Compliance Monthly Update: September 2023
A brief update on what happened the prior month in group health plan compliance at the federal level, organized chronologically. If you would like additional information, please reach out to the GBS Compliance Team.
HHS makes updates to HIPAA Security Risk Assessment Tool.
On September 5, HHS announced an updated version of its interactive Security Risk Assessment Tool (SRA Tool) designed to help covered entities and business associates conduct a security risk assessment as required by the HIPAA Security Rule. A risk assessment helps ensure a covered entity or business associate is compliant with HIPAA’s administrative, physical, and technical safeguards and helps reveal areas where protected health information (PHI) could be at risk. The latest version of the SRA Tool includes a new optional remediation report—which provides users with the opportunity to document a plan for improvement, assign responsibilities, and track deadlines. Additionally, there are enhancements such as a glossary page with terms and definitions provided in one place for easy access, and tips embedded in the content to provide more information.
Comment period for MHPAEA proposed rule extended.
The regulatory agencies announced on September 19 an extension to the comment period for proposed regulations under the Mental Health Parity and Addiction Equity Act (MHPAEA) that were recently published in August. The comment period, which was originally scheduled to close on October 2, 2023, will be extended 15 days to October 17, 2023, for both the proposed regulations and the accompanying DOL Technical Release. The proposed regulations would amend existing rules under the MHPAEA and implement the nonquantitative treatment limitation (NQTL) comparative analysis requirement. The Technical Release focuses on the analysis of plan network composition and discusses a potential enforcement safe harbor for NQTLs related to network composition. The regulatory agencies indicate they are providing this extension in response to requests from stakeholders and because they value public feedback as they consider whether and how to issue final rules and future guidance.
Regulatory agencies request public input regarding coverage and access to OTC preventive services.
On September 29, the DOL/HHS/IRS released a press release and a Request for Information (RFI) seeking public input on how best to ensure coverage and access to over-the-counter (OTC) preventive services, including the benefits of requiring most health insurance plans to cover these services at no cost and without a prescription by a health care provider. Under the ACA, plans must cover certain recommended preventive items and services at no cost. Several of these recommended preventive items and services are currently available to consumers OTC without a prescription but are not required to be covered without cost sharing unless prescribed by a health care provider. The goal of the RFI is to understand the potential challenges and benefits to provide coverage at no cost for recommended OTC preventive products without requiring a prescription.
Draft 2023 ACA reporting forms and instructions issued.
The IRS released 2023 draft forms and draft instructions for ACA reporting under IRS Code Sections 6055 and 6056. As a reminder, Forms 1094-B and 1095-B are filed by minimum essential coverage providers (including small employers with a self-insured plan) to report coverage information in accordance with Section 6055. Forms 1094-C and 1095-C are filed by applicable large employers (ALEs) to provide information that the IRS needs to administer employer shared responsibility penalties and eligibility for premium tax credits, as required under Section 6056. Forms are required to be filed with the IRS by February 28, 2024, or April 1, 2024 (if filing electronically). The deadline to furnish forms to individuals is March 1, 2024.
In prior years, employers could file their ACA reporting forms by paper if the employer was filing fewer than 250 returns—however, starting in 2024 (for the 2023 calendar year reporting), employers filing 10 or more returns must file their forms electronically with the IRS.
Medicare Part D Notice due prior to October 15.
Each year, Medicare Part D requires group health plan sponsors to disclose to those eligible for Medicare Part D and to CMS whether the health plan’s prescription coverage is creditable or not. The Medicare Part D notice is important because Medicare beneficiaries who are not covered by creditable prescription drug coverage and do not enroll in Medicare Part D when first eligible will likely pay higher premiums if they enroll at a later date. The annual disclosure notice must be provided prior to October 15 (the start date of the annual enrollment period for Medicare Part D). “Prior to,” as used here, means the individual must have been provided with the notice within the past 12 months. Although there are no specific penalties associated with this notice requirement, failing to provide the notice may be detrimental to employees. The GBS annual notices packet contains this notice, and employers should distribute this notice if it has not already been disclosed. The Medicare Part D Notice should also be included in new hire enrollment materials and in annual open enrollment materials. Note also the separate requirement for plan sponsors to disclose online to CMS within 60 days of the beginning of the plan year whether their plan provides creditable coverage.
State/Local Compliance Update: September 2023
A brief update on what happened the prior month in group health plan compliance at the state and local level, listed alphabetically. If you would like additional information, please reach out to the GBS Compliance Team.
California legislatures passes amendment to existing paid sick leave mandate. On September 13, the California State Legislature passed S.B. 616 which expands existing paid sick leave requirements under the Health Workplaces, Healthy Families Act of 2014. The amendment increases the annual amount of California paid sick leave from three days (or 24 hours) to five days (or 40 hours) for eligible employees. The amendment also raises the accrual cap from 48 hours to 80 hours. If signed into law by Governor Newson, the amendment will take effect on January 1, 2024.
New Personal Data Privacy Act signed into law in Delaware. On September 11, the Delaware Personal Data Privacy Act (DPDPA) was signed into law and will go into effect January 1, 2025. Delaware is now the 13th state to enact comprehensive consumer data privacy legislation. The DPDPA applies to persons who conduct business in Delaware or produce products or services targeted to Delaware residents and who, during the preceding calendar year, either: (1) controlled or processed the personal data of at least 35,000 Delaware residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data at least 10,000 Delaware residents and derived more than 20 percent of their gross revenue from the sale of personal data. The law does not provide a blanket exemption for covered entities and business associates subject to HIPAA, but it contains several limited exemptions for specific types of health data, including protected health information (PHI) covered by HIPAA.
Florida approves rules implementing provisions of new PBM law. On September 18, Governor DeSantis approved rules to implement several provisions of the Prescription Drug Reform Act (SB 1550) – broad legislation passed this past May addressing PBMs and drug pricing. The Office of Insurance Regulation has created a website with resources related to the new statutory requirements for PBMs, as well as information about how providers can lodge complaints.
Illinois enacts pre-tax commuter benefits requirement. The Transportation Benefits Program Act (TBPA) requires covered employers to provide pre-tax commuter benefits to covered employees beginning January 1, 2024. The pre-tax benefit means that employers must allow covered employees to use pre-tax dollars for the purchase of a transit pass through payroll deduction. A transit pass is any pass, token, care card, and the like entitling the employee to take public transit. Participating transit programs may include those offered by the Chicago Transit Authority (CTA) or the Regional Transportation Authority. To qualify for the benefit, an employee must average at least 35 hours of work per week. For newly hired employees, the benefit begins on the first full pay period after 120 days of employment.
The TBPA defines a covered employer as an employer that employs 50 or more covered employees in a specified geographical area at an address that is located within one mile of fixed-route transit service location. The Regional Transportation Authority will make a publicly available searchable map of addresses that are located within one mile of a transit service location.
Proposed PBM regulations published. New York announced the publication of proposed regulations that would increase oversight of PBMs. If the proposed regulations are adopted after the comment period, they would go into effect January 1, 2024. As proposed, the rules would regulate contracting with network pharmacies; prohibit preferential treatment of pharmacies owned or affiliated with PBMs; require prior approval for acquisitions of PBMs; and impose consumer protection requirements such as prohibiting market conduct practices deemed unfair, deceptive, or abusive, and requiring network adequacy standards.
New York City amends Earned Safe and Sick Time regulations. On September 15, New York City adopted changes to regulations governing the City’s Earned Safe and Sick Time Act (ESSTA). The amended regulations go into effect October 15, 2023. The ESSTA generally mandates that covered employers provide eligible employees with a certain amount of paid time off to care for themselves or a qualifying family member. The amendments touch on many aspects of ESSTA compliance including clarification on who is covered by the law, employer size and coverage thresholds, notice and documentation requirements, and reporting requirements.