When it comes to Employee Assistance Programs, confidentiality is a concern for both employers and employees. As an employer, it is helpful to understand the terms and processes your EAP uses to keep information confidential and ensure that your employees and your workplace are safe.

The Health Insurance Portability and Accountability Act (HIPAA) rules apply to EAPs and their affiliate providers. All information that is obtained during an EAP session is maintained in confidential files. The information remains confidential except in the following circumstances:

  1. An employee/client provides written permission/consent for the release of specific information. This can be done using a Consent to Inform or Release of Information form.
  2. The life or safety of the client or others is seriously threatened.
  3. Child abuse has occurred.
  4. EAP records are the subject of a court order (subpoena).
  5. Other disclosures required by applicable law.

Depending on the situation, an employee may use EAP services through a self-referral, guided referral or mandated referral.

Voluntary or self-referrals are the most common. When an employee seeks EAP services voluntarily, all of the employee’s information, including whether he or she contacted the EAP or not, is confidential and cannot be released without written permission.

Guided referrals are an opportunity for the employer to encourage the employee to use EAP services when the employer senses there is a problem that needs to be addressed. This may occur when the employer identifies an employee who may be having personal or work-related difficulties but it is not to the point of mandating that the employee use an EAP. In the case of guided referrals, information disclosed by the employee is still kept confidential.

Mandatory or formal referrals usually occur when substance abuse or other behaviors are impacting productivity or safety. An employer’s policy may allow for putting the employee on a performance improvement plan and may even include a “last chance” agreement that states what an employee must do in order to keep their job. In these cases, employees are mandated by the employer to contact the EAP and a Release of Information is signed so the EAP can exchange information with the employer about employee attendance, compliance and recommendations.

In some cases, it may be advised to send the employee for a Fitness for Duty Evaluation or similar assessment to determine the employee’s ability to physically or mentally perform essential job duties, or assess for a potential threat of violence. These evaluations are performed by specially trained professionals and will come with an additional cost. If the employee has provided written consent, limited information may be released to the employer regarding the results of these evaluations.

By Kathryn Schneider
Originally Published By United Benefit Advisors

On August 22, 2017, in AARP v EEOC, a federal court found that regulations allowing employers to offer large incentives under workplace wellness programs were arbitrary. The court did not vacate (nullify) the rules due to concerns about disrupting employers’ existing programs. Instead the court has ordered the responsible agency, the Equal Employment Opportunity Commission (EEOC), to review and reconsider its regulations.

Background

The EEOC regulates and enforces provisions of the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) that affect workplace wellness programs. Employers with 15 or more workers generally are prohibited from requiring employees to undergo medical exams or answer disability-related questions (unless needed for certain job-related health/safety exams). An exception is allowed for wellness programs that are “voluntary,” but the meaning of voluntary has long been debated.

For many years, the EEOC failed to issue regulations defining voluntary while at the same time unofficially asserting that programs were not voluntary if the employee was required to provide private health information to earn a reward or avoid a penalty. In 2015, the EEOC finally proposed rules on the matter, which were finalized in 2016 and took effect January 1, 2017. In an about-face from its prior assertions, the EEOC rules allow employers to offer wellness program incentives of up to 30% of the health plan’s cost. The AARP, on behalf of its membership, sued in federal court alleging that the 30% threshold was too high to be considered a voluntary program.

(The Health Insurance Portability and Accountability Act (HIPAA), a separate federal law primarily regulated by the Department of Labor (DOL), not the EEOC, permits group health plans, including wellness programs, to offer incentives of up to 30% of plan cost. AARP did not challenge the HIPAA rules. HIPAA’s incentive cap applies only to health-contingent programs, however, while the EEOC’s ADA and GINA rules are broader and include both participatory-only and health-contingent wellness programs.)

In AARP v EEOC, the U.S. District Court for the District of Columbia found that the EEOC failed to justify how it had determined its new definition of a voluntary program. The court ordered the EEOC to reconsider its regulations and to file a status report by September 21, 2017 that includes a proposed schedule for the review.

Employer Considerations

Last week’s court ruling did not vacate the EEOC’s wellness program rules. They remain in force and employers may use them as guidance in designing and administering their workplace programs. At the same time, however, employers will want to be mindful that the current rules are under review and may be revised in the future. Also, employers whose wellness programs offer large incentives for providing individual health information need to consider whether their program may be challenged through private litigation. Employers are encouraged to work with their benefit advisors and legal counsel to ensure their wellness programs are consistent with rules under HIPAA, and, if applicable, under the ADA and GINA.

Originally Published By ThinkHR.com

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued its Man-in-the-Middle Attacks and “HTTPS Inspection Products” guidance. The OCR warns organizations that have implemented end-to-end connection security on their internet connections using Secure Hypertext Transport Protocol (HTTPS) about using HTTPS interception products to detect malware over an HTTPS connection because the HTTPS interception products may leave the organization vulnerable to man-in-the-middle (MITM) attacks. In an MITM attack, a third party intercepts internet communications between two parties; in some instances, the third party may modify the information or alter the communication by injecting malicious code.

OCR provides a partial list of products that may be affected. Also, OCR provides a method that organizations can use to determine if their HTTPS interception product properly validates certificates and prevents connections to sites using weak cryptography.

OCR emphasized that covered entities and business associates must consider the risks presented to the electronic protected health information (ePHI) transmitted over HTTPS. Further, OCR encouraged covered entities and business associates to review OCR’s recommendations for valid encryption processes to ensure that ePHI is not unsecured, as well as the U.S. Computer Emergency Readiness Team’s recommendations on protecting internet communications and preventing MITM attacks.

HIPAA Enforcement in the News

Below is a roundup of the settlements recently in the news related to ePHI.

OCR Announces HIPAA Settlement for Impermissible Disclosure of ePHI, Insufficient Risk Analysis, and Insufficient Risk Management Processes

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its $2.5 million settlement with a wireless health services provider for impermissible disclosure of ePHI. OCR’s investigation revealed that the provider had insufficient risk analysis and risk management processes in place at the time of the impermissible disclosure, including failing to implement policies and procedures regarding ePHI safeguards. The settlement requires the provider to implement a corrective action plan.

OCR Announces HIPAA Settlement for Insufficient Security Management Process for ePHI

OCR announced its $400,000 settlement with a federally qualified health center (FQHC) based on the FQHC’s failure to have a security management process, including risk analyses sufficient to meet the Security Rule’s requirements. The settlement requires the FQHC to implement a corrective action plan. OCR’s announcement also provided a link to its guidance on the Security Rule.

OCR Announces HIPAA Settlement for Failure to Have Business Associate Agreements

OCR announced its $31,000 settlement with a small, for-profit health care provider based on the provider’s failure to produce a signed business associate agreement with its business associate who stored records containing PHI. The settlement requires the provider to implement a corrective action plan.

Employers Ask…

UBA’s question of the month from employers addressed breach notification requirements:

Q. Under what circumstances do HIPAA’s breach notification requirements not apply when a breach of protected health information (PHI) occurs?

A. Generally, breach notification must be provided when a breach of unsecured PHI is discovered. HHS provides only two methods of creating “secured PHI” that would not be subject to the notification requirements if there is a breach:

  • Encryption
  • Destruction

This means that if PHI/ePHI is encrypted or destroyed and a breach occurs, HIPAA’s notification requirements are not triggered.
By Danielle Capilla
Originally Published By United Benefit Advisors

A fixed indemnity health plan pays a specific amount of cash for certain health-related events (for example, $40 per office visit or $100 per hospital day). The amount paid is neither related to the medical expense incurred, nor coordinated with other health coverage. Further, a fixed indemnity health plan is considered an “excepted benefit.”

Under HIPAA, fixed dollar indemnity policies are excepted benefits if they are offered as “independent, non-coordinated benefits.” Under the Patient Protection and Affordable Care Act (ACA), excepted benefits are not subject to the ACA’s health insurance requirements or prohibitions (for example, annual and lifetime dollar limits, out-of-pocket limits, requiring individual and small-group policies to cover ten essential health benefits, etc.). This means that excepted benefit policies can exclude preexisting conditions, can have dollar limits, and do not legally have to guarantee renewal when the coverage is cancelled.

Further, under the ACA, excepted benefits are not minimum essential coverage so a large employer cannot comply with its employer shared responsibility obligations by offering only fixed indemnity coverage to its full-time employees.

Some examples of fixed indemnity health plans are AFLAC or similar coverage, or cancer insurance policies.

Recently, the IRS released a Memorandum on the tax treatment of benefits paid by fixed indemnity health plans that addresses two questions:

  1. Are payments to an employee under an employer-provided fixed indemnity health plan excludible from the employee’s income under Internal Revenue Code §105?
  2. Are payments to an employee under an employer-provided fixed indemnity health plan excludible from the employee’s income under Internal Revenue Code §105 if the payments are made by salary reduction through a §125 cafeteria plan?

 

By Danielle Capilla, Originally Published By United Benefit Advisors

Cafeteria plans, or plans governed by IRS Code Section 125, allow employers to help employees pay for expenses such as health insurance with pre-tax dollars. Employees are given a choice between a taxable benefit (cash) and two or more specified pre-tax qualified benefits, for example, health insurance. Employees are given the opportunity to select the benefits they want, just like an individual standing in the cafeteria line at lunch.

Only certain benefits can be offered through a cafeteria plan:

  • Coverage under an accident or health plan (which can include traditional health insurance, health maintenance organizations (HMOs), self-insured medical reimbursement plans, dental, vision, and more);
  • Dependent care assistance benefits or DCAPs
  • Group term life insurance
  • Paid time off, which allows employees the opportunity to buy or sell paid time off days
  • 401(k) contributions
  • Adoption assistance benefits
  • Health savings accounts or HSAs under IRS Code Section 223

Some employers want to offer other benefits through a cafeteria plan, but this is prohibited. Benefits that you cannot offer through a cafeteria plan include scholarships, group term life insurance for non-employees, transportation and other fringe benefits, long-term care, and health reimbursement arrangements (unless very specific rules are met by providing one in conjunction with a high deductible health plan). Benefits that defer compensation are also prohibited under cafeteria plan rules.

Cafeteria plans as a whole are not subject to ERISA, but all or some of the underlying benefits or components under the plan can be. The Patient Protection and Affordable Care Act (ACA) has also affected aspects of cafeteria plan administration.

Employees are allowed to choose the benefits they want by making elections. Only the employee can make elections, but they can make choices that cover other individuals such as spouses or dependents. Employees must be considered eligible by the plan to make elections. Elections, with an exception for new hires, must be prospective. Cafeteria plan selections are considered irrevocable and cannot be changed during the plan year, unless a permitted change in status occurs. There is an exception for mandatory two-year elections relating to dental or vision plans that meet certain requirements.

Plans may allow participants to change elections based on the following changes in status:

  • Change in marital status
  • Change in the number of dependents
  • Change in employment status
  • A dependent satisfying or ceasing to satisfy dependent eligibility requirements
  • Change in residence
  • Commencement or termination of adoption proceedings

Plans may also allow participants to change elections based on the following changes that are not a change in status but nonetheless can trigger an election change:

  • Significant cost changes
  • Significant curtailment (or reduction) of coverage
  • Addition or improvement of benefit package option
  • Change in coverage of spouse or dependent under another employer plan
  • Loss of certain other health coverage (for example, government-provided coverage such as Medicaid)
  • Changes in 401(k) contributions (employees are free to change their 401(k) contributions whenever they wish, in accordance with the administrator’s change process)
  • HIPAA special enrollment rights (contains requirements for HIPAA subject plans)
  • COBRA qualifying event
  • Judgment, decrees, or orders
  • Entitlement to Medicare or Medicaid
  • Family Medical Leave Act (FMLA) leave
  • Pre-tax health savings account (HSA) contributions (employees are free to change their HSA contributions whenever they wish, in accordance with their payroll/accounting department process)
  • Reduction of hours (new under the ACA)
  • Exchange/Marketplace enrollment (new under the ACA)

Together, the change in status events and other recognized changes are considered “permitted election change events.”

Common changes that do not constitute a permitted election change event are: a provider leaving a network (unless, based on very narrow circumstances, it resulted in a significant reduction of coverage), a legal separation (unless the separation leads to a loss of eligibility under the plan), commencement of a domestic partner relationship, or a change in financial condition.

There are some events not in the regulations that could allow an individual to make a mid-year election change, such as a mistake by the employer or employee, or needing to change elections in order to pass nondiscrimination tests. To make a change due to a mistake, there must be clear and convincing evidence that the mistake has been made. For instance, an individual might accidentally sign up for family coverage when they are single with no children, or an employer might withhold $100 per pay period for a flexible spending arrangement (FSA) when the individual elected to withhold $50.

Plans are permitted to make automatic payroll election increases or decreases for insignificant amounts in the middle of the plan year, so long as automatic election language is in the plan documents. An “insignificant” amount is considered one percent or less.

Plans should consider which change in status events to allow, how to track change in status requests, and the time limit to impose on employees who wish to make an election.

Cafeteria plans are not required to allow employees to change their elections, but plans that do allow changes must follow IRS requirements. These requirements include consistency, plan document allowance, documentation, and timing of the election change. For complete details on each of these requirements—as well as numerous examples of change in status events, including scenarios involving employees or their spouses or dependents entering into domestic partnerships, ending periods of incarceration, losing or gaining TRICARE coverage, and cost changes to an employer health plan—request UBA’s ACA Advisor, “Cafeteria Plans: Qualifying Events and Changing Employee Elections”.

By Danielle Capilla
Originally published by www.ubabenefits.com

On December 20, 2016, federal officials released FAQs About Affordable Care Act Implementation Part 35 (FAQ #35) in an ongoing series of informal guidance regarding the Affordable Care Act (ACA). This FAQ addresses several topics:

  • Special enrollment rules.
  • Preventive services.
  • Qualified small employer health reimbursement arrangements.

A summary of the key points from FAQ #35 follows.

Special Enrollment Rules

Group health plans are subject to rules under the Health Insurance Portability and Accountability Act (HIPAA) requiring plans to offer a special enrollment (mid-year enrollment) opportunity for persons who are not enrolled when first eligible but then experience certain events. Examples of qualifying events include acquiring a new dependent through marriage, birth or adoption (including placement for adoption) of a child, or losing coverage under another plan. The requirements are referred to as the HIPAA special enrollment rules.

One of the events triggering a special enrollment opportunity is the involuntary loss of other coverage, such as losing coverage under the spouse’s plan, unless the loss is for cause or due to failure to pay premiums.

UPDATE: FAQ #35 confirms that persons are entitled to a special enrollment if they are otherwise eligible for the group plan, had other coverage (including individual insurance obtained inside or outside of a Marketplace) when the group plan coverage was previously offered, and now have lost eligibility for that other coverage. Further, the special enrollment rule applies whether or not the individual is eligible for other individual market coverage, through or outside of a Marketplace.

Coverage of Preventive Services

The Affordable Care Act (ACA) requires that nongrandfathered health plans provide 100 percent coverage without deductibles or co-pays for certain preventive services. Some exceptions are allowed regarding services received outside the network when they are available from in-network providers and for brand-name drugs when equivalent generics are available (unless the physician determines a medical necessity). See the following current lists of required preventive services:

For women’s health services, the current list of required preventive services includes prescribed contraceptives (including sterilization procedures, and patient education and counseling). At this time, there are 18 FDA-approved contraceptive methods and the plan must cover at least one item in each method at 100 percent. Plans also must have an “exceptions process” to ensure 100 percent coverage of any item within the method based on medical necessity as determined by the physician.

The preventive services requirements are developed based on recommendations from the U.S. Preventive Services Task Force (USPSTF), the Centers for Disease Control (CDC), the Health Resources and Services Administration (HRSA), and others, and are subject to change from time to time.

UPDATE: FAQ #35 explains that updated HRSA recommendations for women’s preventive services will apply for plan years beginning on or after December 20, 2017 (e.g., January 1, 2018 for calendar-year plans). Plans may adopt the new guidelines earlier if they choose. The updated guidelines address several women’s health services, including breast cancer screening, cervical cancer screening, gestational diabetes, breastfeeding services and supplies, and well-woman preventive visits.

The new guidelines also will require plans to cover all 18 of the FDA-approved contraceptive methods. Plans may continue to impose cost-sharing requirements on branded drugs for which generic equivalents are available. Note that the ACA provides certain exceptions regarding contraceptives with respect to plans sponsored by religious employers and nonprofit religious-affiliated employers; those exceptions will continue.

See the HRSA’s Women’s Preventive Services Guidelines for more information.

Qualified Small Employer Health Reimbursement Arrangements (QSEHRAs)

Section 18001 of the recently-enacted 21st Century Cures Act creates an opportunity for small employers to offer a new type of health reimbursement arrangement for their employees’ healthcare expenses, including individual insurance premiums.

Employers of all sizes currently are prohibited from making or offering any form of payment to employees for individual health insurance, whether through premium reimbursement or direct payment. Employers also are prohibited from providing cash or compensation to employees if the money is conditioned on the purchase of individual health insurance. (Some exceptions apply; e.g., retiree-only plans, dental/vision insurance.) Violations can result in excise taxes of $100 per day per affected employee.

The new law does not repeal the existing prohibition, but rather it provides an exception for a new type of tax-free benefit called a Qualified Small Employer Health Reimbursement Arrangement (QSEHRA). Small employers meeting certain conditions may begin offering QSEHRAs in 2017. Our December 9, 2016 blog post, New Law Allows Small Employers to Pay Premiums for Individual Policies, summarized the requirements for small employers to offer QSEHRAs.

Separately, the 21st Century Cures Act offers small employers certain relief from excise taxes for violating the existing prohibition against employer payment of individual health insurance. The relief applies retroactively and continues through the 2016 plan year (whether or not the employer offers QSEHRAs in 2017), but certain conditions must be met. FAQ #35 clarifies the conditions for tax relief, as follows:

  • The relief applies only to plan years beginning on or before December 31, 2016;
  • The relief applies only to employers that employed on average fewer than 50 full-time and full-time-equivalent employees. In other words, for the relevant period, the employer must not have been an applicable large employer (ALE) as defined under the ACA; and
  • The relief is limited to employer arrangements that pay or reimburse only individual health insurance premiums (or Medicare Part B or D premiums, in some cases). The relief does not extend to stand-alone health reimbursement arrangements that pay or reimburse medical expenses other than individual health insurance premiums.

Lastly, note that an employer arrangement that qualifies for relief from excise taxes generally will be considered minimum essential coverage and preclude covered persons from qualifying for premium tax credits (subsidies) at a Marketplace (Exchange).

More Information

Employers and their advisors are encouraged to review the complete FAQ #35 to ensure their group health plans continue to comply with the ACA’s requirements. The special enrollment rule merely confirms existing HIPAA requirements. For preventive services, the update regarding women’s health services applies for plan years beginning on or after December 20, 2017 (e.g., January 1, 2018 for calendar-year plans). Lastly, small employers may want to consider the new option for QSEHRAs starting in 2017.

Originally published by www.thinkhr.com

The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) began a pilot program in 2012 to assess the procedures implemented by covered entities to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). OCR evaluated the effectiveness of the pilot program and then announced Phase 2 of the program on March 21, 2016. Phase 2 Audits focus on the policies and procedures adopted by both covered entities and business associates to ensure they meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Covered entities include health plans, health care clearinghouses, and health care providers, whereas business associates include anyone handling health information on behalf of a covered entity.

Phase 2 Audits of business associates focus on risk analysis, risk management, and reporting of HIPAA breaches to covered entities. OCR emphasizes the importance of audits as a compliance improvement activity in order to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

OCR chose entities to audit through random sampling of the audit pool. Communications from OCR were sent via email, so it is important to check spam filters and junk emails for communications from OSOCRAudit@hhs.gov. OCR emailed a notice to verify contact information. Once the contact information was verified, OCR emailed a pre-audit questionnaire to gather data about size, type, and operations of the entity. This data was used with other information to develop pools of potential covered entities for making audit selections.

Phase 2 Audits consist of three sets of audits. The first set of audits will be desk audits of covered entities and the second set of audits will be desk audits of business associates. These audits will examine compliance with specific requirements of the Privacy, Security, or Breach Notification Rules and covered entities will be notified of their audit in a document request letter. All desk audits in this phase will be completed by the end of December 2016. OCR will select entities and request they electronically submit documentation within 10 days. The third set of audits will be onsite and examine a broader scope of requirements from HIPAA Rules.

On July 11, 2016, 167 covered entities were notified that they were selected for a desk audit. Desk audits of business associates will begin this fall. Download the complete Compliance Advisor, “HIPAA Phase 2 Audits,” for best practices for covered entities facing desk or field audits.

Originally published by www.ubabenefits.com
