Compliance Recap I June/July 2022
The summer has seen a flurry of compliance-related activity, most notably the landmark decision issued by the U.S. Supreme Court to overturn Roe v. Wade. As we move into the second half of the 2022 employee benefits compliance calendar, there are a number of important issues to note.
SCOTUS Overturns Roe v. Wade; Employers Weigh Benefits Responses
As forecast in a leaked draft opinion in May, the U. S. Supreme Court officially overturned Roe v. Wade on June 24. The official opinion specifically held that the U.S. Constitution does not confer a right to abortion; Roe and Casey (the two landmark abortion rights cases) are overruled; and the authority to regulate abortion is returned to the people and their elected representatives. Thus, each state will now have autonomy to decide how it will handle abortion rights within – and potentially beyond – its borders.
Employers have been weighing what, if anything, they will do regarding abortion and abortion-related services and expenses under their employee benefit programs. There was an initial burst of highly public announcements from many major national employers as to expanding or creating benefit programs to either cover abortion services, or travel expenses related to accessing such services, in states where they remain legal. Several states immediately reacted by ratcheting up efforts to criminalize abortion, including potentially prosecuting employers who reimburse for such services even when received by individuals in states where the services are not banned.
The stakes are high for employers wishing to offer expanded benefits programs, and there are many compliance considerations to factor as well. Multi-state employers that are fully insured will need to monitor relevant state departments of insurance in highly restrictive states that either already have or soon will regulate the insurance industry within their states, including insurance issued in another state that covers individuals within that state, to severely curtail any abortion benefits in an insured policy.
In addition, questions remain regarding the impact of state abortion restrictions and bans for employers with self-insured plans. While fully insured medical plans are subject to state insurance laws, employers with self-funded healthcare plans are governed by the federal Employee Retirement Income Security Act (ERISA), which generally preempts state law. However, ERISA does not preempt criminal laws of general applicability,
so ERISA might not be a full shield to an employer in a state where a general criminal law aims to punish the employer for aiding and abetting receiving an abortion. Litigation on the ERISA preemption and state regulation issues surely will follow – in particular, for employers who adopt travel benefits for abortion access.
Travel benefits for medical care are not uncommon in group health plans and can be provided tax-free up to certain limitations in the Internal Revenue Code (Code). Because travel for medical care is defined as medical care under both ERISA and the Code, adopting a policy for travel is almost certainly a group health plan subject to the ACA, ERISA, COBRA, HIPAA, the Mental Health Parity and Addiction Equity Act and other laws. Employers can reduce their compliance burden with many of these laws by designing the program as an excepted benefit (e.g., limited EAP). Offering any travel benefits should be monitored in light of changing and emerging state laws, especially when many state legislators return for what is sure to be a lively legislative session.
Certain employers are choosing to donate money to Planned Parenthood or nonprofits that are focused on reproductive rights. Further, most employers who have adopted a policy regarding abortion-related travel have chosen to more broadly define covered services to include all reproductive rights (e.g., transgender services) that are also limited in certain states. Others have opted to cover travel for all medical care not available within a 50- or 100-mile radius from an affected individual’s residence.
Finally, employers in states that have (or soon will pass) criminal aiding and abetting laws will need to examine the pharmacy benefits under their group health plans to determine the possible impact of covering drugs that can be obtained legally in one state but might not be ingested until the individual returns to her home state where the drugs are banned. There is a risk that these states could attempt to go after employers who reimburse or cover such drugs even if obtained legally.
There will be many twists and turns in the litigation that will stem from the actions taken following the Dobbs decision. Many legal scholars agree that efforts by certain states to impose their laws and views on other states or employers will likely fail on constitutional and federalism grounds, but the route to that ultimate outcome will surely be long and require a great expenditure of resources. An employer weighing the benefits options available to it must balance the intended benefits against these hefty potential costs.
HHS Issues HIPAA Privacy Guidance for Abortion-Related Care
On the heels of the Supreme Court ruling in Dobbs, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued new guidance to help protect patients seeking reproductive health care, as well as their providers. In general, the guidance addresses how the Health insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations safeguard protected health information (PHI) relating to abortion and other sexual and reproductive health care. The guidance clarifies OCR’s view that providers are not always required to disclose PHI to third parties.
The guidance addresses how and when the HIPAA Privacy Rule permits disclosure of PHI without an individual’s authorization. It explains that disclosures for purposes not related to health care, such as disclosures
to law enforcement officials, are permitted only in narrow circumstances tailored to protect the individual’s privacy and support their access to health care, including abortion care. Specifically, the guidance:
- Reminds HIPAA covered entities and business associates that they can use and disclose PHI, without an individual’s signed authorization, only as expressly permitted or required by the Privacy Rule.
- Explains the Privacy Rule’s restrictions on disclosures of PHI when required by law, for law enforcement purposes, and to avert a serious threat to health or safety.
Disclosures Required by Law
OCR notes that the Privacy Rule permits but does not require covered entities to disclose PHI about an individual, without the individual’s authorization, when disclosure is required by another law and the disclosure complies with the requirements of the other law. This permission to disclose PHI as “required by law” is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.” Further, where a disclosure is required by law, the disclosure is limited to the relevant requirements of that law. Disclosures of PHI that do not meet the “required by law” definition in the HIPAA Rules, or that exceed what is required by such law, do not qualify as permissible disclosures.
Example: An individual goes to a hospital emergency department while experiencing complications related to a miscarriage during the tenth week of pregnancy. A hospital employee suspects the individual of having taken medication to end their pregnancy. State or other law prohibits abortion after six weeks of pregnancy but does not require the hospital to report individuals to law enforcement. Where state law does not expressly require such reporting, the Privacy Rule would not permit a disclosure to law enforcement under the “required by law” permission. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
Further, the Privacy Rule permits but does not require covered entities to disclose PHI about an individual for law enforcement purposes “pursuant to process and as otherwise required by law,” under certain conditions. For example, a covered entity may respond to a law enforcement request made through legal processes such as a court order, court-ordered warrant, subpoena, or summons, by disclosing only the requested PHI, provided that all of the conditions specified in the Privacy Rule for permissible law enforcement disclosures are met.
OCR states that, in the absence of a mandate enforceable in a court of law, the Privacy Rule’s permission to disclose PHI for law enforcement purposes does not permit a disclosure to law enforcement where a hospital or other health care provider’s employee chose to report an individual’s abortion or other reproductive health care. That is true whether the employee initiated the disclosure to law enforcement or others or the employee disclosed PHI at the request of law enforcement.
OCR further states that, generally, state laws do not require doctors or other health care providers to report an individual who self-managed the loss of a pregnancy to law enforcement. Also, state fetal homicide laws generally do not penalize the pregnant individual, and “appellate courts have overwhelmingly rejected efforts to use existing criminal and civil laws intended for other purposes (e.g., to protect children) as the basis for arresting, detaining, or forcing interventions on pregnant” individuals.
A law enforcement official goes to a reproductive health care clinic and requests records of abortions performed at the clinic. If the request is not accompanied by a court order or other mandate enforceable in a court of law, the Privacy Rule would not permit the clinic to disclose PHI in response to the request. Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
A law enforcement official presents a reproductive health care clinic with a court order requiring the clinic to produce PHI about an individual who has obtained an abortion. Because a court order is enforceable in a court of law, the Privacy Rule would permit but not require the clinic to disclose the requested PHI. The clinic may disclose only the PHI expressly authorized by the court order.
Disclosures to Avert a Serious Threat to Health or Safety
The guidance states the Privacy Rule permits but does not require a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI if the covered entity, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person or persons who are reasonably able to prevent or lessen the threat. The guidance declares that, according to major professional societies, including the American Medical Association and American College of Obstetricians and Gynecologists, it would be inconsistent with professional standards of ethical conduct to make such a disclosure of PHI to law enforcement or others regarding an individual’s interest, intent, or prior experience with reproductive health care.
Example: A pregnant individual in a state that bans abortion informs their health care provider that they intend to seek an abortion in another state where abortion is legal. The provider wants to report the statement to law enforcement to attempt to prevent the abortion from taking place. However, the Privacy Rule would not permit this disclosure of PHI to law enforcement under this permission for several reasons, including:
- A statement indicating an individual’s intent to get a legal abortion, or any other care tied to pregnancy loss, ectopic pregnancy, or other complications related to or involving a pregnancy does not qualify as a “serious and imminent threat to the health or safety of a person or the public.”
- It generally would be inconsistent with professional ethical standards as it compromises the integrity of the patient–physician relationship and may increase the risk of harm to the individual.
Therefore, such a disclosure would be impermissible and constitute a breach of unsecured PHI requiring notification to HHS and the individual affected.
The guidance signals how OCR will view certain disclosures made by covered entities faced with requests to disclose PHI by authorities claiming that HIPAA does not protect certain PHI in the face of anti-abortion legislation or aiding-and-abetting statutes aimed at employer plan sponsors. The guidance at least serves to have employers consider each request thoroughly in the context of the situation and not automatically assume that the requesting entity has the right to the disclosure under a HIPAA-authorized exception. Covered entities may also wish to update HIPAA training to incorporate the examples in the guidance to be sure employees with access to PHI understand the nuances of these types of disclosure requests.
OCR also issued information for individuals about protecting the privacy and security of their PHI when using their personal cell phone or tablet. In most cases, the HIPAA Privacy, Security, and Breach Notification Rules do not protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets. OCR provides tips about steps an individual can take to decrease how their cell phone or tablet collects and shares their health and other personal information without the individual’s knowledge.
Eleventh Circuit Says Employee Equitable Relief Apt for Breach of Fiduciary Duty During Enrollment
In a case of first impression, the Circuit Court of Appeals for the 11th Circuit ruled that a beneficiary of an ERISA plan can recover monetary damages under ERISA against a fiduciary to recover for benefits that were lost due to the fiduciary’s breach of its duties during plan enrollment.
The case involved an employee who received enrollment paperwork from his employer’s human resources department. The participant elected to pay for $350,000 in supplemental life insurance coverage on top of the plan’s standard $150,000 in employer-paid coverage. The plan required a separate evidence of insurability form for supplemental life insurance, but the employer’s HR staff failed to provide that form during enrollment. Nor did the HR staff ever tell the participant that the form was required for coverage to be effective.
For three years, despite never having received the correct form, the employer deducted premiums for the supplemental coverage from the employee’s paychecks. Moreover, it provided him with a benefits summary stating that he had $500,000 in coverage.
The employee died, and his spouse beneficiary filed a claim for benefits which the insurance carrier denied. The beneficiary filed a lawsuit seeking monetary damages from the employer plan administrator. A lower federal court dismissed the claim which was then appealed to the 11th Circuit.
The 11th Circuit ruled that the case should not have been dismissed, and the plaintiff can pursue a breach of fiduciary duty claim for monetary damages because he was not entitled to recover the remaining $350,000 in supplemental benefits under the terms of the plan. In other words, a claim for benefits could not be made because, despite paying higher premiums, the spouse never filed the required form. But the court reasoned that the plaintiff could be entitled to monetary damages under an equitable surcharge argument because the employer’s breach of fiduciary duty prevented the beneficiary from becoming eligible for the supplemental benefits.
Plan administrators should take note of this case which provides an avenue to allow for monetary damages that are typically not present in a suit for benefits under ERISA. Employers should be careful to provide all necessary enrollment paperwork whether during open enrollment or as part of a new hire process. Further, plan administrators should include in the enrollment process a checklist of required documents to complete for each employee who elects benefits.
HHS Q&A Explains How Health Plans Can Comply with HIPAA for
On June 13, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released Q&A Guidance to help group health plans know how they can meet their privacy and security obligations as covered entities under the Health insurance Portability and Accountability Act of 1996 (HIPAA). The guidance focuses on the increased use of telehealth throughout the COVID-19 pandemic and specifies how audio-only telehealth can comply with HIPAA even when OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications (Telehealth Notification) lapses.
OCR noted that large segments of the U.S. might have limited access to audio-video telehealth and, therefore, seeks to ensure the same coverage opportunities to affected individuals while still safeguarding their protected health information (PHI). The guidance describes the circumstances under which HIPAA permits audio-only telehealth
As the COVID-19 public health emergency (PHE) expanded, OCR issued its original Telehealth Notification to address the expanded use of remote health care services. OCR later published FAQs to support and clarify the Telehealth Notification and announced that it will exercise enforcement discretion and refrain from penalizing covered entities for noncompliance with HIPAA Rules in connection with the good faith provision of telehealth using non-public-facing audio or video remote communication technologies during the PHE. The Telehealth Notification will remain in effect until the Secretary of HHS declares that the COVID-19 PHE no longer exists, or upon the expiration date of the declared PHE, whichever occurs first.
Now, even after the Telehealth Notification ceases to apply, OCR will continue to not enforce HIPAA rules as to covered entities, including health plans, for telehealth services as follows:
- HIPAA covered entities can use remote communication technologies to provide telehealth services, including audio-only services, in compliance with the HIPAA Privacy Rule. OCR expects covered health care providers to provide telehealth services in private settings to the extent feasible. If telehealth services cannot be provided in a private setting, they still must implement reasonable safeguards, such as using lowered voices and not using speakerphone, to limit incidental uses or disclosures of PHI. Further, if a covered entity does not know an individual, the entity must verify the identity of the individual either verbally or in writing.
- The HIPAA Security Rule does not apply to audio-only telehealth services provided by a covered entity that is using a standard telephone line (landline) because the information transmitted is not electronic. Accordingly, a covered entity does not need to apply the Security Rule safeguards to telehealth services that they provide using traditional landlines (regardless of the type of telephone technology the individual uses).
- However, the Security Rule will apply to electronic communication technologies such as Voice over Internet Protocol (VoIP) and mobile technologies that use electronic media, such as the Internet, intra- and extranets, cellular, and Wi-Fi. Covered entities using telephone systems that transmit ePHI need to adhere to the HIPAA Security Rule. Potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI when using such technologies need to be identified, assessed, and addressed as part of a covered entity’s risk analysis and risk management processes, as required by the HIPAA Security Rule.
Covered health care providers may offer audio-only telehealth services using remote communication technologies consistent with the requirements of the HIPAA Rules, regardless of whether any health plan covers or pays for those services. Health plan coverage and payment policies for health care services delivered via telehealth are separate from questions about complying with the HIPAA Rules.
IRS Issues Guidance on Mileage Reimbursement Rate
Responding to the recent nationwide surge in fuel prices, the IRS announced in Notice 2022-13 that it was modifying previously released standard mileage rates for computing the deductible costs of operating an automobile for business, medical, or moving expense purposes and for determining the reimbursed amount of these expenses that is deemed substantiated.
The revised standard mileage rates are:
- Business: 62.5 cents per mile
- Medical and moving: 22 cents per mile
The IRS stated that the revised standard mileage rates will apply to deductible transportation expenses paid or incurred for business, medical, or moving expense purposes on or after July 1, 2022, and to mileage allowances that are paid to an employee on or after July 1, 2022, and for transportation expenses paid or incurred by the employee on or after July 1, 2022. The previous standard mileage rates set forth in Notice 2022-3 will continue to apply to expenses paid or incurred before July 1, 2022, to mileage allowances paid to an employee before July 1, 2022, and to transportation expenses paid or incurred by the employee before July 1, 2022.
The IRS also reminded taxpayers that the Tax Cuts and Jobs Act (TCJA), continues to disallow a deduction for unreimbursed employee travel expenses for taxable years beginning after December 31, 2017, and before January 1, 2026. Thus, the revised business standard mileage rate in Notice 2022-13 cannot be used to claim an itemized deduction for unreimbursed employee travel expenses through at least 2025.
This announcement also serves as a reminder that employers contemplating reimbursing employees for certain medical travel expenses in the aftermath of the Supreme Court’s Dobbs ruling should understand that any mileage reimbursement above the revised medical mileage rate will be taxable to the employee.
Departments Clarify ACA Birth Control Coverage Mandate
The U.S. Department of Health and Human Services (HHS), alongside the Departments of Labor and of the Treasury (the Departments), acted on July 28 to clarify protections for birth control coverage under the Affordable Care Act (ACA). Under the ACA, most private health plans are required to provide birth control and family planning counseling at no additional cost.
The guidance follows a period during which the Departments fielded increasing complaints from women and covered dependents about being denied proper contraceptive coverage. The guidance also signals the Departments’ commitment to enforce these requirements.
The ACA guarantees coverage of women’s preventive services, including free birth control and contraceptive counseling, for all individuals and covered dependents with reproductive capacity. This includes, but is not limited to:
- Hormonal methods, like birth control pills and vaginal rings
- Implanted devices, like intrauterine devices (IUDs)
- Emergency contraception, like Plan B® and ella®
- Barrier methods, like diaphragms and sponges
- Patient education and counseling
- Sterilization procedures
- Any additional contraceptives approved, granted, or cleared by the FDA
The Departments emphasize that the ACA requires that, with respect to women, non-grandfathered plans must cover such additional preventive care and screenings not included in the recommendations of the United States Preventive Services Task Force (USPSTF) as provided for in comprehensive guidelines supported by the Health Resources and Services Administration (HRSA).
The 2019 HRSA-Supported Guidelines recommended that adolescent and adult women have access to the full range of female-controlled FDA-approved contraceptive methods, effective family planning practices, and sterilization procedures to prevent unintended pregnancy and improve birth outcomes. The 2019 HRSA-Supported Guidelines also provided that contraceptive care should include contraceptive counseling, initiation of contraceptive use, and follow-up care (for example, management and evaluation as well as changes to, and removal or discontinuation of, the contraceptive method).
In 2021, HRSA accepted updates to the existing guidelines regarding breastfeeding services and supplies, well-woman preventive care visits, access to contraceptives and contraceptive counseling, screening for human immunodeficiency virus, and counseling for sexually transmitted infections.
The Departments also noted that plans and issuers must cover without cost-sharing emergency contraception (e.g., levonorgestrel), and emergency contraception (e.g., ulipristal acetate), including OTC products, when the product is prescribed for an individual by their attending provider. Plans and issuers are required to cover these products without cost-sharing including when they are prescribed for advanced provision. Plans and issuers are also encouraged to cover OTC emergency contraceptive products with no cost-sharing when they are purchased without a prescription.
Finally, the Departments reiterated that most non-grandfathered plans must continue to follow 2019 HRSA-Supported Guidelines and must provide coverage consistent with the 2021 HRSA-Supported Guidelines beginning with plan years (in the individual market, policy years) starting on and after December 30, 2022.
Questions of the Month
Q: Can a health savings account (HSA) reimburse costs for abortion-related expenses?
A: HSAs can be used for medical expenses that are described in Internal Revenue Code Section 213(d). However, while the IRS definition includes travel for medical care, it is limited to only some travel expenses. For example, amounts for lodging are reimbursable on a tax-free basis only up to $50 per night per individual. Lodging for a person traveling with the individual receiving medical care that is either an adult with a minor or a licensed medical caregiver would also be excluded, bringing the total up to $100 per night. However, it is unlikely the lodging exception will apply to most abortion travel because the medical care must be provided by a physician in a licensed hospital or in a medical care facility that is related to, or the equivalent of, a licensed hospital. Transportation expenses may also be reimbursed, although the mileage rate is currently only about a third of what is allowed for business travel. Finally, meals and childcare expenses may not be reimbursed from the HSA.
Q: Can a health savings account (HSA), health flexible spending arrangement (health FSA) or health reimbursement arrangement (HRA) reimburse expenses incurred for OTC contraception obtained without a prescription?
- Yes. According to Departmental guidance, an HSA, health FSA, or HRA can reimburse an individual for the cost (or portion of the cost) incurred for OTC contraception to the extent that cost is not paid or reimbursed by another plan or coverage.
Under the Code, a distribution from an individual’s HSA is not included in the individual’s gross income if it is used to pay for medical expenses incurred by an individual (or the individual’s spouse or dependent) “but only to the extent such amounts are not compensated for by insurance or otherwise.” Therefore, expenses incurred for contraception paid or reimbursed by a plan or issuer are not qualified medical expenses for purposes of an HSA. If the entire cost of contraception is not paid or reimbursed by the plan or issuer, qualified medical expenses include the portion of the cost not paid or reimbursed by the plan or issuer.
Plans and issuers must cover the cost of certain OTC contraceptives when prescribed for an individual by their health care provider. Plans and issuers that will cover costs of OTC contraceptives without a prescription should advise individuals not to seek reimbursement from an HSA, health FSA, or HRA for the cost (or the portion of the cost) of contraception paid or reimbursed by the plan or issuer, and not to use an HSA, health FSA, or HRA (including any related debit card) to purchase contraception for which the individual intends to seek reimbursement from the plan or issuer.