Employment LawScene Alert: New Rule Will Permit Employer Reimbursement of Employees’ Individual ACA Coverage Premiums

Beginning January 1, 2020, employers will have the option to reimburse employees’ individual ACA Exchange (or Marketplace) health insurance premiums under an employer-sponsored Health Reimbursement Arrangement (HRA).

This is a significant change from current rules, which generally permit an HRA to reimburse only group (not individual) health insurance coverage, and which prohibit employer reimbursement of any health insurance coverage provided through the ACA Exchange.

HRA Overview
An HRA is a type of account-based plan that an employer may use to provide pre-tax reimbursement, up to employer-determined annual limits, of certain employee medical care expenses. Under applicable law, an HRA is a self-funded health care plan, which may be funded only by employer (not employee) dollars. An HRA is subject to ERISA, HIPAA, and certain IRS rules, including the nondiscrimination requirements that prohibit discrimination in favor of highly compensated employees.

What’s Old is New Again
Under final regulations issued jointly, last week, by the United States Departments of Treasury, Labor, and Health and Human Services (the Departments), Employers can once again reimburse certain individual employee health insurance expenses on a pre-tax basis. This practice was broadly permitted under IRS rules in effect from 1961 through January of 2014, when the IRS put a sudden halt to the practice on the grounds that it violated the Affordable Care Act.

With Some Twists
Prior to 2014, employers could directly reimburse an employee for the cost of that employee’s individual insurance coverage premiums. No additional benefit plan or plan document was required.  Under the new rules, employer reimbursements of individual insurance premiums may not be made directly, but must instead flow through a documented HRA program.  The HRA must conform in form and operation with applicable Department rules.
Under the law in effect over the last few years, an HRA could reimburse group health plan insurance premiums only if it were “integrated with” an ACA-compliant employer-sponsored group health plan. Under the rules that will take effect January 1, 2020, HRA “integration” with ACA-compliant individual coverage will be available for the first time.

Why are the HRA Rules Changing?
The final regulations issued jointly by the three Departments last week ultimately result from an October 2017 Presidential Executive Order intended to expand “healthcare choice” and flexibility. HRAs were one of three priorities identified in President Trump’s Executive Order 13813, which directed the Departments to consider proposing regulations or revising guidance as needed “to expand employers’ ability to offer HRAs to their employees, and to allow HRAs to be used in conjunction with non-group coverage.”

Key Requirements
The final regulations exceed 200 pages and provide extensive detail on the requirements applicable to the new individual coverage HRAs (ICHRAs). Among these are the following six key conditions, which must be satisfied in order to successfully integrate an HRA with individual health insurance coverage:

  • All individuals covered by an ICHRA must be enrolled in individual coverage through the Exchange.
  • The employer may not offer an ICHRA to the same class of employees to whom it offers group health plan coverage. This means that an employee in a particular classification may not be given a choice between a traditional group health plan and an ICHRA. Under a related rule, employers are prohibited from steering participants with adverse health factors into individual, rather than into group, coverage.
  • An ICHRA must be offered in both the same amount and under the same terms and conditions to all employees. The HRA may not be more generous or less generous to some individuals based on an adverse health factor.
  • The ICHRA must offer an opt-out provision so that an employee may choose to waive ICHRA HRA coverage. This condition is intended to preserve an individual’s eligibility for a premium tax credit for coverage obtained on the Exchange under certain circumstances, such as when the ICHRA offered is either unaffordable or does not provide minimum value in accordance with ACA standards.
  • Claims for reimbursement under an ICHRA must be substantiated and confirmed to relate to the cost of individual Exchange health insurance premiums. An employer may rely on an employee’s attestation to this effect, and model attestation forms have been provided by the Departments. If an ICHRA sponsor learns of an incorrect or false attestation, future reimbursements relating to the relevant period may be denied.
  • Participants potentially eligible to participate in an ICHRA must be provided with a written notice at least 90 days before the beginning of each plan year (with some exceptions for a shorter notice period in for an initial year of eligibility). The final regulations specify the content that must be provided in the notice.

Limited Time to Prepare
In order for employers to reimburse employees’ purchase of individual ACA-regulated health insurance by January 1, 2020, there is much work to do in relatively little time. Before the November 1 start date of the open enrollment period for 2020 ACA coverage:

  • Employers must adopt (or amend existing) HRA Plan documents to comply with the new requirements;
  • Employers, as well as Exchanges will need to work to communicate the changes to eligible individuals; and
  • All separate State-facilitated Exchanges, as well as the Federal Exchanges must implement any required website coding and enrollment procedures.

The State-facilitated Exchanges have been concerned about a possible 2020 rollout since that date was initially mentioned in proposed rules issued late last year. This April, the administrators of all 12 State Exchanges asked the Departments to postpone the effective date.  In response, the Departments have promised to provide technical assistance to the Exchanges to facilitate timely implementation of the new rules.  Nonetheless, the final regulations are extremely detailed and complex. Whether, and to what extent, employers (and Exchanges) are able to embrace ICHRA reimbursement of individual health insurance premiums remains to be seen.
The attorneys of the Employment Law team of O’Neil, Cannon, Hollman, DeJong and Laing are closely following these new developments and are prepared to discuss how the change in HRA rules may impact your strategy regarding employee benefits offerings, ACA compliance, or how to amend an existing HRA or MERP (medical expense reimbursement plan) or to adopt a new HRA document to prepare for the reimbursement of individual coverage.

Employment LawScene Alert: Remember March 1 Deadline for Reporting a “Small” HIPAA Breach

Employers who are classified as covered entities under HIPAA are required to report any 2018 breach of protected health information that affected fewer than 500 individuals (also known as a small breach) by March 1, 2019. This current breach notification requirement arises from amendments made to HIPAA under the Health Information Technology for Economic and Clinical Health (HITECH) Act, as finalized in 2013. HIPAA defines a covered entity as either (1)  a group health plan, (2) a health care clearinghouse, or (3) a health care provider who electronically transmits any protected health information.  A covered entity may be an individual, an institution, or an organization.

Background

Under applicable rules, a breach is defined as an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. Some exceptions apply, so that not all incidents will rise to the level of a breach. Still, an impermissible use or disclosure of protected health information is generally presumed to be a breach unless the covered entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of several specified factors.

Notification Requirement

Upon the occurrence of a confirmed (or in some cases, suspected) breach, the affected individuals must be provided with detailed notification letters without unreasonable delay and no later than 60 days after the discovery of the breach. While the covered entity, most often, provides the required notifications, the final rules permit the delegation of reporting duties to a business associate.

A HIPAA breach also triggers an obligation to notify the Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).

  • When a breach affects 500 or more individuals, the reporting entity must notify OCR contemporaneously with the notification to individuals (and must also notify local media outlets).
  • Where a breach affects fewer than 500 individuals (also known as a small breach), however, a reporting entity must maintain a log or other documentation of all breaches occurring during the year, and annually report all such breaches no later than 60 days after the end of that calendar year.

For a small breach occurring any time in 2018, the deadline to report that breach to OCR is March 1, 2019.

Small Breach Reporting Details

A reporting entity is not required to wait until the March 1 deadline to report a small breach. Small breaches may be reported as early as contemporaneously with the occurrence of the breach. Regardless of timing, all small breaches must be reported to OCR in the same manner. Specifically a reporting entity must report the breaches online through the OCR’s “Breach Portal.”

Note that even when a covered entity delegates the reporting function to a business associate, the covered entity retains ultimate legal responsibility for proper reporting. Accordingly, covered entities who delegate reporting may want to require proof of timely reporting.

Be aware that, while the reporting entity may report all small breaches on a single date, each separate breach incident will require a separate submission. Instead of simply uploading a log of breach incidents occurring in the prior year, the reporting entity must complete a six-section questionnaire to provide: (1) general information; (2) identification of the covered entity, business associate, and relevant contact information; (3) the nature of the breach; (4) a summary of related notices provided and actions taken; (5) an attestation, and; (6) a summary. Multiple fields must be completed within each of these six sections. The HIPAA status of a reporting party (as either a HIPAA covered entity or a business associate) must be indicated on the “Contact” tab of the online filing form.

The online reporting form also requires the reporting entity to indicate the level of pre-breach HIPAA compliance status, including whether or not HIPAA Privacy Rule safeguards and HIPAA Security Rule safeguards were in place.

Because filing the breach notice can be time-consuming, parties tasked with reporting 2018 small HIPAA breaches of unsecured protected health information are advised to gather and prepare the content to be reported before actually logging on to the OCR Breach Portal. Because any changes or updates to the submitted information must be entered as a separate entry, it is preferable to ensure that each submission is fully accurate. Moreover, because the content of Breach Notifications to OCR can form the basis for a future OCR investigation and enforcement action, it is advisable to have legal counsel review content prior to submission.

In addition to ensuring that 2018 breaches affecting fewer than 500 individuals are reported by March 1, covered entities and business associates should continue to ensure that HIPAA Policies and Procedures, as well as the applicable administrative, physical and technical safeguards are up to date and periodically reviewed.