For nearly a year the U.S. Equal Employment Opportunity Commission (EEOC) has endured harsh criticism from employers, members of the United States Senate, and the benefits community at large for commencing legal actions challenging employer-sponsored wellness programs before issuing guidance regarding the compliance status of those programs under the Americans with Disabilities Act (ADA). At long last the EEOC has released a Notice of Proposed Rulemaking (the “Notice”) addressing how Title I of the ADA applies to employer wellness programs. The good news is that the proposed regulations contained in the Notice hew fairly close to existing regulations published by other federal agencies and are generally limited to programs that involve disability-related inquiries and medical examinations. There are significant differences, however, regarding maximum rewards for programs that target tobacco use, the application of reward limits to certain participatory wellness programs, and the notice requirements that apply to wellness programs. Perhaps most importantly, the Notice attempts to address what makes participation in a wellness program “voluntary” and, thus, compliant with one of the safe harbor exceptions to the prohibition on employer-sponsored medical examinations under the ADA. Nevertheless, several questions affecting the legal compliance status of wellness programs remain.
Entries in Health Plans (52)
The 2014 end-of-year rush seems somewhat less frantic than in years past. Nevertheless, with a month left in the year many employers may find themselves scrambling to meet plan amendment and notice deadlines, and planning for 2015 may still be in process for some. This summary discusses a few key developments regarding employee benefit plans – especially group health plans – for employers to consider as they finish 2014 and move into 2015, including developments in:
- Retirement Plans,
- Health Plans and Health Care Reform, and
- EEOC Challenges to Wellness Programs.
On October 31, 2014, the Centers for Medicare & Medicaid Services (CMS) issued a statement delaying enforcement of the health plan identifier (HPID) requirement. Specifically, Controlling Health Plans (CHPs) are no longer required to obtain HPIDs by the originally announced deadline of November 5, 2014, which has been delayed “until further notice.” Because the duration of this enforcement delay is unknown, we recommend that CHP sponsors move forward with the application process to obtain HPIDs. Details about the HPID requirement and the application process are available here. We will continue to provide further updates on delayed enforcement of the HPID requirement on our blog, Employee Benefits Update.
Under final rules issued September 5, 2012 by the Department of Health and Human Services under HIPAA, nearly all employer group health plans are required to obtain a unique health plan identification number (HPID) by November 5, 2014. (We summarize the final rules briefly here.) Health plans with less than $5 million in annual receipts have until November 5, 2015 to comply. With less than three weeks to go until the deadline, employers still have questions about the requirements and the application process. From what we have heard from some clients, the application process can take at least a couple of days so don’t wait until November 5 to get started.
Employer group health plans and other covered entities that have not already amended business associate agreements (BAAs) to incorporate changes required by the Final Omnibus Rule must do so by September 22, 2014. (You can read our prior blog post on the Final HIPAA Omnibus Rule here.)
In January 2013 the Department of Health and Human Services published the Final HIPAA Omnibus Rule. Among other things, the Final Omnibus Rule expanded the scope of entities considered “business associates,” extended direct liability to business associates who fail to comply with certain HIPAA requirements, and required the addition of certain language to new and existing BAAs. Specifically, the Final Omnibus Rule required that existing BAAs be amended and new BAAs be drafted to include (among other things) provisions requiring a business associate to:
- Comply with applicable provisions of the HIPAA security rule;
- Ensure that any subcontractor creating, receiving, maintaining, or transmitting protected health information (PHI) on behalf of the business associate agrees in writing to the same restrictions and conditions that apply to the business associate with respect to such information;
- Report to the covered entity breaches of unsecured PHI as required by the breach notification rules; and
- To the extent the business associate carries out a covered entity’s obligations under the privacy rule, comply with the requirements of the privacy rule that apply to the covered entity in the performance of such obligations.
New and existing BAAs were required to comply with the Final Omnibus Rule by September 23, 2013, though parties with a BAA in place prior to January 25, 2013 were given the opportunity to delay amending the BAA for an additional year. Specifically, if, prior to January 25, 2013 (the publication date of the Final Omnibus Rule), the covered entity and the business associate were parties to a BAA that complied with the prior provisions of the HIPAA rules and the BAA was not renewed or modified after March 25, 2013, the parties could delay amendment of the BAA until September 22, 2014.
Employers who sponsor self-funded group health plans should review their existing BAAs to ensure that they comply with the Final Omnibus Rule. (HHS has provided sample language.) One final thought. Since the Final Omnibus Rule makes clear that covered entities may be liable for the acts of their business associates functioning in an agent capacity, employers should consider adding language to their BAAs to affirmatively disavow any agency relationship with a business associate in appropriate cases. This type of protective provision does not appear in the model language published by HHS, but competent legal counsel certainly can provide it.