Compliance Monthly Update: February 2024

Compliance Monthly Update: February 2024

A brief update on what happened the prior month in group health plan compliance at the federal level, organized chronologically. An update for the state and local level are further down. If you would like additional information, please reach out to the GBS Compliance Team.

Transparency in coverage FAQ guidance for low-utilization items.

On February 2, the regulatory agencies (DOL, IRS, and HHS) issued FAQ guidance (Part 65) on the implementation of the Transparency in Coverage (TiC) regulations. This FAQ addresses compliance with cost‑sharing disclosure requirements where a plan is providing cost estimates based on claims data but there is extremely low utilization of the item or service at issue.

  • As a reminder, the TiC rules require (among other things) that plans and insurers disclose individualized cost-sharing information to participants through an internet-based self-service tool and, upon request, in paper form. The disclosures, which show applicable rates for in-network providers and allowed amounts and billed charges for out-of-network providers, must be an accurate estimate at the time a request is made.
  • These estimates are generally based on contracted rates for items and services, but plans and insurers may use analytics, such as past claims data, to produce more accurate cost estimates. For instance, if rates are not negotiated as prospective dollar rates, past claims data may be used.
  • The FAQ guidance recognizes that plans and insurers may not be able to provide accurate cost estimates for items or services with limited past data because of very low utilization. The agencies advise that they are likely to exercise discretion, on a case-by-case basis, and not bring enforcement actions against plans and insurers that fail to include cost-sharing information for items and services for which a cost estimate would need to be based on past claims data and for which there have been fewer than 20 different claims in total over the past three years. The plan or insurer should indicate on the self-service tool that the item or service is covered, but that a specific cost estimate is not available because of insufficient data. The tool also should encourage the individual to contact the plan or insurer for more information on the item or service. When an individual reaches out to the plan directly (rather than using the self‑service tool), the plan should provide all available relevant information (e.g., information available on the SBC or the portion of costs that the individual will be responsible for).

Updated reporting instructions released for 2023 RxDC reporting due June 1, 2024.

On February 2, CMS released updated instructions and template data forms for group health plans and insurers to report prescription drug and health care spending data, as required by the Consolidated Appropriations Act, 2021 (CAA). The updated Prescription Drug Data Collection (RxDC) Reporting Instructions are for the 2023 reference year reporting that is due June 1, 2024. The instructions provide step-by-step guidance for submitting data through the RxDC module in the Health Insurance Oversight System (HIOS). See the CMS RxDC webpage for more information and for the updated instructions/forms.

Employers should (a) reach out to their carriers, TPAs, or PBMs (as applicable) to confirm that they will submit the RxDC reports for their group health plan(s), (b) make sure their written agreements with these third parties have been updated to reflect this reporting responsibility, (c) be on the lookout for communications and data requests from these third parties and respond in a timely manner so they can submit data on behalf of the group health plan, and (d) monitor and document their carrier’s, TPA’s, or PBM’s compliance. Employers who miss the carrier/TPA/PBM deadlines (as well as employers whose carrier/TPA/PBM will not complete the filing for them) will need to register and upload files in the HIOS system. Employers who need to file using HIOS will want to make sure they are carefully review and follow the updated reporting instructions. 

Johnson & Johnson lawsuit may signal new wave of group health plan fiduciary litigation.

On February 5, a class action lawsuit was brought by a participant in the Johnson & Johnson (J&J) group health plan alleging a breach of ERISA fiduciary duties in the selection of its PBM and by overpaying for specialty generic drugs offered on the plan’s formulary. The complaint focuses on the “spread pricing” model used by the plan’s PBM—in which the PBM charges the plan one amount for a specific drug and pays the pharmacy a different amount and retains the difference or “spread” between the two amounts. The complaint alleges that J&J breached the ERISA duty of prudence and the duty to act solely in the interest of the plan in selecting the PBM when other less costly arrangements were available.

  • Retirement plans have been subject to class action lawsuits alleging excessive fees for years now. These retirement plan lawsuits focus on fiduciary responsibilities with respect to vendor selection, fees, and investment performance. With the various new transparency requirement for group health plans, ERISA plaintiff’s law firms have indicated an intention to shift focus to group health plan fee and fiduciary litigation. Those law firms have now submitted ERISA document requests to several large group health plans for prior year plan documents, requested links to plan’s price estimator tools, and have been reviewing the publicly available machine-readable files of Rx prices (as is required under the new transparency rules). With this information, the law firms are investigating whether plan sponsors are acting in the best interest of their plan participants, exercising care and prudence with respect to the selection of service providers and administration of their plans, and ensuring that plan costs are reasonable.

  • This J&J case could be the first in a possible wave of this type of litigation against employers alleging breaches of fiduciary duties because a group health plan overpaid for services.

  • Note, however, that the J&J case is only at the initial stages. And while it is a good reminder to focus on basic ERISA fiduciary responsibilities, any drastic or radical changes to plan governance (that may be costly and time consuming) likely should be avoided. Rather, plan sponsors should engage in prudent fiduciary decision-making processes for designing their benefit plans and in their selection of PBMs and other vendors. Note that ERISA does not require plan fiduciaries to select the lowest cost vendors, rather they should make a prudent decision taking in the various factors in the vendor selection process to ensure the plans are designed and administered in participants best interests. Having good documentation and a process in place for making prudent group health plan decisions will generally be the most effective shield against potential lawsuits.

IRS Publication 969 (HSAs) released.

The IRS released Publication 969 (Health Savings Accounts and Other Tax-Favored Health Plans) for use in preparing 2023 tax returns. This publication is a good source of information and guidance on HSAs and health FSAs—including contribution limits, eligibility criteria, tax treatment of withdrawals, and provides examples to help understand how HSAs and FSAs work and interact.

IRS announces decrease for 2025 ACA employer mandate penalties.

On February 12, the IRS issued Rev. Proc. 2024-14 with 2025 indexed amounts used to calculate the ACA employer shared responsibility payments (ESRP) that applicable large employers (ALEs) may be liable for if they (1) fail to offer minimum essential coverage to 95% of full-time employees and their dependents, excluding spouses (i.e., the subsection (a) penalty), or if they (2) fail to offer coverage to full-time employees that is affordable and minimum value (i.e., the subsection (b) penalty). The adjusted penalty amount for failures occurring in the 2025 calendar year under subsection (a) will be $2,900 per full-time employee (less the 30-employee reduction)—a $70 decrease from 2024. The 2025 calendar year penalty under subsection (b) will be $4,350 per full-time employee that receives subsidized coverage through an Exchange—a $110 decrease from 2024. Current and previous penalty amounts are available on the IRS Question and Answers on Employer Shared Responsibility under the ACA webpage. Note that the IRS uses Letter 226-J to inform ALEs of potential ESRP amounts, and a response is generally due within 30 days for the ALE to inform the IRS if they agree or disagree with the proposed penalty. ALEs should be prepared to promptly respond to any Letter 226-J received.

DOL announces ERISA enforcement results for 2023.

On February 13, the DOL released a fact sheet (and associated news release) announcing ERISA enforcement results by the DOL’s Employee Benefits Security Administration (EBSA) for the 2023 fiscal year. The fact sheet highlights enforcement action taken to eliminate illegal plan provisions resulting in increased access to mental health benefits—which signals that compliance with mental health parity rules will continue to be a high priority for the DOL.

Updated NIST resource for complying with the HIPAA Security Rule.

On February 14, the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) released an updated version of Publication SP 800-66 Rev.2 titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – A Cybersecurity Resource Guide.” As a reminder, the HIPAA Security Rule focuses on safeguarding electronic protected health information (ePHI) held or maintained by regulated entities (including group health plans and business associates). The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The updated guide provides practical guidance and resources that can be used to safeguard ePHI and better understand the security concepts discussed in the HIPAA Security Rule. The guide is generally organized to track the six core sections of the Security Rule—that is, general standards, administrative safeguards, physical safeguards, technical safeguards, organizational requirements including Business Associate Agreements (BAAs), and—lastly—policies, procedures, and documentation requirements.

HHS annual reports to Congress on HIPAA compliance.

On February 22, HHS issued its Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2022 and the Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2022. These reports help HIPAA regulated entities, including group health plans and business associates, in their HIPAA compliance efforts by sharing steps taken by HHS to investigate complaints, breach reports, and compliance reviews regarding potential violations of the HIPAA Rules. The reports include important data on the number of HIPAA cases investigated, areas of noncompliance, and insights into trends such as cybersecurity readiness.

State/Local Compliance Update: February 2024

A brief update on what happened the prior month in group health plan compliance at the state and local level, listed alphabetically. If you would like additional information, please reach out to the GBS Compliance Team.

IVF uncertainty following Alabama Supreme Court ruling. The Alabama Supreme Court ruled that cryogenically frozen embryos are children and are protected from destruction under state law—which puts into question the future of in-vitro fertilization (IVF) in the state. Many group health plans provide IVF coverage, and employers may want to identify employees and covered plan members residing in Alabama and consider the potential impact of this ruling on those individuals. Some fertility networks and reimbursement solutions are confirming the operational status of their vendor networks or partner clinics in Alabama, and they are reaching out to their employer clients with employees in that state to review their current benefit design—whether it covers shipping eggs or embryos, long-term storage, and if the benefit allows members to receive treatment at any in-network clinic in any state. The Alabama State legislature may have the last word and restore access to IVF, but we will continue to monitor this situation as it develops.

St. Paul issues new guidance for the City’s Earned Sick and Safe Time (ESST) Ordinance. St. Paul issued new rules addressing various topics under the ESST including: when time employees spend travelling constitutes time worked for purposes of accruing ESST; whether and when employees accrue and can use ESST for time spent on call; appropriate procedures for frontloading ESST in lieu of allowing employee to accrue ESST; using an existing PTO policy to satisfy ESST requirements; determining the hourly ESST rate for employees paid by salary, commission, or piece rate; requesting documentation to support ESST leave requests; and how employers may comply with the Ordinance by maintaining a general PTO policy. For more information see the St. Paul ESST webpage.

Washington issues updated Paid Leave and WA Cares Employer Toolkits. Washington has provided updated 2024 Employer Toolkits for Washington’s Paid Leave and WA Cares Fund. The updated toolkits include the Employer’s Paid Leave Benefits Toolkit which helps anyone with employees in Washington learn about Paid Leave benefits, and the Employer Wage Reporting and Premiums Toolkit which provides more information about employer responsibilities for Paid Leave and WA Cares Fund. These toolkits and additional employer resources are available HERE.

Get CRITICAL employee benefits information delivered right to your inbox!
Featured Post
Recent posts