PPI in the News Compliance Corner - March 31, 2022 Archive
You are here: Home / PPI in the News / Compliance Corner - March 31, 2022 Archive

On March 23, 2022, CMS announced an extension of its non-enforcement policy for specific ACA compliance requirements for certain non-grandfathered individual and small group coverage known as “grandmothered” policies. Under the latest extension, states may permit insurers that have continually renewed eligible grandmothered policies since January 1, 2014, to renew that coverage again for a policy year beginning on or before October 1, 2022. The non-enforcement policy remains in effect until the agency announces that coverage renewed under this policy must comply with the relevant requirements.

On November 14, 2013, CMS issued a letter outlining a transitional policy concerning health care reform mandates for coverage in the individual and small group markets. Under the policy, state authorities could allow health insurance issuers to continue certain coverage that would otherwise have been canceled for failure to comply with the ACA requirements.

This initiative allowed individuals and small businesses to elect to re-enroll in such coverage. Specifically, the non-enforcement policy provided relief from the following market reforms:

• Community rating
• Guaranteed issue and renewability of coverage
• Prohibition of coverage exclusions based on pre-existing conditions
• Nondiscrimination based on health status
• Nondiscrimination regarding health care providers
• Comprehensive coverage (i.e., coverage of essential health benefits and the application of maximum out-of-pocket limits)
• Coverage for participation in clinical trials

Since the initial announcement, the non-enforcement policy has been continually extended, thus permitting grandmothered policies to maintain an exemption from the above-mentioned requirements.

Although the CMS bulletin allows for the temporary continuation of these non-compliant plans at the federal level, it is important to note that the practice must still be approved by state regulators for policies to be available in a particular state. Insurers will then have a choice as to whether to keep offering the policies. The bulletin includes a notice that insurers can use in the event they issue coverage cancellation notices and will now provide the policyholder with the option to continue the coverage.

Accordingly, small employers who are currently covered by such grandmothered policies should be aware of the most recent non-enforcement extension. These employers should work with their advisors and insurers regarding the possible renewal of the coverage.

CMS Bulletin »

On March 10, 2022, the Wage and Hour Division (WHD) of the DOL published a Field Assistance Bulletin (FAB) (No. 2022-02) to provide guidance regarding worker protections against retaliation under the Family and Medical Leave Act (FMLA), the Fair Labor Standards Act (FLSA), the Migrant and Seasonal Agricultural Worker Protection Act (MSPA), and the Immigration and Nationality Act (INA).

Anti-retaliation provisions protect workers who complain to the government or make inquiries to their employers about violations of the law without fear that they will be terminated or subject to other adverse actions as a result.

Anti-Retaliation under the FMLA

The FMLA applies to all public agencies and private-sector employers who employed 50 or more employees in 20 or more workweeks in the current or proceeding calendar year. Along with other requirements, the FMLA prohibits employers from discharging or in any other way discriminating against any person for opposing or complaining about any unlawful practice under the FMLA. For instance, the following employer’s actions are prohibited: an employer’s refusal to grant FMLA leave; discouraging an employee from taking FMLA leave, or manipulation by an employer to avoid its FMLA responsibilities (e.g., changing essential functions of the job to prevent an employee from taking a leave). Unlawful discharge includes constructive discharge where an employer’s actions are in response to an employee exercising his or her FMLA rights, making the employee’s work situation so intolerable that a reasonable person would quit or resign.

The FAB illustrates when no-fault attendance policies under the FMLA would violate the law using two examples:

Example 1: An employee receives negative attendance points under the employer’s no-fault attendance plan while he was taking time off to care for his daughter, who was recovering from her surgery. In response, the FAB states that the FMLA’s anti-retaliation provisions prohibit an employer from counting FMLA leave days under no-fault attendance policies, and the employer must remove the negative attendance points from the employee.

Example 2: An employee used FMLA leave to take a few days off from work because her migraines prevented her from working. When she returns to work, her work hours are reduced in half. In response, WHD requires the employer to restore her previous work schedule and the employer to pay her an amount equivalent to her lost wages in liquidated damages.

For the guidance that applies to other laws, please refer to FAB 2022-02.

Employers who are subject to FMLA or other related laws (detailed in the FAB) should be aware of the recent guidance to avoid taking prohibited actions.

DOL Field Assistance Bulletin No. 2022-02 »

The US Court of Appeals for the Eighth Circuit recently held, in Pharmaceutical Care Management Association v. Wehbi , that ERISA does not preempt a set of North Dakota laws that impose certain requirements on pharmacy benefit managers (PBMs). This case was before the Eighth Circuit again after the Supreme Court vacated the Circuit’s previous finding that ERISA preempted the North Dakota laws and remanded the case for the Circuit to reconsider the case considering the Supreme Court’s ruling in Rutledge v. Pharmaceutical Care Management Association. (We discussed the Rutledge case in an article in the December 24, 2020, edition of Compliance Corner.)

The North Dakota PBM laws impose several requirements on PBMs, including provisions that limit fees and copayments PBMs may charge, require the use of electronic quality improvement platforms, prohibit gag orders, allow mail and delivery drugs, and require certain disclosures. After North Dakota enacted these laws, the Pharmaceutical Care Management Association (PCMA) filed suit against North Dakota state officials.

In Rutledge, the Supreme Court held that ERISA “supersede[s] any and all State laws insofar as they may now or hereafter relate to any” ERISA plan. Additionally, a law “relate[s] to” an ERISA plan if and only if it “has a connection with or reference to such a plan.” The Eighth Circuit applied that precedent in their analysis of the North Dakota PBM laws. They found that the laws did not have a connection with ERISA plans because they regulate noncentral matters of plan administration, do not interfere with uniform plan administration, and do not require plans to adopt specific structures or terms. They also found that the laws did not have an impermissible reference to ERISA plans because the laws regulate PBMs, regardless of whether the plans they service are covered by ERISA.

This decision represents another case finding that ERISA does not preempt a state’s PBM laws. Therefore, employers should be aware of these cases and the effect they may have on prescription drug offerings and costs.

Pharmaceutical Care Management Association v. Wehbi »

On March 18, 2022, the IRS issued additional guidance (Notice 2022-11) for the No Surprises Act. This guidance describes how to calculate the qualifying payment amount (QPA) for items and services furnished in 2022 when a health plan does not have sufficient information to calculate the QPA by increasing the median contracted rates in 2019. In this situation, the guidance provides that the QPA must be calculated by multiplying the median of the in-network allowed amounts for the same or similar item or service provided in the geographic region in 2021, using any eligible database, and then increasing that rate by the CPI-U percentage increase, which is 1.0299772040, over 2021.

Although this guidance may not directly affect employers, they should be aware of this update and work with their insurers or TPAs to prepare to respond to potential surprise medical billing claims from the plan participants. The effective date of this notice is January 1, 2022. (See the articles on the background of this subject in the October 14, 2021, and January 6, 2022, editions of Compliance Corner.)

IRS Notice 2022-11 »

The HHS Office of Civil Rights (OCR) released its Quarter 1 2022 Cybersecurity Newsletter, which features practical guidance for HIPAA covered entities related to security threats. The number of breaches of unsecured electronic protected health information (ePHI) increased 45% from 2019 to 2020 (for breaches affecting 500 individuals or more). Examples of the most common attacks are phishing emails, weak authentication protocols, and exploitation of known vulnerabilities.

While encryption technology has become more common and affordable, it is still not required under HIPAA Security rules. It is an addressable provision. This means that after conducting a risk analysis, a covered entity (which includes an employer plan sponsor of a group health plan) must review whether encryption is reasonable and appropriate for the entity and its ePHI. Encrypted ePHI is considered to be secure and may not be determined as a breach when a device is stolen. Therefore, encryption is always the best safeguard for ePHI.

Phishing is a common type of cyber-attack. The sender typically impersonates a trusted source or contact in an effort to trick the recipient into divulging private information or clicking a link that is used to access the company’s data. To protect against phishing, an entity should:

• Implement an ongoing security awareness and training program for all workforce members
• Follow-up on the training with security reminders, which could include sending workforce members a simulated phishing email to gauge their response
• Adopt anti-phishing technologies such as identifying emails sent from outside the organization, including scanning attachments and links of emails for potential threats and blocking when appropriate

Weak authentication protocols include weak password rules and single-factor authentication. Over 80% of breaches due to hacking include exploitation of credentials. To protect against these types of breaches, an entity should:

• Implement multi-factor authentication
• Adopt and follow procedures for terminating access following a change in role or termination of employment of a workforce member
• Monitor potential hacking attempts and implement new technology as necessary

Vulnerabilities may exist in an entity’s technology infrastructure, including servers, mobile device applications, databases, firewalls, and software. For protection, an entity should monitor security alerts for newly discovered vulnerabilities. OCR recommends subscribing to alerts from HHS Health Sector Cybersecurity Coordination Center. When learning about a vulnerability, the entity should apply the patch or new version, as recommended.

In summary, the safeguarding of ePHI related to a group health plan is becoming increasingly more complicated as cyberattacks become more sophisticated. Employer plan sponsors should work with their technology partners to continually review, monitor and implement policies and procedures. Please contact your advisor for more information on vendor solutions.

OCR Newsletter »

On March 14, 2022, the IRS announced that, until further notice, they would not accept applications for opinion letters on prototype IRAs (traditional, Roth and SIMPLE IRAs), Small Employer Plans (SEPs) or SIMPLE IRA plans. The IRS will take this time to update the prototype IRA opinion letter program and issue revised model forms, Listings of Required Modifications and related published guidance to reflect recent legislation (such as the SECURE Act).

Until the IRS issues further guidance, previous adopters of prototype IRAs, SEPs and SIMPLE IRAs may rely on their previously received favorable opinion letter. Entities may also use existing model forms to maintain current plans and establish new plans. The pre-approved documents that can be used to establish an IRA, SEP or SIMPLE IRA include:

• Form 5305, Traditional Individual Retirement Trust Account
• Form 5305-A, Traditional Individual Retirement Custodial Account
• Form 5305-R, Roth Individual Retirement Trust Account
• Form 5305-RA, Roth Individual Retirement Custodial Account
• Form 5305-RB, Roth Individual Retirement Annuity Endorsement
• Form 5305-S, SIMPLE Individual Retirement Trust Account
• Form 5305-SA, SIMPLE Individual Retirement Custodial Account
• Form 5304-SIMPLE, Savings Incentive Match Plan for Employees of Small Employers (SIMPLE) – Not for Use With a Designated Financial Institution
• Form 5305-SIMPLE, Savings Incentive Match Plan for Employees of Small Employers (SIMPLE) – For Use With a Designated Financial Institution
• Form 5305-SEP, Simplified Employee Pension – Individual Retirement Accounts Contribution Agreement; and
• Form 5305A-SEP, Salary Reduction Simplified Employee Pension – Individual Retirement Accounts Contribution Agreement

The IRS intends to issue a new revenue procedure describing the new procedures for submitting a request for an opinion letter on a prototype IRA, SEP or SIMPLE IRA. The IRS will later announce when applications may be submitted under their revised prototype IRA opinion letter program and when revised model forms must be used.

Plan sponsors looking to establish these types of plans should consult with their service providers during the temporary suspension of the IRS prototype IRA opinion letter program.

IRS Announcement 2022-6 »

On March 25, 2022, the IRS proposed regulations regarding certain multiple employer plans (MEPs). The proposed regulations provide guidance on an exception to the unified plan rule for MEPs in the event of a failure by one or more participating employers to comply with applicable Code requirements. Additionally, the IRS withdrew 2019 proposed regulations that amended the application of the unified plan rule to MEPs.

Under the unified plan rule (also known as the “one bad apple” rule), the qualification of a MEP applies to all participating employers. Therefore, the failure of one employer to satisfy an applicable qualification requirement will result in the disqualification of the MEP for all participating employers.

The Setting Every Community Up for Retirement Enhancement Act of 2019 created a statutory exception to the unified plan rule for certain types of MEPs. If specified conditions are met, the plan will not be treated as failing to meet the applicable Code requirements merely because one or more participating employers fail to take necessary compliance actions. The exception applies to defined contribution plans maintained by employers with a common interest (other than having adopted the plan) or a pooled plan provider (PPP). If a plan has a PPP during the year of a participating employer failure, the exception will not apply unless the PPP substantially performs all the administrative duties required of the PPP for the year.

Under the exception, the plan must provide that plan assets attributable to employees of an employer that fails to take necessary action to meet qualification requirements must be transferred to a single plan maintained only by that employer (unless the regulators determine it is in the best interest of the employees to retain the assets in the MEP). Generally, the employer failing to act (and not the plan or any other employer in the plan) will be liable for any liabilities concerning the plan attributable to employees of that employer.

The proposed regulations provide guidance on implementing this exception to the unified plan rule. Under this guidance, the MEP plan document language must describe the procedures to address participating employer failures. The procedures must explain the notices that the MEP plan administrator will send to an “unresponsive” employer by specified deadlines depending on the type of failure. The proposal outlines notice requirements for both employer failures to provide information (e.g., requested data or documents) and failures to take necessary action (e.g., to make corrective contributions). For a failure to act, delivery of three notices to the employer at 60-day intervals may be required, with the final notice also being sent to impacted participants and the DOL. The notified employer can either take appropriate action to address the failure or initiate a spin off to a single employer plan within 60 days after the final notice is provided.

The plan terms must also describe actions the plan administrator will take if the unresponsive employer does not address the failure or initiate the spin off transaction by this deadline. In such an event, the plan language must state that employees of the unresponsive participating employer have a non-forfeitable right to the amounts credited to their accounts, determined in the same manner as if the plan had terminated. The IRS expects to issue model language with the final rule. The MEP plan administrator must also stop accepting contributions from the participating employer and participants, provide notice to affected participants, and as applicable, provide participants with an election regarding the treatment of their accounts.

Employers who participate in MEPs should be aware of the proposed regulations and should consult with their advisors for further information. The DOL requests comments by May 27, 2022, and encourages electronic submission in accordance with the specified instructions. A public hearing on the proposed regulations has been scheduled for Wednesday, June 22, 2022.

IRS Proposed Regulation – Multiple Employer Plans »

In short, yes. A level-funded plan is often viewed as a blended solution for employers that want to switch from a fully insured plan but are not prepared to completely self-insure. An employer sponsoring a level-funded plan pays a set monthly amount to a carrier to cover the estimated cost of anticipated claims, the stop-loss premium and plan administrative costs. If the claim costs are lower than expected at the plan year-end, a refund may be provided to the employer.

However, a level-funded plan is considered a self-funded plan for benefits compliance purposes. Therefore, a plan transitioning from a fully insured plan to a level-funded plan should be aware of the additional compliance obligations, including (but not limited to) requirements under the ACA, HIPAA, ERISA and the Section 105 nondiscrimination rules.

With respect to the ACA, the employer would have additional ACA reporting obligations. For example, an applicable large employer (ALE) with 50 or more full-time employees in the prior year needs to provide information regarding minimum essential coverage on Forms 1094/5-C (in Part III). A small employer (non-ALE) needs to report minimum essential coverage using Forms 1094/5-B.

The employer would also be responsible for reporting and paying the PCOR fee required of carriers and self-funded plans. The reporting on IRS Form 720 and fee based on the average number of lives for the plan year is due on July 31 of the year following the last day of the plan year.

With respect to HIPAA, the level-funded plan would have to comply with the full range of HIPAA privacy and security obligations, including providing a HIPAA privacy notice (previously provided by the carrier under the fully insured plan), conducting a risk assessment, implementing more extensive privacy and security procedures and training staff.

Under ERISA, if the employer is holding plan assets in a segregated account, the plan would generally be considered funded and subject to the ERISA trust and fidelity bond requirements. If the plan is considered funded, then the exemption from the Form 5500 filing requirements for a small plan (with less than 100 participants at the plan year start) would no longer apply. Furthermore, if the plan receives a refund, any portion considered plan assets (such as amounts attributable to participant contributions towards premiums) must be returned to the plan participants (like an MLR rebate for a fully insured plan) in some manner.

The employer sponsoring the level-funded plan may also have ERISA fiduciary obligations regarding claim appeals (which were previously assumed by the carrier under the fully insured plan). Additionally, the level-funded plan would no longer be subject to state insurance laws, such as coverage mandates, because these would be preempted by ERISA.

Section 105 nondiscrimination rules will apply to level-funded plans, too. Under these rules, self-insured health plans cannot discriminate in favor of highly compensated employees (HCEs) with respect to eligibility or benefits. For this purpose, “highly compensated” includes the top 25% of the employer’s workforce, which is a broader definition than that found in Section 125 nondiscrimination rules (which apply to all cafeteria plans).

Accordingly, despite the funding differences between level-funded and self-funded plans, the level-funded plans are generally considered self-funded for benefits compliance purposes. Employers considering a change from a fully insured to a level-funded (or self-funded) plan should consult with counsel and their advisors for further information regarding the additional compliance requirements.

Washington recently passed a new law (House Bill 1733) that added four additional groups that may apply for an exemption from the WA Cares Fund premium assessment.

The WA Cares Fund is the state’s mandatory long-term care (LTC) insurance program. Employers are required to collect WA Cares premiums of $0.58 per $100 of earnings for employees whose work is localized in Washington starting July 1, 2023. The benefit will be available to eligible employees beginning January 1, 2025. (See the articles on the background of this subject in the December 23, 2021, January 6, 2022, and February 3, 2022, editions of Compliance Corner.)

Effective January 1, 2023, employees can apply for the following exemptions if they meet the criteria.

• Living out of state – An employee who is employed by an employer in Washington but has a permanent address and primary residence outside of the state can apply for the exemption. If an employee changes his or her primary residence to Washington, the employee will no longer qualify for the exemption.
• Temporarily working in Washington with a nonimmigrant visa – A temporary worker who holds a nonimmigrant visa can apply for this exemption. If an employee’s nonimmigrant visa status changes and they become a permanent resident or citizen employed in Washington, the employee will no longer qualify for the exemption.
• A spouse or registered domestic partner of an active-duty military member – An employee must be married to or have a registered domestic partnership with an active-duty service member in the US armed forces to qualify for this exemption. The employee will lose qualification if the employee’s spouse or domestic partner is discharged or separated from military service or upon dissolution of the marriage or registered domestic partnership.
• A veteran of the US military with a 70% or greater service-connected disability – An employee must be rated by the US Department of Veterans Affairs as having a service-connected disability of 70% or greater to be qualified for this exemption. Once approved, this is a permanent exemption.

The Employment Security Department will be developing rules and providing information about what documents are required for these new exemption groups in the future.

The existing exemption for employees with private LTC insurance remains a one-time exemption and application period. Specifically, employees who purchased private insurance by November 1, 2021, and apply for an exemption by December 31, 2022, may be exempted from the WA LTC Cares mandate. Therefore, employers need to retain the copies of approved exemptions received from the employees.

The newly added FAQs state that employees must apply for exemptions on their own; employers cannot apply on behalf of the employees. Moreover, employers will collect WA Cares premiums from the same employees that premiums are collected for the state’s Paid Family and Medical Leave (PFML) program. Although the PFML program sets a wage base cap on the premium contribution, WA Cares premiums do not have a wage base cap on its premium.

Employers should be aware of the new guidance and additional groups who may be eligible to apply for an exemption to the premium assessment.

House Bill 1733 »
WA Cares Fund – Main Site »
WA Cares Fund – Exemptions Site »