
Jason Folks

Jason Folks, CAS, CFCI, CHA, HSAe, is the director of Product Compliance with HealthEquity, Inc.  Folks has over 20 years of experience in regulatory compliance and employer consultation, with a particular focus on federal COBRA and state continuation requirements.   He attended New York University and holds COBRA Administration Specialist (CAS), Certified in Flexible Compensation Instruction (CFCI), Certified HIPAA Administrator (CHA), and Health Savings Account Expert (HSAe) designations through the Flexible Compensation Institute, LLC, a wholly-owned subsidiary of the Employers Council on Flexible Compensation. Folks can be reached by telephone at 214-596-7842. Email: jasonf@healthequity.com.

Wearable Technology—And Their Health Applications—May Be Subject To HIPAA

It is estimated that, by 2022, wearable technology (think smartwatches and fitness trackers) will see 243 million unit sales, becoming a $29 billion (that’s with a “b”) market and growing an average of 20 percent each year between now and then. Correspondingly, it is anticipated that the global mobile health applications market will generate around $111.1 billion (there’s another “b”) by 2025.

As this growing population of consumers finds more ways to actively monitor their well-being by tracking their heart rates (expectant mothers can even use certain wearable devices to monitor their babies’ heart rates), daily caloric intake, and levels of physical activity, employers sponsoring group health plans can encourage the use of this technology and these programs among their plan participants. This could lead to better health and awareness of potential health issues, which, in turn, could reduce the employers’ health claim exposure.

However, the growing popularity of these trackers and programs brings a corresponding rise in the need for employers, plans, and even health mobile application developers to understand the extent to which the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules may apply.

By way of background, HIPAA includes privacy and security rules establishing standards for the protection of individuals’ health information called (you guessed it) Protected Health Information (PHI). Information is classified as PHI if it is individually identifiable. That is, it can be tied back to a specific person by one of a number of unique identifiers, such as a name or Social Security number, and relates to the person’s past, present, or future physical or mental health and is created, received, or maintained by a covered entity or its business associate. For HIPAA purposes, covered entities include, but are not limited to, employer-sponsored group health plans; doctors, hospitals, and pharmacies conducting electronic transactions; and health care clearinghouses.1 Furthermore, with the advent of the Health Information Technology for Economic and Clinical Health Act (HITECH) Final Rule, covered entities became liable for impermissible uses or disclosures of PHI made by their business associates.

In February 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) published its “Health App Use Scenarios and HIPAA” guidance (the Scenarios)2 to assist in keeping the various requirements straight with respect to health data potentially collected by wearable technology and mobile health applications. The Scenarios put forth six hypothetical situations involving careful analysis with respect to mobile health applications, specifically those applications that collect, store, manage, organize, or transmit health information, and whether the applications’ developers would be subject to HIPAA. Through the Scenarios, the OCR clarified that health application usage initiated by the consumer (e.g., a consumer voluntarily purchases and downloads a health application through which she monitors a chronic condition) would not create a business associate arrangement with the health application’s developer; the developer would not be subject to HIPAA. However, in instances in which a covered entity contracts directly with a developer for purposes of creating (for example) a health application for patient management services, and the covered entity instructs individuals to use this application to collect and transmit information to the provider, the application’s developer would be a business associate of the covered entity and would be subject to HIPAA.

In April 2019, the OCR released five new Frequently Asked Questions (“Access Right, Apps, And APIs”)3 concerning these health applications, their developers, and, building on the previous guidance, the potential liability of a covered entity with respect to impermissible PHI disclosures involving these health applications.

In these FAQs, the OCR clarifies that the HIPAA Privacy Rule generally obligates a covered entity to disclose an individual’s PHI to a health application of that individual’s selection if the PHI is readily producible in the form and format used by the health application. This is true even if the covered entity has concerns about the particular health application’s security or how it will use or disclose the PHI once it is received. Whatever security testing the application may have undergone during development, the covered entity is encouraged to educate the individual regarding such concerns.

Furthermore, an individual’s information would no longer be subject to the HIPAA Privacy Rule once it is received from a covered entity, at the individual’s instruction, by a third-party health application selected by that individual that is neither a covered entity nor a business associate under HIPAA. As this third-party health application was not “developed for, or provided by or on behalf of the covered entity” and does not create, receive, maintain, or transmit PHI on behalf of a covered entity, the covered entity would not be liable under HIPAA for how that third-party health application subsequently uses or discloses the information it received.

However, it is important to note that, in conjunction with the clarification provided in the Scenarios, the covered entity could be held responsible for impermissible uses or disclosures of PHI received by a health application that was developed to create, receive, maintain, or transmit PHI on behalf of the covered entity for its patients (as this would render the application’s developer a business associate of the covered entity).

Again, understanding these scenarios is important not only for application developers, but for group health plan sponsors when considering how and to what extent HIPAA applies in the mobile application context.

Prompted in part by the wellness program incentives under the Affordable Care Act and HIPAA’s nondiscrimination provisions,4 employers are presented with more opportunities to incorporate wearable technology or health mobile applications into their wellness programs. For example, an employer can offer its participants access to activity trackers that may be paired to a platform or online program compiling and organizing the participants’ information to monitor ongoing corporate-wide wellness goals. In giving employees the tools to monitor (and perhaps improve upon) their own well-being, employers can realize a decrease in health care costs.

However, when considering such a program, employers will need to consider if the information collected by the application or activity tracker is PHI; whether their plan participants are independently selecting and downloading the health applications and, if so, whether the employees control all decisions concerning the transmission of health care data to a covered entity; and whether the health plan has a relationship with or pays directly for the services made available through the application. If so, then it’s likely there is a business associate relationship.

In light of the OCR’s recent FAQs, if the application developer is a business associate of the covered entity, it is essential that the employer group health plan obtains the necessary verification that the developer has its own safeguards in place to protect participant users’ PHI in compliance with HIPAA’s requirements, including, but not limited to, information about the encryption protocols used to protect the security of the electronic PHI and the secure transfer of such data to and from the health mobile application. In addition, the employer group health plan that enters into a business associate agreement with the developer should establish the various permitted and required uses and disclosures of the PHI created, received, or maintained by the health mobile application, the required use of appropriate safeguards to prevent unauthorized access to the PHI, and require the application developer to report any instances of uses or disclosures of PHI not expressly permitted in the agreement. This includes breaches of unsecured PHI as required by HIPAA.

The information contained in this article is not intended to be legal, accounting, or other professional advice. We assume no liability whatsoever in connection with its use, nor are these comments directed to specific situations.

References:

Relief Extension For Hurricanes And Wildfires


The Department of Labor (DOL) issued compliance guidance for employee benefit plans impacted by Hurricane Maria and the California wildfires of October 2017 in DOL News Release 17-1555-NAT.

This guidance, in part, includes extensions of certain COBRA, HIPAA, and ERISA claims procedure requirements for participants, beneficiaries, and benefit plans located in Puerto Rico and the U.S. Virgin Islands identified for individual assistance by the Federal Emergency Management Agency following Hurricane Maria.  

Under this relief issued in conjunction with the Internal Revenue Service (IRS), additional time is afforded with respect to certain plan administrative deadlines.  For those affected individuals and plans in Puerto Rico, the period of September 17, 2017, through March 16, 2018, is disregarded.  For those similarly affected in the U.S. Virgin Islands, the period is September 16, 2017, through March 15, 2018.

This extension relief provides additional time for impacted participants and beneficiaries to make claims for benefits and to appeal denied claims.  In addition, these periods are disregarded when determining special enrollment periods under HIPAA (for example, adding a newborn to group health plan coverage).

For COBRA purposes, these periods are disregarded when calculating the date for providing COBRA election notices, affected qualified beneficiaries’ COBRA election periods, the timeliness of an affected COBRA continuant’s COBRA premium payment, and the date by which an affected individual must provide notification of a qualifying event or a Social Security disability determination.  

For example, if an impacted qualified beneficiary in Puerto Rico is provided a COBRA election notice on December 1, 2017, the period of September 17, 2017, through March 16, 2018, is disregarded when calculating her COBRA election period.  Therefore, her applicable election period (which would have normally ended January 30, 2018) would end 60 days following March 16, 2018, which is May 15, 2018.

In another example, assume an impacted COBRA continuant in the U.S. Virgin Islands had paid his COBRA premium for the September 2017 coverage period.  However, he was unable to make his payment for the October 2017 coverage period before Hurricane Maria made landfall.  Again, the period of September 16, 2017, through March 15, 2018, is disregarded when calculating the premium payment deadline date.  Therefore, he would have 30 days following March 15, 2018 (i.e., April 14, 2018) to remit his COBRA premium payments for the October 2017 through March 2018 coverage periods.  The April 2018 payment deadline date would remain May 1, 2018.    
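The two examples above are instances of one rule: days falling inside the disregarded period are skipped when counting toward a deadline. As an added illustration (not part of the original article), the following Python function applies that rule. The disregarded periods are the ones the article quotes for Puerto Rico and the U.S. Virgin Islands; the handling of a clock that was already running before the disregarded period began (days already elapsed still count, the remainder resumes afterwards) is my assumption generalising the article's examples, which only show clocks starting inside the period, and the 30-day premium grace period measured from the first day of the coverage period is likewise an assumption consistent with the article's May 1, 2018 figure.

```python
from datetime import date, timedelta

# Disregarded periods from DOL News Release 17-1555-NAT as quoted in the article
# (inclusive start and end dates).
DISREGARDED = {
    "PR": (date(2017, 9, 17), date(2018, 3, 16)),
    "USVI": (date(2017, 9, 16), date(2018, 3, 15)),
}


def deadline(start, days, window=None):
    """Date that is `days` days after `start`, with the inclusive date range
    `window` disregarded when counting.  Day 1 of the count is the day after
    `start`.  Three cases:
      * start on or after the window ends: ordinary count, window irrelevant;
      * start inside the window: the count begins the day after the window ends
        (the case both of the article's examples illustrate);
      * start before the window: days counted before the window begins are kept
        and the remainder resumes after the window ends (assumption generalising
        the article's examples to a clock already running on the start date).
    """
    if window is None:
        return start + timedelta(days=days)
    tolled_from, tolled_to = window
    if start >= tolled_to:
        return start + timedelta(days=days)
    if start >= tolled_from:
        return tolled_to + timedelta(days=days)
    # Start precedes the window: only days strictly between start and
    # tolled_from have been counted so far.
    elapsed = (tolled_from - start).days - 1
    if elapsed >= days:
        return start + timedelta(days=days)  # deadline passed before the window began
    return tolled_to + timedelta(days=days - elapsed)


def election_deadline(notice_date, jurisdiction=None):
    """End of the 60-day COBRA election period measured from the notice date."""
    return deadline(notice_date, 60, DISREGARDED.get(jurisdiction))


def premium_deadline(coverage_period_start, jurisdiction=None):
    """End of a 30-day premium grace period measured from the first day of the
    coverage period it pays for (assumption consistent with the article)."""
    return deadline(coverage_period_start, 30, DISREGARDED.get(jurisdiction))


if __name__ == "__main__":
    # The article's two worked examples.
    notice = date(2017, 12, 1)
    print("Election, no relief:", election_deadline(notice))          # 2018-01-30
    print("Election, Puerto Rico:", election_deadline(notice, "PR"))  # 2018-05-15
    print("October premium, USVI:", premium_deadline(date(2017, 10, 1), "USVI"))  # 2018-04-14
    print("April premium, USVI:", premium_deadline(date(2018, 4, 1), "USVI"))     # 2018-05-01
```

Passing `None` (or an unknown jurisdiction) as the jurisdiction gives the ordinary deadline, which makes it easy to show a participant both the normal date and the extended one side by side.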

The DOL’s Employee Benefits Security Administration (EBSA) has updated its FAQs for participants and beneficiaries previously published in the wake of Hurricanes Harvey and Irma to now include the California wildfires.  The EBSA has also issued a separate FAQ addressing Hurricane Maria—which highlights many of the extensions described above—to potentially address participant and beneficiary questions concerning their health coverage. 

WageWorks will continue to monitor this topic and—should the ruling agencies publish additional guidance—we will advise accordingly. 


President’s Executive Order


On October 12, 2017, President Trump issued Executive Order 13813: Promoting Healthcare Choice and Competition Across the United States (the “Order”) directing the Departments of the Treasury, Labor (DOL), and Health and Human Services (HHS) to consider proposing new healthcare rules or guidance intended to increase options and market competition with respect to health care.  

Specifically, the Order focuses on expanding the availability of (1) Association Health Plans (AHPs), (2) Short-Term Limited-Duration Insurance (STLDI), and (3) Health Reimbursement Arrangements (HRAs).

AHPs: The DOL is directed to consider—within 60 days from the date of the Order—proposing new regulations or revising existing guidance that would allow more American employers to form AHPs.  Specifically, the DOL could—in accordance with the Order—expand the conditions that satisfy the “commonality-of-interest” requirements under current DOL advisory opinions that address what constitutes an “employer” for purposes of ERISA § 5(3).  The Order encourages the DOL to consider ways to promote AHP formation based on common geography or industry (versus current guidance requiring a genuine organizational relationship).  The Order contemplates that expanded access to AHPs would help small businesses group together to collectively self-insure or purchase large group health insurance.  This would, the Order reasons, help such small businesses avoid certain costs associated with the small-group and individual plan requirements of the Patient Protection and Affordable Care Act (PPACA), such as essential health benefits and community rating.

STLDI: The departments are charged—also within 60 days from the date of the Order—to consider proposing regulations or guidance to allow expanded coverage periods of this low-cost (with typically higher out-of-pocket costs) coverage and to allow the consumer to renew such insurance.  Currently, STLDI is defined as health insurance coverage with an applicable coverage period of less than three months and has no permitted extensions beyond the three-month period.  The Order directs these agencies to consider allowing “longer periods,” a term which is not defined.

HRAs:  These departments are also instructed to consider—in this case within 120 days from the date of the Order—proposing new rules or guidance that would increase the usability of HRAs, to expand employers’ ability to offer HRAs to their employees, and to allow HRAs to be used in conjunction with individual coverage.  Under current guidance (see IRS Notice 2013-54), HRAs for active employees are generally required to be integrated with PPACA-compliant group health coverage. 

While the Order makes no actual change to any existing regulations, it does specifically request that the respective agencies make these considerations.  How—and to what extent—the DOL, HHS, and/or the Department of the Treasury makes these considerations and (potential) subsequent changes for AHPs, STLDI, and HRAs remains to be seen.

We will continue to monitor these arrangements and any subsequent guidance as this develops.



Same-Sex Marriages, Domestic Partnerships, And COBRA


June marked the anniversaries of two noteworthy United States Supreme Court decisions concerning same-sex American couples.

On June 26, 2013, the Supreme Court held in United States v. Windsor that Section 3 of the Defense of Marriage Act—which provided that only opposite-sex individuals could be recognized as married “spouses” for purposes of federal law—was unconstitutional.  Following this, the Internal Revenue Service issued subsequent preliminary guidance1 for applying the decision.  This clarification provided direction that the term “spouse”—for federal tax purposes—would include same-sex individuals validly married in accordance with the laws of any jurisdiction that recognizes same-sex marriage (i.e., the state of celebration) instead of the state in which a same-sex couple resides.  As a result of this federal recognition of same-sex marriages, group health plan coverage provided to legally married same-sex spouses was tax exempt. 

Two years (to the day) later, the Supreme Court held in Obergefell v. Hodges that the Fourteenth Amendment requires a state to not only issue marriage licenses for same-sex couples, but also to recognize those same-sex marriages licensed lawfully outside of the state (thereby eliminating the need for employers and plan providers to consider the state of celebration). 

Since these two decisions, in tandem, broadened the federal definition of the word “spouse” to include both same- and opposite-sex spouses, the increase in access to marriage can also lead to an increase in eligibility for spousal benefits under employer health plans. These legally married same-sex spouses now fall squarely into the population of individuals potentially eligible for health care continuation rights.

The Consolidated Omnibus Budget Reconciliation Act of 1985 (COBRA) affords a “qualified beneficiary” the right to continuation coverage if group health plan coverage is lost due to certain events.  This qualified beneficiary status is limited to employees, their spouses, and dependent children covered on the employer’s group health plan.  While the specific verbiage defining who is a qualified beneficiary has not changed, the federal regulatory phrase “…the spouse of the covered employee”2 now means both opposite- and same-sex individuals who are legally married to the covered employee.     

Now same-sex spouses are equally entitled to COBRA if coverage is lost due to a qualifying event (such as divorce) and are afforded every right as their opposite-sex counterparts.  

As this subject gains greater attention in the months following these decisions, it is important to note the distinction between legally married same-sex couples and domestic partners, especially with respect to COBRA.

Even though same-sex couples are now able to get married in their states of residence, some states—such as California3—still allow couples to enter into formalized domestic partnerships entitled to many of the same state rights afforded to legally married couples.  These domestic partnership provisions, which were oftentimes drafted in the interest of providing parity to couples who could not at the time receive equal benefits under federal law, created a way for certain employers to design their group health plans to enable domestic partners to be covered under the plan.

The difference between a federally recognized same-sex marriage and, for example, a same-sex domestic partnership rests in part in the newly expanded definition of “spouse.”  And for COBRA purposes, this difference is key. 

When these domestic partners are eligible for coverage under an employer’s group health plan, one must consider whether or not they would be entitled to COBRA election rights should a qualifying event occur.  Remember, the term “qualified beneficiary”—a class of individual who must be offered COBRA election rights following a qualifying event—includes only the covered employee’s spouse.  As a result, domestic partners (of either the same or the opposite sex) or civil union partners still—even after the Windsor and Obergefell cases—do not meet the definition of a qualified beneficiary.  Even if they are covered under the group health plan, they will not be qualified beneficiaries and do not have independent COBRA continuation election rights under federal law.  

However, COBRA also requires continuation coverage to be the same coverage that a qualified beneficiary had on the day before the qualifying event and may not differ in any way from the coverage made available to similarly situated non-COBRA beneficiaries.4  Therefore, if a plan offers group health plan coverage to domestic partners or their children and both the employee and covered domestic partner lose coverage due to, for example, termination of employment, the employee could argue that he or she must be given the right to elect to continue the coverage in effect before the qualifying event (which included coverage for the domestic partner). 

Furthermore, if a similarly situated active employee can add a domestic partner to his or her coverage at annual open enrollment, a former employee on COBRA coverage has the same right to add an eligible domestic partner to his or her COBRA coverage at open enrollment.

But since these individuals are not included in the federal definition of “qualified beneficiary,” there is nothing that guarantees these individuals the independent right to elect COBRA continuation for themselves. For example, while a legally recognized same-sex spouse must be offered a COBRA election following the death of the covered employee, a non-qualified beneficiary domestic partner would not be entitled to the same election rights. 

While the rights of same-sex couples continue to evolve and expand, it is important for employers to seek legal counsel and/or consult with insurance carriers when considering if domestic partner benefits should be revised in consideration of expanded marriage laws or if continuation coverage (even non-COBRA continuation coverage) will be afforded to these individuals to continue benefits parity amongst employer benefits-eligible populations. 

References:

  1. Revenue Ruling 2013-17
  2. ERISA § 607(3)(A)(i)
  3. Cal. Fam. Code §§ 297 and 297.5
  4. ERISA § 602(1)


Wearable Technology May Be Subject To HIPAA


On March 2, 2017, the International Data Corporation published a report indicating 33.9 million smartwatches and fitness trackers were shipped in the fourth quarter of 2016.  This wearable technology gives consumers access to an estimated 259,000 different mobile health applications, allowing them to lead healthier lifestyles by monitoring heart rate, daily calorie intake, or physical activity.  

Employers sponsoring group health plans, in turn, can potentially reduce their health claim exposure by encouraging the use of this technology and these programs for their participants, which could lead to better health and awareness of health issues.  However, the increase in popularity of these trackers and programs present a corollary rise in the need for employers, plans, and even the health mobile application developers to understand the extent to which the Health Insurance Portability and Accountability Act (HIPAA) privacy and security laws may apply.

By way of background, HIPAA includes privacy and security rules establishing standards for the protection of individuals’ health information called (you guessed it) Protected Health Information (PHI).  Information is classified as PHI if it is individually identifiable. That is, if it can be tied back to a specific person by one of a number of unique identifiers such as a name or Social Security number, relates to the person’s past, present, or future physical or mental health, and is created, received, or maintained by a covered entity or its business associate.  For HIPAA purposes, covered entities include, but are not limited to, employer-sponsored group health plans; doctors, hospitals, and pharmacies conducting electronic transactions; and health care clearinghouses.1

Employers may receive health information that doesn’t fall into the definition of PHI, especially in conjunction with other benefits, such as life insurance benefits or accidental death and dismemberment plans, not maintained by the group health plan and therefore not subject to HIPAA’s privacy rules.

To assist in keeping the various requirements straight with respect to the health data potentially collected by wearable technology and mobile applications, the Department of Health and Human Services’ Office for Civil Rights (OCR) published its Health App Use Scenarios and HIPAA guidance2 (the Scenarios) covering the applicability of HIPAA to such mobile device applications that collect, store, manage, organize, or transmit health information. 

While OCR published the Scenarios to assist application developers in obtaining direction and education in the intersection of this growing technology and HIPAA regulations, employers sponsoring group health plans and their business associates can similarly look to this publication for clarification on their employees’ use of health mobile applications and the potential impact of HIPAA’s privacy and administrative simplification requirements.

The Scenarios put forth six hypothetical situations involving health mobile applications and OCR’s guidance as to how it believes HIPAA would apply to the developer in question. The Scenarios highlight the difference between health mobile applications offered directly to consumers for their own use and health information management and those offered on behalf of a covered entity (such as a health plan or provider).  

Scenario 1: A consumer voluntarily downloads a health mobile application to her smartphone and enters her health information she gathered herself (such as blood pressure readings).  The consumer is using the application to manage her own health information and is neither a covered entity nor a business associate.  Because the application developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or business associate, the developer is not subject to HIPAA.

Scenario 2: A consumer voluntarily downloads a health mobile application to her smartphone to help her manage a chronic condition.  She uses her health care provider’s patient portal to download her electronic health records (EHR) onto her computer and then uploads it to her smartphone along with her own health information.  As before, the consumer is neither a covered entity nor a business associate and is using it for her own purposes to manage her own health information along with EHR received from her doctor.  There’s nothing to suggest the doctor hired the developer to provide or facilitate this service.  The application developer is not creating, receiving, maintaining, or transmitting PHI on behalf of a covered entity or business associate and is not subject to HIPAA.

Scenario 3: A doctor recommends a particular health mobile application to a patient to track his physical activity to assist with weight loss.  Based on this recommendation, the consumer downloads the application to his smartphone to send summary data to his doctor before his next appointment.  Even though the doctor recommended the application, there is no indication she hired the developer to provide or facilitate the handling of patients’ PHI.  The patient consumer’s use of the application to transmit data to the doctor (a covered entity) does not by itself make the application developer a business associate of the covered entity, and the developer is not subject to HIPAA.

Scenario 4: A consumer downloads a health mobile application to her smartphone to help her manage a chronic condition.  The healthcare provider and the application developer have entered into an interoperability agreement at the consumer’s request facilitating the secure exchange of the consumer’s health information between the two parties.  The consumer inputs her own information into the application and directs it to transmit the data to the provider’s EHR.  She can also use the application to access test results from the provider.  The application developer is transmitting data on behalf of the consumer, at her request, to and from the provider and is not a business associate of the covered entity.  The developer is not subject to HIPAA.

Scenario 5: A healthcare provider has contracted directly with an application developer for patient management services (such as remote patient health counseling, messaging, EHR integration, and monitoring patients’ physical activity).  The doctor instructs the consumer to download the application to her smartphone and the information it collects is automatically transmitted to the provider’s EHR.  Because the application developer contracted directly with the provider to create, receive, maintain, and transmit the patient’s PHI on behalf of the covered entity, the application developer is a business associate of the covered entity and is subject to HIPAA.

Scenario 6: A health plan offers a health mobile application that allows participants to download and store their health records, check claim status, and track their progress towards improving their health.  The usage data is collected and analyzed by the health plan.  The application developer offers a separate version of the application that is available directly to the consumer with the same functionality.  Since the health plan is a covered entity and is contracted directly with the application developer to create, receive, maintain, and transmit PHI on behalf of the plan, the application developer is a business associate and is subject to HIPAA with respect to the application offered by the health plan.  For the direct-to-consumer version, the application developer is not a business associate provided the information gathered in the direct-to-consumer version is kept separate from the version offered by the plan.  

Again, understanding these scenarios is important not only for application developers, but for group health plan sponsors when considering how and to what extent HIPAA applies in the mobile application context.  

Prompted in part by the wellness program incentives under the Affordable Care Act and HIPAA’s nondiscrimination provisions,3 employers are presented with more opportunities to incorporate wearable technology or health mobile applications into their wellness programs.  For example, an employer can offer its participants access to activity trackers that may be paired to a platform or online program compiling and organizing the participants’ information to monitor ongoing corporate-wide wellness goals.  In giving employees the tools to monitor (and perhaps improve upon) their own well-being, employers can realize a decrease in health care costs.  

However, when considering such a program, employers will need to consider if the information collected by the application or activity tracker is PHI; whether their plan participants are independently selecting and downloading the health applications and, if so, whether the employees control all decisions concerning the transmission of health care data to a covered entity; and whether the health plan has a relationship with or pays directly for the services made available through the application.  If so, then it’s likely there is a business associate relationship.

If the application developer is a business associate of the covered entity, then it is essential that the employer group health plan obtains the necessary verification that the developer has its own safeguards in place to protect participant users’ PHI in compliance with HIPAA’s requirements, including, but not limited to, information about the encryption protocols used to protect the security of the electronic PHI and the secure transfer of such data to and from the health mobile application.  In addition, the employer group health plan that enters into a business associate agreement with the developer should establish the various permitted and required uses and disclosures of the PHI created, received, or maintained by the health mobile application, the required use of appropriate safeguards to prevent unauthorized access to the PHI, and require the application developer to report any instances of uses or disclosures of PHI not expressly permitted in the agreement. This includes breaches of unsecured PHI as required by HIPAA.


References:

  1. 45 CFR § 160.103
  2. http://hipaaqsportal.hhs.gov/
  3. http://webapps.dol.gov/federalregister/PdfDisplay.aspx?DocId=26880
