PPI in the News Compliance Corner - November 1, 2018 Archive
You are here: Home / PPI in the News / Compliance Corner - November 1, 2018 Archive

Updated Coverage for Mandated Preventive Care Services

Non-grandfathered health plans must provide coverage for certain recommended preventive care services with no cost sharing applied to participants. The recommendations are issued by the United States Preventive Services Task Force (USPSTF), the Advisory Committee on Immunization Practices (ACIP) of the CDC, and the Health Resources and Services Administration (HRSA). Group health plans must provide coverage for a new recommendation for plan years starting one year after it’s issued.

Below is a listing of the preventive care services that have been newly recommended since March 2018 along with the effective date (plans must comply for plan years starting on or after the indicated date).

• Skin cancer counseling about minimizing exposure to ultraviolet radiation for persons aged 6 months to 24 years with fair skin and their parents: March 1, 2019.
• Osteoporosis screening using bone measurement testing for women aged 65 and older with screening for postmenopausal women younger than age 65 who are at increased risk for osteoporosis: June 1, 2019.
• Exercise intervention to prevent falls in community dwelling adults aged 65 and older who are at increased risk for falls (includes supervised individual/group exercise classes and physical therapy): April 1, 2019.
• Obesity screening and counseling for adults with a body mass index of 30 or higher: Sept. 1, 2019.
• Syphilis screening for pregnant women: Sept. 1, 2019.
• Intimate partner violence screening for women of reproductive age with a referral to support services: Oct. 1, 2019.

USPSTF Recommendations »
ACIP Recommendations »
HRSA Recommendations for Children and Adolescents »
HRSA Recommendations for Women »
HRSA Recommendations for Newborns »

IRS Releases Proposed Regulations Addressing De Minimis Errors in Certain Information Returns and Statements

On Oct. 17, 2018, the IRS issued proposed regulations relating to the de minimis error safe harbor exceptions to penalties for failure to file correct information returns or furnish correct payee statements under IRC sections 6721 and 6722. These proposed regulations are consistent with prior guidance on the safe harbor included on page five of the final instructions to Forms 1094/1095-C, which were reported on in our Oct. 18, 2018 edition of Compliance Corner.

As background, the penalties apply when a person is required to file an information return or furnish a payee statement but the person fails to do so on or before the prescribed date, fails to include all of the information required to be shown or includes incorrect information.

Under the safe harbor, an error on an information return or payee statement is not required to be corrected, and no penalty is imposed, if the error relates to an incorrect dollar amount and the error differs from the correct amount by no more than $100 ($25 in the case of an error with respect to an amount of tax withheld). The information return or payee statement must be otherwise correct and timely filed or furnished on time. The safe harbor does not apply in cases of intentional disregard of the requirements to file or furnish correct information returns or payee statements. Further, the proposed regulations highlight the fact that the safe harbor does not apply if the payee elects in writing to receive a corrected statement.

Finally, the proposed regulations update the penalty amounts to reflect legislative increases and adjustments for inflation. Employers may be interested in the de minimis error safe harbor exceptions to penalties, because it applies to information reported on Forms W-2, 1094/1095-C, and 1099-R.

Proposed IRS Regulations »

CMS & IRS Release New Guidance that Would Make It Easier for States to Obtain ACA Waivers

On Oct. 24, 2018, HHS and the IRS jointly released guidance on the use of innovation waivers under the ACA which replaces previous guidance issued on Dec. 16, 2015 (80 FR 78131).

As background, the ACA allows states to apply for an “innovation waiver” from the employer mandate penalty tax and certain other requirements for plan years beginning on or after Jan. 1, 2017. The waivers give states the flexibility to pursue their own strategies to provide their residents with access to health insurance that’s affordable and provides MEC.

The new guidance revises 2015 guidance with the intent of providing more flexibility to states, as the previous guidance imposed significant restrictions on states beyond what was required by the ACA. For example, the 2015 guidance focused on the number of individuals estimated to receive comprehensive and affordable coverage. In contrast, this guidance concentrates on access to comprehensive and affordable coverage, thereby allowing states to offer access to more options that are less comprehensive but potentially more affordable.

In addition, the guidance expands the definition of coverage that must be provided to a comparable number of residents to include access to all forms of private coverage (including short-term, limited-duration insurance; association health plans; and employer-sponsored coverage) and public coverage (like Medicaid). To allow states greater flexibility in pursuing a waiver despite timing limitations (as when a state legislative calendar results in infrequent legislative sessions), the guidance clarifies that even though states are required to enact a law providing for implementation of the waiver, in certain circumstances, existing state legislation combined with a duly enacted state regulation or executive order may satisfy the requirement.

HHS intends to release additional guidance in the future, including examples of how states can take advantage of the increased flexibility in obtaining a waiver. In the meantime, this guidance makes it clear that waivers could potentially allow states to implement expanded options for association health plans. Thus, employers and citizens in certain states may potentially have greater coverage options in the future.

Fact Sheet »
Guidance »

Departments Propose Rule Allowing HRAs to Be Integrated with Individual Health Coverage

On Oct. 29, 2018, the IRS, DOL and HHS (the Departments) published a proposed rule which will allow employees to use their employers’ HRA to pay for individual health coverage. This rule comes after Pres. Trump issued an executive order directing the agencies to promulgate rules that would allow for the expanded use of HRAs.

Specifically, the proposed rule allows an employer to offer an HRA that can be integrated with individual health insurance coverage. As background, the ACA required that HRAs be integrated with group health coverage; this is the only way the HRA could be deemed to meet many of the ACA’s market reforms, such as the prohibition on annual and lifetime limits. As such, employers could not reimburse employees for individual coverage.

This rule would change that requirement by allowing employees to be reimbursed for the cost of individual coverage as long as the employee and any dependent for which the HRA would reimburse are actually enrolled in individual coverage. That individual coverage can be offered on or off the exchange and can include student health insurance coverage.

In order to deter adverse selection, the rule prohibits an employer from offering the HRA and a traditional health plan to the same class of employees. Additionally, the HRA must be offered on the same terms to each participant in the class (with limited exceptions). The rule allows the following classes of employees:

• Full-time
• Part-time
• Seasonal
• Employees covered under a collective bargaining agreement
• Employees who have not yet satisfied an ACA-compliant waiting period
• Employees under 25 prior to the beginning of the plan year
• Non-resident aliens with no US-based income
• Employees whose primary site of employment is in the same rating area

So, as an example, an employer could choose to offer a traditional group health plan to its full-time employees and an HRA integrated with individual coverage for its part-time employees. But that employer could not offer both a traditional group health plan and an HRA integrated with individual coverage for its full-time employees. This should make it more difficult for employers to shift high-cost individuals to the individual market.

In order to reimburse the individual coverage, employers must substantiate the employee’s coverage at the beginning of the HRA plan year and either prior to or in conjunction with any reimbursement. This can be done through third-party documentation of the coverage or an attestation from the employee. However, the attestation can only be relied upon as long as the employer doesn’t have specific knowledge that the individual is not enrolled in individual health coverage.

The proposed rule also would allow for employers to offer an excepted benefit HRA that isn’t integrated with any health coverage, as long as certain conditions are met. Specifically, to be considered a limited excepted benefit HRA, the employer must ensure that they offer other traditional coverage, limit the benefit to $1,800 per plan year (indexed for inflation), only reimburse for premiums of excepted benefit plans and make the HRA uniformly available.

The proposed rule also requires employers to distribute a notice to eligible employees 90 days before the start of the HRA plan year (or by the date of eligibility if someone becomes eligible for the HRA after the start of the plan year). The notice must describe the terms of the HRA, discuss the HRA’s interaction with premium tax credits, describe the substantiation requirements and notify the person that the individual health coverage integrated with the HRA isn’t subject to ERISA.

The rule also discusses the interaction of these HRAs with the Section 125 cafeteria plan regulations, the ACA and ERISA. As it pertains to the cafeteria plan regulations, the rule would allow an employee to take a pre-tax salary reduction to pay for the remainder of their individual policy as long as the individual coverage is offered outside of the exchange.

As it pertains to the ACA, the rule makes it clear that individuals who are covered by an HRA that’s integrated with affordable, minimum value individual health insurance coverage are ineligible for a premium tax credit. However, employees can waive the HRA so that they can retain their premium tax credit eligibility. The rule also states that an applicable large employer that offers a minimum value, affordable HRA or other employer-sponsored plan to at least 95 percent of its full-time employees and their dependents wouldn’t be liable for an employer mandate penalty.

As it pertains to ERISA, the rule makes it clear that individual coverage paid for through the HRA would not be subject to ERISA as long as the employer doesn’t take an active role in endorsing or choosing the individual coverage. In this way, the rules for having individual coverage avoid being subject to ERISA are similar to the rules for voluntary plans. However, the HRA itself would be subject to ERISA.

This rule would become effective on the first of the plan year beginning on or after Jan. 1, 2020. The Departments are requesting comments on the rule; those are due on or before Dec. 28, 2018.

While these rules could present additional options for smaller employers to offer coverage to their employees, the fact that there is no size limitation means that employers of all sizes could consider offering an HRA to certain classes of employees. Employers that want to do so will need to work with their service providers to implement the plan.

Proposed Rule »

IRS Provides Tax Relief for Victims of Hurricane Michael

The IRS recently published guidance containing certain relief for individuals and businesses affected by Hurricane Michael. Specifically, the IRS offered extensions in relation to certain tax filing deadlines. The extensions apply automatically to any individual or business in an area designated by the Federal Emergency Management Agency (FEMA) as qualifying for individual assistance.

Specifically, in Florida, individuals and businesses that reside in Bay, Calhoun, Franklin, Gadsden, Gulf, Hamilton, Holmes, Jackson, Jefferson, Leon, Liberty, Madison, Suwannee, Taylor, Wakulla and Washington counties may qualify for tax relief. In addition, deadlines were also extended in Georgia counties of Baker, Bleckley, Burke, Calhoun, Clay, Colquitt, Crisp, Decatur, Dodge, Dooly, Dougherty, Early, Emanuel, Grady, Houston, Jefferson, Jenkins, Johnson, Laurens, Lee, Macon, Miller, Mitchell, Randolph, Pulaski, Seminole, Sumter, Terrell, Thomas, Tift, Treutlen, Turner, Wilcox and Worth.

As a result of this relief, individuals or businesses that had forms due on or after Oct. 9, 2018 and before Feb. 28, 2019 have additional time to file the form through Feb. 28, 2019. The relief would apply to quarterly payroll, employment and excise tax filings due, as well as to any employers that may have previously applied for a Form 5500 filing extension.

Impacted employers should discuss their filing obligations with their CPA or tax professional, with this relief in mind.

Help for Victims of Hurricane Michael »
Tax Relief for Victims of Hurricane Michael in Florida »

Penalty Imposed Against Anthem for HIPAA Breach

On Oct. 15, 2018, the HHS and OCR issued a press release describing a $16M penalty against Anthem (an independent licensee of the Blue Cross Blue Shield association) for a HIPAA breach that occurred on Jan. 29, 2015. This breach is the largest in US history and involved a series of cyberattacks resulting in the exposure of electronic protected health information (ePHI) of nearly 79 million people. Anthem must pay the imposed $16 million civil monetary penalty, which is the largest settlement imposed by HHS for a HIPAA breach, and take substantial corrective action to avoid future HIPAA breaches.

Anthem self-reported the breach to HHS on March 23, 2015 explaining that a cyberattack initially occurred on Jan. 29, 2015 as a result of at least one employee responding to a malicious spear-phishing email sent by hackers. The attackers gained access to Anthem’s IT system and opened the door for further attacks. This type of attack is known as an advanced persistent threat. The cyber attackers stole the ePHI of 79 million people including their names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information.

In the press release, HHS indicated that Anthem failed to implement appropriate measures for detecting hackers. The investigation revealed that Anthem did not conduct a sufficient enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent cyber attackers from accessing sensitive ePHI, beginning as early as Feb. 18, 2014. “Healthcare entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”

Anthem entered into a resolution agreement with the OCR that, in addition to the penalty, requires Anthem to undertake a corrective active plan to comply with the HIPAA rules. While the agreement isn’t an admission or a concession that Anthem was in violation of the HIPAA rules, it does describe the investigation results that found Anthem had not:

• Conducted an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI held by Anthem
• Satisfied the requirement to implement sufficient procedures to regularly review the records of information system activity
• Identified and respond to detections of a security incident (leading to this breach)
• Implemented technical policies and procedures for electronic information systems that maintain ePHI to allow access to only those persons or software programs that have been granted access rights
• Prevented the access of ePHI to 78.8 million individuals stored in the enterprise data warehouse

The corrective action plan requires Anthem to conduct a company-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by Anthem. Anthem must also develop policies and procedures for the regular review of records of information system activity collected by Anthem and the processes for evaluating when the collection of new or different records needs to be included in the review. Access controls, such as network or portal segmentation and password management requirements, must also be created to protect the access between Anthem systems containing ePHI.

Anthem must submit an annual report to clarify the status of any findings and to ensure ongoing compliance with the corrective action plan. If HHS determines that Anthem hasn’t complied with the corrective action plan, it may impose additional civil monetary penalties.

This is another example of the ongoing diligence required for employers to comply with HIPAA policies and procedures to both prevent a breach and to respond once a breach occurs.

HHS press release »
Resolution Agreement »

DOL Proposed Rule Expands Access to Multiple Employer Plans

On Oct. 23, 2018, the DOL released a proposed rule that expands access to multiple employer plans (MEPs). As background, in Aug. 2018 Pres. Trump issued an executive order directing the DOL to propose rules that would make it easier for small employers to band together to offer retirement plans. (We discussed this executive order in the Sept. 6, 2018 edition of Compliance Corner.) This proposed rule does that by redefining the term “employer” under ERISA to allow certain employer groups and associations or PEOs to sponsor defined contribution retirement plans.

Specifically, if the group/association or PEO met the requirements laid out in the proposed rule, then ERISA would apply to the multiple employer plan on the plan level. This means that the individual employers would not be responsible for complying with the different ERISA requirements, such as the Form 5500 filing requirement and the fidelity bonding requirement. Instead, the plan would be responsible for meeting the bulk of ERISA’s requirements.

In order to meet the proposed rules’ requirements to offer a MEP, a group or association of employers has to meet multiple requirements. Interestingly, those requirements are quite similar to the requirements laid out in the new rules for association health plans. (See our article in the June 28, 2018 edition of Compliance Corner.) The proposed rules require the following for a MEP that wants to form under the new rules:

• There must be a formal organizational structure that’s controlled by its employer members with at least one substantial business purpose outside of providing a retirement plan.
• The members of the group or association must share a commonality of interest, which would be met if the members are in the same trade, industry, line of business or profession, OR if the members are in the same state or metropolitan area.
• The members must employ at least one participant and participation must only be offered to employees and former employees.
• The group or association must not be a financial services company such as a bank, trust company, insurance issuer or broker-dealer.

PEOs will also be able to avail themselves of this rule if they meet certain requirements. Specifically, PEOs could sponsor a MEP if they perform “substantial employment functions” for their members. The rule lists nine different criteria for determining if a PEO performs substantial employment functions. The DOL will automatically recognize Certified PEOs (as defined by the IRS) and any PEO that meets five of the nine criteria as performing substantial employment functions for the employer members.

The rules also clarify when working owners can participate in these MEPs. Working owners, such as sole proprietors and other self-employed individuals, can participate as long as they provide enough services to their company to have wages at least equal to the cost of group health plan coverage offered by the group or association.

The DOL will accept comments on the proposed rules through Dec. 24, 2018.

While this rule is intended to offer small employers more and less burdensome options for offering retirement plans to their employees, any size of employer may join one of these groups or PEOs. For more information on how this proposed rule might affect your company’s benefit options, please contact your advisor.

Proposed Rule »

For companies under common ownership, is there a requirement to offer only one plan to the different companies, or can the different companies sponsor their own separate plans?

Companies under common control are considered a ‘single employer’ for purposes of ERISA, the Internal Revenue Code (IRC) and for benefit offerings. That means one plan can be offered to the employees of all of the companies under common control. That said, there’s no requirement to offer the same plan to employees of all the commonly-controlled companies. It’s really up to the companies—and perhaps the parent company, if there is one—to decide how to offer benefits among the different companies. However, there are several compliance considerations.

First, the group of employers needs to consider the ACA’s employer mandate. All employees of all companies under common control must be included in the full-time employee/equivalent count in determining if the mandate applies. This means a smaller company that’s owned by a larger company may be subject to the mandate, even though on their own they may have fewer than 50 full-time employees/equivalents. In addition, the plans offered to full-time employees for all members of the controlled group would need to meet the minimum value and affordability standards under the mandate. Otherwise, the employer may be risking mandate penalties. Also, while each member of the controlled group is separately liable for such penalties, the group could come together and have one company offer the plan and perform reporting on behalf of the other controlled group members. But whatever the approach, the commonly-held companies would need to review their compliance obligations under the employer mandate.

Second, careful review of controlled group status should be made to avoid multiple employer welfare arrangement (MEWA) status. A MEWA is a plan that covers the employees of two or more separate (non-controlled group) companies. While MEWA status isn’t necessarily prohibited, it brings additional (and in some instances onerous) compliance obligations (such as Form M-1 filings and state requirements). Employers should ensure there’s sufficient common ownership before offering a single plan to companies within a controlled group in order to avoid additional MEWA obligations.

Third, if the group of commonly-owned companies offers different plans to different companies, there may be nondiscrimination testing required. The nondiscrimination rules prohibit a plan design that somehow favors highly compensated individuals (HCIs). There are two sets of rules that may apply: IRC Section 105 (if one of the offerings is self-insured) and IRC Section 125 (if employees can pay their portion of the premium pre-tax through salary reduction). While employers can vary plans (and employer contributions, among other things) by company (that is to say, different tax ID numbers/business lines within a controlled group), the result must not favor HCIs (which could happen if one of the companies had a much richer plan in place and that company had a disproportionate number of HCIs as compared to non-HCIs).

Fourth, whether the group offers one or multiple plans, arrangements should be outlined in related plan documents. Employers as plan sponsors have the ERISA obligation to create written plan documents and SPDs, and those should describe which company is sponsoring the plan and which companies’ employees are eligible to participate. So, after deciding to offer one plan versus multiple plans, the group should appropriately and sufficiently document their arrangements and offerings. They will also have to comply accordingly with other ERISA obligations (such as the Form 5500 and SAR reports).

Finally, the group of employers should work with outside counsel in running through the different considerations. Not only is the determination of actual controlled group status a tax and legal issue, but it also has consequences beyond benefits (primarily, employment tax and labor/employment law issues). Outside counsel would be in the best position to access and understand all of the facts and circumstances, and to advise the group of companies accordingly.