Compliance Corner

Federal Updates

Fourth Circuit Affirms that Courts Cannot Extend Life Insurance Conversion Deadlines

March 14, 2023

On February 23, 2023, in Hayes v. Prudential Insurance Company of America, the US Court of Appeals for the Fourth Circuit found that courts cannot extend plan deadlines for converting group life insurance coverage to individual coverage, even where extraordinary circumstances prevented an individual from meeting the deadline. The court’s conclusion was grounded in ERISA’s cornerstone principle of adhering to the plan terms.

The plaintiff in this case, Kathy Hayes, sued Prudential Insurance Company of America (Prudential) following Prudential’s denial of life insurance benefits due to lapsed coverage for her late husband, Anthony Hayes. Mr. Hayes worked as an environmental engineer for DSM North America, Inc. (DSM) and was insured under a group life plan with Prudential. In May 2015, Mr. Hayes had to stop working due to late-stage liver disease. He was unable to return to work, and when his employment was terminated in November 2015, his employer-provided group life insurance coverage also ended. The terms of the group plan allowed converting employer-provided coverage to an individual policy. To do so, terminating group participants were required to apply for individual conversion and pay the first premium by the later of 31 days after employer-provided coverage ended or 15 days after receiving written notice of the conversion privilege. Mr. Hayes’ employer provided written notice of the conversion privilege in December 2015. Unfortunately, Mr. Hayes did not contact Prudential about converting his life insurance coverage until 26 days after the conversion deadline. During this time, Mr. Hayes was incapacitated due to late-stage liver disease. He passed away six months later, in June 2016.

Prudential’s denial explained that even if Mr. Hayes was incapacitated weeks prior to his conversion deadline, Prudential was required to decide claims in strict adherence to the plan terms, which did not allow for an extension of the conversion period. Ms. Hayes sued Prudential, asking the court to apply the doctrine of equitable tolling in order to allow an exception to the conversion deadline in light of her husband’s incapacitation and award her benefits.

In reviewing Ms. Hayes’ arguments, the Fourth Circuit acknowledged that courts have previously allowed equitable tolling of statutes of limitations (i.e., extending the deadline to file a lawsuit) where a plaintiff has been prevented from timely filing a lawsuit due to extraordinary circumstances. However, the Fourth Circuit found that because the plan’s life insurance conversion deadline is not tied to the plan’s statute of limitations, it should not be modified by equitable tolling, even where extraordinary circumstances hindered a participant’s ability to meet the deadline. The Fourth Circuit emphasized that ERISA protects “contractually defined” benefits in group benefit plans by requiring plan administrators to follow plan terms, calling the focus on a plan’s written terms “the linchpin of [the] system.” Prudential’s denial of benefits was based on strict adherence to unambiguous plan terms and therefore upheld under ERISA.

The Hayes case underscores the unyielding nature of unambiguous ERISA plan terms like deadlines. The case also illustrates the importance of communicating life insurance conversion deadlines to departing employees. Employers sponsoring group life insurance should carefully review the plan terms in order to understand what is required of them, which could include sending written notice of conversion rights when group coverage terminates. Not only may clear notice of conversion rights be required to satisfy an employer’s ERISA fiduciary duty (when the plan requires such notice by the employer), but it is also the necessary catalyst for employees to meet strict conversion deadlines.

Hayes v. Prudential »

HHS Issues Two Annual Reports to Congress on HIPAA Privacy and Security Enforcement Activities

March 14, 2023

On February 17, 2023, the HHS Office for Civil Rights (OCR) released two annual reports to Congress summarizing the agency’s key HIPAA enforcement activities during the 2021 calendar year as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The first report, HIPAA Privacy, Security, and Breach Notification Rule Compliance, identifies the number of complaints received, the method by which those complaints were resolved, and other OCR HIPAA compliance enforcement activities. The second report, Breaches of Unsecured Protected Health Information, identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the HHS and the actions taken in response to the breaches.

Due to a lack of financial resources, OCR did not conduct any audits in 2021. Further, OCR requested that the HITECH civil penalty caps be increased in the HHS Fiscal Year 2023 Legislative Supplement sent to Congress to secure enough staff and resources to carry out OCR’s enforcement activities.

The highlights of these two reports are as follows:

  • New complaints alleging violations of HIPAA Rules and the HITECH Act in 2021 were 34,077, a 25% increase from calendar year 2020.
  • Of those new complaints, OCR resolved 20,661 (78%) before initiating an investigation.
  • The top five complaints resolved were: impermissible uses and disclosures, right of access, safeguards, administrative safeguards under the HIPAA Security Rule, and breach notice to individuals.
  • OCR resolved 13 complaint cases in 2021 through resolution agreements and/or corrective action plans and monetary settlements totaling $815,150. Two complaint investigations resulted in the assessment of civil money penalties totaling $150,000.
  • OCR received 609 notifications of breaches affecting 500 or more individuals, a decrease of 7% from the calendar year 2020.
  • Hacking/IT incidents remained the largest category of breaches among incidents affecting 500 or more individuals in 2021. The largest category of breaches of 500 or more individuals by location involved network servers.
  • For breaches affecting fewer than 500 individuals, the largest category by type of breach report was unauthorized access or disclosures, and the largest category by location was paper records.

The appendices sections of both reports include:

  • The actual cases of the Resolution Agreements.
  • A summary of the settlement terms that provides helpful insights to employers and other covered entities (e.g., insurers) on the potential consequences of failing to comply with HIPAA rules.

These annual reports are an important reminder of the agency’s HIPAA compliance enforcement activities, so it is crucial that employers are educated in overall HIPAA rules and review their HIPAA compliance.

HHS: Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for Calendar Year 2021 »
HHS: Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2021 »

ERISA Advisory Council Reports on Cybersecurity Issues Affecting Health Benefit Plans

March 14, 2023

The Department of Labor’s Advisory Council on Employee Welfare and Pension Benefit Plans has issued a report addressing cybersecurity issues affecting health plans. While the Council has issued two reports on cybersecurity issues affecting employee benefit plans in the past (the first in 2011; the second in 2016), this report marks the first time the Council has focused exclusively on cybersecurity for health benefit plans.

This report emphasizes that the vast amount of individualized data obtained, produced, and maintained by health plans makes these plans especially tempting targets for cyberattacks. Health plan datasets, after all, include not only standard personal identification information (e.g., names, addresses, phone numbers, social security numbers, etc.) but also extremely sensitive (and therefore extremely valuable) personal health information that cybercriminals can trade or sell on the “dark web” or exploit in other ways, such as through ransomware.

The Council paints a stark picture, noting that the HHS Office for Civil Rights has reported that since 2015 cybersecurity breaches among healthcare providers have affected the greatest number of individuals. Additionally, the FBI has identified the Healthcare and Public Health Sector as the US critical infrastructure sector most victimized by ransomware in 2021, and IBM has reported that the healthcare industry has borne the highest data breach costs of any industry for 12 years in a row, with the average cost totaling $10.1 million in 2022.

Before making its own recommendations on how best to combat these threats, the Council sought testimony from various outside experts and industry stakeholders, emphasizing whether DOL should expressly recognize the provision of cybersecurity for health plans as a fiduciary duty under ERISA.

While opinions on this question varied among the witnesses, the Council gleaned three “important threads” when it considered their testimonies, including:

  • The relationship between the obligations of health plan fiduciaries with respect to cybersecurity under HIPAA and ERISA, including whether or not compliance with the HIPAA security rule would be sufficient to meet fiduciary standards under ERISA.
  • The lack of clarity about and knowledge of ERISA fiduciary duties regarding cybersecurity for health plans, especially since DOL has not yet “made a sufficiently direct statement, whether in a regulation or guidance, declaring the basic principle that health plan fiduciaries have a duty to act prudently regarding cybersecurity risks.”
  • How plans address cybersecurity issues in their dealings with third-party service providers, since “most of the action, most of the information, and most of the security risk [for health plans] lies with third-party administrators, insurers, and other service providers.”

After taking all the above and more into account, the Council concludes its report with the following recommendations:

  1. The DOL makes explicit that acting prudently with regard to cybersecurity risks is a responsibility of fiduciaries of all employee benefit plans, not just pension plans.
  2. The DOL makes clear that the fiduciary duty to act prudently regarding cybersecurity risks includes the duty of health plan fiduciaries to ascertain that their health plan service providers have practices and procedures in effect to deal with such risks. This would include, but not necessarily be limited to, an update to the DOL’s core publication for health plan fiduciaries, Understanding Your Fiduciary Responsibilities Under a Group Health Plan, to address fiduciary duties regarding cybersecurity risks.
  3. The DOL clarifies that the Cybersecurity Program Best Practices and Tips for Hiring a Service Provider with Strong Cybersecurity Practices apply to health benefit plan fiduciaries.
  4. The DOL indicates the extent to which compliance with HIPAA and HITECH satisfies any of the recommended practices in the Best Practices and Tips publications.
  5. The DOL reviews on a regular and timely basis, and updates if necessary, the Best Practices and Tips so that they reflect changes in those practices in light of the evolving nature of cybersecurity threats.
  6. The DOL provides education and materials to health plan sponsors and fiduciaries to assist them in understanding and carrying out these duties, including but not necessarily limited to specific tailored and targeted educational programs and materials to inform plan sponsors and fiduciaries about their ongoing responsibilities and obligations related to cybersecurity and informing plan sponsors and fiduciaries of materials available from other agencies, such as the HIPAA Security Risk Assessment Tool which is designed to assist small-to-medium-sized organizations.

Recommendations such as these by the Advisory Council are, by definition, advisory only. Furthermore, they are directed at the DOL (specifically, the Secretary of the DOL) only, and the DOL can adopt some, all, or none of them at its complete discretion and on its own time.

Nevertheless, these recommendations (along with the report itself) provide tremendous insights regarding the cybersecurity challenges health benefit plans presently face, as well as possible approaches regulators may undertake to address those challenges in the future.

ERISA Advisory Council Report on Cybersecurity Issues Affecting Health Benefit Plans »

Departments Issue Guidance on CAA Gag Clause Attestation

February 28, 2023

On February 23, 2023, the DOL, HHS and IRS (the departments) released FAQs regarding implementing certain transparency requirements under the Consolidated Appropriations Act, 2021 (CAA, 2021). Specifically, the guidance addresses the annual attestation of compliance with the CAA, 2021 prohibition against gag clauses.

The FAQs explain that a “gag clause” in the healthcare context refers to a contractual term that directly or indirectly restricts information that a group health plan or insurer can access or make available to another party. Effective December 27, 2020, the CAA, 2021 generally prohibited plans and insurers from entering into agreements with providers, TPAs and other service providers that include gag clauses that restrict:

  1. Disclosure of provider-specific cost or quality of care information to the plan sponsor, participants, beneficiaries or referring providers.
  2. Electronic access to de-identified claims and encounter information for each participant or beneficiary upon request, consistent with privacy regulations under the ADA, GINA and HIPAA.
  3. Sharing information described in (1) and (2) or directing that such information be shared with a business associate, consistent with applicable privacy regulations.

Plans and insurers must submit an annual attestation of compliance with these gag clause prohibitions. The FAQs specify that the first “Gag Clause Prohibition Compliance Attestation” is due no later than December 31, 2023, covering the period beginning December 27, 2020 (or the effective date of the group health plan if later), through the date of attestation. Subsequent attestations, covering the period since the last preceding attestation, are due by December 31 of each year thereafter. The attestation must be submitted to CMS through the Gag Clause Prohibition Compliance Attestation System. Instructions, a system user manual and an Excel template are available for review on the CMS website. Plans and insurers that do not submit the required attestation may be subject to enforcement action.

The gag clause prohibitions and compliance attestations apply to fully insured and self-insured plans (including level-funded plans), regardless of grandmothered or grandfathered plan status. However, the requirements do not apply to plans offering only excepted benefits and will not be enforced with respect to HRAs integrated with a group health plan or insurance. For fully insured plans, the plan and the insurer are each required to annually submit the attestation. However, the insurer’s submission of the attestation on behalf of the plan will satisfy the attestation requirements for both the plan and insurer. Self-insured and level-funded plans may enter a written agreement with a TPA or service provider to attest on the plan’s behalf, but the plans remain ultimately responsible for satisfying the requirements.

Group health plan sponsors should be aware of this new guidance and ensure that their contracts with providers do not reflect any prohibited gag clauses. Sponsors should contact and coordinate with their insurers, TPAs, PBMs and other service providers to ensure the required attestations are submitted by December 31, 2023.

FAQs Part 57 »
Gag Clause Prohibition Compliance Attestation System »
Instructions »
User Manual »
Template »

IRS Issues Final Regulations on Electronic Filing Requirements for Information Returns

February 28, 2023

On February 21, 2023, the IRS published final regulations (T.D. 9972), significantly expanding the electronic filing mandate for various returns, including Forms 1094 and 1095-C, 1099-series and Forms W-2 beginning in 2024. The final regulations reflect changes made by the Taxpayer First Act of 2019 to increase electronic filing requirements. The application date was delayed to 2024 to give impacted filers and vendors sufficient time to prepare for an increase in electronic filing.

Form 1094 Series; Forms 1095-B and 1095-C; Form 1099 Series; and Form 5498 Series
Under current regulations, the 250-return threshold applies separately to each type of information return covered under the regulations. The final regulations reduce the 250-return threshold to 10 or more returns in a calendar year. Furthermore, filers must aggregate almost all return types covered by the regulation to determine whether a filer meets the 10-return threshold rather than applying the 10-return threshold separately to each type of form. These new changes will take effect for returns filed on or after January 1, 2024. The proposed regulations issued in 2021 reduced the threshold to 100 returns for calendar year 2022 before the threshold decreases significantly to 10; however, the final regulations didn’t adopt this transition period.

For specific rules for other forms, please refer to the final regulations.

Additionally, the final regulations instruct that any corrected information returns must be filed in the same manner as the originals (electronically or on paper).

The final regulations generally provide hardship waivers for filers who would experience hardship in complying with the electronic filing requirements, such as for religious reasons.

These regulations considerably expand the electronic filing requirements to smaller employers and other filers. Employers who are filing returns in paper form should determine whether they will be subject to the electronic filing requirement in 2024. Further, affected employers should consult with their legal or tax advisor and consider engaging with an appropriate tax filing (or ACA reporting) vendor or implementing appropriate software to meet the new electronic filing requirements.

Final Regulations »
Press Release »

Ninth Circuit Rejects Reprocessing of Denied Claims in Wit v. UBH

February 28, 2023

On January 26, 2023, the US Court of Appeals for the Ninth Circuit released an opinion that expands upon its previously released memorandum disposition reversing a district court’s judgment that United Behavioral Health (UBH) wrongfully denied benefits to plaintiffs by using overly restrictive criteria for administering claims for treatment of mental health and substance abuse disorders.

Plaintiffs initially filed suit against UBH in 2014, bringing claims under ERISA against the insurer for breach of fiduciary duty and improper denial of benefits. Plaintiffs alleged that UBH improperly developed and relied on internal guidelines that were inconsistent with the plans’ terms and with state-mandated criteria. Plaintiffs also alleged the plans’ provided coverage for treatment was consistent with generally accepted standards of care (GASC) but that UBH’s guidelines for making benefit determinations were more restrictive than GASC.

After a bench trial, the district court ruled in March 2019 that UBH had breached its fiduciary duties and wrongfully denied benefits because its guidelines impermissibly deviated from GASC and state-mandated criteria. Notably, the district court based its analysis in part on UBH’s dual role as both plan administrator and insurer, which it deemed a structural conflict of interest, as well as the incentivization for UBH to keep its expenses down, which it deemed a financial conflict of interest.

As a result, in November 2020, the district court directed the implementation of court-determined claims processing guidelines, ordered the “reprocessing” of all plaintiff class members’ claims under these guidelines and appointed a special master to oversee compliance for a 10-year period.

UBH appealed the district court’s decision to the Ninth Circuit on the following grounds:

  • The court erred in concluding the insurer’s guidelines impermissibly deviated from GASC.
  • The court did not apply the appropriate level of deference to the insurer’s interpretation of the plans.
  • The unnamed plaintiffs in the “class” certified by the district court failed to exhaust their claims administratively in accordance with plan requirements. (UBH did not appeal the district court’s determination that the guidelines were impermissibly inconsistent with state-mandated criteria.)

The Ninth Circuit agreed with UBH on each of these points, holding that the district court misapplied the usual (and largely deferential) “abuse of discretion” standard of review afforded to plan administrators by substituting its own plan interpretations for those of UBH without regard to whether UBH abused its discretionary authority when it denied these claims. In the panel’s view, UBH did not abuse its discretionary authority, even when considering both the structural and financial conflicts of interest.

In the panel’s view, ERISA does not mandate what kind of benefits employers must provide but instead concerns itself with the written terms of benefit plans. Nor does ERISA necessarily mandate consistency with GASC; rather, ERISA mandates that a plan administrator (UBH, in this case) properly administers plans pursuant to the terms of those plans.

On these grounds, the panel reversed the district court’s judgment that UBH wrongfully denied benefits to the named plaintiffs based upon the court’s finding that the plan guidelines impermissibly deviated from GASC. Furthermore, the panel held that the district court should not have excused unnamed class members from demonstrating compliance with the plans’ administrative review exhaustion requirement because doing so conflicted with the written terms of the plan.

Wit v. UBH »

OCSE Releases Updated National Medical Support Notice and Instructions

February 28, 2023

On January 19, 2023, the federal Office of Child Support Enforcement (OCSE) issued updates to the National Medical Support Notice (NMSN) and the instructions for the form. OCSE is the federal government agency that oversees the national child support program. It maintains the NMSN, which is the official form child support agencies send to employers to ensure that children receive healthcare coverage when available and required as part of a child support order.

The NMSN has two parts, Part A and Part B. Part A is the Notice to Withhold for Health Care Coverage and includes the employer response form and instructions. Part B is the Medical Support Notice to the Plan Administrator and includes the Plan Administrator response form and instructions. Significant changes to the NMSN Parts A and B form and instructions include:

  • Added sample Part A
  • Increased fields for children from six to eight
  • Converted instructions into a stand-alone attachment
  • Added addendum to Part B

Additional questions and answers on the State Medical Support Contacts and Program Requirements matrix are available on OCSE’s website.

Employers and plan administrators must review Part A of the NMSN and either return a completed Part A to the issuing agency or forward Part B to the appropriate plan administrator (if different from the employer) within 20 business days after the date of the NMSN.

National Medical Support Notice Forms and Instructions »

IRS Releases Updated Publications 502 and 503

February 28, 2023

The IRS has released updated versions of Publications 502 and 503 for the 2022 tax year. Publication 502 describes medical expenses taxpayers can deduct on the 2022 federal tax returns, while Publication 503 explains the requirements necessary for taxpayers to claim the dependent care tax credit for child and dependent care expenses.

The updated version of Publication 502 is virtually identical to that of 2021, with two substantive changes:

  • The standard mileage rate for the use of a vehicle for medical reasons in 2022 is 18 cents a mile from January 1 through June 30 and 22 cents a mile from July 1 through December 31. (The rate was 16 cents a mile for all of 2021.)
  • References to the health coverage tax credit, a premium subsidy that had been available to certain displaced workers and retirees since 2003 but expired at the end of 2021, have been removed.

Notably, masks, hand sanitizer and hand sanitizing wipes for the primary purpose of preventing the spread of COVID-19 (collectively, “personal protective equipment”) remain deductible for the 2022 tax year, just as they were for 2021, pursuant to IRS Announcement 2021-7.

Updates to Publication 503 reflect the expiration of the temporary enhancements to dependent care benefits made available under the American Rescue Plan Act of 2021 (e.g., the maximum excludable amount increased to $10,500 from $5,000 for most taxpayers in 2021). The updated version also references the COVID-19-related relief allowing for the carryover of unused DCAP amounts from 2021 to 2022 without counting toward the maximum exclusion amount applicable to other DCAP benefits available in 2022.

While Publication 502 can be broadly instructive on the subject of medical expenses that can be reimbursed or paid for by tax-favored accounts such as health FSAs, HRAs and HSAs, its actual purpose is to explain the itemized deduction for medical expenses that individuals can claim on their income tax returns.

Accordingly, benefit plan administrators should exercise caution when using Publication 502 as a resource, given the differences among the rules specifically applicable to health FSAs, HRAs and HSAs, and the medical expense deduction (e.g., the treatment of insurance premiums). Publication 502 also has limitations when applied to plan designs with more restrictive reimbursement policies than Publication 502 might otherwise allow. For instance, many expenses deemed “deductible” by Publication 502 would not be reimbursable by an HRA integrated with a major medical plan because reimbursable expenses under an integrated HRA would (by definition) be limited only to those covered by the major medical plan.

2022 Publication 502 »
2022 Publication 503 »

Texas Court Vacates Provisions of Surprise Billing IDR Rule Again

February 14, 2023

On February 6, 2023, a Texas federal district court ruled in Texas Medical Association v. HHS that the federal agency failed to follow legislative intent when it issued the second version of its rules governing the surprise billing independent dispute resolution (IDR) process of the No Surprises Act (NSA). As a result, the court remanded the rulemaking to the agency for another revision.

This case is one of a series of lawsuits brought against HHS by the Texas Medical Association (TMA) challenging the agency’s IDR rules. The same judge decided against the agency in a previous case, as discussed in a March 1, 2022, article in Compliance Corner. In that case, the judge determined that the original rules required arbitrators in IDR proceedings to place too much emphasis on the qualifying payment amount (QPA), the median in-network rate for a given service in each market, when determining the appropriate amount to pay out-of-network providers. The judge ruled that this emphasis on the QPA did not comply with the NSA, which required arbitrators to consider a variety of factors when determining the appropriate payment. Because of that case, HHS issued revised final rules on August 19, 2022 (see the August 30, 2022, article in Compliance Corner).

In this case, TMA asserted that the revised rules continue to improperly restrict arbitrators’ discretion and unlawfully tilt the arbitration process in favor of the QPA. The judge agreed, noting that the new rules required arbitrators to consider the QPA first and restricted how they may consider information relating to the non-QPA factors. Under the rules, arbitrators must determine if the information provided outside the QPA is “credible,” that it “relates to the offer submitted by either party,” and is not “already accounted for by the QPA.” If the arbitrator relied on information other than the QPA, then they must explain why they did so in writing. The judge determined that these additional burdens resulted in a process that favored the QPA, and this emphasis was not in accordance with legislative intent. The judge remanded the rules back to the agency to revise the rules so that they do not favor consideration of the QPA over other factors.

This legal development adds uncertainty to a backlogged IDR process. Employers with self-insured plans that are involved in payment disputes with out-of-network providers should be aware of this development and consult with legal counsel if questions arise.

Texas Medical Association v. HHS »

IRS Releases Updated Publication 969: Health Savings Accounts and Other Tax-Favored Health Plans

February 14, 2023

The IRS recently released the updated Publication 969: Health Savings Accounts and Other Tax-Favored Health Plans for use in preparing 2022 tax returns. This publication provides basic information about Health Savings Accounts (HSAs), Medical Savings Accounts (MSAs), Flexible Spending Arrangements (FSAs) and Health Reimbursement Arrangements (HRAs), such as eligibility requirements, contribution limits and distribution rules.

The latest update includes reminders on important provisions for consumer-driven healthcare plans:

  • HSAs:
    • HDHPs may have a $0 deductible for telehealth or other remote care services for plan years beginning before 2022, months beginning after March 2022 and before 2023, and plan years beginning after 2022 and before 2025 and still preserve HSA eligibility for individuals.
    • HDHPs may have a $0 deductible for selected insulin products for plan years beginning after 2022 and still preserve HSA eligibility for individuals.
    • HDHPs may provide benefits under federal or state anti-“surprise billing” laws with a $0 deductible for plan years beginning after 2021 and still preserve HSA eligibility for individuals.
  • Health FSAs:
    • 2022 annual limit increased to $2,850, and carryover allowance increased to $570 for plan years beginning in 2022.
    • 2023 annual limit increases to $3,050, and carryover allowance increases to $610 for plan years beginning in 2023 (see our October 25, 2022, article in Compliance Corner).
  • Home testing for COVID-19 and personal protective equipment remain eligible medical expenses that can be paid or reimbursed under health FSAs, HSAs, HRAs or Archer MSAs.

Employers should be aware of the availability of the updated publication and reference it as needed.

2022 Publication 969 »
