Compliance Matters Newsletter | September 2024

Let our team help you navigate the ever-changing benefits compliance landscape each month. Check out this month’s latest alerts, additional updates, and resources hot off the press:

Employee Benefits Compliance Alerts

This month’s Compliance Matters newsletter provides a comprehensive review of the following topics. To obtain your copy, please use the form below to download.

• Another Fiduciary Breach Lawsuit Highlights Employer Responsibilities
• Action Required for HIPAA Reproductive Healthcare Compliance
• Surprise Billing Regulations in the Courts
• Eligibility and Taxation of Owner and Director Benefits
• FTC and House Oversight Committee Investigate PBMs
• 2024 State Regulation Series: Michigan Personal Injury Protection (PIP)

Additional Updates & Resources

DOL Releases Updated CHIP Notice

The Department of Labor’s (DOL) Employee Benefits Security Administration (EBSA) recently released an updated model notice that employers may use to provide information on premium assistance eligibility under Medicaid or the Children’s Health Insurance Program (CHIP).

The Children’s Health Insurance Program Reauthorization Act of 2009 (CHIPRA) requires employers who maintain group health plans in states that provide premium assistance under Medicaid or CHIP to annually notify all employees of potential premium assistance opportunities in the state where an employee lives. To assist employers with their disclosure obligations, EBSA developed a model notice for employers to use. The model notice includes contact information for states that provide Medicaid or CHIP premium assistance programs.

EBSA customarily releases updated versions of the model notice twice a year – at the end of January and July – to account for recent changes to the contact information related to various state Medicaid or CHIP programs.

Employers may distribute the model notice annually with their health plan Summary Plan Description (SPD) or open enrollment materials, so long as the materials are provided to all employees and are provided in compliance with the DOL’s document distribution rules. The technical regulations require the notice to be separate from other plan materials so that it is easily distinguishable, and the importance of the notice is clear.

HDHP Relief for COVID Testing & Telemedicine Is Ending Soon

In 2020, as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, Congress granted temporary relief for telehealth plans to offer first-dollar coverage and remain compatible with a health savings account (HSA). Congress later extended relief, which is currently set to expire on December 31, 2024. A telehealth plan, whether stand-alone or built into a group health plan, is not compatible with an HSA unless the telehealth plan has a deductible or charges a fair market value (FMV) fee each time participants use the service until the minimum deductible required for a qualifying high deductible health plan (HDHP) is met. See our previous alert on this topic.

The Telehealth Expansion Act of 2023 (H.R. 1843 and S. 1001) would permanently exempt HDHPs from the requirement of a deductible for telehealth and other remote care services. These bills have bipartisan support, and it is possible that language from these bills will be included in an end-of-year consolidated appropriations act of 2024.

Without legislation extending the expiration date of the telehealth plan relief, as of January 1, 2025, plans that provide first-dollar coverage for telehealth will not be HSA compatible. Carriers will need to apply deductibles and coinsurance for telehealth and COVID-19 testing and treatment to maintain an HSA-eligible HDHP.

Internal Revenue Service (IRS) Notice 2020-15 provided that due to the unprecedented public health emergency posed by COVID-19, and the need to eliminate potential barriers to testing and treatment of COVID-19, a plan could provide first-dollar coverage for these benefits and remain an HDHP. In 2023, the IRS announced in Notice 2023-37 that, due to the end of the COVID-19 emergency, the relief previously provided regarding the COVID-19 testing and treatment benefits that could be provided by an HDHP was no longer needed and would apply only for plan years ending on or before December 31, 2024.

DOL Fiduciary Rule Put on Hold (Again)

The recently finalized Department of Labor (DOL) fiduciary rule for investment advice has been put on hold once again. A Court held that the fiduciary rule conflicted with Employee Retirement Income Security Act (ERISA) rules by treating companies giving one-time investment advice as fiduciaries. The court stated that they owed no deference to the DOL’s interpretation of the regulations relying on a recent Supreme Court decision in Loper Bright Enterprises v. Raimondo and placed a hold on the effective date of the rule and its prohibited transaction exemption amendment, PTE-84.

This is not the first time the DOL fiduciary rule has been put on hold. In 2016, a similar injunction was placed on the rule. At this time, plan sponsors and their advisors should continue to use the 1975 regulations to determine compliance. EPIC is continuing to monitor developments with these regulations.

Update from HHS on Change Healthcare Cybersecurity Incident

Change Healthcare (Change), a healthcare technology company and the largest healthcare claims clearinghouse in the United States, which is owned by UnitedHealth Group, Inc. (UHG), experienced a major cyberattack in February 2024. The attack impacted healthcare facilities, providers and patients nationwide. On March 5, 2024, the Department of Health and Human Services (HHS) issued a statement about the cyberattack, and a week later, the HHS Office of Civil Rights (OCR) launched an investigation into the attack. EPIC released previous updates about the attack, which can be accessed here and here.

In June 2024, Change released a statement that they determined protected health information (PHI) was part of the information compromised in the attack but were still conducting an investigation to determine the scope of information compromised and the identities of the individuals affected. On July 19, 2024, Change filed a breach report with HHS identifying 500 individuals as the “approximate number of individuals affected.” Change is still investigating the attack and determining the number of affected individuals; however, because there are at least 500 individuals affected, Change must report the breach to HHS.

Earlier this year, the OCR created a list of frequently asked questions (FAQs) on its website to provide updates and information about the Change cyberattack. Following this update from Change, the OCR updated the answer to Question Three on OCR’s “Change Healthcare Cybersecurity Incident Frequently Asked Questions.” The OCR will continue to update the FAQs as needed.

HHS Updates Civil Monetary Penalties

The Department of Health and Human Services (HHS) updates civil monetary penalties for certain compliance violations annually based on changes in the cost of living. On August 8, 2024, HHS released a notice updating penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) administrative simplification, Medicare Secondary Payer (MSP), and Summary of Benefits and Coverage (SBC).

Penalties are as follows:

• Failure to provide an SBC: $1,406 (up from $1,362) for each failure
• Offering incentives to Medicare-eligible individuals not to enroll in a plan that would otherwise be primary: $11,524 (up from $11,162)
• Failure of responsible reporting entities to provide information identifying situations where the group health plan is primary: $1,474 (up from $1,428)
• HIPAA penalties are based on different tiers of knowledge/severity and range from $141 to $2,134,831, with a calendar year cap for each penalty of $2,134,831

San Francisco Updates HCAO Minimums

In August 2024, the San Francisco Office of Labor Standards Enforcement (OLSE) released new rates and standards for individuals covered by the San Francisco Health Care Accountability Ordinance (HCAO), effective January 1, 2025. 

The Health Care Accountability Ordinance (HCAO) applies to most City contractors and tenants (including those at the San Francisco International Airport and the Port of San Francisco) and requires employers to offer a compliant health plan to their covered employees, to make payments to the City for use by the Department of Public Health, or, under limited circumstances, to make payments directly to their covered employees. To offer a compliant health plan an employer plan must meet all the HCAO Minimum Standards. Questions about complying with the HCAO can be directed to the Department of Public Health. Additionally, the OLSE offers a set of frequently asked questions on its website. For more information, visit the website or join a webinar on the HCAO requirements on Wednesday, September 4, 2024.