entity may disclose proof of immunizations to schools in states that have laws that require the school to have such information prior to admitting a student. Although written authorization for the disclosure is not required, it is encouraged.
6. Changes to Patient Rights
Right to Access Protected Health Information
If individuals requests electronic copies of PHI that are maintained electronically in one or more designated record sets, covered entities must now provide access to the information in the electronic form and format requested by the individual, if readily producible.
If not readily producible, covered entities must provide the PHI in a readable electronic form and format which is agreed to by the covered entities and the individual, such as Word, Excel, text, HTML, or text-based PDF. Additionally, the final regulations provide:
A plan must respond to such a request within 30 days of the request, with a one-time 30-day extension when necessary. If a plan takes the 30-day extension, it must provide written notice to the individual of the reasons for delay and the expected date for completing the request.
If an individual declines any readily producible electronic format, the plan must provide a hard copy as an option.
A plan can require individuals to make these requests for PHI in writing.
A plan is not required to scan paper documents to provide electronic copies.
If requested, a plan must transmit the copy of PHI directly to another person designated by the individual who is the subject of the PHI. If an individual directs the plan to send a copy of PHI to another person, the request must be in writing, signed by the individual, and clearly identify the designated person and where to send the PHI. The plan must implement reasonable policies and procedures to verify the identity of any person who requests PHI and implement reasonable safeguards to protect the information used or disclosed.
With respect to PHI from an electronic health record in electronic form, a plan cannot charge more than labor costs in responding to an individual's request. These costs may include skilled technical staff time spent to create and copy the electronic file or time spent preparing and explanation or summary of the PHI, if appropriate. A plan also can charge for the cost of supplies (such as CDs or USB drives) for creating the copy of PHI, if the individual requests the electronic copy on portable media, and associated postage.
Restrictions on Disclosures by Health Plans
The processes surrounding the requirement that covered entities must comply with an individual's request to restrict disclosure of PHI to a health plan if certain conditions are met have been clarified. Under the final regulations:
Health providers are not required to maintain separate medical records when a request to restrict disclosure is made, but they are required to use some method to identify which portions of the medical records are subject to the restriction request.
If a restriction is requested where payment is pending, health providers must either make reasonable efforts at resolving the payment issues before disclosing PHI or should request payment in full at the time of the requested restriction.
If an individual requests a restriction, it is the individual's responsibility - not the health providers - to notify any other providers who might be impacted.
HMO contractual requirements do not negate a provider's responsibility to adhere to a request to restrict disclosures.
Consequences of Noncompliance
The final regulations significantly increase covered entities and BAs potential exposure to civil monetary penalties and creates uncertain risk. First, covered entities and BAs will be liable under federal common law of the acts of their agents.
Next, the assessment of penalties will be left to fact specific analyses and the Department of Health and Human Services' discretion. There are four categories of HIPAAA violations that reflect increasing levels of culpabilities accompanied by four tiers of significantly increased monetary penalties. These include:
Tier 1: For violations in which it is established that the covered entity of BA did not know and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation
Tier 2: For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1000 or more than $50,000 for each violation
Tier 3: For a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation
Tier 4: For a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation
A penalty for violations of the same tier will not exceed $1.5 million in a calendar year, but multiple violations of multiple requirements may be subject to the maximum penalty of $1.5 million times the number of requirements violated.
The maximum penalty amount will not necessarily be levied in all cases. There will be a determination based on factors including but not limited to: the nature and extent of the violation; the harm resulting from the violation; prior offenses or compliance of the entity involved; and the financial condition of the entity.
The final regulations provide insight into the application of penalties. In the case of a breach that affects multiple individuals, the number of violations will be based on the number of individuals affected. In the case of a breach that is continuous over a period of time, the number of violations will be based on the number of days that the entity did not have the breached information sufficiently protected. In the case of a breach involving violations of two or more provisions, a separate calculation may be made for each provision breached.
Increased penalty amounts may be levied if the violation due to willful neglect is not corrected within 30 days. Under the final regulations, for violations involving willful neglect, additional penalties may be assessed if the entity does not correct within 30 days. The 30 days begins to run when the entity first has actual or constructive knowledge of a violation due to willful neglect.
8. GINA Implementation
The Department of Health and Human Services' proposals have be adopted to:
Provide that genetic information is considered health information for purposes of HIPAA privacy rules and therefore subject to HIPAA privacy requirements;
Prohibit all health plans that are subject to HIPAA privacy rules from using or disclosing PHI that is genetic information for underwriting purposes (except with regard to insurance issuers of long term care policies);
Revise the HIPAA requirements relating to Notices of Privacy Practices for health plans that perform underwriting;
Make conforming changes to definitions and other provisions of the HIPAA privacy rules; and
The IRS issued a final regulations on when an employer-sponsored plan is considered "affordable" for an individual related to the employee for purposes of eligibility for a premium tax credit. Under Health Care Reform, employees may be eligible for a premium tax credit to purchase health insurance through the future health insurance exchanges if, among other reasons, the employer plan is deemed unaffordable.
The final regulations clarify that for taxable years beginning before January 1, 2015, an eligible employer-sponsored plan is affordable for related individuals if the portion of the annual premium the employee must pay for self-only coverage does not exceed 9.5% of the taxpayer's household income.
An employer plan will be affordable for family members if the cost of self-only coverage does not exceed 9.5% of the employee's household income. In other words, for purposes of whether family members are eligible for tax credits, the affordability of family coverage is not taken into account; all that matters is that the cost of self-only coverage is affordable to the employee.
For purposes of applying the affordability exemption from the individual mandate in the case of related individuals, the required contribution is based on the premium the employee would pay for employer-sponsored family coverage.
For an employee eligible under an employer plan, affordability (for individual mandate exemption purposes) will be based on whether the cost of self-only coverage exceeds 8% of the employee's household income. For a related individual (such as a spouse or child, however, affordability for this purpose will be based on whether the cost of family coverage exceeds 8% of household income. Under these rules, members of an employee's family may qualify for an individual mandate exemption, even though the offer of affordable employer coverage to the employee would require the employee to enroll or risk paying a penalty.
These final regulations apply to taxable years ending after December 31, 2013.
For a copy of the final regulations, please click on the link: GPO.gov