Executive Order Focused On Reducing Health Care Costs

Following are some preliminary thoughts on the Executive Order released on October 12, 2017, by President Trump:

  1. The primary emphasis of the Executive Order is to reduce costs for both employers and individuals. The Affordable Care Act, in contrast, emphasized, and made great strides in, expanding insurance coverage for millions of Americans.
  2. The Executive Order instructs the United States Department of Labor to consider proposing regulations or revising guidance to allow more employers to form association health plans. Many employers utilize association health plans to increase bargaining power and minimize volatility related to health insurance. However, since passage of the Affordable Care Act, the Department of Labor increased its scrutiny of association health plans and expanded its enforcement efforts. The Executive Order potentially reflects a sea change in how association health plans will be viewed by the federal government.
  3. The Executive Order instructs various federal agencies to enhance the availability of short-term, limited-duration insurance. Recent federal guidance restricted the availability of these limited insurance plans to three months or less. The Executive Order encourages the federal agencies to consider expanding the duration of these policies and to allow them to be renewed by consumers.
  4. The Executive Order finally instructs various federal agencies to consider proposing regulations or revising guidance relating to health reimbursement arrangements (HRA). An HRA is an employer-funded arrangement that reimburses employees and certain family members for medical care expenses. The Affordable Care Act significantly limited the utility of HRAs. The Executive Order specifically directs the agencies “to increase the usability of HRAs, to expand employers’ ability to offer HRAs to their employees, and to allow HRAs to be used in conjunction with nongroup coverage.”
  5. It is important to recognize that the Executive Order, by itself, does not alter any statute or regulation. However, it does start the wheels of the federal government turning to provide employers with more options to provide affordable coverage to their employees.

What to do about ACA Reporting

I have been advising employers to wait until February 1, 2017 before starting work on the 2016 1094 and 1095 forms. My hope was that, based upon all of the campaign rhetoric, the ACA reporting obligations would either be further delayed or repealed during the first couple of weeks of the Trump administration.

President Trump did issue an executive order on January 20, 2017 instructing all federal government agencies “to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement” of the ACA. Unfortunately, as of February 1, a lengthy delay or repeal of the reporting requirements has not occurred.

I now believe that employers need to start working on the 1094 and 1095 forms to meet the applicable filing and distribution deadlines. The deadline to file 1094-B, 1095-B, 1094-C and 1095-C (as applicable) with the IRS is February 28, 2017, or March 31, 2017 if filing electronically. Form 1095-B or Form 1095-C (as applicable) must be distributed to employees by March 2, 2017.


Executive Order Issued on ACA

[Official Guidance]  The White House, via Fox News

Text of President Trump’s Executive Order: ‘Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal’
Signed on Jan. 20, 2017. “To the maximum extent permitted by law, the Secretary of Health and Human Services and the heads of all other executive departments and agencies with authorities and responsibilities under the Act shall exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications…. To the maximum extent permitted by law, the head of each department or agency with responsibilities relating to healthcare or health insurance shall encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.”


UMass settles potential HIPAA violations following malware infection

The following is text sent on November 22, 2016 from the HHS Office for Civil Rights Action.  For more information, contact Jim Hamilton at jhamilton@boselaw.com.

 

The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015.

On June 18, 2013, UMass reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (the “Center”) was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

  • UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components.  Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. (Note:  The HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.”  To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.)
  • UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center.
  • Finally, UMass did not conduct an accurate and thorough risk analysis until September 2015.

In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.  The Resolution Agreement and Corrective Action Plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/umass.

OCR offers guidance to covered entities and their business associates on compliance with the HIPAA Security Rule at: http://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html.

Follow OCR on Twitter at http://twitter.com/HHSOCR


Yellow Light (Again): IRS Extends ACA Deadline to Furnish Forms

On November 18, 2016, the IRS extended the due date for employers to furnish 2016 Form 1095-B and Form 1095-C to individuals from January 31, 2017 until March 2, 2017. The IRS stated that the extension is appropriate because a substantial number of employers need additional time to gather and analyze the information necessary to prepare the forms.

Notice 2016-70 does not extend the deadline for filing the 1094-B, 1095-B, 1094-C or 1095-C with the IRS. The deadline to file these forms is February 28, 2017, or March 31, 2017 if filing electronically.

President-Elect Trump will take office on January 20, 2017. In light of the IRS extension and campaign rhetoric, it is becoming increasingly likely that employers will not be required to distribute and/or file the 2016 1094 and 1095 forms at all.  It would be helpful to all employers if the federal government would provide definitive guidance on this issue no later than the end of January.


Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million

The following information was released by the HHS Office for Civil Rights in Action on August 4, 2016.

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan.  This significant settlement, the largest to-date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.

OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals.  The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Read the press release, resolution agreement and corrective action plan on the HHS website.


OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. Therefore, an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review. Communications from OCR will be sent via email and may be incorrectly classified as spam.

Learn more about OCR’s Phase 2 Audit program.
