Proposed Regulation on Association Health Plans Issued

On January 4, 2018, the United States Department of Labor (DOL) issued a proposed regulation relating to association health plans (AHPs).  This guidance was issued in response to an executive order issued by the White House on October 12, 2017.  The proposed regulation contains several provisions that are favorable; however, the guidance also introduces a new rule that will pose significant problems for many existing AHPs.

  • The guidance applies to employee welfare benefit plans subject to ERISA. Governmental plans are exempt from ERISA and are not subject to the new DOL guidance.
  • The proposed regulation notes that “AHPs are an innovative option for expanding access to employer-sponsored coverage (especially for small businesses).” This statement stands in contrast with recent DOL enforcement efforts against AHPs.
  • The DOL indicates that it will recognize an employer group or association as the “employer” sponsor of a single multiple-employer employee welfare benefit plan if it meets the requirements set forth in the regulations. Many of these requirements are more lenient than imposed by prior guidance.
  • Employers will be permitted to band together in new organizations whose sole purpose is to provide group health coverage to member employers and their employees. Prior guidance required that the group or association must exist for a bona fide purpose other than offering health coverage.
  • The proposed regulation would allow employers to band together for the express purpose of offering health coverage if they either are: (a) in the same trade, industry, line of business, or profession; or (b) have a principal place of business within a region that does not exceed the boundaries of the same State or the same metropolitan area (even if the metropolitan area includes more than one State). For example, it would now be permissible for a local chamber of commerce to start an AHP for various businesses in a region.
  • Working owners, such as sole proprietors and other self-employed individuals, may elect to act as employers for purposes of participating in an employer group or association and also be treated as employees of their businesses for purposes of being covered by the group or association’s health plan. However, the working owner must not be eligible for other subsidized group health plan coverage sponsored by any other employer or by a spouse’s employer.
  • The DOL most recently issued an advisory opinion in May 2017 that addressed plan MEWAs (Advisory Opinion 2017-02AC). MEWA is the acronym for “multiple employer welfare arrangement” — AHPs are almost always MEWAs.  Only the parties described in the advisory opinion may rely on it; however, the advisory opinion provided reasonably clear direction on how to achieve plan MEWA status.  It is curious that the proposed regulation and its preamble contain no reference to Advisory Opinion 2017-02AC.
  • Notwithstanding many of the positive provisions, the proposed regulations would prevent AHPs from utilizing health status to determine rates among participating employers (Prop. Reg. § 2510.3-5(d)(4)). Federal law currently prohibits an employer from differentiating premiums among employees based upon health-status related factors (except to the extent permissible under federal wellness regulations).  However, there is currently no restriction that limits an AHP from treating separate employers differently (as insurance carriers can and do with respect to large groups).  This new provision may result in significant cost increases for some AHP participants.  In the preamble, the DOL acknowledges that this provision: (a) could potentially represent an expansion of current regulations, and (b) would create involuntary cross-subsidization across firms that would discourage formation and use of AHPs.
  • The proposed regulations would permit AHPs to differentiate between participating employers based upon non-health factors, including age, group size and geographic location.

Written comments on the proposed regulation must be submitted by March 6, 2018.


Executive Order Focused On Reducing Health Care Costs

Following are some preliminary thoughts on the Executive Order released on October 12, 2017, by President Trump:

  1. The primary emphasis of the Executive Order is to reduce costs for both employers and individuals. The Affordable Care Act, in contrast, emphasized, and made great strides in, expanding insurance coverage for millions of Americans.
  2. The Executive Order instructs the United States Department of Labor to consider proposing regulations or revising guidance to allow more employers to form association health plans. Many employers utilize association health plans to increase bargaining power and minimize volatility related to health insurance. However, since passage of the Affordable Care Act, the Department of Labor increased its scrutiny of association health plans and expanded its enforcement efforts. The Executive Order potentially reflects a sea change in how association health plans will be viewed by the federal government.
  3. The Executive Order instructs various federal agencies to enhance the availability of short-term, limited-duration insurance. Recent federal guidance restricted the availability of these limited insurance plans to three months or less. The Executive Order encourages the federal agencies to consider expanding the duration of these policies and to allow them to be renewed by consumers.
  4. The Executive Order finally instructs various federal agencies to consider proposing regulations or revising guidance relating to health reimbursement arrangements (HRA). An HRA is an employer-funded arrangement that reimburses employees and certain family members for medical care expenses. The Affordable Care Act significantly limited the utility of HRAs. The Executive Order specifically directs the agencies “to increase the usability of HRAs, to expand employers’ ability to offer HRAs to their employees, and to allow HRAs to be used in conjunction with nongroup coverage.”
  5. It is important to recognize that the Executive Order, by itself, does not alter any statute or regulation. However, it does start the wheels of the federal government turning to provide employers with more options to provide affordable coverage to their employees.

What to do about ACA Reporting

I have been advising employers to wait until February 1, 2017 before starting work on the 2016 1094 and 1095 forms. My hope was that, based upon all of the campaign rhetoric, the ACA reporting obligations would either be further delayed or repealed during the first couple of weeks of the Trump administration.

President Trump did issue an executive order on January 20, 2017 instructing all federal government agencies “to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement” of the ACA. Unfortunately, as of February 1, a lengthy delay or repeal of the reporting requirements has not occurred.

I now believe that employers need to start working on the 1094 and 1095 forms to meet the applicable filing and distribution deadlines.  The deadline to file Forms 1094-B, 1095-B, 1094-C and 1095-C (as applicable) with the IRS is February 28, 2017, or March 31, 2017 if filing electronically.  Form 1095-B or Form 1095-C (as applicable) must be distributed to employees by March 2, 2017.


Executive Order Issued on ACA

[Official Guidance]  The White House, via Fox News

Text of President Trump’s Executive Order: ‘Minimizing the Economic Burden of the Patient Protection and Affordable Care Act Pending Repeal’
Signed on Jan. 20, 2017. “To the maximum extent permitted by law, the Secretary of Health and Human Services and the heads of all other executive departments and agencies with authorities and responsibilities under the Act shall exercise all authority and discretion available to them to waive, defer, grant exemptions from, or delay the implementation of any provision or requirement of the Act that would impose a fiscal burden on any State or a cost, fee, tax, penalty, or regulatory burden on individuals, families, healthcare providers, health insurers, patients, recipients of healthcare services, purchasers of health insurance, or makers of medical devices, products, or medications…. To the maximum extent permitted by law, the head of each department or agency with responsibilities relating to healthcare or health insurance shall encourage the development of a free and open market in interstate commerce for the offering of healthcare services and health insurance, with the goal of achieving and preserving maximum options for patients and consumers.”


UMass settles potential HIPAA violations following malware infection

The following is text sent on November 22, 2016 from the HHS Office for Civil Rights Action.  For more information, contact Jim Hamilton at


The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015.

On June 18, 2013, UMass reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing (the “Center”) was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The University determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place.

OCR’s investigation indicated the following potential violations of the HIPAA Rules:

  • UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components.  Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules. (Note:  The HIPAA Privacy Rule permits legal entities that have some functions that are covered by HIPAA and some that are not to elect to become a “hybrid entity.”  To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.)
  • UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center.
  • Finally, UMass did not conduct an accurate and thorough risk analysis until September 2015.

In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.  The Resolution Agreement and Corrective Action Plan may be found on the OCR website at

OCR offers guidance to covered entities and their business associates on compliance with the HIPAA Security Rule at:

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at

Follow OCR on Twitter at



Yellow Light (Again): IRS Extends ACA Deadline to Furnish Forms

On November 18, 2016, the IRS extended the due date for employers to furnish 2016 Form 1095-B and Form 1095-C to individuals from January 31, 2017 until March 2, 2017. The IRS stated that the extension is appropriate because a substantial number of employers need additional time to gather and analyze the information necessary to prepare the forms.

Notice 2016-70 does not extend the deadline for filing the 1094-B, 1095-B, 1094-C or 1095-C with the IRS. The deadline to file these forms is February 28, 2017, or March 31, 2017 if filing electronically.

President-Elect Trump will take office on January 20, 2017. In light of the IRS extension and campaign rhetoric, it is becoming increasingly likely that employers will not be required to distribute and/or file the 2016 1094 and 1095 forms at all.  It would be helpful to all employers if the federal government would provide definitive guidance on this issue no later than the end of January.


Advocate Health Care Settles Potential HIPAA Penalties for $5.55 Million

The following information was released by the HHS Office for Civil Rights in Action on August 4, 2016.

Advocate Health Care Network (Advocate) has agreed to a settlement with the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for multiple potential violations of the Health Insurance Portability and Accountability Act (HIPAA) involving electronic protected health information (ePHI). Advocate has agreed to pay a settlement amount of $5.55 million and adopt a corrective action plan.  This significant settlement, the largest to date against a single entity, is a result of the extent and duration of the alleged noncompliance (dating back to the inception of the Security Rule in some instances), the involvement of the State Attorney General in a corresponding investigation, and the large number of individuals whose information was affected by Advocate, one of the largest health systems in the country.

OCR began its investigation in 2013, when Advocate submitted three breach notification reports pertaining to separate and distinct incidents involving its subsidiary, Advocate Medical Group (“AMG”). The combined breaches affected the ePHI of approximately 4 million individuals.  The ePHI included demographic information, clinical information, health insurance information, patient names, addresses, credit card numbers and their expiration dates, and dates of birth. OCR’s investigations into these incidents revealed that Advocate failed to:

  • conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
  • implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
  • obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
  • reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Advocate Health Care Network is the largest fully-integrated health care system in Illinois, with more than 250 treatment locations, including ten acute-care hospitals and two integrated children’s hospitals. Its subsidiary, AMG, is a nonprofit physician-led medical group that provides primary care, medical imaging, outpatient and specialty services throughout the Chicago area and in Bloomington-Normal, Illinois.

Read the press release, resolution agreement and corrective action plan on the HHS website.


OCR Launches Phase 2 of HIPAA Audit Program

As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).

In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.

If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.

Learn more about OCR’s Phase 2 Audit program.


Improper Disclosure of Research Participants’ Protected Health Information Results In $3.9 Million HIPAA Settlement

Feinstein Institute for Medical Research agreed to pay the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) $3.9 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and will undertake a substantial corrective action plan to bring its operations into compliance. This case demonstrates OCR’s commitment to promoting the privacy and security protections so critical to building and maintaining trust in health research.  Feinstein is a biomedical research institute that is organized as a New York not-for-profit corporation.

OCR’s investigation began after Feinstein filed a breach report indicating that on September 2, 2012, a laptop computer containing the electronic protected health information (ePHI) of approximately 13,000 patients and research participants was stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.

OCR’s investigation discovered that Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.  Further, Feinstein lacked policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.  For electronic equipment procured outside of Feinstein’s standard acquisition process, Feinstein failed to implement proper mechanisms for safeguarding ePHI as required by the Security Rule.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.


$1.55 Million Settlement Underscores the Importance of Executing HIPAA Business Associate Agreements

North Memorial Health Care has agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities. The settlement includes a monetary payment of $1,550,000 and a robust corrective action plan.

Read the entire U.S. Department of Health and Human Services press release.

Read the resolution agreement.
