Compliance Corner Archives

In November 2024, HHS issued its inaugural report on prescription drug spending and trends, as required under Section 204 of the CAA 2021, which directs the agency to report on “prescription drug reimbursements under group health plans and group and individual health insurance coverage, prescription drug pricing trends, and the role of prescription drug costs in contributing to premium increases or decreases under such plans or coverage.”

The report is an analysis of data for the years 2020 and 2021 regarding premiums, enrollments, nondrug medical spending, spending on prescription drugs, and prescription drug rebates provided by group health plans and health insurance issuers through the Prescription Drug Data Collection program (RxDC).

Highlights of the report include information regarding:

• Number of Covered Persons: In 2020, an estimated 143 million Americans had prescription drug coverage from private group health insurance plans (mostly employer-sponsored), and an estimated 11 million had prescription drug coverage from individual market health insurance plans.
• Breadth of Coverage: Most private health insurance coverage includes prescription drug benefits. Most individual (non-group) market and small group market plans are statutorily required to provide prescription drug coverage. Nearly all large group market plans provide prescription drug coverage, though they are not required to.
• Cost-Sharing: Average deductibles and out-of-pocket maximums in employer-sponsored coverage have generally increased since 2014, with employer-sponsored health insurance plans making greater use of coinsurance formulas rather than fixed copayments. Employer-sponsored health insurance plans have also adopted benefit designs with a larger number of cost-sharing tiers, allowing them to set higher cost-sharing for more expensive brand drugs.
• Prescription Drug Pricing Trends: Gross drug prices have generally been growing more rapidly than prices net of rebates paid by manufacturers to PBMs. Ratios of total spending net of rebates to gross spending, including rebates were 0.80 in 2020 and 0.78 in 2021, with variation across therapeutic class, market segment, and state. Rebates therefore accounted for 20-22 percent of gross drug spending in employer-sponsored and individual market plans, which is a smaller share than the 31 percent in Medicare Part D or the 53 percent in Medicaid.
• Relationship Between Prescription Drug Costs and Premiums: Research indicates that consumers are highly sensitive to premiums and consider premiums more than expected out-of-pocket costs when choosing health insurance plans, which is why plans and issuers are often more inclined to respond to increases in prescription drug costs with changes to formularies or utilization management rather than premium increases.

• RxDC Data Collection Issues: The report makes suggestions for improvements in the RXDC program with particular emphasis on two significant limitations with the current data collection process.

  • First, the “nondrug data” reported on Data Templates D1 and D2 (specifically, average and total premiums, member life-years, and medical spending and cost-sharing other than retail prescription drugs) was often aggregated to the plan or issuer level and usually submitted by the private health insurance plan or issuer, while the “drug data” reported on Templates D3 through D8 (e.g., “Top 50” drug data, total drug spending, etc.), was often submitted by the plan or issuer’s PBM with the data aggregated with those of other plans that the PBM served. It was therefore not possible in these cases for researchers to directly link data from the same underlying health plan across all eight templates to conduct certain analyses. Furthermore, the RxDC data could not be used to address the role of prescription drug costs in contributing to changes in premium levels.

  • Second, in many cases the reported spending aggregated at the PBM level in templates D3 through D8 was spending by the PBM, rather than spending only by the plan or issuer, as the RxDC instructions require. This limited researchers’ ability to use the data to understand what portion of rebates is retained by PBMs since PBMs often retain a portion of negotiated rebates and do not pass them on to the plan sponsor or issuer, and so the data reported via RxDC could include those amounts.

    Because of these issues, HHS, together with the DOL, IRS, and Office of Personnel Management, will be investigating different ways to address these limitations, such as allowing for estimations in future reports of rebates and prescription drug spending per member per month by market segment and by state, while also taking into account any additional data submission burdens on submitting entities and implementation costs to the government.

Employers should be aware of the contents of this report, which provides detailed information about nationwide trends in prescription drug coverage, costs, and pricing as reflected in reported group and individual health insurance coverage data. Employers should also take note of potential future adjustments to the RxDC process, particularly with regard to PBM reporting.

For further information about RxDC reporting, please ask your broker or consultant for a copy of the NFP publication CAA 2021: A Quick Reference Guide to Prescription Drug Data Collection Reporting.

Report to Congress: Prescription Drug Spending, Pricing Trends, and Premiums in Private Health Insurance Plans

In a report issued last month, the HHS Office of Inspector General (OIG) advocated for increased HIPAA audits and enforcement efforts from the Office for Civil Rights. Of particular concern for OIG was the recent increase in cyberattacks and the vulnerability of electronic information protected by HIPAA.

As background, the Office for Civil Rights (OCR) is the HHS agency tasked with implementing and enforcing HIPAA. In 2009, HIPAA’s protections and requirements with respect to electronic protected health information (ePHI) were strengthened by the HITECH Act, which specifically mandates that OCR perform periodic audits on covered entities and business associates. Given the increasing number of successful cyberattacks, ransomware attacks, and other security incidents targeting healthcare organizations, OIG undertook an investigation to determine whether OCR is meeting its HIPAA audit obligations. The report details their findings and outlines their recommendations.

Findings

OIG considered OCR’s HIPAA audit program for the time period of January 2016 through December 2020. During this time, OCR conducted 207 audits. All of these were desk audits, with zero comprehensive on-site audits. OCR has not initiated any new audits since 2017, largely due to a lack of financial and staffing resources.

OIG found that OCR did fulfill its requirement under the HITECH Act to perform periodic audits of organizations’ compliance with the HIPAA Privacy, Security, and Breach Notification Rules. However, of the 180 requirements included in the HIPAA Rules, OCR’s audits assessed only eight of those requirements during that period. Those eight requirements included only two Security Rule administrative safeguards – specifically, the responsibility to conduct a security risk analysis and risk management – and zero physical or technical safeguards. Furthermore, where deficiencies were found, OCR did not require audited entities to implement a corrective action plan or confirm implementation. Because of their limited scope and accountability, OIG concludes that OCR’s HIPAA audit program likely was not effective at improving cybersecurity protections at healthcare organizations.

Recommendations

The report contains four recommendations:

1. Expand the scope of HIPAA audits to include physical and technical safeguards.
2. Implement a program for ensuring that identified deficiencies are corrected in a timely manner.
3. Identify criteria for determining whether follow-up compliance reviews should occur.
4. Define metrics for determining the effectiveness of the HIPAA audit program in strengthening protections over ePHI.

OCR agreed with OIG’s first, third, and fourth recommendations, contingent upon receiving the funding and personnel levels needed to accomplish them. They also disclosed their plans to initiate additional HIPAA audits and create a follow-up survey protocol in the near future. However, OCR did not agree with OIG’s second recommendation, pointing out that entities can choose to pay a civil monetary penalty under the HITECH Act instead of correcting HIPAA deficiencies.

The report’s appendices include a description of the scope and methodology of OIG’s review, an outline of the OCR HIPAA audit process, and citations to the applicable federal requirements under HIPAA and HITECH.

NFP Takeaways

Employers who sponsor group health plans—particularly self-insured group health plans that handle PHI—should be aware of OCR’s stated plans to undertake more HIPAA audits soon. For that reason, self-insured group health plans should ensure that they are complying with HIPAA’s requirements, such as regular training for staff members who handle PHI, maintaining written HIPAA policies and procedures, and conducting security risk analyses to identify IT vulnerabilities. With the upcoming change in administration, the priorities, funding, and personnel at the OCR and other federal agencies will almost certainly experience a shift. However, HIPAA compliance and cybersecurity remain important issues.

The Office for Civil Rights Should Enhance Its HIPAA Audit Program to Enforce HIPAA Requirements and Improve the Protection of Electronic Protected Health Information

On November 15, 2024, the Congressional Research Service (CRS) published a report on HSA Qualified Medical Expenses. The report describes HSA-qualified medical expenses and legislative approaches to amend HSA-qualified medical expenses.

HSA funds that are distributed for qualified medical expenses of the account holder, spouse, and any of their tax dependents are not subject to federal tax. Over the years, Congress has broadened the items and services that are considered qualified medical expenses (e.g., OTC drugs purchased without a prescription and more recently, menstrual products).

However, the report provides CRS’s observations that expanding the items and services that are considered HSA-qualified medical expenses could reduce federal revenues. CRS proposes several policy issues for Congress to consider when modifying the items and services that can be paid for using an HSA.

Congress has used two legislative approaches to amend and expand the list of HSA-qualified medical expenses:

• Amending the definition of medical care at IRC Section 213(d), which has broader effects impacting not only HSAs but also FSAs, HRAs, and other health-related tax-advantaged accounts, or
• Amending IRC Section 223 directly to create or address an HSA-specific rule.

The report states that policies amending IRC Section 213(d) could result in a larger budgetary impact as compared with a similar policy focused on HSAs alone. For example, the Congressional Budget Office estimated that the CARES Act expansion of qualified medical expenses for HSAs, FSAs, HRAs, and Archer MSAs to include over-the-counter medicines and menstrual care products would reduce revenues by $9 billion from 2020 to 2030 because individuals are expected to contribute more to these accounts because of expanded qualified medical expenses. The report suggests Congress consider whether such modifications are consistent with the intent that Congress had when it passed legislation establishing HSAs and the extent to which a change to such structure is warranted.

Many plan sponsors offer HDHPs and HSA programs to their employees and have welcomed the expansion of healthcare items and services that can be considered qualified medical expenses and thus payable from HSAs on a tax-free basis. The report provides a somewhat sobering view, for consideration by Congress, of the budgetary impact of the further expansion of such expenses and ways to reduce that impact. However, given the incoming administration’s stated desire to increase the flexibility of HSAs, it’s unclear whether and to what extent the budgetary concerns will factor into related legislation.

Health Savings Account (HSA) Qualified Medical Expenses

On October 25, 2024, the HHS Office for Civil Rights (OCR) published its October 2024 OCR Cybersecurity Newsletter. The newsletter focuses on “social engineering,” which the OCR defines as “an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks or taking an action (e.g., clicking a link, opening a document, etc.).” The OCR highlights four common types of social engineering.

The first two types of social engineering are “phishing” and “smishing.” Generally, "phishing" is the attempt to trick people into providing sensitive information electronically, most often through email. The second type is “smishing,” which is a type of phishing that uses text messages to reach victims. The hacker disguises themselves as someone trustworthy and asks the potential victim to provide sensitive information for what appears to be a legitimate reason. Although the HIPAA Privacy Rule addresses attacks against work-related electronic communication (such as a work email address), phishing and smishing attacks often bypass this by going directly to a person’s personal email or phone number.

The third type of social engineering is “baiting.” This type attempts to trick people into providing sensitive information by offering a prize or deal in return for that information. Like other forms of social engineering, baiting appears to be legitimate, even though the offers appear too good to be true. Baiters also target personal emails and phone numbers even when seeking sensitive work information.

The final type of social engineering is the “deepfakes.” This type of social engineering uses AI to create likenesses of people (or their voices) to trick others into providing sensitive information.

The newsletter provides measures that people can take to guard against these types of social engineering and reminds readers that the HIPAA Security Rule requires regulated entities, which include employer-sponsored group health plans and their business associates, to ensure the confidentiality of electronic protected health information (ePHI) against anticipated threats. The types of social engineering outlined in the newsletter are anticipated threats that regulated entities should consider when implementing security measures. Regulated entities need to include in their risk analysis a consideration of the potential threat that social engineering poses to their networks and the ePHI that is stored there. The OCR suggests that educational programs covering social engineering should be provided to employees. In addition, regulated entities should have safeguards in place in the event social engineering works to fool an employee into providing access to the entities’ ePHI. Technical safeguards include protecting the integrity of ePHI from improper alteration or destruction and allowing access to ePHI to only those granted access rights to such ePHI.

Employers who sponsor group health plans and gather and maintain ePHI should be aware of the types of social engineering described in this article and of the OCR’s expectations that they consider them and implement safeguards to protect against them.

October 2024 OCR Cybersecurity Newsletter

On November 8, 2024, the DOL issued Advisory Opinion FMLA2024-01-A, which addresses whether an employee can take leave under FMLA for treatment of a serious health condition provided as part of a clinical trial.

As background, the inquirer is an organization involved in the treatment and cure of a known disease that uses clinical trials as part of its research goals towards finding a cure. In its research, the organization has found that one barrier to participation in their clinical trials is participants’ beliefs that they cannot take time off from work to participate in the trial. The organization sought clarification from the DOL as to whether participation in the clinical trial would be a qualifying reason for leave for an employee who is otherwise eligible for leave under FMLA.

Under the FMLA, a qualifying reason for leave includes a serious health condition that makes the employee unable to perform functions of their employment. A serious health condition can be an illness, injury, impairment, or condition that involves continuing treatment by a healthcare provider or care at a hospital or treatment facility.

In its opinion, which is based solely on the facts provided by the inquirer, the DOL notes that the term “treatment” applies broadly and the fact that treatment is related to the individual’s voluntary participation in a clinical trial would not impact the applicability of the term. Treatment may include services such as therapy or care requiring specialized equipment, significant intervention, or prescription medication, which are often found in clinical trial participation. The opinion notes that the regulations also do not specify that the treatment meets specific efficacy standards to be considered a qualifying reason for leave.

Similar to other FMLA requests, an employee must still submit certification documents as requested to support the need for continued leave. However, employers are not permitted to inquire as to the effectiveness of the treatment as part of the decision-making process.

The opinion concludes that treatment for a serious health condition that is included as part of a clinical trial can be a qualifying reason for leave under FMLA for an otherwise eligible employee. While matters of FMLA fall into employment law rather than employee benefits, it is important for employers to ensure FMLA is administered correctly and consistently. This opinion letter is a helpful reminder to employers to carefully review the facts of an employee’s specific situation prior to making a determination under FMLA.

Advisory Opinion FMLA2024-01-A

On November 7, 2024, the IRS issued a reminder to employees with access to health flexible spending arrangements (FSAs) through their employer on the advantages of using these arrangements to pay for medical expenses with tax-free dollars. For plan years beginning in 2025, health FSA and limited-purpose health FSA plan year limits will increase from $3,200 to $3,300 with the entire plan year election amount available on the first day of the plan year. The maximum carryover amount increases from $640 to $660.

Employers with non-calendar year health FSA plans must continue to rely on the limits established for their 2024 plan year until the beginning of their 2025 plan year. Employers can choose to provide a lower salary reduction limit but cannot exceed the IRS plan year maximum. Employer contributions, if any, do not count toward the plan year maximum.

The maximum annual health FSA salary reduction amount is a per-employer limit; an employee who has more than one employer can make health FSA elections up to the maximum allowed by each employer. Similarly, if an employee’s spouse has a plan through their own employer, the spouse can also contribute up to $3,300 to that plan. In this situation, the couple could jointly contribute up to $6,600 for their household.

The reminder also highlights certain qualified medical expenses that employees can pay for with health FSA funds, assuming those expenses are not otherwise covered or reimbursed by their health plan or other source. These include copays, deductibles, and a variety of prescription or over-the-counter medical, dental, and vision products and services. Note, however, that employers can limit the types of expenses that are reimbursable from a health FSA, provided such limitations are memorialized in the health FSA plan document. Further, employers or plan administrators are responsible for obtaining the relevant information to substantiate claims before processing reimbursement requests. This includes determining that the claim was incurred by a covered individual during the coverage period.

For a list of qualified medical expenses that may be paid for with health FSA funds, please ask your broker or consultant for a copy of the NFP publication Qualified Medical Expenses.

IRS: Healthcare FSA Reminder

On November 5, 2024, the United States Court of Appeals for the Ninth Circuit (Ninth Circuit) affirmed a district court’s summary judgment ruling that a legal separation agreement (LSA) met the necessary requirements for a qualified domestic relations order (QDRO) under ERISA.

At issue was language in the LSA between Haili Kowalski and her now-deceased ex-husband (the decedent), which provided that the decedent “shall carry and maintain a policy of life insurance in the amount of $800,000” and “name [Kowalski’s minor son, EK] as sole beneficiary.” Notwithstanding this obligation, the named beneficiary on the decedent’s employer-sponsored life insurance policy provided through the Hartford Life and Accident Insurance Company (“the Hartford Plan”) was not EK, but Marilyne Valois, the decedent’s girlfriend, in the amount of $493,000.

When Kowalski presented the LSA to Hartford after her ex-husband’s death, Hartford brought an interpleader action in the United States District Court for the Northern District of California to resolve the discrepancy. The district court ruled on summary judgment that the LSA was a QDRO under ERISA, and that therefore EK, rather than Valois, was the rightful beneficiary of the decedent’s life insurance proceeds, after which Valois appealed to the Ninth Circuit.

Valois argued that ERISA requires that a QDRO must “clearly specif[y]” “each plan to which such order applies,” and that therefore the LSA could not be a QDRO because while it required the decedent to have carried and maintained life insurance for EK, it did not clearly specify the Hartford Plan for those purposes.

The Ninth Circuit rejected this argument, holding that it has historically only required “substantial compliance” with ERISA’s specificity requirements, the purpose of which is to “spar[e] plan administrators the grief they experience” due to “uncertainty concerning the identity of the beneficiary.” Under this standard, even though the LSA made only a general mention of “a policy of life insurance,” rather than specifying the Hartford Plan as such, it still substantially complied with ERISA, since the Hartford Plan was the only life insurance policy the decedent had.

Valois also argued that the LSA could not be a QDRO for purposes of the Hartford Plan because the Hartford Plan only provided for $493,000 of benefits, rather than the $800,000 specified in the LSA. The Ninth Circuit also rejected this argument on the grounds that the LSA is an agreement between the decedent and Kowalski, not between Kowalski and Hartford, and nothing in the LSA required Hartford to provide an amount greater than $493,000, and Kowalski was not requesting any more than the amount allowed under the Hartford Plan.

While plan sponsors usually handle QDROs in the context of retirement plans, they can also play a role in group life insurance plan administration, as this case demonstrates. Even though life insurance carriers bear the primary burden of complying with QDROs to ensure that insurance proceeds are distributed to the proper beneficiary or beneficiaries, the Ninth Circuit’s reasoning and holding in this case should provide plan sponsors a glimpse into how courts approach these issues.

Hartford Life and Accident Insurance Company v. Marilyne Valois v. Haili Kowalski

On November 7, 2024, the DOL and IRS (the agencies) issued joint guidance providing an extension of various compliance deadlines for employee benefit plans, participants, beneficiaries, qualified beneficiaries, and claimants directly affected by Hurricane Helene, Tropical Storm Helene, or Hurricane Milton. In a separate announcement, Disaster Relief Notice 2024-01, the DOL provided additional relief for such plans and individuals.

The joint guidance is primarily designed to minimize the possibility of individuals directly affected by these natural disasters from losing plan benefits due to a failure to comply with certain pre-established timeframes (e.g., with respect to HIPAA special enrollments, COBRA continuation coverage, or ERISA benefit claims). “Directly affected” means the individual resided, lived, or worked in one of the disaster areas (as designated by FEMA) at the time of the hurricane or tropical storm or whose coverage was under an employee benefit plan that was directly affected. Generally, a plan is directly affected if the principal place of business of the plan sponsor or office of the plan administrator or primary recordkeeper is in a disaster area.

Specifically, ERISA group health plans, disability and other welfare benefit plans, and pension benefit plans must disregard the relevant Relief Period (as explained below) in determining the following periods and dates applicable to directly affected individuals:

• The 30-day (or 60-day, if applicable) deadline to request a HIPAA special enrollment
• The 60-day COBRA election period
• The 30-day (or 60-day, if applicable) deadline to notify the plan of a COBRA qualifying event (and the 60-day deadline to notify the plan of a determination of a disability)
• The 45-day deadline to make a first COBRA premium payment and 30-day deadline for subsequent COBRA premium payments
• Deadlines to file benefit claims or appeals under the plan’s claims procedures
• Deadlines for filing a request for external review of a denied claim or information to perfect a request for external review

Furthermore, relief is provided for directly affected group health plans by allowing sponsors to disregard the relevant Relief Period when determining the date for providing a COBRA election notice.

The commencement of the relevant Relief Period ranges from September 23 to October 5, 2024, depending upon the specific hurricane and disaster area in Florida, Georgia, North Carolina, South Carolina, Tennessee, and Virginia, and ends on May 1, 2025. For example, for designated disaster areas in North Carolina, South Carolina, and Virginia due to Hurricane or Tropical Storm Helene, the Relief Period begins on September 25, 2024, and ends on May 1, 2025. Plan sponsors with directly affected plans or individuals should refer to the joint notice to determine the Relief Period commencement date applicable to their situation.

The tolling of applicable deadlines during the Relief Period is like that during the “Outbreak Period” of the COVID-19 pandemic. The joint guidance provides numerous examples to illustrate the application. In one example, an individual who resides in Columbia, South Carolina (a disaster area), is eligible for, but previously declined participation in, her employer-sponsored group health plan. On October 31, 2024, she gives birth to a child. The example explains that she would normally have at least 30 days from the date of the birth to exercise her HIPAA special enrollment right to enroll herself and the child in the group health plan (with coverage retroactive to the date of birth). However, under the relief guidance, she may exercise her special enrollment rights until 30 days after May 1, 2025, which is May 31, 2025, if she pays her share of the premiums for the period of coverage.

HHS encourages non-federal governmental plans to extend the otherwise applicable timeframes for directly affected individuals in a manner consistent with the relief specified in the joint guidance.

Additionally, in Disaster Relief Notice 2024-01, the DOL provides an extension of deadlines for affected plan sponsors to provide notices, disclosures, and other documents required by Title 1 of ERISA over which the DOL has regulatory authority (and excepting notices and disclosures addressed by the joint guidance). (The DOL’s Reporting and Disclosure Guide for Employee Benefit Plans provides further information on Title 1 disclosures.) The relief under Notice 2024-01 extends for the Relief Period, provided the plan and responsible fiduciary act in good faith and furnish the notice, disclosure, or document as soon as administratively practicable under the circumstances. Notice 2024-01 also provides certain relief regarding pension plan loan and distribution verification procedures, participant contributions and loan repayments, blackout notices, and Form 5500 filings. The DOL reminds plan fiduciaries that the guiding principle must be to act reasonably, prudently, and in the interest of the covered individuals.

Sponsors of ERISA benefit plans and/or with participants directly affected by the disasters should be aware of the timeframe extensions and ensure that HIPAA special enrollment rights, COBRA continuation coverage, claim reviews, and other procedures are administered in accordance with the relief guidance, as applicable. The timeframe extensions should also be coordinated, as necessary, with service providers, such as COBRA administrators and TPAs. Sponsors should review the guidance for further details.

• Extension of Certain Timeframes for Employee Benefit Plans, Participants, Beneficiaries, Qualified Beneficiaries, and Claimants Affected by Hurricane Helene, Tropical Storm Helene, or Hurricane Milton
• Disaster Relief Notice 2024-01

On October 21, 2024, the DOL, HHS, and IRS (the departments) issued proposed rules that would, among other items, expand ACA preventive service coverage requirements to include over-the-counter (OTC) contraceptive items. 

Following the US Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, President Biden issued several executive orders to protect and expand access to reproductive healthcare services. Executive Order 14101, issued on June 23, 2023, specifically asked the departments to consider additional actions ‘‘to promote increased access to affordable OTC contraception, including emergency contraception.” On October 3, 2023, the departments released a request for information regarding coverage of OTC preventive items and services, including contraceptives, without a prescription; please see our October 10, 2023, article in Compliance Corner. In response, the departments received over 376 public comments, which were considered in the development of the proposed rules. 

Currently, the ACA requires non-grandfathered group health plans to cover OTC contraceptives as preventive care only if prescribed by a healthcare provider. Under the proposed rules, plans would be required to cover recommended OTC contraceptive items without requiring a prescription or cost-sharing from participants. Plans that have a network of providers, such as pharmacies (including mail-order pharmacies) that can provide OTC contraceptive items would not be required to cover OTC contraceptive items provided by out-of-network (OON) providers. However, plans that lack in-network (INN) providers of OTC contraceptive items would be obligated to cover OTC contraceptive items without cost-sharing provided by OON providers. The proposed rules would not modify federal conscience protections related to contraceptive coverage for plans and plan sponsors.

Under the proposed rules, network coverage for OTC contraceptive items and services would generally be provided in a manner comparable to coverage for other recommended preventive services (e.g., plans should not impose shipping costs on OTC contraceptive items furnished via mail order if the plans would not impose such costs on comparable prescription products). Further, plans must ensure their processes to reimburse participants for out-of-pocket OTC contraceptive items are reasonable. 

The departments acknowledge concerns regarding overconsumption, fraud, waste, or abuse that could be increased by OTC contraceptive coverage without a prescription but anticipate that plans would be able to mitigate these risks by using existing claims processing systems with respect to INN coverage. However, the departments recognize there may be challenges (particularly with respect to privacy concerns) in the context of OON coverage and request comments regarding these issues. The departments have also requested comments regarding reasonable quantity limits for OTC oral contraceptives but note that a one-month supply would generally not be considered reasonable. 

In addition, the proposed rules would require plans to cover certain recommended contraceptive items that are drugs and drug-led combination products (i.e., comprising a drug and a device for which the drug component provides the primary mode of action) without cost-sharing, unless a therapeutic equivalent is covered without cost-sharing. (For more information on therapeutic equivalents, please see the DOL ACA Implementation FAQs Part 64.) The departments believe this requirement, which was previously an option, will ensure coverage of the full range of FDA-approved contraceptive items and protect against narrow drug formularies.

Furthermore, the proposed rules require disclosure of the available OTC contraceptive coverage in plans’ Transparency in Coverage internet-based self-service tools (or, if requested, on paper). Specifically, if a participant requests cost-sharing information for any covered contraceptive item or service through such a tool, the information provided in response must include a statement explaining that OTC contraceptive items are covered without cost-sharing and without a prescription. 

With respect to preventive care coverage generally, the proposed rules would codify that medical management techniques (e.g., to contain costs, promote efficiencies, and minimize risks of fraud, waste, and abuse) would not be considered reasonable (and thus permissible) unless the plan provides an easily accessible, transparent, and sufficiently expedient exceptions process. The exceptions process must allow a participant to receive coverage without cost-sharing for a preventive item or service that is medically necessary, as determined by the participant’s attending provider, even if such item or service is not generally covered under the plan. For example, if a participant experiences side effects from a generic preventive item, the plan may need to cover the brand name version without cost-sharing, if determined to be medically necessary for the participant by their healthcare provider. Relevant information regarding the exceptions process would need to be included in plan documents and other materials (including the plan’s website) that describe preventive services coverage. The departments have requested comments on how the proposed exceptions process requirement should apply to OTC contraceptive items (for which no provider involvement is generally required). 

Plan sponsors should be aware of the issuance of these proposed rules. As proposed, the OTC contraceptive coverage requirements would generally be applicable for plan years beginning in 2026. However, the general preventive service requirements regarding the medical management exceptions process would apply on the effective date of the final rules. Sponsors wishing to submit comments, including whether the proposal related to coverage of OTC contraceptives should be extended to other recommended preventive items and services (e.g., tobacco cessation items), may do so by December 27, 2024, in accordance with the instructions in the proposed rules. Sponsors should monitor for further guidance, and we will provide updates on relevant developments in future editions of Compliance Corner. 

Federal Register: Proposed Rule; Enhancing Coverage of Preventive Services Under the ACA

On October 21, 2024, the DOL updated its FAQs for the ACA and the Women’s Health and Cancer Rights Act (WHCRA) by adding FAQ Part 68. These new FAQs concern issues relating to preventive services, including coverage of Pre-Exposure Prophylaxis (PrEP) and insurance coding practices, as well as coverage for a specific breast reconstruction technique. 

As background, the ACA requires non-grandfathered group health plans and issuers to cover certain in-network preventive services with zero cost-sharing for participants. The WHCRA mandates coverage of breast reconstruction after a mastectomy. 

In Q1, the DOL clarifies changes made by the US Preventive Services Task Force (USPSTF) in 2023 regarding coverage of PrEP to those who are at high risk of contracting HIV. Specifically, the USPSTF recommended coverage of three different formulations of PrEP: two oral and one injectable. Plans and issuers must cover all three of those formulations without cost-sharing and may not use medical management techniques to direct participants towards one formulation over another. 

In Q2 through Q7, the DOL addresses common medical service coding issues that arise during the processing of claims for preventive items and services. Q2 clarifies that when a carrier receives an in-network claim that uses an industry-standard ICD-10 or CPT code to denote that it is preventive in nature, the carrier should go ahead and process it without cost-sharing. Q3 and Q4 discuss the circumstances under which a carrier may use additional information to process the claim without zero cost-sharing. 

Q5 encourages plans and issuers to review their coding practices and to provide clear guidance to their network providers on how to submit preventive service claims accurately. Q6 consists of several examples illustrating the guidance provided in Q2 through Q4.

Finally, the DOL confirms in Q7 that plans must cover a specific type of breast reconstruction – namely, chest wall reconstruction with aesthetic flat closure – under the WHCRA. If this specific procedure is elected by the patient in consultation with their attending physician after a mastectomy, then it is subject to the WHCRA’s mandate. Plans may impose cost-sharing for these benefits in a manner consistent with other benefits provided under the plan. 

Ultimately, the issues discussed in these FAQs will need to be implemented and administered by a plan’s medical carrier or TPA. Accordingly, plan sponsors should contact their carrier or TPA, as applicable, with any questions.

DOL, FAQs About Affordable Care Act and Women's Health and Cancer Rights Act

On October 30, 2024, the Fifth Circuit Court of Appeals (Fifth Circuit) reversed a district court’s decision to vacate certain regulations promulgated by three federal agencies: the DOL, HHS, and IRS (the agencies). The regulations established priorities for independent arbitrators appointed to resolve disputes between healthcare providers and payors through an Independent Dispute Resolution (IDR) process established under the No Surprises Act (NSA). In particular, the regulations establishing parameters for determining the median in-network rate for a given service in a market, which in turn establishes a baseline for determining how much a provider will be paid for services provided out of network, were upheld in this appeal. 

In this case, the issue revolved around the qualifying payment amount (QPA), which is the median in-network rate for a given service in each market. The QPA is one of several factors that independent arbitrators must consider when determining the appropriate payment for services provided out-of-network. At the district court level, the plaintiffs (who have successfully challenged other aspects of the IDR process) pointed out that the government’s rules for determining the QPA included “ghost rates,” which are contracted rates that technically exist but have never been used. The plaintiffs argued that including these ghost rates artificially lowers the median rate. In addition, the plaintiffs argued that the agencies' regulations that exclude consideration of “case-specific” rates (which are rates agreed to between the provider and the payor that are not included in the standard rates paid to other participants in the network) exceed the agencies' authority under the NSA because these are contracted rates that must be considered. Similarly, the plaintiffs argued that the regulations’ exclusion of bonus payments exceeded their authority. The district court agreed that the agencies exceeded their authority and ruled that the regulations should be vacated. However, the Fifth Circuit disagreed, reasoning that the agencies had the authority under the NSA to include (or exclude) these rates in their regulations. 

The Fifth Circuit also rejected another of the plaintiffs’ arguments. The plaintiffs argued that certain disclosure requirements imposed on insurers do not provide providers with enough information and hinder their ability to challenge the insurer’s QPA. Although the district court agreed that the disclosure requirements were arbitrary and capricious, the Fifth Circuit ruled that the responsibility for establishing disclosure requirements was well within the agencies’ scope and the fact that the plaintiffs would have required other information in those disclosures does not, by itself, mean that the agencies were being arbitrary and capricious. 

The Fifth Circuit did agree with the plaintiffs and the district court that the agencies’ rule establishing a deadline for insurers to provide either an initial payment or notice of denial of payment to a provider exceeded their authority. The Fifth Circuit found that the NSA establishes the deadline as not later than 30 calendar days after the bill for such services is transmitted by such provider. However, the agencies’ rule states that the thirty-day clock starts on the date that the plan or issuer receives the information necessary to decide a claim for payment for such services, commonly known as a “clean claim” under many existing state laws. Accordingly, the Fifth Circuit determined that this rule exceeded the authority granted under the NSA. 

Overall, this ruling is a deviation from the pattern of rulings against the agency regulations that administer the NSA’s IDR process. Despite this decision, this process's status is in constant flux, and there is uncertainty about how the growing number of payment disputes will be resolved. Although this case does not explicitly halt the IDR process, it is not unreasonable to expect the agencies to pause the process while they figure out what to do next, which will likely create more backlog and uncertainty. Accordingly, employers should be aware of this issue.

Texas Medical Association vs. HHS

On October 8, 2024, CMS released the proposed Notice of Benefit and Payment Parameters Rule for 2026. This notice is issued annually preceding the applicable benefit year and, once final, adopts certain changes. Additionally, CMS issued Premium Adjustment Percentage and related guidance to inform the payment parameters for the 2026 benefit year. While the proposed rule primarily impacts the individual market and the Exchange, CMS’s Premium Adjustment Percentage and related guidance addresses certain ACA provisions and related topics that impact employer-sponsored group health plans. Below are the highlights.

Annual Cost-Sharing Limits

The ACA requires non-grandfathered group health plans to comply with an out-of-pocket maximum on expenses for essential health benefits. CMS proposes that this maximum annual limitation on cost-sharing for 2026 will be $10,150 for self-only coverage and $20,300 for family coverage (an increase from $9,200 and $18,400 for self-only/family coverage respectively in 2025).

Premium Adjustment Percentage and Payment Parameters

CMS announced the premium adjustment percentage for the 2026 benefit year as 1.6002042901 ($7,833/$4,895), which indicates an increase in employer-sponsored insurance premiums of approximately 60.0% over the period from 2013 to 2025. This premium adjustment percentage will also be used to index the Employer Mandate provision’s penalty amounts for the 2026 benefit year.

The proposed Notice of Benefit and Payment Parameters Rule proposes updates to marketplace requirements and includes provisions to address network adequacy, improve access to healthcare items and services (such as prescription drugs and adult dental benefits), and promote fair marketing standards. For further details of the specific proposed rule, please refer to the CMS Notice.

Once the regulations are finalized, employers should review them and implement any changes needed for the 2026 plan year.

• Proposed Rule
• Fact Sheet
• 2026 PAPI Parameters Guidance

On October 17, 2024, the IRS published two notices (Notice 2024-71 and Notice 2024-75) to expand and clarify the list of preventive care benefits that are permitted under an HDHP without a deductible or with a deductible below the applicable minimum deductible for the HDHP.

As background, an HDHP is generally not permitted to provide benefits for any year until the minimum deductible for that year is satisfied. However, Code section 223(c)(2)(C) provides a safe harbor to provide preventive care even before meeting a deductible.

Notices 2024-75 expanded eligible over-the-counter (OTC) preventive care items to include oral contraceptives (including emergency contraceptives) and male condoms, effective for plan years that begin on or after December 30, 2022. Additionally, the notice clarified that:

• All types of breast cancer screening (e.g., Magnetic Resonance Imaging, ultrasounds, and similar breast cancer screening services) for individuals who have not been diagnosed with breast cancer are treated as preventive care under Section 223(c)(2)(C). This change clarifies language in Notice 2004-23 and thus is effective as of the publication date of Notice 2004-23 (April 12, 2004).

• Continuous glucose monitors for individuals diagnosed with diabetes are preventive care under section 223(c)(2)(C) in the same circumstances as other glucometers if the continuous glucose monitor is measuring glucose levels using a similar detection method or mechanism to other glucometers (i.e., piercing the skin). This clarifies guidance in Notice 2019-45 and thus is effective as of the effective date of Notice 2019- 45 (July 17, 2019).

• The new safe harbor for absence of a deductible for certain insulin products in Section 223(c)(2)(G) applies without regard to whether the insulin product is prescribed to treat an individual diagnosed with diabetes or prescribed for the purpose of preventing the exacerbation of diabetes or the development of a secondary condition. This guidance is effective for plan years (in the individual market, policy years) beginning after December 31, 2022.

Notice 2024-71 provides a safe harbor under Section 213 for amounts paid for condoms. Specifically, the notice states that amounts paid for condoms will be treated as amounts paid for medical care under Section 213(d) and thus will be eligible to be paid or reimbursed under a health flexible spending arrangement (health FSA), Archer medical savings account (Archer MSA), health reimbursement arrangement (HRA), or health savings account (HSA). However, if an amount paid for condoms is paid or reimbursed under a health FSA, Archer MSA, HRA, HSA, or any other health plan or otherwise, it is not a deductible expense under Section 213. The term “medical care” means amounts paid for the diagnosis, cure, mitigation, treatment, or prevention of disease, or for the purpose of affecting any structure or function of the body.

The notices provide helpful clarifications and updates for employers and employees. Employers who offer an HDHP, HSA program, HRA or a health FSA, or HRA should review these notices closely, work with their vendors to update applicable systems, and revise plan documents and other employee communications accordingly.

• N-2024-75 (irs.gov)
• N-2024-71 (irs.gov)

On October 1, 2024, in M.S., et al v. Premera Blue Cross, et al, the United States Court of Appeals for the Tenth Circuit (the Tenth Circuit) vacated a lower court’s MHPAEA violation judgment because the plaintiffs lacked standing to bring a MHPAEA claim against the defendants in federal court. Additionally, the Tenth Circuit found that the defendants violated ERISA’s document disclosure requirements and upheld the imposition of penalties and attorneys’ fees and costs.

As background, in order to bring a lawsuit in federal court, a plaintiff must demonstrate standing for each claim they seek to press and for each form of relief that is sought. This concept is known as “Article III standing,” in reference to the portion of the US Constitution that restricts federal court adjudication. Standing must be proven by a plaintiff by demonstrating that they have suffered a specific and concrete “injury in fact” that can be traced to the defendants and can be remedied by the court’s action.

In this case, the plaintiffs sought residential treatment facility benefits under the Microsoft Corporation Welfare Plan for their minor child’s mental health condition. The claims administrator, Premera Blue Cross, denied the claim and subsequent appeal as not medically necessary based upon the definition of “medical necessity” in the SPD and using a set of guidelines for evaluating medical appropriateness known as the “McKesson InterQual Criteria.” Plaintiffs argued that the denial was both a violation of the plan’s own written terms under ERISA and a violation of MHPAEA because the McKesson InterQual Criteria was an additional non-quantitative treatment limitation (NQTL) that did not apply to medical and surgical claims in the same category. The plaintiffs also sued under ERISA for failure to produce requested documentation used by Premera to come to its decision — namely, the Administrative Services Agreement and the McKesson InterQual Criteria guidelines. The district court ruled that there was no ERISA claims violation but found in favor of the plaintiffs with respect to the MHPAEA claim and the ERISA disclosure claim. The defendants appealed the latter two rulings.

Upon review, the Tenth Circuit found that the plaintiffs lacked Article III standing to bring the MHPAEA claim due to the fact that the district court had found that there was no ERISA claims violation. In other words, the plaintiffs had failed to demonstrate the medical necessity of their child’s treatment at the residential treatment facility, and the plan would have denied treatment in accordance with the written terms of the SPD — even without the application of the McKesson InterQual Criteria. Therefore, any violation of MHPAEA did not cause a loss of benefits and thus did not itself result in injury to the plaintiffs. As a result, the Tenth Circuit vacated the lower court’s judgment on the MHPAEA claim and remanded with instructions to dismiss the claim for lack of jurisdiction.

The Tenth Circuit looked at the merits of the plaintiff’s claim that the defendants failed to produce certain requested documents used by Premera Blue Cross in their decision to deny the residential treatment facility claims in a violation of ERISA disclosure requirements. ERISA requires plans to respond to a participant’s request for documents used to administer the plan - including the SPD, summary annual report, and any contract or other instrument under which the plan is established or operated - within 30 days. Failure to comply can result in penalties of up to $100 per day, plus any other relief deemed proper by the court. The Tenth Circuit found that the plan’s Administrative Services Agreement between Premera Blue Cross and the Microsoft Corporation Welfare Plan should have been provided under ERISA but that the McKesson InterQual Criteria documents were beyond what ERISA requires. The Tenth Circuit affirmed the $100 per day penalty against the defendants in the total amount of $123,100, plus the award of nearly $70,000 in attorneys’ fees and costs. 

ERISA plan sponsors, particularly those within the Tenth Circuit’s jurisdiction of Colorado, Kansas, New Mexico, Oklahoma, Utah, and Wyoming, should be aware of this development. Sponsors of self-insured plans should review their administrative procedures to ensure that participant requests for documents under ERISA are addressed by service providers in a timely manner in order to avoid costly penalties and litigation fees. Furthermore, though the Tenth Circuit declined to rule on the merit of the MHPAEA claim due to the lack of standing in this particular case, it is important to note that the district court found that the application of additional guidelines for residential treatment facility claims did constitute an impermissible NQTL under MHPAEA. Self-insured group health plan sponsors should review their NQTL comparative analyses with their TPA, carrier, and/or counsel as needed.

M.S., et al. v. Premera Blue Cross, et al.

Currently, the Fifth Circuit Court of Appeals (Fifth Circuit) is considering an appeal by air ambulance providers Guardian Flight, LLC and Med-Trans Corporation (appellants) of a district court decision dismissing their claim against insurer Health Care Service Corporation (appellee). As reported in our July 30, 2024, edition of Compliance Corner, the appellants sought to compel payment of an amount awarded them under the CAA No Surprises Act (NSA) independent dispute resolution (IDR) process. However, the district court ruled that NSA IDR awards were unenforceable by federal courts, increasing existing concerns regarding the efficacy of the NSA IDR process.

The NSA, which took effect in 2022, protects health plan participants from surprise bills by limiting their cost-sharing (to in-network rates) for protected out-of-network (OON) emergency and air ambulance services and certain OON services at in-network facilities. As a result, OON healthcare providers must resolve the remaining OON bills with plans and carriers through arbitration (i.e., the IDR process) if negotiations are unsuccessful. However, the IDR process and related CMS guidance has been subject to numerous legal challenges by healthcare providers. These legal cases have caused disruptions in an IDR process already burdened by a much higher-than-anticipated volume of claims.

Additionally, the expectation was that the NSA and IDR process would largely result in OON rates becoming more aligned with the median contracted in-network rates for items or services in a particular geographic region, which are termed qualifying payment amounts (QPAs) under the NSA. But successful legal challenges by healthcare providers have resulted in the QPAs being emphasized less in the IDR process and calculated more favorably to providers; please see our prior article in the May 7, 2024, edition of Compliance Corner for further information.

Recent CMS reports on the IDR process illustrate how the actual IDR process has deviated from the original conception. (The NSA requires the DOL, IRS, and HHS to publish on a public website certain information about the IDR process, which is made available on the CMS IDR reports webpage.) The most recent report (for the second half of 2023) reflects that certified IDR entities (i.e., the arbitrators) contended with a large volume of disputes, making substantially more payment determinations than in the first six months of 2023. Significantly, the healthcare providers won the IDR process 82% of the time; health plans and insurers prevailed in only 18% of the disputes. Also notably, the prevailing offer was higher than the QPA in approximately 88% of payment determinations. However, as in the first half of 2023, the reports only reflect the activity of a small number of OON claims covered by the NSA and thus may not provide the complete picture.

Of course, it’s unknown at this time whether the Fifth Circuit will uphold the district court’s dismissal of the appellants’ claim. If so, Congress may act to address the enforcement of IDR rewards. In addition to the litigating parties, the Departments of Justice and Labor filed a brief in the case, asserting that the district court interpreted the NSA too narrowly and focused too much on the absence of a specific statutory provision authorizing a healthcare provider to seek federal judicial enforcement of an IDR reward. Regardless, from a plan sponsor’s perspective, the question remains as to whether the NSA will achieve the intended effect of lowering OON costs for group health plans as well as participants.

We will continue to monitor the litigation and CMS reports and provide relevant updates in Compliance Corner.

On September 25, 2024, in Knudsen v. MetLife Group Inc., the Third Circuit Court of Appeals (Third Circuit) affirmed the dismissal of a putative class action lawsuit claiming ERISA violations by defendant MetLife for its retention of prescription drug plan rebates. The Third Circuit found that the plaintiffs, who were former MetLife employees, had failed to allege the necessary financial harm to establish standing as required under Article III of the US Constitution.

In Knudsen, MetLife was the sponsor and plan administrator of a self-insured ERISA plan that offered various benefits, including prescription drugs, to employees and their families. The plan was funded by MetLife’s contributions and participant contributions toward premiums, which were held in several trusts. The plan contracted with a PBM to negotiate volume discounts and rebates with drug manufacturers. The plan document terms expressly stated that the rebates would be applied to plan expenses and would not be considered when calculating any copayments or coinsurance.

Nonetheless, the plaintiffs claimed that MetLife violated its ERISA fiduciary obligations by diverting $65 million in drug rebates from the plan to itself from 2016 to 2021. The plaintiffs alleged that MetLife’s misappropriation of plan funds caused participants to pay higher out-of-pocket (OOP) costs, primarily in the form of premiums, and that MetLife owed these funds to participants. They argued that if MetLife allocated the rebates to the plan, the amounts “may have” been used to reduce participant premium contributions or cost-sharing or been distributed to plan participants in proportion to their contributions to the plan. The plaintiffs asserted ERISA breach of fiduciary and prohibited transaction claims and alleged that MetLife violated ERISA’s anti-inurement provision.

MetLife filed a motion to dismiss the complaint alleging that the plaintiffs lacked Article III standing because they were not injured by how the rebates were used. The district court granted MetLife’s motion after concluding that the plaintiffs had failed to plead facts to show a personal injury-in-fact. The district court drew analogies between MetLife’s plan and the defined benefit retirement (aka pension) plan in Thole v. US Bank NA, in which the US Supreme Court explained that an alleged injury to a plan is not necessarily an injury to the participants themselves.

Upon appellate review, the Third Circuit first outlined the basic requirements to establish Article III standing; specifically, that a plaintiff must show 1) a personal injury-in-fact 2) caused by the defendant, and 3) that would likely be addressed by a favorable court decision. The injury-in-fact must be actual or imminent and not conjectural or hypothetical.

Next, the Third Circuit discussed Thole and agreed with the district court and MetLife that analogies could be made between a self-funded health insurance plan and a pension plan since in both situations the sponsor bears the financial risk of providing benefits to participants. Thole involved claims brought by pension plan participants alleging an injury due to the sponsor’s mismanagement of plan assets. In Thole, the Supreme Court held that participants had not established an injury-in-fact based on financial harm to the plan assets because they had received the fixed periodic payments they were entitled to under the plan, and the outcome of the suit would not affect their benefits.

However, the Third Circuit declined to hold that Thole categorically barred an ERISA plaintiff’s assertion of injury based on increased OOP costs. Accordingly, the Third Circuit disagreed with MetLife’s argument that under Thole, an ERISA group health plan participant, like a pension plan participant, has no injury unless they plead the denial of promised benefits (e.g., reimbursement of healthcare claims or a substantial likelihood that the benefits will not be paid) and that any increase in participants’ insurance costs is immaterial to the analysis. Rather, the Third Circuit indicated that a plaintiff could establish financial injury under other circumstances and suggested an example in which plan participants were charged more in premiums than allowed under the plan documents.

But in Knudsen, the Third Circuit determined that the plaintiffs had failed to demonstrate a concrete actual financial injury (i.e., that their increased OOP costs were due to MetLife’s retention of the rebates, and that they had an individual right to these withheld amounts). The Third Circuit noted that although the plaintiffs generally alleged that their OOP costs increased, they did not specify which OOP costs increased, in what years, or by how much. Nor did the complaint allege that under the plan documents, the drug rebates and/or plan asset value were used to calculate participant OOP costs. Therefore, based on the pled allegations, it was speculative that MetLife’s alleged misappropriation of drug rebate money resulted in the plaintiffs paying more for their health insurance or had any effect at all.

Consequently, the Third Circuit affirmed the district court’s dismissal of the complaint without prejudice but noted that the district court could exercise discretion on remand in responding to a request to amend it.

Following several high-profile ERISA fiduciary breach class action lawsuits brought against group health plan sponsors, the Third Circuit’s decision in Knudsen serves as an important reminder that Thole is still the law of the land. Thus, plaintiffs in these lawsuits may face significant difficulties in establishing Article III standing. Of course, the Third Circuit did not preclude the possibility of a plaintiff doing so on a particular set of facts. We will continue to monitor these legal developments and report any relevant updates in Compliance Corner. Regardless of the outcome of any litigation, group health plan sponsors should review their own ERISA fiduciary governance practices and ensure they are fulfilling their fiduciary obligations to their plans and participants, including following the terms of their plan documents.

Knudsen v. MetLife Group, Inc.

Certain pre-tax wellness arrangements that promise large tax savings for employers and employees with little employer investment (sometimes referred to as “wellness indemnity plans” or “FICA savings programs”) frequently lack a legitimate basis in tax law (the Internal Revenue Code (IRC)) and consequently are typically too good to be true. Unfortunately, marketing and other promotional materials regarding these cafeteria plan wellness arrangements can be vague and misleading, making it difficult to recognize an illegitimate program. Employers should always seek guidance from their tax advisor and/or legal counsel for any concerns about the legitimacy of a program, especially if it implicates the tax laws.

The Rules

The IRC establishes boundaries within which all employee benefit tax exclusions must operate. While wellness programs can be beneficial to employers and employees in many ways, they generally do not offer additional tax savings beyond those that would otherwise be available for a qualified benefit provided through a typical cafeteria plan. If an arrangement promotes “innovative design,” “huge tax savings,” or “essential benefits at no cost,” and/or is associated with a wellness program designed to supplement existing comprehensive coverage, it deserves careful examination.

The relevant IRC guidelines are as follows:

• Amounts that an employer pays for an employee’s health insurance premiums are generally excluded from taxation. This includes pre-tax salary reduction amounts paid through a cafeteria plan.
• Amounts paid or received for qualified medical expenses incurred by an employee (or spouse or dependent) are also generally excluded from taxation. Such amounts are excluded, however, only to the extent that they relate to an unreimbursed qualified medical expense. If there is no charge for the expense (e.g., completing a health risk assessment) or the expense is otherwise covered by a group health plan (e.g., preventive care services such as annual physicals and FDA-approved vaccinations), then the amounts received by program participants are not excluded from income and are considered taxable wages.
• Under a traditional wellness program, incentives or rewards are provided to employees for participating in “healthy activities” like filling out a health risk assessment, getting an annual physical, or engaging in a health-contingent program. Typically, a premium is not charged for participation. Incentives like cash awards and gift certificates are taxable and included in an employee’s income. Other incentives linked to a nontaxable benefit, such as a payment for an unreimbursed qualified medical expense, reduction in healthcare premiums, deductibles, or copays, or a contribution to an HSA, health FSA, or HRA, may be tax-free.

Purported Tax Savings — When It Sounds Too Good to Be True…

Many of these purported tax-saving designs appear to provide a wellness program that is in and of itself a medical reimbursement program (e.g., a group health plan) akin to an HRA or health FSA, where a pre-tax premium is paid to participate and a maximum tax-free reimbursement is provided, often equivalent to the tax-free premium paid.

However, payments or reimbursements from these programs may not be tied to legitimate qualified expenses. For example, the tax-free reimbursement might be for an expense already covered under the comprehensive medical plan (like a vaccination or physical) or an event for which no actual expense has been incurred (e.g., filling out a health questionnaire). In other words, a participant can’t have the same qualified medical expense reimbursed twice (i.e., “double-dipping”). There must be an actual unreimbursed qualified medical expense. Other potential issues with these programs include the lack of any insurance risk and overpayment of qualified medical expenses (i.e., the reimbursement is much larger than the expense).

In recent years, the IRS has issued several legal memoranda addressing these types of wellness indemnity arrangements that appear to exploit the nontaxable nature of wellness, group health, and cafeteria plans. The IRS is actively enforcing noncompliance with the tax law. There are significant taxes and penalties associated with improper income tax withholding and/or payment of employment taxes. We reported on the most recent IRS memo addressing one variation of these types of wellness programs in Compliance Corner.

Takeaways

The IRC rules on permissible employee benefit tax exclusions are well-established. Programs promoting innovative designs with substantial tax savings may instead set up improper withholdings and underpayment of employment taxes. Accordingly, employers should review the details and legal risks of any similarly promoted tax savings vehicles with their tax advisor and/or legal counsel before adding these to their employee benefits plans.

On September 19, 2024, in Dwyer v. United Healthcare Ins. Co., the United States Court of Appeals for the Fifth Circuit (the court) found that defendant United Healthcare (UHC) improperly denied benefits for the continuing treatment of a participant’s anorexia nervosa, disregarding both the plan’s own coverage terms and its claims and appeals procedures.

In this case, ED, the preteen dependent of plaintiff Kelly Dwyer, received inpatient care at a residential treatment facility that specializes in the treatment of eating disorders. After four months, UHC stepped down her treatment to partial hospitalization. Dwyer appealed this decision, but UHC denied the appeal. Despite ED’s continuing struggles, the facility’s doctors approved a three-day pass at home, during which her anorexia nervosa symptoms continued and her weight dropped. Nevertheless, UHC denied continued partial hospitalization treatment and discharged ED entirely in favor of outpatient-only treatment. ED’s doctors immediately objected, and Dwyer submitted an appeal, but UHC denied it on the grounds that the treatment was not medically necessary.

Simultaneously, Dwyer contested UHC’s payment of claims from the facility as out-of-network. The facility was covered by UHC’s so-called “MultiPlan benefit” and thus had a predetermined contract for services and rates. Dwyer’s plan through UHC participated in the MultiPlan program. UHC initially paid some claims from the facility at the MultiPlan rate, but most of them were paid as out-of-network. Dwyer repeatedly questioned UHC on this issue and eventually filed a detailed formal appeal. UHC acknowledged receipt of the appeal but did not respond.

First, the court rejected UHC’s argument regarding the lack of medical necessity for ED’s partial hospitalization treatment and ruled that “[UHC’s] denial letters are not supported by the underlying medical evidence. In fact, they are contradicted by the record.”

Second, the court emphasized that ERISA requires a full and fair review of benefit denials, including a “meaningful dialogue” between the administrator and the beneficiary. Here, the court found that UHC's denial letters fell short of these requirements by failing to explain how ED’s medical condition was evaluated under the plan’s provisions. In other words, given that UHC was provided with extensive information, its conclusory responses without citing the medical record did not afford a full and fair review.

Third, the court found that UHC failed to follow the administrative process by ignoring Dwyer’s appeal regarding the MultiPlan issue. (Incidentally, the court determined that UHC should have paid all facility claims at the negotiated MultiPlan network rate.)

In addition to causing potential issues under the MHPAEA, the exclusion and denial of benefits for the treatment of eating disorders is the subject of much ERISA litigation. Plan sponsors should ensure their claims administrators are exercising their discretionary authority carefully when adjudicating these (and other) claims and communicating their determinations to participants in a comprehensive manner. Benefit denial notices should be written in a way the average participant understands and should specify all information required by ERISA.

Dwyer v. United Healthcare Ins. Co.

HHS's Office for Civil Rights (OCR) has recently released its latest cybersecurity newsletter to remind HIPAA-covered entities, which include employer-sponsored health plans, and business associates (collectively, “regulated entities”), that physical security measures such as facility access controls are essential for HIPAA Security Rule compliance. These measures help prevent unauthorized access to electronic protected health information (ePHI) as the incidences of cyberattacks and breaches of ePHI are increasing.

The newsletter highlights the importance of implementing proper physical safeguards, including facility access controls. It notes that OCR received over 50 large breach reports (i.e., breaches of unsecured PHI involving 500 or more individuals), affecting over 1,000,000 individuals attributable to stolen equipment and devices containing ePHI from 2020 to 2023. These breaches involved equipment and devices such as workstations, servers, laptops, external hard drives, backup devices, flash drives, smartphones, and medical devices. Regulated entities should ensure that they have proper physical safeguards in place to deter and prevent unauthorized access.

The Facility Access Controls standard of the HIPAA Security Rule consists of four implementation specifications that must be considered when assessing the sufficiency of facility access controls:

• Contingency Operations. Regulated entities must establish a contingency plan to respond to an emergency or other occurrence that damages systems containing ePHI. Emergencies can include natural disasters (e.g., floods or fires) and human actions (e.g., malicious actions such as hacking and malware attacks and non-malicious actions). When developing contingency operations procedures, regulated entities can consider who requires access, who is responsible for the organization’s contingency plans, alternative means of accessing facilities and ePHI, and what activities and resources would be needed for diverse types of emergencies.
• Facility Security Plan. Regulated entities must establish policies and procedures to protect facilities and equipment from unauthorized physical access, tampering, and theft. When creating a facility security plan, regulated entities may consider how the following items are addressed in a plan: surveillance cameras, alarm systems, property control/inventory tags, employee/contractor ID badges and visitor badges, private security guards/patrols, facility escorts for visitors/contractors, and biometric, electronic, and/or mechanical security systems. Moreover, regulated entities may consider workforce training and annual reviews, updating the facility security plan, and testing the facility security plan.
• Access Control and Validation Procedures. Regulated entities must control and validate access to facilities based on an individual’s role or function, including visitor control and access to software for testing and revisions.
• Maintenance Records. Regulated entities must establish policies and procedures to document information and retain records about repairs and modifications made to the physical components of a facility related to security (e.g., hardware, doors, and locks).

The newsletter reminds regulated entities that the failure to implement facility access controls can result in a breach of PHI and potential enforcement actions by OCR.

Plan sponsors and fiduciaries should regularly evaluate their facility access controls standards to make sure that they include reasonable and appropriate contingency operations, facility security plans, access controls, policies and procedures, maintenance of records, and training of their workforce members on the facility security plan.

August 2024 OCR Cybersecurity Newsletter

On September 12, 2024, in Amy G. v. United Healthcare, the US District Court of Utah (the court) ruled that the denial of wilderness therapy benefits by defendants United Healthcare and United Behavioral Health (UBH) was arbitrary and capricious because UBH failed to provide a sufficient explanation and analysis for the denial, as required by ERISA. The court remanded the claim back to the defendants for reevaluation and redetermination.

In this case, AG, the minor child of plaintiffs Amy and Gary G., had received treatment for mental health conditions at Second Nature Wilderness Family Therapy (Second Nature). The child’s treatment included individual and group therapy sessions led by a psychologist, as well as other activities such as hiking, drawing, painting, music, and movement. The plaintiffs sought coverage for Second Nature’s services, which totaled about $47,045, through the self-funded group health plan sponsored by Amy G.’s employer, Geico Corporation. UBH, the plan’s mental health claims administrator, paid for the therapy sessions but denied coverage for the other services based on the plan’s exclusion of “experimental or investigational or unproven services.”

After exhausting the plan’s internal appeal process, the plaintiffs filed a complaint against UBH, which included a claim for benefits under ERISA. The plaintiffs alleged that UBH failed to follow the claim procedure requirements of ERISA and the plan, offered insufficient explanations and analysis to justify the denial of benefits, and wrongly determined their son’s wilderness treatment at Second Nature was experimental.

UBH maintained that they substantially complied with ERISA and the plan’s claim procedure requirements, and their decision to deny coverage for wilderness treatment was not an abuse of discretion. In determining that wilderness therapy was experimental, UBH largely relied upon a report by its internal Clinical Technology Assessment Committee (CTAC), which had extensively reviewed published literature, statements by professional societies, and government reviews and concluded that “wilderness therapy is recommended unproven, potentially unsafe, and not medically necessary for emotional, addiction, and/or psychological problems among children and adolescents.” Both parties sought summary judgment.

In reviewing UBH’s denial of benefits, the court applied the deferential arbitrary and capricious standard of review because the plan expressly granted UBH discretionary authority to decide benefits coverage and whether treatments are unproven. Although the plaintiffs’ suit involved three arguments, the court did not find the administrative record supported the first two arguments. The court then turned to the plaintiffs’ third argument that UBH failed to provide sufficient explanation and analysis for the denial of coverage and wrongly determined that their son’s treatment at Second Nature was unproven. The court explained that if the denial is based on an experimental treatment or similar exclusion or limit, the written benefits denial notice must include, among other items, an explanation of the scientific or clinical judgment for the determination, applying the terms of the plan to the claimant’s medical circumstances. The court observed that none of UHC’s denial letters included any explanation or analysis of how or why the specific services AG received at Second Nature qualify as wilderness therapy under the CTAC report. Nor did the notices provide any citations to AG’s medical records and facts or a clinical judgment applying the plan terms to his circumstances. Rather, UBH’s denial letters contained only conclusory statements that the treatment AG received at Second Nature was wilderness therapy.

Therefore, the court concluded that UBH’s determination that the plan excluded AG’s treatment was arbitrary and capricious. However, because it was unclear whether the plaintiffs were entitled to plan benefits for the treatment, the court remanded the case back to the defendants for reevaluation and redetermination.

Wilderness therapy exclusions are a subject of much litigation, with courts reaching different decisions based on specific claims. Plan sponsors should ensure their claims administrators are exercising their discretionary authority carefully when adjudicating these (and other) claims and communicating their determinations to participants in a comprehensive manner. Benefit denial notices should be written in a way the average participant understands and specify all information required by ERISA. As illustrated by this case, denials based on plan exclusions must include a clinical explanation as to why the exclusion applies to the specific claimant’s situation.

Plan sponsors should also be aware of the upcoming teleconference meeting hosted by the ERISA Advisory Council (council), which provides advice and guidance to the DOL, to discuss recommendations regarding health and welfare plan claim and appeal procedures. The meeting follows hearings hosted by the council where panelists expressed that the appeal process is often unnecessarily challenging for participants and in need of improvements.

Amy G. v. United Healthcare

On September 9, 2024, the DOL, HHS, and IRS (the departments) announced final rules implementing MHPAEA, specifically aimed at ensuring equitable access to treatments for mental health and substance use disorders as compared to medical and surgical treatments. The final regulations are extensive and build on the existing MHPAEA compliance requirements. Certain notable highlights are summarized below, including a new certification requirement by a named plan fiduciary (e.g., the sponsor of a self-insured plan).

Background: MHPAEA Compliance and NQTLs

Enacted in 2008, MHPAEA applies to group health plans and insurers that cover mental health/substance use disorder (MH/SUD) benefits. Self-insured plans sponsored by small employers (50 or fewer employees) and stand-alone retiree-only medical plans that do not cover current employees are exempt. Broadly, MHPAEA requires plans and insurers that cover MH/SUD benefits to provide such coverage on par with medical/surgical (MED/SURG) benefits. This means plans and insurers cannot impose financial requirements (e.g., deductibles, copays, coinsurance, or out-of-pocket maximums), quantitative treatment limitations (“QTLs”, e.g., number of covered days, visits, or treatments), or non-quantitative treatment limitations (“NQTLs”, e.g., coverage exclusions, prior authorization requirements, medical necessity guidelines, network restrictions, or reimbursement rates) on MH/SUD benefits that are more restrictive than those applied to MED/SURG benefits.

Since the law was passed in 2008, MHPAEA enforcement has been a challenge for insurers, employers, regulators, and courts. The departments have reported a significant amount of noncompliance regarding the design and application of NQTLs that ultimately resulted in restricted access for MH/SUD benefits. To address this, the Consolidated Appropriations Act, 2021 (CAA, 2021) included an amendment to MHPAEA requiring that applicable group health plans and insurers document compliance with the law by providing an NQTL comparative analysis beginning February 10, 2021. Plans must make their comparative analysis available to the departments, applicable state agencies, or participants upon request.

In the preamble to the final rules, the departments chronicle America’s mental health crisis and describe pervasive barriers to access MH/SUD treatment, despite MHPAEA protections. While the departments have prioritized MHPAEA enforcement over the last few years, they continue to encounter widespread noncompliance, especially with respect to the design and application of NQTLs that apply to MH/SUD benefits. The departments’ comparative analyses reviews revealed that many plans and issuers had not carefully designed and implemented compliant NQTLs. (See our previous Compliance Corner articles on the 2023 Report to Congress and FY 2022 Enforcement Fact Sheet for more information.)

Final Rules: Key Provisions for Plan Sponsors

The final rules are extensive and focus on NQTLs, offering compliance guidance to plans and insurers. They have been partly modified to reflect the thousands of stakeholders’ comments the departments received.

To ensure MHPAEA compliance, including for purposes of preparing and/or reviewing NQTL comparative analysis, plans must:

• Ensure that the definitions of MH/SUD conditions used in coverage terms are consistent with the most current version of the International Classification of Diseases (ICD) or Diagnostic and Statistical Manual of Mental Disorders (DSM).
• Offer meaningful benefits that include at least one “core treatment” for each MH/SUD condition in every classification in which MED/SURG benefits are offered (those classifications being in-network outpatient, in-network inpatient, out-of-network outpatient, out-of-network inpatient, emergency care, and prescription drugs). The final regulations define core treatment as a standard treatment indicated by generally recognized independent standards of current medical practice.
• Ensure that the factors and evidentiary standards used to design NQTLs do not discriminate against MH/SUD conditions. This refers to biased factors or standards, rather than those based on reliable and independent sources.
• Collect and evaluate relevant outcomes data and take reasonable action to address material differences in access to MH/SUD benefits as compared to MED/SURG benefits.
• Include specific elements in the plan’s NQTL comparative analysis and make available to the departments, an applicable state authority, or participants upon request.

Fiduciary Certification

For ERISA plans, the final regulations require a named plan fiduciary – typically the insurer in a fully insured plan or an employer sponsoring a self-insured plan – to certify that they have engaged in a “prudent process” to select at least one qualified service provider (e.g., TPA) to complete the plan’s comparative analysis. The plan must also monitor the service provider’s work. Specifically, the DOL expects that a plan fiduciary will take an active role in the process by – at a minimum – reviewing the comparative analysis, confirming and understanding the findings, and seeking assurances from the service provider(s) that the plan’s NQTLs and comparative analysis comply with MHPAEA. These duties align with the general duties that ERISA imposes on plan fiduciaries.

Applicability Dates

While the final rules are generally applicable to group health plan years beginning on or after January 1, 2025, certain new requirements that will take more time to implement (e.g., those relating to the provision meaningful benefits, prohibition on discriminatory factors and evidentiary standards, evaluation of outcomes data, and related comparative analysis requirements) are applicable for plan years beginning on or after January 1, 2026.

Role of Insurers and TPAs

While MHPAEA compliance is directly applicable to health insurance issuers and group health plans, the departments view both issuers and TPAs as best situated to conduct the required comparative analyses. Since they already manage the same claims administration framework and provider networks across many plans, these entities are equipped to implement existing efficiencies to generate comparative analysis of NQTLs under their plan design and networks. The departments expect this will reduce the compliance burden on group health plan sponsors.

Specifically, with respect to fully insured plans, the departments observed that insurers, as the designers of the products and claims administrators, make decisions about which NQTLs to use and how to implement them. Insurers also typically own claims data and other data related to plan administration. Accordingly, the departments assume that insurers will complete the NQTL comparative analysis for fully insured plans.

With respect to self-insured plans, the departments observed that TPAs and insurance companies providing administrative services only (ASO) overwhelmingly design the plans, administer the networks, manage claims, provide plan services, maintain and hold the data relevant to the comparative analysis, and therefore drive MHPAEA compliance. Accordingly, they are typically in the best position to generate the NQTL comparative analyses for their self-insured clients. While not directly subject to the comparative analysis requirements like insurers, the departments expect that TPAs will perform most of the work associated with the analyses because they can do so at the lowest cost and greatest scale. That said, self-insured plans are directly responsible for the comparative analysis under MHPAEA and may need to take additional steps (e.g., hiring an expert) to address unique plan issues.

Employer Takeaways

Even if steps towards MHPAEA compliance have not been taken in the past, employers should connect with their insurers and TPAs to inquire about assistance with a comparative analysis. While many provisions in these final rules are not applicable until 2026, the comparative analysis requirement is in effect today. These final rules will likely prompt insurers and TPAs to take a more active role in supporting employer-provided group health plans. MHPAEA enforcement will continue to be a top priority for the departments. It’s important not to overlook this requirement.

Fully insured employers should confirm the insurer’s obligation to comply with MHPAEA is acknowledged in the carrier agreement. Insurers are directly subject to MHPAEA’s comparative analysis requirements, so assurances of compliance should be readily available.

Self-insured employers should confirm that any administrative services agreements with their TPAs address responsibility for MHPAEA compliance. If necessary, these agreements should be amended to address how the TPA will support the plan’s NQTL comparative analysis. If the TPA will not provide the comparative analysis, then a self-insured plan will need to work with legal counsel or a qualified vendor to satisfy the requirements. Importantly, self-insured employers should evaluate the sufficiency of their TPA’s or other vendor’s comparative analysis with their legal counsel and take steps to remove any problematic NQTLs.

The departments indicated that updated guidance and compliance assistance materials will be released in the coming months. In addition, the rules may be challenged in court before becoming fully applicable. We will continue to report on any notable developments in Compliance Corner.

• Final Rules
• Fact Sheet
• New Mental Health and Substance Use Disorder Parity Rules: What They Mean for Plans and Issuers
• News Release

On September 9, 2024, the IRS published Revenue Procedure 2024-35, which provides the employer contribution percentage requirements applicable for plan years beginning in calendar year 2025 and the 2025 premium tax credit (PTC) table.

The ACA’s employer-shared responsibility rules (also known as the employer mandate) require an employer to provide affordable, minimum-value coverage to its full-time employees. The IRS required contribution percentage is used to determine whether an employer-sponsored health plan offers an individual affordable coverage, and the affordability percentage is adjusted for inflation each year. In addition, the ACA also provides a refundable PTC, based on household income, to help individuals and families afford health insurance through insurance exchanges. The IRS provides the PTC percentage table for individuals to calculate their PTC.

In 2025, the ACA's affordability percentage will increase significantly to 9.02% (up from 8.39% in 2024). For the employer mandate and affordability, this means that an employee’s required premium contribution toward single-only coverage under an employer-sponsored group health plan can be no more than 9.02% of the federal poverty line (FPL) or of an employee’s W-2 income or rate of pay (depending on which of the three affordability safe harbors the employer is relying upon). Under the 2025 affordability threshold, the maximum employee cost-share for the lowest-cost self-only coverage that will satisfy the FPL affordability safe harbor will be $113.20/month (for plan years that begin in 2025 prior to July 2025). Note that the monthly FPL amount is slightly higher for Alaska and Hawaii.

The 2025 PTC table used to determine an individual’s eligibility for PTCs is provided below. (These percentages are used to calculate the maximum amount an individual must pay for their health insurance premiums, with the remainder covered by the premium tax credit.) However, if the ALE offers affordable minimum value coverage to full-time employees, the employees will not be eligible for a premium tax credit.

Employers should be mindful of the upcoming 2025 affordability percentages and make sure that the premium offerings for 2025 remain affordable for full-time employees to avoid any employer-shared responsibility penalties.

For further information on the affordability requirements, please ask your broker or consultant for a copy of our NFP publications ACA: Employer Mandate Penalties and Affordability and Cost-Share Contribution Models: A Guide for Employers.

Revenue Procedure 2024-35

On August 28, 2024, the IRS issued a reminder that principal and interest charges on employees’ qualified education loans are eligible expenses under educational assistance programs. Prior to March 27, 2020, eligible expenses were limited to items such as current tuition, fees, books, supplies, etc.; student loan repayment was not a qualified expense until after that date. After March 27, 2020, employers can either reimburse the employee or pay the lender directly for qualified education loan expenses up to the $5,250 annual limit. Currently, this provision is set to expire December 31, 2025.

As we reported in Compliance Corner in July, the IRS issued FAQs on educational assistance programs, which included FAQs addressing questions on qualified education loans and how employers can make those payments. Employers who sponsor or are considering sponsoring educational assistance programs should be aware that student loan repayment expenses are currently qualified expenses at least through December 31, 2025.

IRS Reminder: Employer Educational Assistance Programs Can Still Be Used to Help Pay off Workers’ Student Loans Through Dec. 31, 2025

On August 22, 2024, in Synoracki v. Alaska Airlines, the US Court of Appeals for the Ninth Circuit (Ninth Circuit) ruled that a class action lawsuit brought by pilots seeking additional benefit accruals during periods of military leave must be reconsidered in light of its recent decision in Clarkson v. Alaska Airlines, Inc, which involved similar allegations. The Ninth Circuit vacated in part the district court’s prior grant of summary judgment for the airline and remanded the case for reevaluation.

In this case, the plaintiffs, a group of Alaska Airlines pilots, sued their employer under USERRA for failing to provide paid sick leave and vacation accruals during periods of military leave. As background, USERRA applies to all employers regardless of size and prohibits employers from discriminating and retaliating against employees or applicants because of their military status or military obligations. Further, and of significance here, USERRA requires employers to provide employees on military leave with the same rights and benefits provided to other employees on comparable non-military related leaves of absence. Specifically, the plaintiff’s complaint alleged that employees who take paid sick leave and jury duty leave (i.e., non-military leaves of absence) are afforded the benefit of paid sick time accrual and vacation time accrual; therefore, Alaska Airlines pilots on military leave should also have been given the same benefits under USERRA.

The Washington district court granted the airline’s motion for summary judgment, holding the pilots’ military leave was not comparable to other paid short-term leave. However, the district court ruling was issued prior to the Ninth Circuit’s decision in Clarkson, which held that when assessing USERRA violations, an examination of the length of the specific military leave at issue, rather than a categorical, “one-size-fits-all" approach to military leave, is the correct approach when assessing leave comparability.

The federal courts of appeal that have addressed short-term paid military leave under USERRA have consistently ruled in favor of employees in active military service. (See Scanlan, et al. v. American Airlines and Myrick v. City of Hoover.) For employers, these recent USERRA short-term paid military leave decisions highlight the importance of reviewing military leave and administration policies, including with respect to the comparability of military leave in relation to non-military leaves such as paid sick leave, jury duty, bereavement, and vacation. Given the increased litigation in this area, employers should also monitor for further developments that may impact their USERRA leave administration.

Synoracki v. Alaska Airlines

On August 19, 2024, the United States Court of Appeals for the Sixth Circuit (Sixth Circuit) held that the federal common law prevented the named beneficiary of ERISA group life insurance from benefiting from his murder of the insured and a co-beneficiary.

In November of 2016, Joel M. Guy, Jr. murdered his mother, the named insured of an employer-sponsored group life plan which named Guy as one of the two beneficiaries, and his father, the other named beneficiary, in their Knoxville, Tennessee, home, in order to collect the $500,000 life benefit that would be made available to him if both of his parents were dead.

The evidence presented against Guy at trial was overwhelming, including Guy’s own handwritten notes detailing his plans, including his financial motivation (e.g., “He’s not alive to claim her half of the insurance money — all mine ($500.000)”). Consequently, a Tennessee jury found Guy guilty of two counts of first-degree premeditated murder along with other offenses, and Guy was sentenced to two consecutive life terms plus four years in prison.

Standard Insurance Company, which provided the Tennessee-sitused group life insurance policy, denied Guy’s claim for the benefits because Tennessee “slayer statute” provides that “[t]he felonious and intentional killing of the decedent . . . [r]evokes any revocable . . . [d]isposition or appointment of property made by the decedent to the killer in a governing instrument.” Standard, therefore, intended to distribute the proceeds to Guy’s aunt, uncle and half-sisters instead, as they would be the appropriate substitute beneficiaries under the terms of the policy.

Undeterred, Guy argued that ERISA preempted Tennessee’s slayer statute and that, therefore, he remained entitled to the proceeds, after which Standard filed an interpleader action in federal district court to determine who the rightful beneficiary or beneficiaries would be. The court reasoned that since ERISA “does not address the proper designation of beneficiaries where a beneficiary feloniously kills the insured,” either Tennessee law or federal common law would dictate the decision. And since both Tennessee law and federal common law would disqualify Guy (because both have “slayer rules”), he would be disqualified, with no need to directly address the preemption issue.

Guy appealed to the Sixth Circuit, arguing that since ERISA compels unwavering adherence to plan documents when it comes to beneficiary designations and since his mother’s plan was silent on how to handle a slayer scenario, the administrator must pay a slayer who is named as a beneficiary pursuant to the plan documents.

While acknowledging ERISA’s broad preemptive scope as well as its own longstanding position that “the designation of beneficiaries plainly relates to ERISA plans,” the Sixth Circuit nevertheless affirmed the district court’s ruling. Like the lower court, the Sixth Circuit did so without resolving the preemption issue, reasoning that the outcome of the case would not change whether ERISA preempted the slayer statute or not. The Sixth Circuit observed that federal courts “have long applied the common-law slayer rule in the insurance context,” and so, even assuming ERISA did preempt the statute, federal common law principles would still prevent Guy from getting the proceeds just as the statute would have.

Federal courts will often employ common law concepts and principles to decide ERISA cases where the language of ERISA itself may not be sufficient to address the issue at hand, especially when, as here, a strict reliance on the wording of the statute alone would result in a manifestly unjust outcome. While the federal common law “slayer rule” itself may have little practical application in the day-to-day employer or plan sponsor context, this case nevertheless provides a useful reminder that employee benefit plans governed by ERISA are for that very reason also subject to the precepts of federal common law.

Standard Insurance Company v. Guy

HHS recently announced inflation-adjusted penalty amounts related to violations of Summary of Benefits and Coverage (SBC), Medicare Secondary Payer (MSP), and HIPAA privacy and security rule requirements. These new penalty amounts are calculated based on a cost-of-living increase of 1.03241% and are applied to penalties assessed on or after August 8, 2024, for violations occurring on or after November 2, 2015.

Summary of Benefits and Coverage (SBC)

The ACA requires insurers and group health plan sponsors to provide SBCs to eligible employees and their beneficiaries before enrollment or re-enrollment in a group health plan. The maximum penalty for a health insurer or plan's failure to provide an SBC has increased from $1,362 to $1,406 per failure.

Medicare Secondary Payer (MSP) Rules

The MSP provisions prohibit employers and insurers from offering Medicare beneficiaries financial or other benefits as incentives to waive or terminate group health plan coverage that would otherwise be primary to Medicare. The failure to comply with the MSP rules has increased from $11,162 to $11,524.

In addition, the maximum daily penalty for the failure of an insurer, self-insured group health plan, or a third-party administrator to inform HHS when the plan is or was primary to Medicare has increased from $1,428 to $1,474.

HHS Administrative Simplification

The HIPAA administrative simplification regulations provide standards for privacy, security, breach notification, and electronic healthcare transactions to protect the privacy of individuals' health information.

The penalty amounts vary depending on a violator’s level of culpability and are broken down by HIPAA's four-tiered penalty structure, as summarized in the following chart:

With this latest increase in penalties, employers should review their compliance with SBC, MSP, HIPAA, and other employee benefits compliance requirements to help prevent agency audits and potential penalties.

HHS Adjustment of Civil Monetary Penalties for Inflation and the Annual Civil Monetary Penalties Inflation Adjustment for 2024

On August 5, 2024, the Seventh Circuit Court of Appeals (Seventh Circuit) affirmed the district court’s ruling in favor of insurer Group Health Cooperative (the defendant) when they denied claims for therapy treatment brought by parents on behalf of their autistic child (plaintiffs) based upon then-current medical literature.

The plaintiffs asked the defendant health insurer to pay for certain treatments for their autistic child that occurred between 2017 and 2019. The defendant refused to pay since the medical literature at the time did not support speech therapy as a treatment for autism for a child at the relevant age and did not support the use of sensory integration therapy (a form of occupational therapy) as a treatment for autism at any age. The defendant began covering these treatments after 2020, when the medical literature changed; however, they did not cover the plaintiffs’ earlier claims. After exhausting their administrative appeals, the plaintiffs sued the defendant and alleged violations of ERISA, state law regarding the coverage for autism, and the MHPAEA. The district court found that the defendant could rely on the relevant medical literature at the time the claims were made and ruled in favor of the defendant.

The plaintiffs’ appeal focused on the alleged violation of MHPAEA. The plaintiffs argued that the insurer's requirement for treatments to be "evidence-based" was applied more stringently to mental health benefits for autism than to medical benefits, violating MHPAEA. In support of this argument, the plaintiffs compared the therapies at issue in the case with chiropractic care for musculoskeletal conditions in pediatric patients, a treatment that the defendant did cover, and which the plaintiffs contended lacked scientific support. The district court, however, found that the insurer's policies reflected the differing focus of medical literature on autism and musculoskeletal conditions, with the former often considering efficacy by age due to the nature of autism diagnosis and treatment. The court concluded that the insurer was entitled to rely on the available medical literature when determining treatments to cover if the process applied to both mental health and medical benefits.

In addition, the plaintiffs focused on only one medical benefit to compare to the therapies at issue in the case. The court determined that MHPAEA requires that treatment limitations applicable to mental-health benefits be no more restrictive than treatment limitations “applied to substantially all” medical and surgical benefits covered by the plan. Although the court did not determine exactly what “substantially all” meant in this context, they did conclude that it meant more than one. The court concluded that the plaintiffs could not establish that substantially all medical benefits under the plan were less restrictive by comparing the treatment limitations of just one medical treatment with the therapies at issue with the case. Ultimately, the insurer's practices were deemed consistent with the MHPAEA, as the act allows for reliance on medical literature when assessing treatments, regardless of the type of benefit, and the Seventh Circuit affirmed the district court’s ruling in favor of the defendant.

Employers should be aware that plans can rely on current medical literature when determining whether a particular treatment or therapy can be covered. Additionally, employers should compare their mental health benefits to substantially all medical and surgical benefits covered by their plan to evaluate whether mental health benefits are in parity with medical and surgical benefits.

Midthun-Hensen on behalf of K.H. v. Grp. Health Coop. of S. Cent. Wisconsin, Inc.

On August 20, 2024, representatives Robert Scott and Mark DeSaulnier, ranking members, respectively, of the House Committee on Education and the Workforce and the Subcommittee on Health, Education, Labor, and Pensions, sent a letter to the DOL’s Employee Benefits Security Administration (EBSA) assistant secretary Lisa Gomez asking for increased oversight on group health plan service providers. In part, the letter stems from a springtime New York Times (NYT) investigation into a data analytics company, which alleged the company engaged in harmful business practices, including hidden service provider costs, lower provider reimbursements, and self-dealing compensation practices, which ultimately left plan participants footing the bill.

The letter emphasizes that ERISA plan sponsors have a fiduciary obligation to exercise prudence in the selection and monitoring of plan service providers and to ensure all plan fees and reimbursement practices are reasonable. It notes that despite the enactment of the CAA 2021 transparency regulations and, particularly, the service provider compensation disclosure requirements, the meaningfulness of such disclosures remains uncertain. Details from the NYT findings and pending lawsuits indicate that some plans and participants may still be incurring higher-than-expected costs.

The representatives asked EBSA to respond to specific questions related to the enforcement of CAA 2021 service provider disclosures, the applicability of service providers’ ERISA fiduciary duties, and a request for additional guidance on service provider disclosures. The letter also requests an update on the EBSA’s existing service provider working group.

The letter serves as an important reminder to plan sponsors of their ERISA fiduciary duties to prudently select and monitor their plan service providers and the compensation they receive. Specifically, sponsors should ensure they timely receive and carefully review the CAA 2021 compensation disclosures from their plan service providers and document the review process. As we have already seen with respect to retirement plans, establishing a prudent process for evaluating service provider compensation can greatly assist plan sponsors in responding to potential litigation regarding excessive fees or a regulatory inquiry. We will be closely monitoring for any additional EBSA guidance, updates, or enforcement actions undertaken in response to this request.

Scott, DeSaulnier Letter to DOL Re: MultiPlan

On July 29, 2024, in Mullins v. CONSOL Energy Inc. Long Term Disability Plan, the Third Circuit Court of Appeals (Third Circuit) held that the termination of a coal miner’s ERISA long-term disability benefits by the claims administrator, Lincoln Financial Group (Lincoln), was not based on substantial evidence in the record and was therefore an abuse of discretion. The Third Circuit vacated the prior district court judgment upholding Lincoln’s termination decision and remanded the case back to the district court for reinstatement of the miner’s benefits.

In 2015, Timothy Mullins was working as a section supervisor at a coal mine owned by CONSOL Energy, Inc. (Consol) when he sustained an ankle injury and sought benefits from Consol’s disability plan (the plan). The plan provides two phases of disability benefits to eligible employees. The first phase covers up to 12 months of the employee being unable to perform their own occupation (the own occupation period). The second phase covers the subsequent period when the employee cannot perform any other suitable employment (the other occupation period). The plan defined total disability as an employee being either “unable to perform the material and substantial duties of [his] regular occupation or any reasonable alternative offered by the Company” during the own occupation period or “completely unable to engage in any suitable employment” during the other occupation period.

Initially, Mullins was granted disability benefits under the plan. But in 2020, Lincoln terminated the benefits after determining, based on medical evaluations and a 2019 vocational assessment (also known as a transferable skills analysis (TSA)), that Mullins did not have a total disability that prevented him from working at any suitable occupation as required by the plan. Rather, Lincoln decided Mullins could perform suitable sedentary employment because his medical records specified that he could work with some physical limitations, and the TSA indicated he had the qualifications for three alternative jobs.

Following the termination of benefits, Mullins filed a two-count ERISA complaint against the plan alleging wrongful denial of benefits and improper offset of benefits due to Social Security disability benefits. The district court granted summary judgment for the plan, holding that Lincoln’s benefits denial was backed by substantial medical and vocational evidence and was not an abuse of discretion. Mullins appealed.

On appeal, the Third Circuit explained that Lincoln’s determination that Mullins did not suffer a total disability must have been based on adequate evidence that Mullins had both the physical capacity and the relevant education, training, or experience for alternative employment. With respect to physical capacity, the Third Circuit observed that Lincoln relied upon two peer reviews by board-certified physicians who had reviewed at least 35 different medical records and test results, described each examined record, and provided an analysis that concluded Mullins was capable of limited, sedentary work. Mullins did not offer evidence from his treating physicians to dispute this conclusion. Accordingly, the Third Circuit affirmed that Lincoln’s determination with respect to Mullin’s physical capacity was reasonable and supported by substantial medical evidence.

The Third Circuit then considered whether Mullins could satisfy the relevant educational, training, or experience requirements for alternative employment. Significantly, the Third Circuit noted that the 2019 TSA incorrectly reflected Mullin’s job as a mine superintendent instead of a section supervisor. At Consol, the mine superintendent position was held by an individual with two college degrees and prior supervisory experience. According to the DOL job description, the mine superintendent role included duties like reviewing survey reports and geological records, calculating mine operation costs, and reading and enforcing mining laws and safety regulations. However, Mullins had never been a mine supervisor and had only completed the tenth grade and obtained a GED. Additionally, his role as section supervisor involved the “use of hand tools,” the “operation of equipment,” and “obtaining and seeing to the appropriate use of equipment, facilities, and materials to do certain work.”

Similarly, the three alternative roles suggested by the 2019 TSA – production planner, supervisor of terminal operations, and branch manager – required work experience (e.g., production analysis, mathematical calculations, revenue report reviews, budget planning) and an educational background that Mullins did not have. Accordingly, the Third Circuit determined that the district court erred in concluding that section supervisor and mine superintendent are similar managerial positions, noting that that “is a bit like saying that because a TSA lists the skills ‘teaching,’ ‘lesson planning,’ and ‘grading students’ work,’ there is no difference between an elementary school teacher and a university professor.”

The Third Circuit concluded that Lincoln and Consol abused their discretion by failing to identify suitable alternative jobs, based on substantial evidence, as required under the plan before benefits can be terminated. Accordingly, the Third Circuit vacated the district court’s decision and remanded the case for entry of summary judgment in favor of Mullins, retroactive reinstatement of Mullin’s benefits, and determination of the correct amount of a Social Security offset.

This case serves as an important reminder that ERISA plan administrators must exercise their discretion carefully, especially when reviewing claim appeals. They should ensure their decisions are in accordance with the plan terms, substantiated by the evidentiary record, and based on accurate and relevant information. As this case illustrates, failure to adhere to ERISA’s requirements can result in unfair outcomes for plan participants and undesired litigation and adverse court rulings for plan sponsors.

Mullins v. Consol Energy Inc. Long Term Disability Plan (PDF)

On August 2, 2024, the Fifth Circuit Court of Appeals (Fifth Circuit) affirmed the district court’s decision to vacate regulations promulgated by three federal agencies: the DOL, HHS, and IRS (the agencies). The regulations established priorities for independent arbitrators appointed to resolve disputes between healthcare providers and payors through an Independent Dispute Resolution (IDR) process established under the No Surprises Act (NSA).

The IDR process is the subject of ongoing litigation between the Texas Medical Association and the federal government. In this case, the issue revolved around the qualifying payment amount (QPA), which is the median in-network rate for a given service in each market. The QPA is one of several factors that independent arbitrators must consider when determining the appropriate payment for services provided out-of-network. At the district court level, the plaintiffs argued that the government’s rules placed too much emphasis on the QPA. The district court agreed with the plaintiffs, determining that the agencies did not follow legislative intent when they promulgated these rules. As a result, the district court vacated the rules and remanded the matter back to the agencies to rewrite them. We covered this controversy in an article in the February 14, 2023 edition of  our Compliance Corner.

The agencies appealed, and the Fifth Circuit affirmed the trial court’s decision. Although the agencies argued that they properly interpreted the NSA, the Fifth Circuit determined that nothing in the NSA gave the agencies the authority to put more emphasis on one factor over other factors when determining the appropriate payment amount. Citing a recent Supreme Court case, Loper Bright Enters. v. Raimondo, which provides courts more latitude when adjudicating agency rules, the Fifth Circuit concluded that the NSA did not bestow upon the agencies the authority to set substantive standards for arbitrators. In this case, the Fifth Circuit determined that the agencies exceeded their authority by:

• Requiring arbiters to consider the QPA first.
• Requiring arbiters to disregard information deemed not credible or unrelated or that is already accounted for in the QPA.
• Requiring arbitrators to explain why they deviated from the QPA in coming to their decision.

The Fifth Circuit concluded that these requirements had the effect of placing the QPA above all other factors that arbiters must consider. Since the NSA did not expressly grant the agencies the authority to do this, the rules must be vacated.

This ruling puts another log on the fire that is the IDR process. This process's status is in constant flux, and there is uncertainty about how the growing number of payment disputes will be resolved. Although this case does not explicitly halt the IDR process, it is not unreasonable to expect the agencies to pause the process while they figure out what to do next, which will likely create more backlog and uncertainty. Accordingly, employers should be aware of this issue.

Texas Med. Ass’n v. HHS

Recently, in Tanner v. Stryker Corp. of Michigan, the US Court of Appeals for the Eleventh Circuit (Eleventh Circuit) affirmed a lower court’s ruling that a non-birthing parent does not have a right to protection under the FMLA prior to the birth of a child.

As background, the plaintiff was expecting a child with his former girlfriend who lived out of state. The plaintiff requested leave under FMLA to travel and await the birth of the child. However, his employer advised that FMLA for the birth of the child does not begin until the day the child is born and therefore any leave taken prior to the birth must be taken under the employer’s existing PTO or sick-time policies. The plaintiff traveled for the birth and exhausted his accrued PTO and sick time prior to the birth. The plaintiff was out of state and unable to work while continuing to await the birth. Under the employer’s attendance policy, absence from work without using accrued PTO or sick time may lead to disciplinary action up to and including employment termination.

The plaintiff sued his employer for both interference with his rights under FMLA and for retaliation. The trial court ruled in favor of the employer, holding that the employee is not entitled to FMLA leave prior to the birth of the child and that termination was in accordance with employer policy. The plaintiff appealed this decision, and the Eleventh Circuit affirmed the trial court’s ruling. In its ruling, the Eleventh Circuit wrote that the facts of this case were quite narrow as to whether FMLA provides “an expectant parent who is neither pregnant nor married to a pregnant spouse with pre-birth leave,” to which the court affirmed the requested leave did not fall under FMLA protection.

While matters of FMLA fall into employment law rather than employee benefits, it is important for employers to ensure FMLA is administered correctly and consistently. This case is a helpful reminder to employers to carefully review the facts of an employee’s specific situation prior to making a determination under FMLA.

Tanner v. Stryker Corp. of Michigan »

On May 30, 2024, the federal district court in the Northern District of Texas issued an order granting Health Care Service Corporation's (HCSC) motion to dismiss the claims of plaintiffs Guardian Flight LLC and Med-Trans Corporation against HCSC.

Plaintiffs are air ambulance providers who provided services out-of-network and went through the Independent Dispute Resolution (IDR) process with the defendant to settle a payment dispute. Established under the No Surprises Act (NSA), which protects patients from surprise medical bills and balance billing, the IDR process is a dispute resolution system for when healthcare providers and insurers dispute surprise medical bills. The plaintiffs claimed that HCSC failed to pay the awards determined through the IDR process, that HCSC improperly denied benefits to its beneficiaries by failing to pay the IDR awards, and that they did not provide HCSC with any direct benefit.

The district court concluded that the NSA does not provide a private cause of action to enforce an IDR award and convert that award to a final judgment, and that the court lacks subject-matter jurisdiction over the ERISA claim because the plaintiffs do not have standing to bring that claim. (Note that a district court in New Jersey came to an opposite conclusion in 2023 and determined the Federal Arbitration Act did provide a mechanism to enforce IDR awards.)

However, the plaintiffs are appealing the district court decision. On June 21, 2024, the plaintiffs filed a notice of appeal of the district court’s final judgment (and from all orders and decisions encompassed therein) to the Fifth Circuit Court of Appeals.

Plan sponsors should be aware of this development. From a sponsor’s perspective, the question remains as to whether and to what extent the NSA will achieve the intended effect of lowering out-of-network costs for group health plans as well as participants. The NSA envisioned that the NSA and IDR process would largely result in out-of-network rates becoming more aligned with the median contracted in-network rates for items or services in a particular geographic region, which are termed qualifying payment amounts (QPAs) under the NSA. But successful healthcare provider legal challenges have resulted in the QPAs being emphasized less in the IDR process and also calculated more favorably to providers; please see our prior article in the May 7, 2024 edition of Compliance Corner for further information. Accordingly, the recent district court decision just adds additional uncertainty regarding the IDR process and whether the NSA’s cost-saving goals will be achieved.

• Northern District of Texas Memorandum Opinion and Order »
• Northern District of Texas Plaintiffs' Notice of Appeal »

On July 3, 2024, the US District Court for the Southern District of Mississippi issued a stay on the effective date of parts of the final rule issued by HHS on May 6, 2024 (the May 2024 Rule), that applies the ACA Section 1557 nondiscrimination provisions to discrimination on the basis of gender identity. For more information on this rule, see the article in the May 7, 2024, edition of Compliance Corner. 

The May 2024 Rule was scheduled to take effect on July 5, 2024. On May 30, 2024, the states of Tennessee and Mississippi joined with 13 other states to file a complaint for declaratory and injunctive relief from the rule on the grounds that it exceeded HHS’ statutory authority in violation of the Administrative Procedures Act (APA). 

In the midst of this litigation, and just one week before the May 2024 Rule’s effective date, the Supreme Court of the United States issued its ruling in Loper Bright Enterprises v. Raimondo, holding that federal agencies were no longer entitled to the deference accorded to them by its 1984 decision in Chevron, U.S.A., Inc. v. Natural Resources Defense Council, Inc.  

With its two-step framework for judicial review of agency rules (sometimes called the “Chevron Two-Step”), Chevron had been the linchpin of federal administrative law upon which courts have relied for decades. Using the Chevron Two-Step analysis, courts would first determine whether Congress directly spoke to the precise question at issue through the language of the applicable statute (the first step). If so, then that ended the analysis. If not, then, using the second step (sometimes called “Chevron deference”) the court would determine whether the agency’s interpretation with respect to the specific issues was based upon a reasonable or permissible construction of the statute. 

The Loper Bright court overturned Chevron, holding that the APA requires courts to exercise their independent judgment in deciding whether an agency has acted within its statutory authority, rather than deferring to an agency’s interpretation simply because statutory language is ambiguous.  

The Mississippi court issued its injunction just three days after the Loper Bright ruling and relied primarily upon Loper Bright’s rejection of Chevron’s deference for its decision. In the court’s view, the May 2024 Rule unreasonably conflates the phrase “on the basis of sex” from Title VII of the Civil Rights Act of 1964 (Title VII) and upon which the Supreme Court relied to prohibit employment discrimination on the basis of being gay or transgender in Bostock v. Clayton County with “on the basis of gender identity” in its May 2024 Rule prohibiting discrimination on that basis under ACA Section 1557 and for that reason stayed the rule’s July 5, 2024 effective date. 

HHS is all but certain to appeal the court’s decision to the Fifth Circuit, including a request for a lifting of the stay or, short of that, restrictions upon its jurisdictional scope. In the meantime, though, the court’s nationwide injunction on the new HHS rules stands until further notice. Given Section 1557’s limited application to federally funded healthcare programs and activities, its actual application to private employer-sponsored health plans remains a subject of continued discussion. Nevertheless, private employers are generally subject to Title VII’s prohibition on discrimination against gay and transgender employees (as expressed by the Supreme Court in Bostock), a prohibition that can potentially extend to employer-sponsored health plans, at least according to a recent Fourth Circuit decision. Both public and private employers should therefore remain aware of ongoing legal developments in this area and should consult with legal counsel regarding the application of Section 1557 to their specific plans. 

State of Tennessee: Memorandum Opinion and Order

On June 27, 2024, HHS updated its “HIPAA and Reproductive Health” web page with resources to help covered entities, including group health plans, and business associates comply with the 2024 final HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the 2024 Final Rule). 

On April 26, 2024, HHS published the 2024 Final Rule, which modifies the existing HIPAA Privacy Rule. The 2024 Final Rule follows the US Supreme Court ruling in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to an abortion. As a result, several states enacted laws banning or restricting access to abortion. 

Accordingly, the 2024 Final Rule was issued in part to protect the privacy of individuals crossing state lines to seek an abortion in a state where it is lawful. More broadly, the 2024 Final Rule aims to limit the circumstances under which an individual’s reproductive healthcare information can be used for non-healthcare purposes if such use or disclosure could be damaging to the privacy of the individual or another person or the individual’s relationship with their healthcare providers. 

As explained in our May 7, 2024, Compliance Corner article, the 2024 Final Rule prohibits HIPAA-covered entities and business associates from using or disclosing protected health information (PHI) related to lawful reproductive healthcare under certain circumstances, such as to conduct a criminal, civil, or other legal proceeding. By December 23, 2024, covered entities and business associates will need to comply with a new attestation requirement that applies when HIPAA-covered entities or business associates receive a request for PHI that is potentially related to reproductive healthcare to ensure the use or disclosure is not for a prohibited purpose. 

The updated HHS web page provides a Model Attestation Form to assist covered entities and business associates with this new compliance obligation related to reproductive healthcare. The Model Attestation Form includes instructions for the person requesting PHI and information for covered entities and business associates. This information explains that covered entities and business associates must obtain a new attestation for each applicable use or disclosure request, the circumstances under which the attestation can be relied upon, and the requirement to maintain a written copy of each completed attestation and any relevant supporting documents. 

Additionally, by February 16, 2026, covered entities will need to update their Notice of Privacy Practices (NPP) to inform individuals that their PHI may not be used or disclosed for a prohibited purpose under the 2024 Final Rule. The delayed NPP deadline is designed to align with the deadline for covered entities to update the NPP for changes under the Confidentiality of Substance Use Disorder Patient Records Final Rule, which we covered in our February 13, 2024, Compliance Corner article, thus preventing a situation in which the NPP would need to be updated twice within a short period. 

The new HHS resources include a slide presentation that provides an overview of the 2024 Final Rule, including key dates, definitions, compliance requirements, and links to other resources. This presentation is accompanied by a new video that explains how the 2024 Final Rule addresses individuals’ concerns about sharing reproductive healthcare information with providers that could be disclosed to and used by law enforcement. Additionally, a social media toolkit and other reproductive healthcare summaries are provided for educational purposes. 

Employers, particularly those that sponsor self-insured plans, and their business associates should review the Model Attestation Form and other HHS resources and ensure their HIPAA privacy policies and procedures are updated by December 23, 2024, to reflect the 2024 Final Rule requirements. Employers should also be aware that the NPP provided to participants will require modification by February 16, 2026. 

HIPAA and Reproductive Health 

On July 1, 2024, the OCR announced that it settled an investigation into Heritage Valley Health System (HVHS), a healthcare provider, following a ransomware attack that resulted in a breach of PHI. OCR alleged that HVHS failed to take necessary steps required by HIPAA to reduce the risk of a ransomware attack. 

OCR began an investigation into HVHS on October 31, 2017, after media reports of the provider experiencing a data breach. As a result of this investigation, OCR determined that HVHS failed to complete the following HIPAA requirements: 

• Conduct a compliant risk analysis to determine the potential risks and vulnerabilities to electronic protected health information (ePHI) in its systems.  
• Implement a contingency plan to respond to emergencies, like a ransomware attack, that damage systems that contain ePHI. 
• Implement policies and procedures to allow only authorized users access to ePHI. 

Heritage Valley agreed to pay $950,000 to the federal government and implement a corrective action plan to end the investigation. The plan requires HVHS to satisfy the requirements they failed to meet and train their workforce on their HIPAA policies and procedures. 

Employers should be aware of the risks associated with failing to meet HIPAA privacy requirements. OCR recommends that healthcare providers, health plans, clearinghouses, and business associates covered by HIPAA take the following steps to mitigate or prevent cyber threats: 

• Review all vendor and contractor relationships to ensure business associate agreements are in place as appropriate and address breach/security incident obligations. 
• Integrate risk analysis and risk management into business processes to be conducted regularly and when new technologies and business operations are planned.
• Ensure audit controls are in place to record and examine information system activity. 
• Implement regular review of information system activity. 
• Utilize multifactor authentication to ensure only authorized users are accessing ePHI. 
• Encrypt ePHI to guard against unauthorized access to ePHI. 
• Incorporate lessons learned from incidents into the overall security management process. 
• Provide training specific to organization and job responsibilities on a regular basis and reinforce workforce members’ critical roles in protecting privacy and security. 

Heritage Valley Health System Resolution Agreement and Corrective Action Plan 

OCR Press Release 

On June 21, 2024, the Fifth Circuit Court of Appeals (Fifth Circuit) reversed the nationwide injunction imposed by a Texas federal district court that prohibited the federal government from enforcing the ACA’s preventive care mandate. However, the Fifth Circuit remanded the case back to the district court for further proceedings, so the fate of the mandate remains unresolved. 

On September 7, 2022, the US District Court for the Northern District of Texas issued a ruling in Braidwood Management Inc. v. Becerra, in which the court ruled that certain ACA preventive care mandates violated the US Constitution as well as the Religious Freedom Restoration Act (RFRA). 

In this case, the plaintiffs included two businesses and six individuals who sought health insurance that excluded or limited coverage required by the ACA preventive care mandates. Among other claims, the plaintiffs argued that the ACA preventive care mandates violate the US Constitution because the appointment process for members of three entities that made recommendations for services covered by the mandate, the US Preventive Services Task Force (PSTF), the Advisory Committee on Immunization Practices (ACIP), and the Health Resources and Services Administration (HRSA), did not satisfy the constitutional method for appointing “US officers.” A person is a US officer if that person occupies a continuing position established by federal law and exercises significant authority under that law. 

The plaintiffs also asserted that the PSTF-recommended requirement to cover pre-exposure prophylaxis (PrEP) drugs to prevent HIV infection violated their religious rights under the RFRA. 

The district court determined that the appointment process for members of the PSTF did not satisfy the constitutional method for appointing US officers. The court agreed with the plaintiffs that the actions of the PSTF, whose decisions bind those subject to the ACA mandate (such as insurers and sponsors of self-insured plans), are actions that must be done by persons appointed using the process under the Constitution (or actions that must be ratified by someone who was so appointed). The court did find that the other two entities passed constitutional muster. The court also found that the requirement to cover PrEP drugs violated the RFRA. 

Accordingly, the district court issued a judgment that invalidated and prohibited the DOL, IRS, and HHS (the departments) from enforcing all PSTF-recommended preventive care mandates issued since the ACA's March 23, 2010, enactment on a nationwide basis. Additionally, the final judgment prevents the departments from enforcing the PrEP coverage requirements as to the plaintiffs with religious objections. See the article in the April 3, 2023, edition of Compliance Corner, for more information and discussion on the impact of this ruling. 

Note that the Fifth Circuit stayed the injunction pending the resolution of the appeal, meaning the nationwide injunction was delayed until the appellate court reached a decision. Due to the June 21 decision, the nationwide injunction will not go into effect. 

The Fifth Circuit agreed with the district court that the members of the PSTF were not validly appointed as required by Article II of the Constitution and that the federal government had not cured this deficiency. However, the appellate court also determined that the district court overreached by enjoining all government action taken to enforce the preventive care mandate because it lacked the statutory authority to do so. Similarly, the Fifth Circuit found that the district court lacked the authority to vacate all previous decisions made by the PSTF. Instead, the Fifth Circuit limited the injunction by preventing the government from enforcing the mandate against the plaintiffs in the case. 

The Fifth Circuit also remanded the case back to the district court to consider the fate of two other government entities involved in determining what must be covered under the preventive care mandate. Although the district court and the Fifth Circuit found that the members of the ACIP and the HRSA were properly appointed, the Fifth Circuit questioned whether the process that these entities followed when making their recommendations complied with requirements under the federal Administrative Procedures Act (APA), and therefore remanded the matter back to the district court for further consideration. 

With the specific exceptions of the plaintiffs in this case, the preventive care mandate is still in effect. However, the case is not over, and the mandate may be struck down later. As this case continues through the legal process, employers should be aware of the recent appellate decision, consult with their carriers and TPAs, and monitor future developments. For specific advice and guidance, employers should always engage their attorneys. 

Braidwood Management Inc. v. Becerra

On June 17, 2024, the IRS issued FAQs related to educational assistance programs under Section 127 of the IRC. Educational assistance programs are sponsored by employers and provide up to $5,250 in tax-free benefits to employees for certain qualified educational expenses. These expenses include items such as tuition, fees, books, supplies, equipment, etc. Principal or interest payments on qualified education loans made by the employer are also included if made after March 27, 2020, and before January 1, 2026. 

The FAQs address three main topics: 

1. General information: Questions 1 - 3 provide basic information to define an educational assistance program, describe tax-free educational assistance benefits, define total allowable assistance amounts, and outline written plan document requirements.
2. Qualified education loans: Questions 4 - 6 describe the requirements for a qualified education loan and how employers can make payments for employees’ qualified loans.
3. Miscellaneous information and exclusions: The final three questions (7 - 9) address the applicability of student debt as a qualified educational benefit, whether owners or shareholders are eligible participants, and any other exclusions that may be available.  

It is important to note that the FAQs are only intended to provide general guidance and cannot be relied upon by the IRS to resolve a case. Employers who sponsor, or are considering sponsoring, educational assistance programs should review the FAQs and work with their vendor or TPA as needed. 

Educational Assistance Program FAQs 

On June 20, 2024, the US District Court for the Northern District of Texas ruled that guidance issued by the HHS Office for Civil Rights (OCR) on the use of third-party online tracking technologies by HIPAA-regulated entities, which include covered entities (such as healthcare providers) and business associates, was unlawful and that OCR overstepped its authority when it issued the guidance. The district court invalidated OCR’s guidance that individually identifiable health information (IIHI), a component of protected health information under HIPAA, includes the connection of a person’s IP address with their visit to certain unauthenticated public webpages. 

HIPAA defines IIHI as information that (1) “relates to” an individual’s healthcare and (2) “ identifies the individual” or provides “a reasonable basis to believe that the information can be used to identify the individual.” Previously, OCR expressed concerns that IIHI collected on a regulated entity's (e.g., hospital’s) website or mobile app was not adequately protected due to third-party tracking technologies. To address these concerns, OCR issued a bulletin in December 2022 and later revised it in March 2024.

However, in this case, the plaintiff hospital groups asserted that OCR had exceeded its authority under HIPAA in promulgating an expansive definition of IIHI under the bulletin. The district court agreed with the plaintiffs and held that the provision at issue in the bulletin could not be aligned with HIPAA’s definition of IIHI under two statutory conditions.

First, the district court explained that visitors accessing unauthenticated public webpages is not information that “relates to” an individual’s health, receipt of healthcare, or payment for healthcare because covered entities cannot know that visitors are accessing certain webpages for the purpose of seeking information about their own health conditions, as opposed to some other probable purpose, such as accessing the page for academic research. Second, the district court determined that visitors accessing unauthenticated public webpages does not and cannot identify or provide a reasonable basis for identifying health information about a specific individual as required by the IIHI definition. Because of these reasons, the district court declared the OCR’s guidance unlawful and vacated the elements of the bulletin. 

Though this case primarily impacts providers and third-party online tracking technology vendors, employers should be aware of this development and review their HIPAA obligations with their advisers and outside counsel when developing a comprehensive strategy for adhering to HIPAA's privacy, security, and breach response requirements. 

• Opinion and Order »
• Final Judgment »

On June 13, 2024, the Supreme Court of the United States held in Food and Drug Administration v. Alliance for Hippocratic Medicine that a consortium of doctors and medical organizations opposed to abortion did not have legal standing to challenge the FDA’s actions regarding mifepristone.

Mifepristone is an oral abortifacient available to patients in both brand name form (Mifeprex), which the FDA approved in 2000, and generic form, which the FDA approved in 2019. In 2016, the FDA relaxed its original restrictions on access to the drug, which included a minimum requirement of three in-person consultations between patients and doctors, by allowing other healthcare providers, such as nurse practitioners, to prescribe the drug and reducing the in-person consultation requirements to a single visit. The FDA then announced in 2021 that it would no longer enforce the in-person consultation requirement, a determination that was made in the context of the then-ongoing COVID-19 pandemic but one that the agency left in place after the pandemic subsided.

Just a few months after the United States Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization to overturn Roe v. Wade, the doctor plaintiffs moved the US District Court for the Northern District of Texas to issue a preliminary injunction requiring the FDA to either rescind its approval of mifepristone altogether or, in the alternative, to rescind its 2016 and 2021 regulatory actions. In response, Danco Laboratories, which sponsors Mifeprex, intervened to defend the FDA’s actions.

The District Court agreed with the plaintiffs and enjoined the FDA’s approval of mifepristone, effectively ordering the drug off the market. FDA and Danco appealed and moved to stay the District Court’s order pending appeal. The Supreme Court ultimately stayed the District Court’s order pending the disposition of proceedings in the Fifth Circuit.

On the merits, the Fifth Circuit held that the plaintiffs had legal standing to sue and concluded that plaintiffs were unlikely to succeed on their challenge to FDA’s 2000 and 2019 drug approvals but were likely to succeed in showing that FDA’s 2016 and 2021 actions were unlawful. The FDA and Danco then asked the Supreme Court to review that ruling.

The Supreme Court reversed the Fifth Circuit’s decision, holding that the plaintiffs lacked standing under Article III of the Constitution to bring suit. Article III limits the jurisdiction of federal courts to actual disputes between parties – which it calls “Cases” or “Controversies” – and so a plaintiff filing suit in federal court must establish “standing” to be heard by demonstrating that that he or she has suffered or likely will suffer an injury in fact, that the injury likely was caused or will be caused by the defendant being sued, and that the injury likely would be redressed by the requested judicial relief.

Writing for a unanimous Court, Justice Kavanaugh acknowledged the plaintiffs’ “sincere legal, moral, ideological, and policy objections to elective abortion and to FDA’s relaxed regulation of mifepristone,” but because they themselves neither use nor want to prescribe mifepristone nor are they forced to prescribe mifepristone or are otherwise obliged to participate in providing abortion-related medical treatment over their conscientious objections to abortion, they did not have standing to challenge the FDA’s treatment of mifepristone in federal court.

The Court observed that the plaintiffs lacked standing because they failed to demonstrate that the FDA’s treatment of mifepristone had injured them or could potentially injure them in any way. Rather, the plaintiffs objected only to what the FDA’s actions allowed other people to do, and in the Court’s view, “a plaintiff’s desire to make a drug less available for others does not establish standing to sue.”

This case has been heavily covered by news outlets and other media because of its subject matter and importance, especially in the aftermath of the Dobbs decision, and many reports have framed the Court’s decision in this case as a victory for supporters of greater access to mifepristone and reproductive options in general.

While this is certainly true as a practical matter, it is important to note that this is not because the Supreme Court made a ruling in support of those policies. Nor, it should be said, did it make a ruling in opposition to those policies. Rather, the Court held only that because the plaintiff doctors lacked standing to challenge the FDA’s policies in federal court, no “Case” existed in which a federal court could make a ruling at all.

As such, while plan sponsors and other stakeholders can operate with the understanding that the FDA’s rules that have made mifepristone widely available remain in effect, they should not assume that this case marks the final word on the subject. Plan sponsors and other stakeholders should continue to monitor ongoing political developments in the executive and legislative branches of the federal government as well as any future legal developments in the judicial branch in the event another plaintiff can establish the necessary standing to challenge these rules that the doctors in this case ultimately could not.

Food and Drug Administration v. Alliance for Hippocratic Medicine

On May 31, 2024, in Bristol SL Holdings, Inc. v. Cigna Health and Life Insurance Company, the Ninth Circuit Court of Appeals (Ninth Circuit) held that ERISA preempts state law claims challenging the denial of out-of-network provider reimbursements by group health plans. The Ninth Circuit affirmed the district court’s grant of summary judgment in favor of Cigna, the TPA for the ERISA plans, in the action brought by a drug treatment center’s successor-in-interest, Bristol SL Holdings, Inc. (Bristol).

For several years, Sure Haven, a drug treatment center, had contacted Cigna by phone to verify their patients’ out-of-network plan coverage, seek preauthorization for their care, and obtain the applicable reimbursement rate. But despite this verification process, in 2015, Cigna began rejecting Sure Haven’s reimbursement claims for covered plan participants due to “fee-forgiving.” Fee-forgiving is a healthcare provider’s practice of failing to collect patient cost-sharing (e.g., copayments and deductibles), which inflates insurance costs. The ERISA plan language clearly permitted Cigna to deny claims based on fee-forgiving. Accordingly, Cigna refused to reimburse 106 covered patients’ treatment claims, which reportedly totaled over $8.6 million. Sure Haven filed for bankruptcy in 2017.

Bristol purchased Sure Haven’s insurance claims against Cigna from the bankruptcy estate. When negotiations failed, Bristol sued Cigna in federal court, asserting an ERISA claim for recovery of plan benefits and various state law contract and fraud claims, including breach of contract and promissory estoppel. (Promissory estoppel is a doctrine that allows for recovery of damages despite no actual contract based upon one party’s detrimental reliance on a promise made by the other party.) Bristol contended that Cigna’s representations during the verification and preauthorization calls created independent, enforceable contractual obligations under state law.

As a defense, Cigna asserted ERISA preemption (i.e., that any state law claims are superseded and thus set aside by ERISA.) The district court held that ERISA preempted Bristol’s state law contract claims and granted summary judgment for Cigna. Bristol appealed the ruling to the Ninth Circuit.

On appeal, the Ninth Circuit affirmed the district court ruling and held that Bristol’s state law claims for breach of contract and promissory estoppel were preempted by ERISA because they had both a “reference to” and an “impermissible connection with” the ERISA plans. In its opinion, the Ninth Circuit first explained that a state law claim has a “reference to” an ERISA plan if it is premised on the existence of an ERISA plan, provides alternate enforcement mechanisms for ERISA plan obligations, or challenges the administration of ERISA plan benefits. Here, the Ninth Circuit observed that Sure Haven’s calls to Cigna were specifically to verify out-of-network coverage and reimbursement available under ERISA plans. Similarly, Cigna’s denial of claims due to Sure Haven’s fee-forgiving was in accordance with the ERISA plan terms. Additionally, Bristol’s calculation of damages for the state law claims relied upon the ERISA plan terms. Therefore, the Ninth Circuit concluded that the state law contract claims challenging the administration of plan benefits were premised upon the ERISA plan terms and thus preempted (i.e., Bristol could not seek to obtain through a state remedy what it could not obtain through ERISA).

Next, the Ninth Circuit analyzed Bristol’s claims under the “connection with” test for ERISA preemption. Under this test, a claim has an impermissible connection with an ERISA plan if it governs a central matter of plan administration or interferes with nationally uniform plan administration. The Ninth Circuit noted that permitting state law liability on Bristol’s claims would intrude on a central matter of ERISA plan administration (specifically, Cigna’s system of verifying out-of-network coverage and authorizing treatment by phone, while later conditioning reimbursement on whether a medical provider has secured the proper financial contributions from plan participants). Additionally, the Ninth Circuit recognized that allowing liability on Bristol’s state law claims would impermissibly interfere with nationally uniform plan administration by subjecting an insurer’s verification and preauthorization communications to their variable treatment under state law instead of ERISA and the plan terms.

In a concurrently filed memorandum, the Ninth Circuit also affirmed the district court’s grant of summary judgment to Cigna on Bristol’s ERISA claim seeking recovery of plan benefits.

For ERISA group health plan sponsors, the ruling is important because it reinforces the breadth of ERISA’s preemption of state law causes of action, particularly in the context of pre-service coverage communications between healthcare providers and plan administrators. The decision makes clear that healthcare providers seeking reimbursement from group health plans cannot circumvent ERISA or expand the scope of available legal actions by asserting state law claims.

Bristol SL Holdings, Inc. v. Cigna Health and Life Insurance Company

On June 11, 2024, the DOL announced a recent settlement with Unum Life Insurance Company of America (Unum) following an investigation into the carrier’s group supplemental life insurance claims practices. The DOL investigation found that Unum routinely accepted premiums (via employer payroll deductions) for many years without verifying if participants satisfied an evidence of insurability (EOI) standard. Then, when a plan participant died, Unum would deny the death benefit, claiming it never received EOI. Similarly, Unum routinely provided coverage to dependents without EOI, despite a plan exclusion for totally disabled dependents. If the dependent died within two years of enrollment, Unum would then review their medical records to determine whether they were disabled at the time of enrollment. If the dependent was disabled at the time of enrollment through the date of their death, Unum would deny the claim. Unum failed to clearly inform participants and dependents that dependent coverage would be delayed through a period of disability.

These practices left beneficiaries without the life insurance benefit that plan participants had paid for and believed was in place prior to their deaths. The DOL’s announcement noted that parallel investigations found that other life insurers engage in similar prohibited practices. (See our previous Compliance Corner article covering a DOL settlement with Prudential).

The Unum settlement provides protections for participants who have paid premiums for extended periods of time and are thereby led to reasonably believe their coverage is in force. First, Unum is prohibited from denying a death claim based on lack of EOI when premiums were collected for 90 days or more. Second, Unum is prohibited from denying continued coverage based on EOI for any participant who has been paying premiums for more than one year. Third, for any participant that has not submitted EOI as required under the group life policy terms but has been paying coverage for less than one year, Unum can only require EOI as of the date of the participant’s first premium payment. Meaning, Unum cannot request or consider information regarding a medical issue, diagnosis, new prescription, or any other relevant insurability fact arising after Unum’s receipt of the participant’s first premium payment. Fourth, Unum must direct all group policyholders (employers) to not collect employee premiums on coverage that requires EOI until confirming that Unum has approved the required EOI. In the event a group policyholder then collects premiums without first confirming that Unum has approved the required EOI, the employer may be liable for any death claim filed on coverage lacking EOI.

As to Unum’s total disability exclusion for dependent coverage, the settlement allows Unum to deny death claims filed within two years of the dependent’s enrollment if the dependent has been continuously confined to a home, hospital, hospice, or similar healthcare facility. Unum is required to provide group policyholders clarification on its current total disability exclusion for dependent coverage (i.e., only in cases of confinement).

Importantly, for employers sponsoring group life insurance plans, the DOL settlement affirms that employers may be liable for claims if they collected premiums without first confirming that Unum approved the employee’s or dependent’s EOI. This is consistent with federal courts across the country that have found employers liable for breach of fiduciary duty under ERISA when collecting premiums on life insurance coverage that is not in force. Two of these cases were featured in Compliance Corner: Gimeno v. NCHMND, Inc. and Skelton v. Radisson Hotel Bloomington.

Employers should work with their life insurance carriers to maintain a safeguarded system for verifying enrollment and collecting premiums. Any discrepancies should be reviewed with legal counsel.

DOL and Unum Settlement Agreement

On June 6, 2024, in N.C., individually and on behalf of minor A.C., v. Premera Blue Cross (Premera), the Ninth Circuit Court of Appeals (Ninth Circuit) affirmed the district court’s grant of summary judgment in favor of plaintiff-appellee N.C. regarding their ERISA claim for recovery of residential treatment benefits.

Premera (the defendant) challenged the district court’s conclusion on de novo review that A.C.’s 14-month residential treatment at Change Academy was medically necessary under the plan. Premera also challenged the district court’s consideration of two sets of guidelines from the American Academy of Child and Adolescent Psychiatry (AACAP): Principles of Care for Treatment of Children and Adolescents with Mental Illnesses in Residential Treatment Centers (Principles of Care) and Practice Parameter for the Assessment and Treatment of Children and Adolescents with Reactive Attachment Disorder and Disinhibited Social Engagement Disorder (RAD Practice Parameter).

The Ninth Circuit affirmed the district court’s decision on the grounds that it was fully within that court’s discretion to consult the AACAP guidelines because they were part of the administrative record. Moreover, the district court was permitted to supplement that record as necessary for “evidence regarding interpretation of the terms of the plan rather than specific historical facts.” Finally, the court determined that because “generally accepted standards of medical practice” is ambiguous, the district court did not abuse its discretion in considering the AACAP Principles of Care.

Regarding Premera’s challenge to the district court’s conclusion on the medical necessity of the treatment, the Ninth Circuit noted the district court’s copious citations to the record, which indicated that “A.C.’s treating providers agreed that less intensive treatment settings were ineffective and that residential treatment was necessary. And Dr. Nair, who treated A.C. at Change Academy, repeatedly recommended that he continue residential treatment.” The Ninth Circuit further noted that their prior decisions have held that protecting the reasonable expectations of insureds serves the federal policies underlying ERISA. Accordingly, the Ninth Circuit affirmed the district court’s conclusion that A.C.’s treatment at Change Academy was medically necessary.

This case provides a useful illustration of how courts approach plan participant challenges to adverse claims determinations under ERISA. It also provides a reminder to ERISA plan sponsors to review and monitor the claims and appeals processes of their plans regarding conformity to ERISA’s requirements. Particular consideration should also be paid both to the contents of claims determination communications to participants as well as any plan terms describing the process and criteria for “medical necessity” determinations.

N.C., individually & on behalf of minor A.C. v. Premera Blue Cross

The DOL, HHS, and IRS have jointly updated the Submission Instructions and User Manual for the Gag Clause Prohibition Compliance Attestation (GCPCA), dated May 2024. Group health plans and health insurance issuers (insurers) offering group or individual health insurance coverage must annually submit a GCPCA to the DOL, HHS, and IRS (collectively, the agencies).

The statutory provisions added by the CAA 2021 generally prohibit plans and issuers from entering into an agreement with healthcare providers or a network of providers, third-party administrators, or other service providers that offer access to a network of providers that directly or indirectly restricts the plan or issuer from making certain data and information (including cost or quality of care data and claims information) available to certain other parties (i.e., gag clauses). Specifically, plans and issuers may not enter into an agreement that:

• Prevents the plan or issuer from disclosing cost or quality of care information or data, and certain other information, to:
  • Active or eligible participants, beneficiaries, and enrollees of the plan or coverage.
  • The plan sponsor.
  • Referring providers.
• Restricts the health plan or issuer from electronically accessing de-identified claims and encounter information or data for each participant or beneficiary in the plan or coverage, upon request and consistent with the relevant privacy regulations.
• Restricts the plan or issuer from sharing such information with a business associate, consistent with applicable privacy regulations.

In general, the Submission Instructions and User Manual provide clarifications and more detail about the process. Changes include definitions of key terms and a new section describing what agreements are subject to the requirements. The instructions also clarify that a single group health plan with more than one benefit package is a single responsible (reporting) entity and may submit a single attestation, even if some coverage types are insured and others are self-insured. Employers that sponsor multiple group health plans with separate plan numbers, however, must file an attestation for each plan. Although the annual attestation must be submitted by December 31, attestations may be made at any time during the year. Each attestation covers the period from the date of the last attestation through the date of the subsequent attestation.

Although most self-funded plan sponsors will contract with TPAs or other service providers to make the attestation for the plan, the legal obligation to submit the attestation remains with the plan. Self-funded plan sponsors that do contract out the submissions should confirm that their service provider is aware of the changes and that the submission has actually been made.

• GCPCA Annual Submission Instructions, May 2024 »
• GCPCA User Manual, May 2024 »

On May 9, 2024, the IRS released Revenue Procedure 2024-25, which provides the 2025 inflation-adjusted limits for HSAs and HSA-qualifying HDHPs. According to the revenue procedure, the 2025 annual HSA contribution limit will increase to $4,300 for individuals with self-only HDHP coverage (up $150 from 2024) and to $8,550 for individuals with anything other than self-only HDHP coverage (family or self + one, self + child(ren), or self + spouse/domestic partner coverage), an increase of $250 from 2024.

For qualified HDHPs, the 2025 minimum statutory deductibles will be $1,650 for self-only coverage (up $50 from 2024) and $3,300 for individuals with anything other than self-only coverage (an increase of $100 from 2024). The 2025 maximum out-of-pocket limits will increase to $8,300 for self-only coverage (up $250 from 2024) and up to $16,600 for anything other than self-only coverage (up $500 from 2024). For reference, out-of-pocket limits on expenses include deductibles, copayments, and coinsurance, but not premiums. Additionally, the catch-up contribution maximum remains $1,000 for individuals aged 55 years or older (this is a fixed amount not subject to inflation).

The maximum amount that may be made newly available for plan years beginning in 2025 for excepted benefit HRAs is $2,150 (up $50 from 2024).

The 2025 limits may impact employer benefit strategies, particularly for employers coupling HSAs with HDHPs. Employers should ensure that employer HSA contributions and employer-sponsored qualified HDHPs are designed to comply with the 2025 limits.

RP-2024-25 »

On April 29, 2024, the Fourth Circuit, sitting en banc, affirmed district court findings that coverage exclusions of gender-affirming care for the treatment of gender dysphoria violated both the 14th Amendment’s Equal Protection Clause and Section 1557 of the ACA, which in part prohibits discrimination in coverage based on sex.

The Fourth Circuit’s decision regarded two cases. In the first, the trial court found in favor of transgender North Carolina and West Virginia state employees who sued those states’ health plans for their exclusions of “treatment or studies leading to or in connection with sex changes or modifications and related care” on constitutional grounds, finding that these exclusions violated the Equal Protection Clause of the 14th Amendment. In the second, the trial court found in favor of transgender West Virginia Medicaid recipients who sued that state’s Medicaid program for its exclusion of gender-affirming surgery (called “transsexual surgery” by the program), finding that this exclusion violated both the Equal Protection Clause and the nondiscrimination provisions of Section 1557 of the ACA. (For additional information regarding the scope of Section 1557, please see our article in this edition of Compliance Corner.)

The defendant state programs appealed these decisions and the Fourth Circuit affirmed both district court rulings that the exclusions discriminate based on sex, with specific reference to the district court’s observation that these exclusions “cannot be applied ‘without referencing sex’.”

The court also endorsed the trial court’s application of the Supreme Court’s holding in Bostock v. Clayton County, which held that transgender individuals are protected by Title VII of the Civil Rights Act. The defendant states argued that it was not appropriate to extend Bostock – which regarded employment discrimination against transgender individuals – to claims of discriminatory coverage by health plans. The Fourth Circuit disagreed, observing that “there is nothing in Bostock to suggest the holding was that narrow.”

Notably, the Fourth Circuit’s decision was not joined by six of the court’s 14 judges, who wrote or joined dissents that, taken together with the majority opinion, broadly reflect the current national divide on these issues. The 39 amici briefs filed by 38 states and the District of Columbia, 21 of which were filed in support of the defendant state plans and 18 of which were filed in support of the plaintiffs, also illustrate this divide.

As this case demonstrates, coverage exclusions for gender-affirming care and surgery are being closely examined by the courts. It is widely anticipated that the Supreme Court will weigh in on this issue at some point in the future, though it has not yet expressed an intention to do so. In the meantime, employers and group health plans that want to exclude gender-affirming coverage for their employees and their families should consult with legal counsel regarding the potential ramifications of that decision.

Fourth Circuit Opinion No. 22-1721 »

On May 6, 2024, the Congressional Research Service published a report concerning the scope of ACA Section 1557 (the Section). Section 1557 prohibits discrimination on the basis of race, color, national origin, disability, age, and sex in federally funded healthcare programs or activities. It is the source of intense regulatory and legal scrutiny. The report focuses on the federal government’s and the courts’ attempts to define the entities to which the Section applies and provides recommendations to Congress regarding the Section’s implementation.

Three administrations have expanded and contracted the application of this Section through rules. In 2016, the Obama administration issued a rule that applied the Section to entities that provided health-related services, health-related insurance coverage, or other health-related coverage (including group health plans and TPAs) that received any federal financial assistance. If such entities received any federal financial assistance, then all its activities are subject to the Section. In 2020, the Trump administration narrowed the application of the Section through revisions to the 2016 rule, asserting that the administration would not consider health insurance issuers and TPAs to be a “health program or activity” subject to Section 1557’s antidiscrimination requirements. In 2024, the Biden administration issued a rule that expanded the Section’s application back to what it was in 2016, including pharmaceutical care and health research and education for healthcare professionals. That said, the 2024 rule acknowledges that group health plans and their sponsors are distinct from one another and that a fact-specific analysis must be applied to determine which are subject to the Section.

Despite the federal government’s efforts to define which entities are subject to the Section, courts have often disagreed. The paper cites Pritchard v. Blue Cross Blue Shield of Illinois, in which the defendant TPA argued that they were not subject to the Section according to the 2020 rule. The federal district court disagreed, determining that the plain language of the Section extended its application to the TPA, despite what the 2020 rule said. The US Court of Appeals for the Seventh Circuit similarly found that, according to the language in the Section, the statute clearly applied to the group health plan defendant in T.S. v. Heart of CarDon, despite the rule.

The report also noted a case in which a court disagreed with a TPA defendant that it was not subject to the Section because of ERISA. In Tovar v. Essentia Health, the TPA argued that ERISA required it to follow the plan’s terms, which were under the exclusive control of the employer sponsor. The court found nothing in the Section that provided for an exemption under these circumstances.

Ultimately, the report suggests that Congress should amend the Section if it wishes the courts and the federal government to apply it differently. The report notes that courts will disregard the rules in favor of the plain language in the statute, and the cases cited in the report show that the courts are willing to apply the Section to TPAs and group health plans, despite the 2020 rule’s efforts otherwise. Accordingly, the report suggests that if Congress does not want the Section to apply to TPAs and group health plans, then it should make the necessary changes to the statute.

Employers should be aware that, as the law currently stands, they may be subject to the nondiscrimination mandates of Section 1557 if their plans receive any federal financial assistance. Although the 2024 rule makes this clear, it is subject to change with a change in administration. Nevertheless, courts may defer to the Section itself rather than the rule, so employers should keep an eye on the administration of their plans to make sure it complies with the Section. Employers should consult with legal counsel if advice is needed regarding the application of the Section to their specific plans.

The Scope of ACA Section 1557: "Health Program or Activity" »

On May 2, 2024, the IRS published the revised 2024 IRS Publication 15-B, the Employer's Tax Guide to Fringe Benefits, to correct the figures for HSA eligibility and employer contribution limits. The 2024 IRS Publication 15-B was originally published in January 2024 and was covered in the January 17, 2024, edition of Compliance Corner. This publication provides an overview of the taxation of fringe benefits and applicable exclusion, valuation, withholding, and reporting rules.

Accordingly, the updated IRS publication reflects the corrected figures. Specifically, under the section heading “Health Savings Accounts (HSAs),” the paragraph under “Eligibility” indicates a qualifying HDHP must have a deductible of at least $1,600 for self-only coverage and $3,200 for family coverage. Further, a qualifying HDHP must limit annual out-of-pocket expenses of the individuals to $8,050 for self-only coverage and $16,100 for family coverage.

Additionally, the paragraph under “Employer Contributions” clarifies that the annual limitation on deductions for an individual with family coverage under an HDHP should have been noted as $8,300.

Employers should review and defer to the revised 2024 Publication 15-B.

2024 Publication 15-B »

On April 26, 2024, the HHS Office for Civil Rights (OCR) announced that it published a final rule strengthening privacy protections for information relating to reproductive healthcare. The agency proposed the rule on April 23, 2023, which we covered in the April 25, 2023, edition of Compliance Corner.

The final rule prohibits the use or disclosure of PHI by individuals, covered entities (which includes group health plans), or their business associates (collectively, “regulated entities”) for either of the following purposes:

• To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare, where such healthcare is lawful under the circumstances in which it is provided.
• The identification of any person for the purpose of conducting such investigation or imposing such liability.

The prohibition applies when a regulated entity determines that one or more of the following conditions exist:

• The reproductive healthcare is lawful under the law of the state in which such healthcare is provided under the circumstances in which it is provided.
• The reproductive healthcare is protected, required, or authorized by federal law, including the US Constitution, regardless of the state in which such healthcare is provided.
• The reproductive healthcare was provided by a person other than the covered healthcare provider, health plan, or healthcare clearinghouse (or business associates) that receives the request for PHI, and the receipt of reproductive healthcare was presumed lawful under the circumstances (in accordance with the specifications of the final rule).

Note that the final rule allows a regulated entity to use or disclose PHI for purposes otherwise permitted under the Privacy Rule. However, regulated entities can use or disclose PHI, if the request for PHI is not made primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive healthcare.

The final rule requires regulated entities to obtain a signed attestation from whomever submits a request for PHI potentially related to reproductive healthcare. This attestation requirement would apply when the request is for PHI in any of the following circumstances:

• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement purposes
• Disclosures to coroners and medical examiners

Finally, the final rule requires that the Notice of Privacy Practices, provided to all participants in a health plan, must be revised to reflect these new requirements.

Employers, particularly those with self-insured plans, should be aware of this final rule. The final rule effective date is June 25, 2024, but plans must comply with the requirements imposed by this rule by December 23, 2024, although changes to the Notice of Privacy Practices have a delayed effective date of February 16, 2026.

• Fact Sheet »
• Final Rule »

On May 1, 2024, the DOL, HHS, and Treasury (the departments) issued an FAQ regarding implementation of the No Surprises Act in light of the August 24, 2023, decision in Texas Medical Association, et al. v. U.S. HHS, et al. (TMA III) (see our August 15, 2023, and October 24, 2023, editions of Compliance Corner for coverage of this case). Specifically, the FAQ extends enforcement relief related to calculating equivalent in-network rates for out-of-network services covered under No Surprises Act protections until November 1, 2024.

As background, the No Surprises Act and July 2021 interim final rules provide protections against balance billing and limit cost-sharing for emergency services from out-of-network providers, non-emergency services from out-of-network providers during a visit to an in-network facility, and out-of-network air ambulance services. The participant’s or beneficiary’s cost-sharing for these services covered under the No Surprises Act must not be greater than the cost-sharing requirements for equivalent in-network services. Specifically, cost-sharing must be calculated based on the “recognized amount.” If there is no established amount set by an All-Payer Model Agreement under the Social Security Act, and there is no state law on the applicable amount, then the recognized amount, according to the interim final rules, would be the lesser of billed charges or the qualifying payment amount (QPA).

The QPA is generally the median contracted plan rate on January 31, 2019, for the same or similar service in the same geographic region and adjusted for inflation. Under the July 2021 interim final rules, the median contracted plan rate was determined based on all plans of the plan sponsor (or administering entity) or all coverage offered by the insurer in the same insurance market. On August 24, 2023, the court in TMA III held that the interim rules on calculating the QPA were unlawful. Some of the QPA calculation provisions that the TMA III court took issue with allowed the inclusion of “ghost rates” (rates for services that a particular provider has not provided) and rates for providers outside the applicable specialty, excluding bonus or other incentive provisions from the rate calculation, and allowing self-insured plan calculations to be based on the rates of other self-insured plans administered by the same TPA. The Department of Justice appealed the TMA III decision, which is currently pending.

On October 6, 2023, the departments issued FAQ guidance acknowledging the TMA III decision on QPAs and the significant challenges associated with revisiting and recalculating QPAs established prior to the decision. To address these challenges, the departments stated they would grant enforcement relief for any plan, issuer, or other party to a No Surprises Act payment dispute that applies a QPA calculated under the July 2021 interim rules to services delivered before May 1, 2024 (see our October 24, 2023, edition of Compliance Corner for coverage of the October 6, 2023, FAQ guidance).

The May 1, 2024, FAQ guidance extends this enforcement relief until November 1, 2024. This extension is in response to feedback that plans and insurers need more time to recalculate QPAs in a manner consistent with the TMA III decision, as several of the changes to the QPA calculation require manually locating data. Accordingly, the departments will grant enforcement relief for any plan, issuer, or other party to a No Surprises Act payment dispute that applies a QPA calculated under the July 2021 interim rules to services delivered before November 1, 2024 (previously May 1, 2024). The departments will continue to assess the status of QPA calculations but do not expect to extend this enforcement relief for services delivered on or after November 1, 2024.

Although the No Surprises Act payment calculation process is typically handled by insurers and TPAs, employers should be aware of the recent guidance and monitor future developments.

FAQ about Consolidated Appropriations Act, 2021 Implementation Part 67 »

On April 29, 2024, the DOL announced a final rule to rescind the 2018 Association Health Plan (AHP) rule that created alternative criteria that could be used to determine whether a group or association of employers without a commonality of interest could establish an AHP for the primary purpose of providing benefits. We covered the DOL’s proposed rule in our January 3, 2024, edition of Compliance Corner.

The intention of the 2018 AHP rule, in part, was to increase access to quality health coverage. However, the DOL determined that the rule was inconsistent with the definition of employer under ERISA. The department notes that the rule was never fully implemented and is unaware of any existing AHP formed based on the rule.

The recission will alleviate uncertainty under the rule and marks a return to a facts-and-circumstances approach to determine if a group or association of employers is a bona fide employer group capable of sponsoring an ERISA plan. Criteria include:

• Whether the employers have business purposes unrelated to the provision of benefits.
• Whether employers share a genuine organizational relationship unrelated to the provision of benefits.
• Whether participating employers exercise control over the program.

AHPs offered by bona fide employer groups remain subject to ERISA and are subject to MEWA regulations, including state-specific MEWA laws.

Employers participating in an AHP should review the rescinded rule to identify whether it continues to meet the pre-rule requirements as noted above.

• Federal Register: DOL’s Rescission Rule »
• Fact Sheet »

HHS has published a final rule expanding protections under Section 1557 of the ACA, which prohibits discrimination in certain health programs and activities on the basis of race, color, national origin, sex, age, or disability in any health program activity that receives federal financial assistance and other covered entities. The Section 1557 regulations that took effect in 2016 under the Obama administration expanded the scope of Section 1557 prohibitions by including discrimination based upon gender identity. The 2016 regulations also required entities covered by the rule to distribute nondiscrimination notices and required them to have compliance coordinators and written grievance procedures to handle complaints concerning possible violations of Section 1557. In 2020, however, the Trump administration's HHS issued a final rule amending Section 1557 of the ACA to scale back explicit protections based on gender identity introduced by the Obama administration.

In the 2024 final rule, HHS reinstated the scope of the 2016 regulations and expanded the regulations further. The final rule is generally effective 60 days after publication in the Federal Register, but certain provisions have delayed effective dates. The complete effective dates on each provision under Section 1557 can be found in the HHS Section 1557 Final Rule: Frequently Asked Questions.

Here are highlights of the 2024 final rule on Section 1557:

Restores and broadens the definition of covered entities to include insurers and pharmacy benefit managers (PBMs).

The final rule restored and expanded the definition of covered entities of Section 1557 to health programs and activities that include health insurers and PBMs that receive federal financial assistance and all the operations of a covered entity, including an insurer's TPA activities. In contrast, group health plans are not explicitly defined as covered entities since many employers and group health plans are not direct recipients of federal financial assistance. The final rule states that Section 1557 will not be applied if it would violate federal protections for religious freedom and conscience. The final rule provided an administrative process for obtaining a written assurance of exemption.

Prohibits discrimination on the basis of sex.

The final rule affirms that protections against sex discrimination include protections against discrimination on the basis of sexual orientation and gender identity. Additionally, the final rule clarifies that sex discrimination includes discrimination on the basis of sex stereotypes, sex characteristics (including intersex traits), and pregnancy or related conditions.

Requires covered entities to take steps to identify and mitigate discrimination when they use patient care decision support tools.

The final rule requires covered entities to make reasonable efforts to identify patient care decision support tools that use input variables or factors that measure race, color, national origin, sex, age, or disability and to make reasonable efforts to mitigate the risk of discrimination that may result from the use of such tools. Within 120 days of the effective date, covered entities must begin providing an annual notice of nondiscrimination and a notice of language assistance services to participants, beneficiaries, enrollees, and applicants. FAQs accompanying the final regulations note that HHS has prepared sample notices in multiple languages to assist with this requirement.

Clarifies that nondiscrimination requirements apply to health programs and activities provided through telehealth services.

The final rule clarifies that covered entities must not discriminate in their delivery of health programs and activities provided through telehealth services. This means ensuring that such services are accessible to individuals with disabilities and providing meaningful program access to people with limited English proficiency.

The prohibition of discrimination on the basis of sex is historically one of the most litigated provisions of Section 1557. As explained above, the final rule is primarily directed at covered entities that receive federal financial assistance. However, group health plan sponsors should be aware of the issuance of the final rule, which could potentially impact their plan indirectly. Sponsors with questions regarding the specific application of Section 1557 and other nondiscrimination laws to their plan design should consult with their legal counsel.

• Final Rule »
• Fact Sheet »
• FAQ »

On April 11, 2024, in Ryan S. v UnitedHealth Group, Inc., et al., the Ninth Circuit Court of Appeals (Ninth Circuit) filed a decision reversing a Middle District of California District Court dismissal of a class action suit brought under ERISA by a beneficiary (Ryan S.) of a group health plan insured, managed, and administered by UnitedHealthcare (UHC). The lawsuit, which alleged a MHPAEA violation and breach of an ERISA fiduciary duty, was remanded for further proceedings.

Between 2017 and 2019, Ryan S. completed two different outpatient and out-of-network substance use disorder programs. UHC did not cover most of the charges for that treatment, which amounted to hundreds of thousands of dollars. Ryan S. alleged that UHC systematically denied his claims and cited a 2018 California Department of Mental Health Care report that had concluded that certain UnitedHealthcare entities, including UHC, were applying a more stringent internal review process (that included the use of algorithms that added additional levels of review) to such mental health and substance use disorder (MH/SUD) claims than was applied to medical/surgical claims for treatment in violation of MHPAEA. The district court dismissed the case based on its conclusion that Ryan S. had 1) failed to allege that his claims had been “categorically” denied and 2) insufficiently identified analogous medical/surgical claims that he had personally submitted and UHC had processed more favorably.

Relying heavily on the findings and conclusions of the California state agency, the Ninth Circuit concluded that a plaintiff alleging that a defendant applied a more stringent internal process to MH/SUD claims than to medical/surgical claims may be able to allege a plausible claim without having to allege a categorical practice or differential treatment for the plaintiff’s own medical/surgical claims. In other words, it is enough for such a plaintiff to allege the existence of a procedure used in assessing MH/SUD benefit claims that is more restrictive than those used in assessing medical/surgical claims under the same classification if the allegation is adequately pled in the complaint. A plaintiff doesn’t have to allege that they had claims of both types.

Since the district court had dismissed the MHPAEA claim and the breach of fiduciary duty claims for failure to state a violative (claims) process, the Ninth Circuit reversed both of those dismissals and remanded.

The plaintiff in this case benefited from a recent state study and report that supported their allegations and allowed these claims to survive the motion to dismiss. The case has drawn greater attention to the use of algorithms in the claim review process, particularly with respect to MHPAEA claims. The Ninth Circuit has tried to clarify how to determine what violates the MHPAEA without much clear guidance from the federal agencies yet. Hopefully, the anticipated MHPAEA final rules will provide guidance that will help to clarify the law’s application to various claim review processes.

Ryan S. v. UnitedHealth Group Inc. »

On April 13, 2024, the IRS released a set of FAQs concerning the tax treatment of work-life referral (WLR) services that employers may provide to employees. The FAQs establish that WLR services are a de minimis fringe benefit excluded from an employee’s gross income and from the employer’s employment taxes.

The FAQs define WLR services as “informational and referral consultations that assist employees with identifying, contacting, and negotiating with life-management resources for solutions to a personal, work, or family challenge.” WLR services include assistance with completing paperwork and basic administrative tasks associated with finding resources to tackle problems, such as finding childcare, eldercare, or financial advisors. Although WLR services do not provide childcare or other similar services directly, they help employees access those services. WLR services are sometimes called caregiver or caretaker navigation services.

According to the FAQs, WLR services are considered de minimis. “De minimis” is defined as “any property or service the value of which is (after taking into account the frequency with which similar fringes are provided by the employer to the employer's employees) so small as to make accounting for it unreasonable or administratively impracticable.” In circumstances where it would be administratively difficult to determine the frequency with which fringe benefits are provided to each employee, the employer can measure the frequency using the employer-measured frequency standard.

The FAQs apply this definition and frequency standard to WLR services. As a de minimis benefit, WLR services are excluded from an employee’s gross income and from the employer’s employment taxes.

Note that these FAQs are published as general information to taxpayers and tax professionals, and the IRS will not use them to resolve any case involving WLR services. However, if a taxpayer or professional reasonably relies on them in good faith, then the IRS will not impose a penalty that provides a reasonable cause standard for relief, including a negligence penalty or other accuracy-related penalty, to the extent that reliance results in an underpayment of tax. Accordingly, employers should be aware of the tax treatment of WLR services.

Frequently Asked Questions About Work-Life Referral Services »

In response to a request by Congress, the Government Accountability Office (GAO) recently released a report focusing on state regulation of PBMs serving private health plans. Among other things, the report describes actions selected states have taken to regulate PBMs and the views of various stakeholders regarding such state regulation.

As cited in the report, retail prescription drug spending by private health plans in the US totaled nearly $152 billion in 2021 — almost 13% of total private healthcare spending and an almost 18% increase over 2016. This increase in spending was driven by increased drug prices, including specialty drug prices, as opposed to increased drug utilization (i.e., the number of prescriptions filled).

Many health plans contract with PBMs to administer their prescription drug benefits and help contain rising costs. PBMs may negotiate drug prices and rebates with manufacturers, develop formularies, process claims, and perform other plan services. The significant role and market power of PBMs and the opaqueness of certain PBM compensation arrangements have led some industry stakeholders to call for greater transparency and other changes in PBM practices. State legislatures have responded by enacting laws to regulate PBMs. According to the report, all 50 states have enacted at least one PBM-related law since 2017.

The GAO report focuses on five states that have enacted a wide range of PBM laws — Arkansas, California, Louisiana, Maine, and New York. The GAO examined these states’ laws with respect to whether a fiduciary or other “duty of care” was imposed upon PBMs and requirements regarding transparency (including licensure and reporting), drug pricing and pharmacy reimbursements, and pharmacy network and access. The GAO also interviewed stakeholders, including regulators, pharmacy associations, and health plan associations in each of the five states and four national organizations representing the interests of PBMs, patients, employers, and drug manufacturers, respectively.

According to the report, four of the five selected states (California, Louisiana, Maine, and New York) have enacted laws to impose a duty of care on PBMs. However, only Maine’s law states that PBMs owe a fiduciary duty to the health plans with which they contract. The other state laws impose a “lesser” standard on PBMs, such as a requirement to act in “good faith and fair dealing.” Regulators in states that do not impose a fiduciary requirement cited political opposition from the PBM trade association or concerns about ERISA preemption as factors.

With respect to efforts to increase the transparency of PBMs’ operations, the report explains that all five states require PBMs to be licensed and/or registered and provide certain information, such as rebate and fee data, to the state or the health plans with which they contract. Additionally, each of the five states has enacted some type of legislation regulating drug pricing and pharmacy payments, such as a law limiting a PBM’s use of manufacturer rebates or “spread pricing” (i.e., paying pharmacies less than they charge health plans for drugs). For example, Arkansas requires that PBMs and health plans set cost-sharing amounts for prescription drugs based on post-rebate prices and prohibits spread pricing. Furthermore, all five states have enacted legislation to expand patient access to affordable drugs (e.g., by ensuring pharmacies are not prohibited in their contracts from informing enrollees when a less costly alternative to paying for a prescription through their insurance is available).

According to the report, all stakeholders interviewed expressed support for PBM transparency requirements such as licensure, registration, and annual reporting on rebates and revenue sources. However, most health plan associations and the PBM trade association opposed state laws regulating pharmacy reimbursements and network design. Additionally, some believed the laws may conflict with ERISA by preventing large employers from designing uniform plans across multiple states.

Regarding enforcement, regulators sought broad authority to respond to emerging PBM-related issues and robust enforcement measures to achieve better compliance. The regulators indicated they rely primarily on complaints to ensure PBM compliance and, in some states, had taken actions such as audits to address complaints. However, regulators also expressed concerns regarding ERISA preemption affecting their enforcement of state PBM laws with respect to self-insured plans.

Employers that sponsor prescription drug plans should be aware of the GAO report requested by Congress, although it is unclear whether any federal PBM legislation will be enacted soon. The report provides a helpful sample of various types of state PBM laws and stakeholder opinions regarding such measures. However, it is difficult to draw broad conclusions from the report, especially since much is unsettled in this area of the law. But additional regulatory action is anticipated, so employers should monitor for further developments.

GAO-24-106898, PRESCRIPTION DRUGS: Selected States’ Regulation of Pharmacy Benefit Managers »

On April 3, 2024, the DOL, HHS, and IRS (the departments) published final rules (with an accompanying fact sheet) to amend certain requirements regarding fixed indemnity excepted benefits coverage and limited duration insurance. These rules finalize some of the amendments proposed on July 12, 2023. Notably, beginning in 2025, plan sponsors offering fixed indemnity coverage must provide a new consumer protection notice to enrollees.

The final rules follow several Biden Administration Executive Orders, which direct the departments to review policies for consistency with the goals of strengthening ACA protections and providing access to affordable, comprehensive healthcare. The Biden Administration also seeks to ensure individuals understand their coverage options so they do not unknowingly purchase low-quality coverage (referred to as “junk insurance”) that may result in burdensome household medical debts. Accordingly, the final rules impose new restrictions on coverage not fully subject to the ACA mandates, such as preventive care requirements, annual and lifetime limits, and prohibitions on pre-existing condition exclusions (known as “excepted benefits”).

First, the final rules reaffirm that in order to qualify as excepted benefits, fixed indemnity policies must pay benefits per day (or other time period) of hospitalization or illness regardless of the expenses incurred, medical services received, or illness severity. Group coverage that pays benefits on a per medical item or service basis would not be considered an excepted benefit. While the proposed rules were poised to amend certain requirements on coordination of benefits (with respect to exclusions or payments) between an employer’s fixed indemnity policy and group health plan, the final rules did not include these changes, citing the need for additional time to study the concerns raised by commenters.

The final rules explain that while fixed indemnity insurance is designed to provide income replacement in the event of a hospitalization or illness, policies sold today often include certain features resembling comprehensive coverage (e.g., benefits paid based on receipt of a medical service or directly to a healthcare provider). To address this, the final rules add a required consumer protection notice be provided to employees in relation to group fixed indemnity excepted benefits coverage, applicable to plan years beginning on or after January 1, 2025. The notice is designed to highlight the differences between fixed indemnity excepted benefits and comprehensive major medical coverage and must be prominently displayed in any marketing, application, and enrollment materials. Insurers can satisfy this new notice requirement on behalf of the plan sponsor.

Second, the final rules require short-term limited duration insurance (STLDI) to be truly short-term. STLDI is health insurance primarily designed to fill temporary gaps in coverage when an individual is transitioning from one plan or coverage to another, such as during a waiting period for a new employer’s plan. Under the ACA, STLDI is not health insurance, so it is not subject to certain ACA protections (e.g., prohibitions on exclusions for pre-existing conditions, discrimination based on health status, or dollar limits on essential health benefits). Specifically, the final rules change the maximum duration of STLDI policies to four months (a three-month initial term with a one-month extension or renewal permitted within a year of the original effective date). This proposed duration is much shorter than the current 36-month maximum permitted under a 2018 Trump Administration rule. The final rules also update the STLDI notice requirements to highlight coverage limitations in concise, easy-to-understand, and prominently displayed language. To further consumer protection, the notice must be included in any marketing, application, and enrollment materials.

The departments declined to finalize proposed rules on the tax treatment of employer-provided fixed indemnity accident or health insurance plans (including hospital indemnity and specified disease coverage), citing the need for additional time to study the concerns raised by commenters. In addition, while the proposed rules requested comments on the design and operation of specified disease coverage (e.g., cancer insurance) and level-funded plan arrangements, no new guidance has been provided.

Employers should consult with their advisors regarding any potential future impact on their coverage offerings, including confirming that their plan’s fixed indemnity insurer will satisfy the new consumer protection notice requirement on behalf of the plan. Note that these final rules only partially addressed the proposed rules. Employers should continue to monitor Compliance Corner for updates regarding additional final rules or new related guidance.

CMS Fact Sheet »
Final Rules »

On April 2, 2024, the HHS, CMS, and IRS released the 2025 Notice of Final Benefit and Payment Parameters (the 2025 final rule), an accompanying fact sheet, and, in coordination with the DOL, a related FAQ. The 2025 final rule, which follows a proposed rule issued on November 15, 2023, is primarily directed at health insurers and the ACA marketplace but includes certain information that directly or indirectly impacts group health plans.

Notably, the final rule and FAQ codify that prescription drugs in excess of those covered by a state's benchmark plan are considered essential health benefits (EHBs) and are subject to the applicable ACA out-of-pocket (OOP) maximum and prohibition on annual and lifetime dollar limits, unless the coverage of the drug is mandated by state action such that it would not be considered an EHB.

As background, the ACA requires insurers in the individual and small group markets to offer plans with a comprehensive set of benefits called EHBs. The coverage must include items and services in ten EHB categories, which include prescription drugs. Additionally, all non-grandfathered health plans, including self-insured group health plans and large group market plans, to the extent these plans cover EHBs, must comply with the ACA annual OOP cost-sharing limit and the prohibition on annual and lifetime limits. As a reminder, the 2025 ACA plan annual OOP cost-sharing limits, as specified in prior CMS guidance, are $9,200 for self-only coverage and $18,400 for other than self-only coverage. (The 2024 limits are $9,450 and $18,900, respectively.)

CMS has historically taken the position that prescription drugs covered beyond the minimum EHB-benchmark coverage requirement (unless pursuant to a state mandate) are also EHBs and thus subject to the ACA annual OOP cost-sharing limit and prohibition on annual and lifetime dollar limits. Accordingly, the 2025 final rule formalizes CMS’s position, which was previously informal guidance, for clarification purposes and to promote greater compliance. The 2025 final rule provision applies only to non-grandfathered individual and small group market plans. These plans will need to review their drug plan design immediately and work with their insurers and PBMs (if applicable) to take steps to ensure that drug coverage in excess of its EHB-benchmark plan is also subject to the annual OOP cost-sharing limit and the prohibition on lifetime and annual limits. These plans may also need to review their related policies for compliance, including how drug manufacturer assistance applies towards the plan’s OOP cost-sharing limit.

The 2025 final rule provision does not apply to large group and self-insured plans. However, the FAQ noted that the DOL, HHS, and IRS intend to propose rulemaking that would align the EHB prescription drug requirements for large and self-insured plans with those applicable to individual and small group market plans. In such event, most of the group health plans would be required to treat prescription drugs covered by the plan, including drugs in excess of the applicable EHB-benchmark plan requirements as EHBs for purposes of the ACA annual OOP cost-sharing limit and prohibition on lifetime and annual limits.

Among numerous other changes, the 2025 final rule also removes a prior prohibition against including routine non-pediatric dental services as an EHB. This change will allow states to update their EHB-benchmark plans to include routine non-pediatric dental services effective for benefit years beginning on or after January 1, 2027.

Employers that sponsor group health plans should be aware of the release of the 2025 final rule, which is effective June 4, 2024, and particularly, the provisions regarding the extent to which covered prescription drugs are considered EHBs subject to applicable ACA limits. Employers should also monitor for additional guidance; we will report on relevant developments in future editions of Compliance Corner.

Federal Register: Public Inspection: Patient Protection and Affordable Care Act, HHS Notice of Benefit and Payment Parameters for 2025; Updating Section 1332 Waiver Public Notice Procedures; Medicaid; Consumer Operated and Oriented Plan Program; and Basic Health Program »
HHS Notice of Benefit and Payment Parameters for 2025 Final Rule »
DOL FAQ about Affordable Care Act Implementation Part 66 »

On March 24, 2024, in McKee Foods Corporation v. BFP, Inc. dba Thrifty Med Plus Pharmacy, the Sixth Circuit US Court of Appeals (Sixth Circuit) held that McKee Foods’ claims that Tennessee’s “any willing pharmacy” (“any-willing-pharmacy”) laws are preempted by ERISA, and that state law does not require it to include Thrifty Med in its approved network of pharmacies, were not rendered moot following changes to the underlying state laws and other factual developments in the case. The Sixth Circuit reversed and remanded the case for further proceedings.

McKee Foods is a commercial bakery in Tennessee that offers a health benefits plan (Health Plan), governed by ERISA, for its eligible employees and their eligible dependents. Part of that plan is their Prescription Drug Program (PDP) that offers favorable benefits to participants for using in-network pharmacies. Thrifty Med is an independent pharmacy in Tennessee and was a member of PDP’s network of pharmacies until July 2019 when McKee Foods and its pharmacy benefit manager (PBM) removed Thrifty Med from the network. For the next three years, Thrifty Med actively pursued getting reinstated into PDP’s network by meeting with McKee multiple times, circulating petitions among McKee employees, paying for billboards, and paying an attorney to contact McKee to argue that Tennessee’s any-willing-pharmacy statute required McKee to admit Thrifty Med to the network. Thrifty Med also lobbied the Tennessee legislature for passage of an amendment to the any-willing-pharmacy statute, which previously applied only to insured plans. The new statute, which took effect on July 1, 2021, extended the any-willing-pharmacy law to self-insured entities (see Compliance Corner, July 7, 2021, article).

Soon after passage of the statute, Thrifty Med began submitting claims for payment to PDP, and when the claims were denied, Thrifty Med filed three administrative complaints with the Tennessee Department of Commerce and Insurance (TDCI). The complaints were dismissed by the TDCI but not before McKee filed this action in mid-November 2021 seeking, 1) a declaratory judgment that the any-willing-pharmacy statute is preempted by ERISA, 2) an order enjoining Thrifty Med from pursuing any legal or administrative action to enforce the state’s any-willing-pharmacy laws against McKee or otherwise to force McKee to include Thrifty Med in its PDP, and 3) instruction from the court as to the scope of its fiduciary duties in determining which pharmacies to include in the Health Plan and whether the Health Plan is subject to the statute.

In April 2022, the Tennessee Legislature passed yet another amendment to the any-willing-pharmacy statute, changing the application to specifically include ERISA plans. About a month later, McKee moved for summary judgment. The next day, Thrifty Med filed a competing motion to dismiss for lack of subject matter jurisdiction or, in the alternative, for summary judgment. In Thrifty Med’s filing in support of its motion, the president of Thrifty Med stipulated that Thrifty Med would “no longer pursue reinstatement to McKee’s Prescription Drug program under the [first amendment to the any-willing-pharmacy]” but also that “it remain[ed] to be determined whether Thrifty Med w[ould] pursue reinstatement under” the April 2022 amendment to the statute.

After a hearing on the pending motions, the district court held that the case was moot because 1) the TDCI dismissed Thrifty Med’s administrative complaints, 2) Thrifty Med had taken no further legal action, and 3) Thrifty Med had stipulated that it had no current plans or intentions to pursue reinstatement, so McKee’s alleged “harm” was too speculative to demonstrate the existence of a live case or controversy over which the court could exercise jurisdiction.

The Sixth Circuit addressed the issue of whether the case was moot, first finding that the April 2022 amendment to the any-willing-pharmacy statute did not render McKee’s claims moot because the new law did not substantially and materially amend the pertinent statutory language of the first amendment to the statute. Next, Thrifty Med’s qualification of its intent to continue to pursue reinstatement to the PDP network does not meet the “heavy burden” of persuading the Sixth Circuit that it is unlikely to resume its pursuit of reinstatement in the future. Thus, Thrifty Med has not demonstrated with absolute clarity that McKee will not have to defend against a renewed pursuit of reinstatement from Thrifty Med.

The case will return to the district court for further proceedings on McKee’s original complaint. The ultimate question is whether any-willing-pharmacy statutes passed by states are preempted by ERISA. If the state laws are preempted by ERISA, self-funded ERISA plans would not have to comply with them. The US Supreme Court has already ruled (under different facts) that ERISA did not preempt a state regulation of PBMs that required the PBMs to pay pharmacies regulated by the state for drugs at a price equal to or greater than wholesale cost (see Compliance Corner, December 22, 2020, article). But the Tenth Circuit Court of Appeals ruled in August 2023 that a similar any-willing-pharmacy statute in Oklahoma was preempted by ERISA (see Compliance Corner, August 29, 2023, article). We are seeing states passing laws that are worded to regulate PBMs, and not healthcare plans, in an attempt to avoid preemption. Health plan sponsors will want to follow the outcomes of these laws that could affect their prescription drug plans.

McKee Foods Corporation v. BFP, Inc. dba Thrifty Med Plus Pharmacy »

On March 19, 2024, a federal trial court held that the hearing-impaired mother and daughter stated a sufficient claim of “proxy” discrimination under ACA Section 1557 against Regence BlueShield, a health insurer, for its plans’ exclusion of all hearing devices except cochlear implants to proceed to trial.

ACA section 1557 prohibits discrimination in certain health programs or activities based on race, color, national origin, sex, age, or disability. “Proxy” discrimination can result from (in the court’s words) a “policy that treats individuals differently on the basis of seemingly neutral criteria” where excluding criteria is “so closely associated with the disfavored group,” that “facial discrimination” against that group is reasonably inferred. For example, gray hair might be used as a proxy to exclude individuals over a certain age from coverage.

Here, the plaintiffs alleged that individuals requiring hearing aids were proxies for discrimination by the plan on the basis of disability. Because hearing aids are generally prescribed when there is an objective diagnosis of hearing impairment, together with the subjective impact on daily life, nearly all individuals who are prescribed hearing aids (and who are therefore adversely affected by the exclusion) are “disabled” under federal law. Anyone requiring a hearing aid is, therefore, by proxy, a person with a hearing disability, and by barring coverage for all hearing devices but cochlear implants, the Regence plans intentionally discriminated against hearing-disabled individuals.

Finding that the plaintiffs provided enough support (which also included historical enactment and targeted enforcement data) to show that “all or very nearly all individuals who obtain prescription hearing aids are ‘disabled’ under federal law” because they “experience a substantial impact of their hearing loss in their daily lives,” and that only a “small minority” of those would qualify for cochlear implants, the court denied the insurer’s motion to dismiss the plaintiffs’ claim, allowing the case to go forward to a trial on the merits.

Employers and plan sponsors should closely monitor the developments in this case in terms of its potential effects on plan exclusions so closely related to particular disabilities that they could give rise to a plausible proxy discrimination claim against the plan in instances where there are enough facts to support such a claim.

E.S., et al. v. Regence BlueShield, et al. »

On February 29, 2024, in Black v. Unum Life Insurance Company of America, the Federal District Court for the Northern District of Texas granted in part the motion for summary judgment by Black (the plaintiff), determining that Unum (the defendant) failed to provide a full and fair review of plaintiff’s long-term disability claim. The court remanded the matter back to the defendant to review the claim in line with ERISA requirements.

The plaintiff received long-term disability claims through her employer under a plan administered by the defendant. In September 2021, the defendant denied a claim submitted by the plaintiff, asserting that the plaintiff was no longer disabled. The defendant stated that it reviewed the medical records and talked with the treating medical providers as part of its review. The plaintiff appealed the denial. The defendant’s employee, a nurse, determined that there was no medical disagreement among the plaintiff’s physicians regarding her functionality and denied the claim on appeal. The defendant declined to review the claim denial again, so the plaintiff filed the lawsuit, alleging that the defendant failed to provide a full and fair review of her claim as ERISA requires.

The court applied a substantial compliance standard when evaluating the defendant’s review. Under ERISA, an appeal of an adverse determination of a claim based upon medical judgment must include consultation with a medical professional with training and experience in the field of medicine involved in the medical judgment. The medical professional cannot be the same person who was consulted for the original determination. Since the initial denial was based on a review of medical records and consultations with the plaintiff’s doctors, the court concluded that the initial denial was based on medical judgment. However, the court determined that the nurse who conducted the appeal review deferred to the opinions of the doctors in the original review. In addition, the nurse was not qualified to conduct the appeal review because she did not have the appropriate experience and training. Accordingly, the court determined that the defendant failed to substantially comply with ERISA requirements.

Employers that offer long-term disability benefits to their employees should be aware of ERISA claim review and appeal requirements and take steps to ensure that the applicable procedures for their long-term disability plans comply with ERISA’s requirements, including conferring with their disability carriers on the subject, where applicable.

Black v. Unum Life Insurance Company of America »

On March 18, 2024, HHS’ Office of Civil Rights (OCR) issued an updated bulletin modifying its previous guidance issued in December of 2022 on the use of third-party online tracking technologies by HIPAA-regulated entities, which include covered entities (such as group health plans) and business associates.

OCR generally defines tracking technology as a script or code on a website or mobile app used to gather information about users or their actions as they interact with a website or mobile app. After information is collected from websites or mobile apps, it is then analyzed by the website owners, mobile app owners, or third parties to gain insights about users’ online activities. While OCR has acknowledged through its guidance that such insights can be used in beneficial ways to help improve care or the patient experience, to improve the utility of webpages and apps, or to efficiently allocate resources, it has also expressed its concerns about the potential misuse of tracking data to promote misinformation, identity theft, stalking, and harassment.

OCR has expressed concern about covered entities and business associates relying on third-party tracking technologies rather than technologies developed internally. Therefore, the bulletin is primarily concerned with regulated entities’ obligations when using third-party tracking technologies that send information directly to those third parties that may continue to track users and gather information about them even after they navigate away from the original website to other websites.

The bulletin update clarifies that no PHI is accessed when the tracking technology connects the IP address of a user’s device with a visit to a webpage addressing specific health conditions, so long as the visit to the webpage is not related to an individual’s past, present, or future health, healthcare, or payment for healthcare. For instance, when a user visits a hospital’s website to find visiting hours, employment opportunities, or other such general information, no access to PHI occurs. Additionally, there is no access to PHI when an individual accesses a HIPAA-regulated entity’s landing page by mistake, nor is there access when a student is conducting academic research.

While OCR has not provided an official reason for this modification, it does come in the midst of an ongoing lawsuit brought by the American Hospital Association along with the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System, alleging that OCR exceeded its statutory authority in the original guidance by interpreting the definition of individually identifiable health information too broadly when applied to individuals’ access to unauthenticated webpages.

Other than the change announced on March 18, 2024, the original guidance, through which OCR has determined that tracking technologies have access to PHI where they can access information regarding an individual who is seeking medical services (e.g., seeking treatment options for a health condition, scheduling an appointment, or using a symptom tracker tool), remains substantially the same, meaning that HIPAA-regulated entities still need to have a business associate agreement with any third-party technology vendor it uses or a HIPAA compliant authorization for the sharing of the information.

In February 2024, HHS and the National Institute of Standards and Technology (NIST) released an updated cybersecurity resource guide to help HIPAA-regulated entities, which include group health plans and their business associates, comply with the HIPAA Security Rule (the Security Rule). This practical guide is organized into five main sections, followed by a wide variety of related resources in the appendices.

Section 1, the introduction, explains the purpose of the guide and outlines its contents. Specifically, the guide is designed to assist regulated entities in their understanding and implementation of the Security Rule but does not replace, modify, or supersede the Security Rule itself. The guide provides a brief overview of the Security Rule, information on assessing and managing cybersecurity risks, and considerations for implementing an information security program.

Section 2 provides a brief overview of the Security Rule, which all regulated entities must comply with. The Security Rule focuses on safeguarding electronic protected health information (ePHI). The ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. Each regulated entity must develop a compliance approach that is tailored to their size, environment, and circumstances.

Sections 3 and 4 focus on risk assessment and management, which provide the foundation for a regulated entity’s Security Rule compliance efforts and the protection of ePHI. A risk assessment identifies conditions where ePHI could be used or disclosed without proper authorization, improperly modified, or made unavailable when needed. As explained in the guide, a regulated entity’s risk assessment process requires an understanding of where ePHI is created, received, maintained, processed, and transmitted, including by portable computing devices, remote workers, and service providers (e.g., cloud service providers). A regulated entity should identify all reasonably anticipated threats to ePHI (e.g., via phishing, ransomware, or insiders) and any vulnerabilities (e.g., in an information system) that could be exploited. The regulated entity should determine the likelihood of a vulnerability being exploited and the risk level and potential impacts.

The risk management process requires regulated entities to implement policies and procedures to prevent, detect, contain, and correct security violations. Ultimately, the regulated entity’s risk assessment processes should inform its decisions regarding the implementation of necessary security measures to reduce risks to ePHI. The risk assessment and management processes should be documented, including the analyses, decisions, and any adjustments to security controls.

Finally, Section 5 provides guidance to help regulated entities comply with security standards and implementation specifications required by the Security Rule. The guidance, which is presented in tabular format, specifies key activities, descriptions, and sample questions for each standard that a regulated entity can review “through the lens of its own organization.”

Group health plans and business associates may find the updated NIST guide (and significant resources referenced in the appendices) very useful for understanding and complying with the Security Rule. These regulated entities should work with their information technology support teams to determine if their current risk assessment and management procedures are adequately tailored to address potential cybersecurity threats to ePHI.

Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide (NIST SP 800-66r2) »

On January 31, 2024, the US District Court for the Northern District of California (the court) filed a ruling on motions for summary judgement in Zavislak v. Netflix, Inc., determining, among other issues, that an ERISA health plan beneficiary is not entitled to receive copies of all plan documents under ERISA Section 104.

In this case, Zavislak (the plaintiff), as a covered beneficiary (the spouse of an employee/participant) of the self-funded ERISA health plan sponsored by Netflix, Inc. (the defendant), requested copies of various health plan documents, including the Plan Document (capitalized here to indicate that it is a reference to the Plan Document required by ERISA, as opposed to other documents, generically referred to as plan documents, that could refer to various other documents relating to the plan and its operation), a TPA agreement, and any other documents related to making benefit determinations under the plan. The plaintiff received no response to their January 2021 request and sent another request in February 2022. At that point, the defendant began to provide responsive documents, and the plaintiff asked for more documents, including certain administrative services agreements between the plan’s TPA and claims administrators. The defendant refused to provide the additional documents. The plaintiff eventually filed suit against the defendant and requested the maximum penalties under ERISA Section 502(c)(1) of $110 per day for the failure to provide requested plan documents.

The court noted that the Ninth Circuit Court of Appeals (Ninth Circuit), which includes California, narrowly interprets the disclosure requirements of Section 104. Specifically, the court quoted the Ninth Circuit in that “the documents contemplated by § 104(b)(4) [those that must be disclosed] are those that allow the individual participant [to] know exactly where he stands with respect to the plan—what benefits he may be entitled to, what circumstances may preclude him from obtaining benefits, what procedures he must follow to obtain benefits, and who are the persons to whom the management and investment of his plan funds have been entrusted.” And, although the statute specifically mentions “contracts” as being subject to production, it does not necessarily encompass all contracts between a plan and TPAs that render services to the plan. According to the Ninth Circuit, “[d]ocuments which ‘relate only to the manner in which the plan is operated’” need not be disclosed under the statute.

Thus, the court ruled that the administrative services agreements (contracts) between the plan and its TPAs “relate only to the manner in which the plan is operated” and need not be disclosed under the statute. The court ruled that several other documents requested by the plaintiff were not required to be produced because they were included in documents that were produced by the defendant.

As to the issue of statutory penalties for failure to produce documents requested by a participant or beneficiary, the court declined to award the full $110 per day, as requested by the plaintiff, due to the suspension of deadlines by the DOL because of the COVID-19 pandemic. The court did, however, award penalties in the amount of $15 per day from the date of the first request in January 2021 to the date documents were produced in March 2022 for a total of $6,465.

In addition to the notable ruling that contracts with TPAs are not included in the documents that ERISA requires to be produced at the request of a participant or beneficiary (specifically, those contracts that “relate only to the manner in which the plan is operated”), this case is a reminder that the issue of which documents must be produced to participants and beneficiaries under ERISA may depend on where (which jurisdiction) the plan sponsor is. It also illustrates the need for plan administrators to have procedures in place for receiving and responding to requests for documents within the 30 days that ERISA allows. It would be prudent for a plan sponsor to include consultation with counsel as part of those procedures when a request for documents is received. This case went on for over three years, and the awarded statutory penalties were probably the least expensive part of the process for the defendant.

Zavislak v. Netflix, Inc. »

On February 29, 2024, the Federal District Court of Northern District of California denied Aetna Inc. and Aetna Life Insurance (collectively, Aetna)’s motion to dismiss a case alleging that Aetna health insurance plans discriminate against LGBTQ members seeking fertility treatment coverage by placing additional burdens on couples in same-sex partnerships.

As background, in April 2023, a participant (plaintiff) of a self-insured health plan filed a class action complaint against the plan’s administrator, Aetna, under ACA Section 1557, which prohibits health insurers from discriminating based on a number of characteristics, including sex. The plaintiff alleged that the plan discriminated against her, her wife, and other participants in similar situations based on their sexual orientation by denying them equal access to fertility treatments.

Prior to 2023, the plaintiff’s plan covered fertility treatments for enrollees who were “infertile” based on their inability to conceive after one year (or six months for older participants) of frequent, unprotected heterosexual sexual intercourse or, for women without a male partner, after 12 cycles of donor insemination (six months/six cycles for older participants). The plaintiff alleged that this provided heterosexual couples the option to establish infertility in either of the two ways while giving same-sex couples only one way to be eligible for fertility benefits. In response, the plan was amended to base its coverage determination on “egg-sperm contact” rather than intercourse or insemination, with the definition applicable to “all individuals regardless of sexual orientation or the presence/availability of a reproductive partner.”

Yet the plaintiff claimed that the plan continues to discriminate against LGBTQ members by imposing additional and more arduous prerequisites for fertility treatment access than those applicable to heterosexual couples, and the plan merely removed the references to “heterosexual” and the reference to a “woman without a male partner” in the revised policy. Specifically, the plaintiff contended that heterosexual couples could demonstrate infertility simply by representing that they had had 12 months of frequent intercourse, while same-sex couples were forced to undergo up to 12 cycles of donor insemination, in which each cycle “costs at least hundreds of dollars” and requires the patient to undergo intrusive procedures.

Aetna contended that the plaintiff’s claim of intentional discrimination under Section 1557 should be dismissed because its fertility coverage does not base its definition on a member’s sex or sexual orientation. But the court determined that the plaintiff’s allegation that access to fertility coverage is more burdensome for same-sex partners than different-sex partners was enough to support an adequate claim for adjudication. Therefore, the court denied Aetna’s motion to dismiss on this basis.

This case is in an early stage and at the district court level; courts in other jurisdictions may have ruled differently on the motion to dismiss. However, employers should be aware of the ruling and may want to review their fertility coverage with legal counsel to ensure that their benefits are drafted, offered, and administered in a nondiscriminatory manner. Employers should follow developments in this unsettled area of the law involving the application of Section 1557.

Berton v. Aetna Inc. »

Executive Summary

A recently filed lawsuit focuses on ERISA fiduciary obligations of employers in their role as group health plan sponsors, particularly the “duty of prudence” in selecting and monitoring health plan vendors. Specifically, the lawsuit involves a prescription drug plan’s benefits and management, including the plan’s usage of pharmacy benefit managers (PBMs). The lawsuit alleges that as a result of fiduciary failures, plan participants and beneficiaries were required to pay increased costs and premiums and thus harmed.

The case is still pending, making it difficult to ascertain the specific employer fiduciary obligation takeaways in the prescription drug context. Additionally, this lawsuit involves the use of a trust for benefit payments, which may differentiate it from other employer sponsored group health plan designs and may limit the application of any court decision. Nevertheless, the lawsuit serves as a helpful reminder for employers—particularly those sponsoring self-insured plans—to review their fiduciary obligations and maintain robust fiduciary procedures. NFP will continue to monitor the lawsuit.

Background

In early February 2024, a class action complaint was filed against pharmaceutical company Johnson and Johnson (in its capacity as the plan sponsor of their group health and prescription drug plan) and its benefits committee (collectively, J&J). According to the complaint, J&J failed to meet ERISA fiduciary obligations in its selection of a PBM (Express Scripts) and failed to negotiate more favorable pricing terms for the plan and participants in their PBM services agreement. The complaint claims that this resulted in increased costs (e.g. higher plan premiums, deductibles, copayments, cost-sharing) thus harming participants and beneficiaries. The lawsuit raises some interesting and challenging questions regarding an employer’s obligations in selecting, monitoring, and overseeing plan vendors, including PBMs.

Health Plan Fiduciaries and ERISA Obligations

To help understand the allegations, it’s important to have a solid grasp of ERISA and fiduciary obligations. At a high level, ERISA was – in part – enacted to protect the interests of participants and beneficiaries of employer-sponsored welfare benefit plans (employees and their dependents in the group health plan context). ERISA sets levels of conduct for those who manage employee benefit plans and their assets, called fiduciaries. Under ERISA, employers are considered fiduciaries in their role as health plan sponsors and administrators. Certain other individuals (e.g., a person, committee, or entity) or service providers may also be named as fiduciaries in the related plan documents (at least one fiduciary must be named). An individual or service provider could also be considered a fiduciary if they exercise discretionary authority or control over the plan or its assets. Note that merely being named as a contact for the plan does not make an individual a fiduciary.

Fiduciaries have a heightened responsibility to follow certain standards when operating, administering, or making (non-settler) plan decisions, and those responsibilities are generally referred to as “fiduciary obligations” or “fiduciary duties.” Two primary duties are the duty of loyalty and the duty of prudence. The duty of loyalty requires the plan fiduciary to act in the best interests of plan participants and beneficiaries. The duty of prudence requires fiduciaries to act with the same care, skill, prudence, and diligence as a comparably knowledgeable plan fiduciary acting under similar circumstances. The duty of prudence focuses on the decision-making process as opposed to the actual results and outcomes. This focus highlights the importance of recording activities, keeping minutes of meetings and discussions, and maintaining relevant documents, reports, legal opinions, or expert advice that were considered in reaching final conclusions on plan-related decisions.

Additionally, under both duties, plan fiduciaries have an obligation to monitor plan service providers, including third-party administrators (TPAs), PBMs, or other vendors that service the plan. When considering potential service providers, fiduciaries should compare their services, experience, fees and expenses, customer references, or other information relating to the quality of services. Importantly, fiduciaries must understand the terms of any agreements entered with service providers and whether the fees and expenses to be charged to the plan are reasonable. Fiduciaries also must periodically review the performance of their service providers to ensure that they are providing the services in a manner and at a cost consistent with the agreements.

ERISA Fiduciary Compliance Obligations for Fully Insured Plans Versus Self-Insured Plans
For fully insured plans, the carrier and plan sponsor generally share fiduciary responsibility and the carrier plays a significant role in complying with the duties of loyalty and prudence. For self-insured plans, the employer plan sponsor assumes a much higher level of fiduciary duty to administer the plan prudently and in the best interest of plan participants.

PBM Pricing Models

To understand the allegations, it’s important to consider PBM pricing methodologies. PBMs generally receive compensation through one of three methods, as outlined below.

• Pass-Through Pricing. The PBM charges the drug’s acquisition cost (i.e., the amount paid to the drug manufacturer for the drug) to the plan. The PBM receives compensation from the plan via a per-employee or per-month rate.
• Spread Pricing. The PBM receives compensation on the difference (spread) between the PBM’s drug acquisition cost and the PBM’s charge to the employer plan. For example, if the PBM pays a drug manufacturer $20 for a drug, and the PBM charges the plan $30 for the drug, the PBM keeps the difference ($10) as compensation.
• PBMs, as bulk buyers, negotiate rebates from drug manufacturers. The PBM retains a portion or all the negotiated rebate as its compensation.

J&J Lawsuit Allegations: Plan Sponsor Failures and Participant Harms

At a high level, the lawsuit alleges that J&J breached its ERISA fiduciary duties in several ways, resulting in the plan – and by extension its participants – overpaying for prescription drugs. Specifically, the allegations include:

• Failure to Use Prudence in Negotiating Contract Pricing Terms. The complaint alleges that J&J overly relied on its PBM’s formulary (generally, the list of covered drugs) development rather than negotiating or assisting in the formulary development itself — allegedly allowing the PBM’s favoring of more expensive brand name drugs over generic drugs, thus increasing the PBM’s compensation and the overall plan’s expenses. Additionally, the complaint alleges that J&J agreed to pay the PBM exorbitant prices for generic prescription drugs that could be obtained without insurance at some pharmacies for a much lower price.
• Failure to Use Prudence in Selection of PBMs. The complaint alleges that J&J did not regularly conduct requests for proposal and failed to consider non-traditional PBMs (those compensated via pass-through pricing instead of spread pricing and rebates) and asserts that these failures incentivize the PBM to overcharge the plan.
• Failure to Use Prudence in Prescription Drug Plan Design. The complaint asserts that J&J overly relied on the PBM’s specialty pharmacy service instead of using a carve-out specialty pharmacy through a third-party vendor — allegedly incentivizing the PBM to direct participants towards PBM-owned specialty drugs rather than lower-cost options.

As a result of those failures, the lawsuit alleges harm to plan participants in the form of increased premium rates and cost-sharing. The complaint alleges that the increase in overall expenses relating to prescription drug costs increases premium rates, to which participants (employees) contribute. The complaint also alleges that the plan’s failure to negotiate lower drug rates caused participants to overpay for drug costs through higher copayments, cost-sharing, and co-insurance. Even though certain drugs were available at a cheaper rate from an unaffiliated pharmacy, J&J plan participants paid more for the drugs through the PBM-owned or affiliated pharmacy.

Potential Impacts

It is still quite early in the litigation process and unless and until the case reaches a final conclusion, it is impossible to ascertain how prescription drug plans and employer fiduciary duties might be affected. Perhaps other lawsuits will follow, particularly considering recently enacted transparency requirements under the Transparency in Coverage Final Rule and CAA 2021 (both generally make information concerning drug prices publicly available). Arguably, these laws provide employers with greater access to healthcare pricing information so that they can make better informed cost-conscious decisions regarding plan benefits.

In any event, employers concerned about possible litigation should ensure they are engaging in prudent fiduciary decision-making processes with respect to the selection of PBMs and other vendors. Employers speculating about the impact this lawsuit might have on their specific plan design should consult with legal counsel for advice and guidance.

As noted earlier, the J&J plan funding is distinct from the typical funding of employer-sponsored group health plans because it is funded through a voluntary employee benefits association (VEBA). A VEBA is a special tax-advantaged trust funded by employer and participant/employee contributions. This is meaningful because any funds held in such a trust – segregated from the employer’s general assets – are considered ERISA “plan assets” and subject to ERISA fiduciary protections, including the duties of loyalty and prudence. As a result, certain aspects of the case, and perhaps any resulting decision, may be limited in applicability. Thus, only time will tell if similar lawsuits will be brought against plans that are funded via a more common plan design, such as through the employer’s general assets.

Employer Takeaways

At the moment, no immediate action is needed as a result of this initial court filing. That said, while this case plays out in court, employers – as ERISA plan sponsors – should carefully consider their fiduciary obligations. At a high level, employers should actively engage in a prudent process when selecting and overseeing plan service providers and vendors, including prescription drug and PBM vendors. Employers should consider that ERISA does not mandate a singular or one-size-fits-all approach to fiduciary decision making. Rather, ERISA requires employers to consider the totality of facts and circumstances of their own situation.

More specifically, in consultation with their legal counsel, employers may consider:

• Establishing and documenting an annual process by which the employer obtains, reviews, and monitors PBM and other vendor proposals, agreements, benchmarking, clinical programs, and vendor performance (and memorializing the process in formal policies and procedures).
• Establishing a process through internal or external resources to actively manage and oversee key aspects of the prescription drug program with a focus on ensuring costs remain reasonable. If necessary, implementing a process whereby beneficiaries may be steered towards more cost-effective options (information could be gathered from other prescription drug vendors and pharmacies and compared against the current vendor’s prices and value).
• Establishing a fiduciary committee for health and welfare benefits, including adopting a charter and delegating fiduciary responsibility to the committee.
• Identifying and reviewing PBM and other vendor contracts to compare related fee and rebate arrangements and formularies. Prudency may require hiring an independent expert, if necessary, to interpret and explain the specific pricing and terms.
• When selecting a PBM, developing a process to review and consider the terms of PBM and other prescription drug options with a focus on value received for the cost (lowest cost choice does not always mean most reasonable and prudent choice).
• Periodically running PBM and other vendor contracts through the RFP process.
• When completing an RFP, consider implementing a transparent PBM pricing model (such as the pass-through model described above).
• Engaging subject matter experts that understand the changing landscape of pharmacy benefits; reliance on medical insurance carriers or PBMs may not be sufficient.
• Contracting arrangements that involve direct to pharmacies or manufacturers or direct to consumer pricing.
• Implementing a formal training program for fiduciaries relating to fiduciary obligations and duties.
• Acquiring fiduciary liability insurance to protect plan sponsors and fiduciaries from fiduciary breach liabilities.

Importantly, with respect to prescription drugs specifically, ERISA does not require that plan fiduciaries always use the lowest cost vendor. For a variety of reasons, employers may choose not to work with non-traditional PBMs, even if they supposedly offer lower drug pricing. There are other considerations that impact the prudent actor analysis, including network access, claims processing, and drug formulary selection, all of which may be significant to plan participants.

NFP will continue to closely monitor the J&J and other notable court decisions and report on them via NFP’s Compliance Corner newsletter.

On March 6, 2024, the IRS issued an alert (IR-2024-65) to remind taxpayers and health spending plan administrators that personal expenses for general health and wellness are not considered medical care. Therefore, these expenses are not reimbursable through health FSAs, HRAs, HSAs, and MSAs.

As background, medical care expenses that are defined in Section 213(d) are generally eligible to be paid or reimbursed under health FSAs, HRAs, HSAs, and MSAs unless the expenses were reimbursed by an individual’s healthcare coverage (e.g., an employer-sponsored health insurance plan). Medical expenses under Section 213(d) are the costs of diagnosis, cure, mitigation, treatment, or prevention of disease and for the purpose of affecting any part or function of the body. Further, medical expenses must be primarily to alleviate or prevent a physical or mental disability or illness and they exclude expenses that are merely beneficial to general health.

The IRS alert explains that some companies are misrepresenting the circumstances under which food (e.g., for weight loss) and wellness expenses can be paid or reimbursed under FSAs and other health spending plans using an example. These companies erroneously advertise that a doctor’s note based merely on self-reported health information can convert non-medical food, wellness, and exercise expenses into qualified medical expenses.

However, the IRS clarifies that such a doctor’s note does not satisfy the requirement that it be related to a targeted diagnosis-specific activity or treatment, and these types of personal expenses do not qualify as medical expenses. The IRS reminds plan administrators that FSAs and other health spending plans that pay for, or reimburse, non-medical expenses are not qualified plans. Accordingly, if the plan is not qualified, all reimbursements, even reimbursements for actual medical expenses, are includible in income. The IRS frequently asked questions outline whether certain costs related to nutrition, wellness, and general health are medical expenses.

Employers who sponsor health FSAs and other spending accounts should review their vendors’ current claim adjudication factors to ensure that non-medical expenses, such as personal general health expenses, are not reimbursed through health FSAs and other spending accounts. Additionally, it is important for employers to educate their employees regarding medical expenses related to nutrition, wellness, and general health to determine whether a food or wellness expense is a medical expense.

For further information about qualified medical expenses as defined in Section 213(d), please ask your broker or consultant for a copy of the NFP publications Qualified Medical Expenses and Quick Reference Chart: HSAs, Health FSAs, and Traditional HRAs.

IRS Alert: Beware of Companies Misrepresenting Nutrition, Wellness and General Health Expenses as Medical Care for FSAs, HSAs, HRAs and MSAs »
IRS Frequently Asked Questions About Medical Expenses Related to Nutrition, Wellness, and General Health »

On February 7, 2024, in Schinnerer v. Wellstar Health, Inc., the Federal District Court for the Northern District of Georgia denied the defendant’s motion for summary judgment on the issue of failing to timely provide a COBRA election notice. Although not a focus of this article, the court also addressed the defendant’s motion for summary judgment on the plaintiff’s False Claims Act retaliatory termination claim, which was granted.

The plaintiff was an employee of the defendant from May 2020 to October 2021, when his employment was terminated. Prior to his termination, the plaintiff was placed on administrative leave from May 18, 2021, until he was terminated. During the administrative leave, the plaintiff had no access to the defendant’s systems. Also, during the leave, the defendant changed his residence. Because he had no access to the defendant’s systems, the plaintiff could not change his address in the system, so he called the defendant’s human resources department and gave them his new address in August 2021.

Upon the plaintiff’s termination, a COBRA election notice was sent by the defendant’s COBRA administrator by first-class mail to the plaintiff’s address in the defendant’s system, which was the plaintiff’s former address. Since the notice was not sent to his current address, the plaintiff did not receive the election notice until months after his termination.

COBRA regulations do not require actual delivery of COBRA notices to the intended recipient. Rather, the regulations require that notices be sent in a manner “reasonably calculated to ensure actual receipt.” Defendant contended that they had met that standard and filed their summary judgment motion (judgment without a trial) based on that contention. But the court denied the defendant’s motion for summary judgment, observing that it could not conclude as a matter of law that mailing the notice to the wrong address after being informed of the correct address “months before” counts as “reasonably calculated to ensure actual receipt.”

Summary judgment on this issue does not end the case — it only means that there will now be a trial (unless the parties settle first) on the timeliness of the COBRA notice question. But the result does act as a reminder for plan sponsors/administrators to keep employees’ records up to date in all their systems and to pass that information to vendors who use the information to complete their tasks. Failure to do so can result in time-consuming and costly litigation. One way to avoid this situation is by confirming departing employees’ current addresses in writing and correcting the information immediately in the system if it does not match.

Schinnerer v. Wellstar Health, Inc., 2024 WL 476960 (N.D. Ga. 2024) »

The DOL's Advisory Council on Employee Welfare and Pension Benefit Plans (the Council) recently issued a report examining the scope and impact of limitations on long-term disability (LTD) benefits for mental health and substance use disorder (MH/SUD) conditions. The report highlights the lack of parity in duration limits for coverage of MH/SUD as compared to medical/surgical conditions under LTD benefit plans and makes recommendations to address this disparity.

LTD insurance coverage protects employees by providing income replacement if sickness or injury prevents them from working for a prolonged period. State insurance laws regulate disability insurance, including LTD insurance. However, only one state, Vermont, currently requires mental health parity in disability insurance. Notably, the federal MHPAEA, which requires parity for coverage of medical/surgical and MH/SUD conditions, applies only to medical benefits and not disability benefits.

According to the report, most employer-sponsored LTD plans fund benefits through the purchase of insurance and do not require employee contributions. Significantly, insured LTD benefits typically have a 24-month limit on the duration of benefits for disabilities resulting from MH/SUD conditions, while benefits for disabilities due to other medical conditions generally continue until retirement age. According to industry sources cited in the report, only 1% of group disability policies sold in the US do not have MH/SUD limitations.

To better understand the rationale for and prevalence and effects of the LTD benefit limitations, including whether certain health conditions have been misclassified as being subject to such limitations, the Council sought testimony from numerous medical and industry experts and stakeholders. Several testified regarding the difficulty of assessing MH/SUD claims to make a disability determination and the misclassification of MH/SUD conditions leading to claim denials. Numerous individuals viewed the current lack of parity requirements for disability benefits as discriminatory.

Other stakeholders testified regarding employer sensitivity to cost when purchasing an LTD policy and the difficulty of assessing the cost of a policy without MH/SUD duration limitations (due to the small percentage of such policies currently issued). They noted that most insurers offer policies without MH/SUD benefit limitations, although these are neither promoted by brokers nor chosen by employers. In contrast, a retiree of Vermont’s insurance department indicated that the state’s implementation of a parity requirement had little impact on the cost or frequency of disability policies.

The Council, upon consideration of the testimonials and available data, concluded the report by recommending the DOL to take the following actions to address the current mental health disparity in LTD insurance benefits:

1. Encourage Congress to adopt LTD insurance parity requirements like the MHPAEA mandates applicable to group health plans and urge employers to reconsider whether current MH/SUD exclusions and limitations for LTD benefits are necessary.
2. Authorize research of LTD insurance to determine the basis for duration limits for MH/SUD conditions and the actuarial and cost implications of removing such limits.
3. Advise insurers to present plan sponsors with LTD coverage options without duration limits for MH/SUD conditions.
4. Educate plan sponsors on the impact of duration limitations in LTD policies, including with respect to employees’ well-being.

The Council’s recommendations are only advisory; the DOL has the discretion to determine whether to adopt any of these measures. However, in recent years, the DOL has focused on mental health parity enforcement with respect to group health plans. Accordingly, the DOL’s consideration and possible implementation of the report’s parity recommendations with respect to LTD benefits would seem consistent with their current priorities.

Employers that offer LTD benefits to their employees should be aware of this report and monitor for further developments. Employers should also make sure they are complying with MHPAEA requirements applicable to their group health plan benefits.

Report to the Honorable Julie A. Su, United States Acting Secretary of Labor Long-Term Disability Benefits and Mental Health Disparity »

In February 2024, the DOL issued several revised FMLA Fact Sheets to help employers better understand their compliance obligations under the FMLA. One such fact sheet is Fact Sheet #28J, which discusses how FMLA requirements are applied to airline flight crew employees, as it may be difficult for employers to easily calculate eligibility and leave entitlement for these employees.

Pilots, co-pilots, flight attendants, flight engineers, and flight navigators are all considered to be airline flight crew for purposes of FMLA compliance. Due to the unique nature of these positions, the FMLA’s standard eligibility, leave calculation, and recordkeeping requirements apply differently and, thus, Fact Sheet #28J outlines how employers should handle FMLA for these employees.

Eligibility. To determine eligibility, during the 12 months prior to requested leave, the airline flight crew employee must have worked or been paid for “not less than 60 percent of the applicable total monthly guarantee – or its equivalent – and not less than 504 duty hours.” The applicable total monthly guarantee is the minimum number of hours an employer has agreed to schedule the employee during the previous 12 months. Duty hours are the number of hours the employee has worked or been paid during the previous 12 months. However, duty hours do not include vacation, medical, or sick leave, or personal commute time.

Calculation of Leave. Unlike traditional employees who have up to 12 workweeks of leave under FMLA, the workweek for airline flight crew employees is based on a six-day workweek, so eligible employees may receive up to 72 days (six days x 12 weeks). Qualifying leave due to military caregiver leave provides up to 156 days (six days x 26 weeks). This leave allowance is more complex to calculate, so the fact sheet provides examples that employers can use to calculate both traditional and intermittent leave.

Recordkeeping. To support the unique eligibility calculation, employers must maintain additional documentation, including support for the applicable monthly guarantee and records of actual hours worked or paid.

Employers who are subject to the FMLA and employ airline flight crews should review their current administrative practices to ensure their employees’ leave eligibility and usage are calculated correctly, as outlined in the fact sheet.

Fact Sheet #28J: Special Rules for Airline Flight Crew Employees Under the Family and Medical Leave Act »

On January 17, 2024, HHS released its Annual Update of the HHS Poverty Guidelines for 2024. The notice provides an annual update on poverty guidelines based on the prior calendar year’s increase in prices as measured by the Consumer Price Index. These guidelines are used, in part, to help determine eligibility for federal programs such as Medicaid and to determine eligibility for subsidies in the individual marketplace. Further, these guidelines impact employers who use the Federal Poverty Line (FPL) safe harbor to determine affordability under the ACA’s employer mandate.

The FPL safe harbor uses the federal poverty line for a one-person household (for its respective geographic location) multiplied by the affordability threshold for the respective year; that total is then divided by 12 to derive the maximum self-only cost-share per month. For plan years beginning between January and June of a calendar year, plan sponsors can rely on the prior calendar year’s federal poverty line for the FPL safe harbor calculation since the annual update generally occurs after the plan year has already begun.

The 2024 federal poverty line for a one-person household in the 48 contiguous states and the District of Columbia is $15,060; the poverty guideline increases by $5,380 for each additional household member. In Alaska, the poverty guideline is $18,810 for a one-person household and increases by $6,730 for each additional household member. In Hawaii, the poverty guideline is $17,310 for a one-person household and increases by $6,190 for each additional household member.

For example, using the federal poverty line for the 48 contiguous states, the maximum self-only monthly cost-share should not exceed $105.29 for employers using the FPL safe harbor.

Employers who use the FPL safe harbor should be mindful of the 2024 update, although they can continue to rely on 2023 guidelines through June 2024 if desired. For further information regarding affordability and the ACA’s employer mandate, employers should contact their NFP consultant for a copy of our ACA Resources toolkit.

Annual Update of the HHS Poverty Guidelines »

On February 9, 2024, in Watson v. EMC Corp., the US Court of Appeals for the Tenth Circuit ruled that an employer may be liable for the value of group life insurance benefits that would have been available under an insured policy absent the employer’s failure to adequately inform the employee of the plan’s conversion requirements.

The plaintiff in this case, Marie Watson, sued EMC Corporation, her husband’s former employer, for leading her husband to believe his basic life insurance coverage remained in force following the termination of his employment. EMC’s group life insurance policy was issued by MetLife. EMC was an ERISA plan fiduciary with a duty to act in the interests of participants and beneficiaries. Ms. Watson’s husband, Thayne Watson, was insured under the group plan for basic life insurance benefits totaling $663,000.

Mr. Watson was a participant under EMC’s group life plan for many years before accepting a voluntary separation plan (VSP) in 2015. Under the VSP, Mr. Watson stopped working for EMC, but EMC continued to pay him without interruption to his employee benefits through November 24, 2016. At the end of the VSP, Mr. Watson emailed EMC to ensure his benefits would remain in place. EMC informed Mr. Watson that his benefits would remain active and that he would be billed by EMC’s payroll vendor ADP to continue benefits. Nine months later, Mr. Watson unexpectedly passed away. He paid all bills sent to him by ADP prior to his death.

Following Mr. Watson’s passing, MetLife denied Ms. Watson’s beneficiary claim based on a failure to convert his group life insurance coverage to individual coverage at the end of the VSP period. Ms. Watson sued EMC for an ERISA breach of fiduciary duty, alleging that EMC provided misleading information, which led to Mr. Watson’s failure to convert his group life insurance coverage to an individual policy. The district court found in EMC’s favor, reasoning that because Mr. Watson failed to convert or pay any premiums on converted coverage, there was no policy under which Ms. Watson could recover.

On appeal, the Tenth Circuit found that even though no benefits were due under the terms of the group life insurance plan (because coverage had ended prior to Mr. Watson’s death) or an individual policy (because Mr. Watson did not convert his group coverage to an individual policy), Ms. Watson may be able to recover under ERISA’s equitable remedy. Specifically, in addition to offering plan beneficiaries the right to recover benefits due under the terms of a plan, ERISA also offers a “catchall” equitable relief for beneficiaries harmed by breaches of fiduciary duties. The Tenth Circuit sent the case back to the district court to consider Ms. Watson’s claim for breach of fiduciary duty under ERISA’s equitable relief provision separately, regardless of whether benefits are due under the terms of either the group plan or a converted individual policy.

The Tenth Circuit’s ruling here is not unique. Rather, it aligns with other circuit courts that have addressed similar issues and found that ERISA can provide monetary relief for breaches of fiduciary duties even when there is no claim for benefits under the terms of the plan. While not a final judgment against EMC, the Watson case serves as yet another illustration of the risk imposed by inaccurate or incomplete communications with employees on life insurance coverage. ERISA plan sponsors should always take great care to adequately communicate with plan participants about when group life insurance coverage terminates under the terms of the plan, including any conversion options.

Watson v. EMC Corp. »

On February 12, 2024, the IRS released Revenue Procedure 2024-14, which in part provides indexing adjustments for penalties under the ACA employer mandate. As a reminder, the ACA requires applicable large employers (ALEs), those with 50 or more full-time employees (FTEs) and full-time equivalent employees, to offer affordable minimum value (MV) coverage to all FTEs and their dependents or risk a penalty.

Notably, the employer mandate penalty amounts for 2025 are reduced from the 2024 penalty amounts. For plan years beginning on or after January 1, 2025, the annual penalties are calculated as follows:

• Penalty A (failure to offer minimum essential coverage to 95% of all FTEs and their dependents and at least one FTE who receives a premium tax credit):
  • (Total Number of FTEs - 30*) x $2,900 (for 2024: $2,970)
  • *If applicable, the 30-employee reduction is allocated ratably among controlled group members based on the number of FTEs employed by each member.
• Penalty B (failure to offer affordable coverage that meets MV standards):
  • (Number of FTE(s) who receive a premium tax credit) x $4,350 (for 2024: $4,460)

Both penalties, although commonly expressed as annual amounts, are assessed monthly.

ALEs should regularly verify that employees who generally work at least 30 hours per week are offered affordable MV coverage to avoid ACA employer mandate penalties. The IRS uses Letter 226-J to inform employers of their potential liability for such penalties. Employers should promptly review and respond to any IRS Letter-226-J they receive and consult with counsel as necessary.

For further information regarding the ACA employer mandate and penalties, please ask your broker or consultant for a copy of the following NFP publication ACA: Employer Mandate Penalties and Affordability.

Revenue Procedure-2024-14 »

On February 14, 2024, the HHS Office for Civil Rights (OCR) released two annual reports to Congress summarizing the agency's key HIPAA enforcement activities during the 2022 calendar year as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The first report, HIPAA Privacy, Security, and Breach Notification Rule Compliance, identifies the number of complaints received, the method by which those complaints were resolved, and other OCR HIPAA compliance enforcement activities. The second report, Breaches of Unsecured Protected Health Information, identifies the number and nature of breaches of unsecured protected health information (PHI) that were reported to the HHS and the actions taken in response to the breaches.

Highlights from the HIPAA Privacy, Security, and Breach Notification Rule Compliance report are as follows:

• OCR received 30,435 new complaints alleging violations of the HIPAA Rules.
• OCR resolved 32,250 complaints alleging violations of the HIPAA Rules.
• OCR resolved 17 complaint investigations with Resolution Agreements and Corrective Action Plans (RA/CAPs) and monetary settlements totaling $802,500, and one with a civil money penalty of $100,000.
• OCR completed 846 compliance reviews and required subject entities to take corrective action or pay a civil money penalty in 80% (674) of these investigations. Three compliance reviews were resolved with RA/CAPs and monetary payments totaling $2,425,640.

The Breaches of Unsecured Protected Health Information report noted that 77% of the reported breaches that occurred in 2022 and affected 500 or more individuals were hacking/IT incidents — 58% of the reported large breaches involving 500 or more individuals involved network servers. Accordingly, the report emphasized a continued need for increased compliance with the HIPAA Security Rule in such areas as risk analysis and risk management, audit controls, and information system activity review.

These annual reports are an important reminder of the agency's HIPAA compliance enforcement activities. So, it is crucial that employers are educated in overall HIPAA rules and review their HIPAA policies and procedures, as well as their security policies and procedures for handling electronic PHI.

Press Release »
Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for CY 2022 »
Annual Report to Congress on Breaches of Unsecured Protected Health Information for CY 2022 »

On February 9, 2024, the IRS updated its frequently asked questions (FAQs) for the premium tax credit. These FAQs superseded earlier FAQs that were posted on February 24, 2022. Nine existing FAQs were updated, and four new FAQs were added. Among other items, the FAQs explain the basics of the premium tax credit, the eligibility requirements, and how the affordability of employer coverage affects eligibility.

The updates include the addition of a new section, “Affordability of employer coverage for employees and for family members of employees,” with new FAQs 12, 13, 14 and 22. FAQs 12, 13 and 14 document that coverage is affordable to an individual (making the individual not eligible for the credit) if they are offered coverage under more than one employer’s plan and either of those plans are affordable to the individual as an employee or family member. FAQ 13 sums up the changes:

“Q13. What if I receive an offer of coverage from multiple employers?

A13. If you receive offers of coverage from multiple employers, whether the coverage is offered by your employer or someone else’s employer, you are generally considered to have an offer of affordable coverage if at least one of the offers of coverage is affordable for you.”

New FAQ 22 clarified the treatment of Individual Coverage Health Reimbursement Arrangements (ICHRAs). The response explains that if an employer offers an ICHRA, the employee is not allowed a premium tax credit for marketplace coverage unless 1) the ICHRA is considered unaffordable and 2) the employee opts out of receiving reimbursements under the ICHRA. As referenced in the response, the IRS has issued specific rules for determining when an ICHRA is considered affordable.

The IRS notes that guidance, including FAQs, that is not reported in an Internal Revenue Bulletin will not be relied on, used, or cited as precedents by service personnel in the disposition of cases. But taxpayers “who show that they relied in good faith on an FAQ and that their reliance was reasonable based on all the facts and circumstances will not be subject to a penalty that provides a reasonable cause standard for relief, including a negligence penalty or other accuracy-related penalty, to the extent that reliance results in an underpayment of tax.”

Employers that sponsor group health plans and are subject to the employer mandate should be aware of these FAQ updates.

IRS Fact Sheet »

On February 2, 2024, the DOL, HHS, and IRS (the departments) issued FAQ guidance on the implementation of certain requirements under the Transparency in Coverage (TiC) Final Rules. This FAQ clarifies the participant cost-sharing tool compliance requirements where a plan is providing cost estimates based on claims data, but there is extremely low utilization of the item or service at issue.

As background, the TiC Final Rule issued in October 2020 requires non-grandfathered group health plans to disclose certain data, such as in-network (INN) provider negotiated rates and historical out-of-network (OON) allowed amounts, to the public via machine-readable files posted to a website. (See the October 10, 2023, edition of Compliance Corner for additional information.) Additionally, these plans must provide participants with personalized cost-sharing information for covered services via an online self-service tool, in paper form (upon request), as well as over the phone. The rule has phased-in effective dates from 2022 to 2024, with all items and services required to be available via an online self-service tool for plan years beginning in 2024.

Under the cost-sharing tool requirement, plans must disclose the following cost-sharing information at the request of a participant:

• Estimate of cost-sharing liability for the covered item or service.
• Accumulated amounts incurred to date.
• INN rate (as a dollar amount) for an INN provider (includes negotiated rate and fee schedule).
• OON allowed amount for item or service (if the provider is OON).
• If a bundled payment arrangement, a list of the items or services.
• Any prerequisites for the item or service.

In this FAQ, the departments recognize that in certain limited circumstances, plans and insurers may not be able to provide accurate cost-sharing estimates as required by the TiC Final Rules for items and services with extremely low utilization rates. The departments advise that they are likely to exercise discretion, on a case-by-case basis, not to bring enforcement actions against plans and insurers that fail to include in their self-service tool or fail to provide over-the-phone cost-sharing information for items and services for which a cost estimate for such items and services would need to be based on past claims data and for which there have been fewer than 20 different claims in total over the past three years. For these items and services, the plan or insurers should indicate on the self-service tool that the item or service is covered but that a specific cost estimate is not available according to the TiC Final Rules because of insufficient data. The self-service tool should also encourage the enrollees to contact the plan or insurer for more information on applicable cost-sharing requirements. Where the participant or beneficiary reaches out to the plan directly (rather than using the self‑service tool), the plan should provide all available relevant information (e.g., information available on the SBC).

Employers that sponsor non-grandfathered group health plans should be aware of the recently released FAQ. For further information regarding the cost-sharing tool or other TiC or CAA 2021 requirements, employers should contact their NFP consultant for a copy of our Transparency and CAA 2021 Obligations of Group Health Plans publication.

FAQ About Affordable Care Act Implementation Part 65

On December 5, 2023, in Ian C. v. United Healthcare Ins. Co., the Tenth Circuit Court of Appeals (Tenth Circuit) reversed the district court’s ruling that the defendant’s claim denial was not arbitrary and capricious because the defendant did not provide a “full and fair review” of the plaintiff’s claims.

The plaintiff was a participant covered by an employer-sponsored group health plan. The plaintiff’s son underwent inpatient residential treatment for mental health and substance abuse issues, and the plaintiff submitted claims to the plan on behalf of his son. The defendant, UnitedHealthcare Insurance Company, was the claims fiduciary for the plan and was responsible for determining whether the plan would cover the treatment. After approving coverage for the first two weeks of treatment, the defendant determined that further treatment was medically unnecessary and denied coverage. The plaintiff exhausted the plan’s appeals process, but the appeal reviewers supported the defendant’s determination that further coverage was unnecessary. The plaintiff then took the defendant to court, where the court found for the defendant. The plaintiff then appealed to the Tenth Circuit.

The Tenth Circuit applied an arbitrary and capricious standard to the defendant’s denials. Under ERISA, which governs employer-sponsored group health plans, the plan can authorize the plan administrator to determine benefits on a discretionary basis, which is the case here. Accordingly, the arbitrary and capricious standard is a deferential standard that will uphold the administrator’s decisions so long as they are made on a reasoned basis and are supported by substantial evidence. In addition, under ERISA, the administrator must provide a full and fair review of claims, in which the administrator must consider the claimant’s evidence and consider all grounds for coverage raised by the claimant.

Applying this standard to the defendant’s initial denial, the Tenth Circuit determined that the defendant failed to consider evidence provided by the plaintiff that supported their claim for coverage and did not consider all the grounds for coverage put forth by the claimant. The arbitrary and capricious standard also requires that administrative appeals of adverse decisions provide a full and fair review, which means that the appeal must reevaluate the claims with a clean slate. Despite the presence of the evidence in the record that supported the plaintiff’s grounds for coverage, the subsequent denials deferred to the initial reviewer’s findings. After making these determinations, the Tenth Circuit concluded that the defendant’s actions were arbitrary and capricious and remanded the matter back to the district court for further deliberation.

Employers should make sure that their plans’ appeals process considers all of the evidence provided by claimants and all grounds that the claimants put forth to justify coverage.

Ian C. v. United Healthcare Ins. Co.

The IRS recently released the updated Publication 969: Health Savings Accounts and Other Tax-Favored Health Plans for use in preparing 2023 tax returns. This publication provides information about consumer-directed healthcare vehicles such as Health Savings Accounts (HSAs), Medical Savings Accounts (MSAs), Flexible Spending Arrangements (FSAs) and Health Reimbursement Arrangements (HRAs).

The update includes reminders on important guidance and other provisions for these plans, including:

Sunsetting of COVID-19 relief for HDHPs. In accordance with the COVID-19 public health emergency, the IRS released Notice 2020-15, which allowed HDHPs to provide COVID-19 testing and other treatment benefits without a deductible or below the applicable HDHP minimum deductible without jeopardizing HSA eligibility. After the announced end of the COVID-19 emergency in May of 2023, the IRS released Notice 2023-37, which made the 2020 relief applicable only for plan years ending on or before December 31, 2024. Additionally, Notice 2023-37 clarified that COVID-19 testing would be treated as preventive care under HSA eligibility rules where the testing was designated with an “A” or “B” rating by the United States Preventive Services Task Force.

Telehealth and other remote care service provisions. HDHPs may have a $0 deductible for telehealth and other remote care services for plan years beginning before 2022, months beginning after March 2022 and before 2023, and plan years beginning after 2022 and before 2025. Also, an “eligible individual” remains eligible to make contributions to their Health Savings Account (HSA) even if the individual has coverage outside of the HDHP during these periods for telehealth and other remote care services.

Surprise billing for emergency services or air ambulance services. For plan years beginning after 2021, HDHPs may provide benefits under federal and state anti-“surprise billing” laws with a $0 deductible without affecting HSA eligibility. Also, an HSA-eligible individual will remain HSA-eligible even if the individual receives anti-"surprise billing” benefits outside of the HDHP.

Insulin products. For plan years beginning after 2022, HDHPs may have a $0 deductible for selected insulin products without affecting HSA eligibility.

COVID-19 home testing and personal protective equipment (PPE). The cost of home testing for COVID-19 and the costs of PPE, such as masks, hand sanitizer and sanitizing wipes, for the primary purpose of preventing the spread of COVID-19 are eligible medical expenses that can be paid or reimbursed under health FSAs, HSAs, HRAs and MSAs.

Over-the-counter (OTC) medicine. OTC medicine (whether or not prescribed) and menstrual care products are treated as medical care for amounts paid after 2019 and, as such, are eligible expenses for FSAs, HSAs, HRAs, and MSAs.

2023 Publication 969

On February 8, 2024, HHS released a final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 CFR Part 2 (referred to as “Part 2”). The final rule implements confidentiality rules required under the CARES Act to align certain aspects of Part 2 with HIPAA rules.

The final rule implements many of the proposed modifications originally published in the December 2, 2022, Notice of Proposed Rulemaking (NPRM), which we discussed in a prior Compliance Corner article. Among other items, these changes include the following:

• With respect to patient consent, include allowing a single consent for all future uses and disclosures, while also allowing HIPAA-covered entities and business associates to redisclose records in accordance with HIPAA regulations.
• Permit disclosure of de-identified records without patient consent to public health authorities in accordance with the HIPAA Privacy Rule.
• Restrict use of records and testimony in proceedings against patients absent consent or a court order.
• Align Part 2 penalties with HIPAA civil and criminal enforcement.
• Update breach notification requirements to HHS and affected patients that follow the HIPAA Breach Notification Rule.
• Create safe harbor limits on civil and criminal liability for investigative agencies in certain circumstances.

In addition to the changes from the NPRM, the final rule further modifies Part 2 in the following ways:

• Expressly states that segregating Part 2 records is not required.
• Informs of the right to file a complaint directly with the secretary.
• Expands patient consent requirements, including the need for a clear explanation of the scope of consent, the need for separate consent for the use and disclosure of SUD counseling notes, and the prohibition on combining consent for disclosure except for civil, criminal, administrative, or legislative proceedings.
• Expands the safe harbor limits from the NPRM to include reasonable steps the agencies must follow to be eligible for the safe harbor.
• Allows patients to opt out of receiving fundraising communications.

Persons subject to the rule must comply within two years of publication of the final rule. HHS will develop guidance on how to comply with the new requirements. Group health plan sponsors should be aware of the final rule and consult with their insurers or service providers regarding implementing the changes to Part 2 record protections.

Fact Sheet 42 CFR Part 2 Final Rule

In January, the DOL issued five fact sheets that focus on different aspects of the FMLA.

Fact Sheet 28D explains employers’ obligations to provide employees with information about their FMLA rights and responsibilities. The FMLA requires employers to distribute the following notices to employees who request leave that could qualify as FMLA leave: the General Notice; the Eligibility Notice; the Rights and Responsibilities Notice; and the Designation Notice. The fact sheet describes the function of each notice, as well as the appropriate time to distribute them. The fact sheet also reminds employers of the consequences of failing to provide the notices and notes that the FMLA does not preclude any requirements imposed by state law.

Fact Sheet 28E explains how employees request FMLA leave. To start, the fact sheet summarizes who is eligible for FMLA leave and the reasons for which eligible employees can take this leave. The fact sheet then reminds employees to follow procedures for requesting leave as outlined in their employers’ leave policies. Although an employee does not have to state that they are seeking FMLA leave, they should provide the employer with enough information to allow the employer to conclude that the leave is FMLA leave and designate it accordingly. In any event, the fact sheet reminds employees that they should provide at least 30 days’ notice, if possible. The fact sheet also reminds employees of the consequences of failing to provide a proper request for FMLA leave and notes that the FMLA does not preclude any requirements imposed by state law.

Fact Sheet 28H explains the four options that employers may use to establish the 12-month period for taking FMLA leave for most leave reasons. The fact sheet reminds employers that eligible employees may use up to 12 workweeks of FMLA leave in a defined 12-month period or “leave year.” The four options for establishing the leave year are:

• The calendar year.
• Any fixed 12-month period, such as a year starting on the employee’s anniversary date, a fiscal year, or a 12-month period required by state law.
• A 12-month period measured forward from the first date an employee takes FMLA leave.
• A “rolling” 12-month period measured backward from the date an employee takes FMLA leave.

Fact sheet 28I explains how to count the amount of leave available and the amount of leave used under the FMLA. The fact sheet states that an employee’s entitlement to FMLA leave may be converted from workweeks to an hourly equivalent, a process based on the employee’s total normally scheduled hours. The fact sheet provides examples and highlights special rules for situations when it is physically impossible for an employee using intermittent leave or working a reduced leave schedule to begin or end work midway through a shift, as well as rules for airline flight crews.

Finally, Fact Sheet 28L explains the amount of FMLA leave available to spouses who work for the same employer. Under the FMLA, spouse means a husband or wife as defined or recognized in the state where the individual was married, including individuals in a common-law marriage and married same-sex couples. Under the FMLA, spouses who work for the same employer share the total number of workweeks of FMLA leave available for certain reasons:

• The birth of a child.
• Placement of a child with the employee for adoption or foster care.
• Care for a parent with a serious health condition.

Spouses may each use a total of 12 workweeks of FMLA leave in a leave year for:

• Their own serious health condition.
• To care for a spouse or child with a serious health condition.
• Due to a qualifying exigency.

The fact sheet provides examples of how this is administered.

Covered employers with eligible employees should be aware of these fact sheets.

Fact Sheet 28D »
Fact Sheet 28E »
Fact Sheet 28H »
Fact Sheet 28I »
Fact Sheet 28L »

On January 22, 2024, the DOL, HHS, and IRS (the departments) issued FAQ guidance addressing required coverage of contraceptive drugs under the ACA in response to reports of “unreasonable medical management techniques and other problematic practices” imposing barriers to contraceptive coverage without cost-sharing.

The ACA requires non-grandfathered group health plans and insurers to cover without any cost-sharing at least one form of contraception in each of 17 FDA-identified contraceptive categories, as well as any newer contraceptive service or FDA-approved, -cleared, or -granted contraceptive products that an individual and their medical provider have determined to be medically appropriate for an individual, regardless of whether those products have been specifically categorized.

With respect to those newer contraceptive products and services, the departments have allowed plans and insurers to use reasonable medical management techniques to determine which specific products or services to cover without cost-sharing so long as at least one of multiple, substantially similar products or services have been made available, and provided that it is medically appropriate for the individual.

The FAQs state that despite past attempts by the departments to clarify medical management techniques they have considered reasonable, provided there is an “easily accessible, transparent, and sufficiently expedient” exceptions process available, potentially unreasonable techniques and other problematic practices have nevertheless proliferated, including:

• Requiring individuals to satisfy step therapy protocols using other products within the same category of contraception before approving coverage for the newer product.

• Applying age-related restrictions for a product.

• Imposing onerous documentation requirements or multiple levels of processes that result in denials of coverage or the imposition of cost-sharing requirements.

• Requiring cost-sharing for services (e.g., anesthesia, pregnancy tests needed before the provision of certain forms of contraceptives, etc.) that are integral to the preventive services provided.

In response, the FAQs provide for an alternative “therapeutic equivalence approach” to compliance for contraceptive drugs and drug-led devices. Under this approach, a medical management technique will be deemed reasonable if all FDA-approved contraceptive drugs and drug-led devices in a category are covered without cost-sharing, not including any for which there is at least one therapeutic equivalent drug or drug-led device that the plan or insurer covers without cost-sharing. Additionally, there must be an exceptions process available to individuals that allows them to access a specific therapeutic equivalent determined to be medically necessary by their attending provider.

Coverage of contraceptive products and services has been and will likely remain a subject of primary concern for the departments. Plans and insurers should review these FAQs carefully as well as any contraceptive coverage requirements imposed by various states to whose laws they may be subject.

FAQS about Affordable Care Act Implementation Part 64 (dol.gov) »

On December 19, 2023, the US Court of Appeals for the Eleventh Circuit (the Eleventh Circuit) filed an opinion in W.A. Griffin, MD v. Blue Cross Blue Shield Healthcare Plan of Georgia, Inc., per curiam, affirming the decision of the district court that an assignment of benefits by a patient to a medical provider did not include sufficiently explicit language to transfer the right to bring nonpayment, statutory penalty suits under ERISA.

Plaintiff W.A. Griffin (Griffin) is a medical provider who sued Blue Cross Blue Shield (BCBS) under ERISA Section 502(c)(1)(B), seeking statutory penalties of up to $100 per day for failing to comply with requests to provide plan documents. Griffin had obtained an assignment of benefits from a patient and claimed a derivative right to sue BCBS under that assignment. The district court dismissed Griffin’s complaint and the Eleventh Circuit affirmed that dismissal.

As in South Coast Specialty Surgery Center, Inc. v. Blue Cross of California dba Anthem Blue Cross (the South Coast case), reported in the Compliance Corner article on January 17, 2024, the Eleventh Circuit quoted itself from a 2021 opinion that a healthcare provider “may obtain derivative standing for payment of medical benefits through a written assignment from a plan participant or beneficiary.”

The Eleventh Circuit also reiterated that a written assignment of the right to recover benefits provided by an ERISA plan does not necessarily transfer the right to pursue nonpayment claims, including statutory penalties. This case, therefore, turned on whether the assignment of benefits gives Griffin the right to bring both payment and nonpayment (breach of fiduciary duties and statutory penalties) claims.

The Eleventh Circuit concluded that the assignment upon which Griffin relied did not include sufficiently explicit language to transfer the right to bring nonpayment, statutory penalty suits under ERISA. In the South Coast case, the provider was allowed to submit claims to the plan administrator and to sue the administrator when the administrator declined to pay. But in Griffin, the provider could not sue the administrator for failing to comply with a request for plan documents.

In a second case brought by Griffin, also based on an assignment of benefits and decided two days later, the Eleventh Circuit found that the health plan contained an express anti-assignment provision prohibiting participants from assigning benefits to third parties. Holding that an “unambiguous anti-assignment provision in an ERISA-governed welfare benefit plan is valid and enforceable,” the Eleventh Circuit affirmed the district court’s dismissal of Griffin’s case.

Although the ultimate outcomes of these decisions differ, the takeaway is that medical providers may generally submit claims and sue the plan administrator for the payment of claims through an assignment of benefits. However, an assignment of benefits does not convey a participant’s (patient’s) right to sue to enforce nonpayment claims (such as the failure to abide by fiduciary duties like providing plan documents upon request) unless the assignment has specific wording to that effect.

Although insurers and TPAs typically address claims on behalf of a group health plan, plan sponsors should be aware of these recent decisions and the provisions of their plan documents regarding the limitations of participants’ assignment of benefits to healthcare providers.

W.A. Griffin, MD v. Blue Cross Blue Shield Healthcare Plan of Georgia, Inc. »

On January 9, 2024, the DOL announced its final rule on worker classification for purposes of the Fair Labor Standards Act (FLSA).

The FLSA became law in 1938 and established the federal minimum wage, overtime pay requirements, and other protections for employees. However, the FLSA defines “employee” very generally as “any individual employed by an employer.” Accordingly, a multifactor test eventually emerged in the federal courts to determine whether a worker was an employee subject to the FLSA or, in the alternative, an “independent contractor,” to whom FLSA protections would not apply.

The DOL ultimately adopted a substantially similar version of this test – called the “economic realities” test – which applied six factors, equally weighed, to the question of worker classification:

1. The opportunity for profit or loss depending on managerial skill
2. Investments by the worker and the employer
3. The permanence of the work relationship
4. The nature and degree of the worker’s control over the work
5. Whether the work performed is integral to the employer’s business
6. The worker’s skill and initiative

In early January 2021, the DOL under President Trump issued regulations identifying just two of these – control over the work and the opportunity for profit and loss – as the two “core” factors for classifying workers, with other factors playing a secondary role in the analysis at best.

Set to go into effect on March 11, 2024, this new rule rescinds and replaces this “core factor” rule with the six-factor “economic realities” test, essentially restoring the traditional framework for worker classification used for decades before 2021.

While this change applies to the determination of employee status under the FLSA, there is an indirect yet still significant impact on similar analyses undertaken by employee benefit plans for purposes of determining employee status under ERISA or the Internal Revenue Code (e.g., for determining employer shared responsibility penalties) which also generally employ multifactor standards similar to that reinstated by the DOL for purposes of FLSA application. Employers should be aware of the issuance of the final rule and consult with employment law counsel if they have any concerns regarding the proper classification of their workers.

Federal Register: Public Inspection – Combined Filings »
Fact Sheet 13: Employment Relationship Under the Fair Labor Standards Act (FLSA) »

On January 11, 2024, the DOL published a final rule adjusting civil monetary penalties under ERISA. The annual adjustments relate to a wide range of compliance issues and are based on the percentage increase in the consumer price index for all urban consumers (CPI-U) from October of the preceding year. The DOL last adjusted certain penalties under ERISA in January of 2023.

Highlights of the 2024 penalties that may be levied against sponsors of ERISA-covered plans include:

• Failure to file Form 5500 maximum penalty increases from $2,586 to $2,670 per day that the filing is late.
• Failure to furnish information requested by the DOL penalty increases from $184 per day, not to exceed $1,846 per request, to $190 per day, not to exceed $1,906 per request.
• Penalties for failure to comply with GINA and failure to provide CHIP notices increase from $137 to $141 per day.
• Failure to furnish Summary of Benefits Coverage (SBC) penalty increases from $1,362 to $1,406 maximum per failure.
• Failure to file Form M-1 (for MEWAs) penalty increases from $1,881 to $1,942 per day.

These adjusted amounts are effective for penalties assessed after January 15, 2024, for violations that occurred after November 2, 2015. The DOL will continue to adjust penalties no later than January 15 of each year and will post any changes to penalties on its website.

To avoid the imposition of penalties, employers should ensure ERISA compliance for all benefit plans and stay updated on ERISA’s requirements. For more information on the new penalties, including the complete list of changed penalties, please consult the final rule linked below.

Final Rule »

On January 10, 2024, the Ninth Circuit Court of Appeals (the Ninth Circuit) ruled that an assignment of benefits includes the right of South Coast Specialty Surgery Center, Inc. (South Coast) to sue Blue Cross of California dba Anthem Blue Cross (Anthem) under ERISA Section 502(a) for Anthem’s alleged failure to fully reimburse the costs of medical services provided to South Coast’s patients. The Ninth Circuit reversed the district court’s dismissal of South Coast’s claim and remanded the case to the district court for further action.

Prior to 2019, South Coast submitted claims for services provided to Anthem participants and received payment from Anthem pursuant to assignments of benefits, which South Coast required patients to sign as a condition of treatment. The relevant wording of the assignment read, “I hereby authorize my insurance company to pay by check made payable and mailed directly to (South Coast) for the medical and surgical benefits allowable, and otherwise payable to me under my current insurance policy, as payment toward the total charges for the services rendered. I understand that as a courtesy to me, (South Coast) will file a claim with my insurance company on my behalf.” In 2019, however, Anthem instituted a “prepayment review“ process, which significantly curtailed its coverage for the costs of South Coast’s procedures. South Coast alleges that Anthem failed to follow ERISA plan requirements and failed to provide appropriate benefits for approximately 150 claims, resulting in a potential shortfall exceeding $5.4 million.

ERISA allows plan participants, plan beneficiaries, and plan fiduciaries to sue insurers and plan administrators but South Coast is not a plan participant, beneficiary, or fiduciary in the Anthem plans. The district court ruled that the assignment of benefits gave South Coast the right to bill Anthem directly, but the assignment did not include the right to sue to enforce collection. The Ninth Circuit, however, concluded that “an assignment of the right to receive benefits generally includes the right to sue for nonpayment of benefits,” a conclusion, the Ninth Circuit said, that aligns with its prior opinions as well as other circuits’ opinions. But the Ninth Circuit noted they were not holding that all assignments of the right to benefits – regardless of who made the assignment and who received it – necessarily confer the right to sue under ERISA. Rather, the decision was limited to whether Section 502(a) of ERISA permits a healthcare provider to bring a suit seeking the payment of benefits when it has been given a valid assignment to do so.

Although carriers and TPAs typically address claims for most group health plans, employers may want to be aware of this decision.

South Carolina Specialty Surgical Center, Inc. v Blue Cross of California dba Anthem Blue Cross »

Recently, HHS released a set of FAQs concerning an individual’s right to access health information. HIPAA requires covered entities, which include insurers and self-insured group health plans, to provide individuals with access to their protected health information (PHI), such as medical records, information related to enrollment, payment, or claims adjudication, and other records used by the covered entity to make decisions about those individuals. This right of access includes the right to obtain copies (paper or electronic) of the PHI and the right to direct the covered entity to transmit copies of the PHI to persons or entities designated by the individual. This right of access remains for as long as the covered entity maintains the PHI, and it extends to archived material too.

The new guidance clarifies details concerning this right of access. First, the guidance confirms that a covered entity can charge the requesting individual a fee for providing the PHI. However, that fee can only include the cost of the labor for creating and delivering the PHI (not for searching and retrieving, or reviewing the PHI), supplies (although this does not allow the covered entity to require the individual to purchase portable media), and postage. Covered entities cannot pass on the costs they may pay to business associates for creating or delivering the PHI, nor can they pass on costs authorized by state-authorized fees. The guidance provides several methods for calculating the fee, including an “actual costs” method, an “average costs" method, and a “flat fee" method. Covered entities must provide an estimate of the fee to the requesting individual before fulfilling their request.

Although the covered entity can impose these fees, the guidance asserts that covered entities should provide PHI to requesting individuals free of charge, especially in cases where the individual may not be able to afford the fees. The guidance also states that if the individual can access the PHI electronically via a certified electronic health record technology (CEHRT) established by the covered entity, then the covered entity should not charge a fee for that access.

The guidance also clarifies the individual’s right to send PHI directly to a third party. If an individual submits a written request to a covered entity that clearly identifies where and to whom the PHI should be sent, then the covered entity is obliged to send the PHI to that third party. The individual’s personal representative, as determined by state law, also has the right to direct a covered entity on behalf of the individual.

The covered entity may rely on the information provided in writing by the individual about the identity of the designated person and where to send the PHI for purposes of verification of the designated third party as an authorized recipient. However, they must implement reasonable safeguards in otherwise carrying out the request, such as taking reasonable steps to verify the identity of the individual making the access request and to enter the correct information into the covered entity's system, as well as safeguarding the PHI in transit to the third party.

The covered entity is obligated to notify the individual and HHS of any breach that occurs when it provides the PHI to a third party and comply with other breach notification obligations imposed by HIPAA. However, the covered entity is not responsible for breaches that occur when transmitting the PHI to a third party if it does so in an unsecured manner as directed by the individual (after being warned of the risks). The covered entity is also not responsible for any breaches that occur once the PHI is delivered to the third party.

The guidance also clarifies what information is subject to this right of access. As mentioned above, the individual has access to a large amount of data (collectively, this data is referred to as “designated record sets”). Examples of this type of information include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. Note that individuals do not have a right to access information about the individual compiled in reasonable anticipation of, or for use in, a legal proceeding (but the individual retains the right to access the underlying PHI from the designated record set(s) about the individual used to generate the litigation information).

Covered entities may deny a request for information compiled in reasonable anticipation of, or for use in, a legal proceeding, included in psychotherapy notes, or determined by a licensed healthcare professional to be reasonably likely to endanger the physical safety of the individual or someone else if it is provided. The guidance stresses that these are very limited circumstances and that covered entities are generally obliged to provide requested information.

Finally, the guidance discusses the timelines within which a covered entity must provide the requested information. Under the HIPAA Privacy Rule, a covered entity must act on an individual's request for access no later than 30 calendar days after receipt of the request. If the covered entity is not able to act within this timeframe, the entity may have up to an additional 30 calendar days as long as it provides the individual – within that initial 30-day period – with a written statement of the reasons for the delay and the date by which the entity will complete its action on the request. The 30-day clock starts on the date that the covered entity receives a request for access. The guidance also stresses that the 30-day deadline is an outer limit and that HHS expects covered entities to provide requested information sooner than that.

Although insurers and TPAs for self-insured group health plans typically address requests regarding an individual’s access to health information, plan sponsors should be aware of this guidance.

HHS Guidance on Access to Individual Information »

The IRS recently published the 2024 IRS Publication 15-B, the Employer's Tax Guide to Fringe Benefits. This publication provides an overview of the taxation of fringe benefits and applicable exclusion, valuation, withholding, and reporting rules.

The IRS updates Publication 15-B each year to reflect any recent legislative and regulatory developments. Additionally, the publication provides the applicable dollar limits for various benefits for 2024.

The “What’s New” section of the publication includes:

• Information on the 2024 business mileage rate under the “cents-per-mile rule.”
• The monthly exclusion for qualified parking and commuter transportation benefits.
• The contribution limit on a health flexible spending arrangement (FSA).

Qualified parking exclusion and commuter transportation benefit. The monthly exclusion for qualified parking is $315, and the monthly exclusion for commuter highway vehicle transportation and transit passes is $315 in 2024.

Contribution limits for health FSAs. For plan years beginning in 2024, a cafeteria plan may not allow employees to request salary reduction contributions to health FSAs greater than $3,200.

The complete list of the IRS-released 2024 inflation-adjusted limits was covered in the December 5, 2023, edition of Compliance Corner.

Additionally, the publication includes important reminders, including additional permitted mid-election changes for health coverage under a cafeteria plan (Notice 2014-55).

Employers should be aware of the availability of the 2024 Publication 15-B.

IRS Publication 15-B »

On December 13, 2023, the US Court of Appeals for the Eleventh Circuit (Eleventh Circuit) held in Lapham v. Walgreen Co., that to prove Family and Medical Leave Act (FMLA) retaliation or interference claims, an employee must establish that an adverse employment decision was because of an FMLA leave request, not just motivated by the request.

Plaintiff Doris Lapham worked for Walgreens in various roles and at multiple store locations for over a decade. Between 2011 and 2016, Ms. Lapham took intermittent FMLA leave to care for her disabled son. During that same period, Ms. Lapham received poor to average performance evaluations. In early 2017, Ms. Lapham was placed on a sixty-day Performance Improvement Plan, which is required for all of Walgreens’ employees who score below a certain level on performance evaluations. Around the same time, Ms. Lapham submitted a request for intermittent FMLA leave over the next 12 months, similar to her previous requests.

While the FMLA leave request was pending, Ms. Lapham’s manager discussed Ms. Lapham’s poor work performance with Walgreens’ HR, citing instances of her disregarding instructions, lying to management, and sabotaging the store. That HR discussion included a reference to the pending FMLA leave request. Walgreens’ HR instructed Ms. Lapham’s manager to properly document instances of insubordination and refrain from disciplining Ms. Lapham for any attendance issues until the FMLA leave request was approved or denied. Soon thereafter, Walgreens terminated Ms. Lapham’s employment, citing poor performance, insubordination, and dishonesty. Ms. Lapham’s FMLA leave request was denied based on the termination.

Ms. Lapham then sued her former employer, alleging FMLA retaliation and interference, arguing that her FMLA leave request was a motivating factor in Walgreens’ decision to terminate her employment. The Eleventh Circuit ruled in favor of Walgreens, finding that in order to succeed on an FMLA claim of retaliation or interference, an employee must prove the employment termination was because of the leave request (or “but-for”), not merely a motivating factor. It’s important to note that this standard differs among federal courts across the country — some courts apply a more lenient “motivating factor” standard, making it easier for employees to succeed on FMLA interference or retaliation claims.

The Lapham case serves as a good reminder to employers to have clear and consistent FMLA leave processes. Supervisors, managers, or other employer-designated agents handling FMLA leave requests must be trained to not interfere with an employee’s right to seek FMLA leave. Beginning with an employee’s initial inquiry, communications regarding leave should be documented in a way that prevents any misunderstanding between employer and employee. Especially given the varying standards for proving FMLA claims, any contemporaneous employee disciplinary actions should be reviewed with employment law counsel.

Lapham v. Walgreen Co.

On December 20, 2023, the DOL proposed rescinding a 2018 rule that created alternative criteria that could be used to determine whether a group or association of employers could establish an association health plan (AHP). The rule allows employers without a commonality of interest to form AHPs if they are in the same state or metropolitan area. Further, AHPs can form for the primary purpose of providing benefits (something that was prohibited before 2018) if they can show a “substantial business purpose,” which includes minimal proof — anything from setting business standards and practices to publishing a newsletter. Importantly, the 2018 rule also allows an AHP to cover non-employees (sole proprietors, independent contractors, partners, and other businesses without any employees).

However, in 2019, the US District Court for the District of Columbia, in New York v. DOL, invalidated the 2018 rule. The court concluded that the DOL did not reasonably interpret ERISA and that the primary provisions of the 2018 rule must be invalidated. Those primary provisions are the expanded definition of “commonality of interest” and the inclusion of working owners. Specifically, the court stated that the commonality of interest expansion in the 2018 rule failed to meaningfully limit the types of associations that could qualify as sponsors of an ERISA plan. In addition, because ERISA is meant to regulate benefit plans that arise from employment relationships, the inclusion of working owners impermissibly expanded ERISA’s regulation to plans outside of such employment relationships. The court concluded that the rule ignored ERISA’s definitions and structure, case law, and ERISA’s 40-year history of excluding employers without employees. Accordingly, the court remanded the matter back to the DOL.

The DOL states that the 2018 rule was never fully implemented, and the department is not aware of any existing AHP formed based on the rule. Accordingly, the DOL proposes to “rescind in full the 2018 rule to resolve any uncertainty regarding the status of the standards established under the rule, allow for a reexamination of the criteria for a group or association of employers to be able to sponsor an AHP, and ensure that guidance being provided to the regulated community is in alignment with ERISA’s text, purposes and policies.”

Employers who are considering creating an AHP should be aware of this proposal. The deadline to submit comments is February 20, 2024.

US Department of Labor, Press Release

FederalRegister.gov, Rule Proposal: Definition of Employer – Association Health Plans

On December 21, 2023, the IRS, DOL, and HHS (collectively, the agencies) issued a final rule related to fees established by the No Surprises Act for the federal independent dispute resolution (IDR) process under the Consolidated Appropriations Act, 2021 (CAA). The IDR process comes into play when health plans and issuers and providers, facilities and providers of air ambulance services cannot agree on an appropriate payment for out-of-network items and services. Two types of fees apply to the process: an administrative fee paid to the applicable federal agency and a fee paid to the certified IDR entity.

The final rule, finalizing the proposed rule from September 2023, amends the existing regulations following an August 3, 2023, Texas court case (Texas Medical Association v. HHS; see August 15, 2023, NFP Compliance Corner article) that set aside an increase in IDR fees that were established without official regulatory action. The final rule provides that, going forward, the administrative and IDR entity fees will be established by the agencies in notice and comment rulemaking (no more frequently than once per calendar year) rather than by guidance published annually. The CAA requires that the administrative fees paid each year should be estimated to be equal to the amount of expenditures that are estimated to be made by the agencies each year in carrying out the IDR process.

The final rule also sets the fees for disputes initiated on or after the effective date of the final rule, which is January 20, 2024. The administrative fee will be $115 per party. The certified IDR entity fee will range from $200 to $840 for single determinations and $268 to $1,173 for batched determinations. Certified IDR entities may establish an additional fee, ranging from $75 to $250 for each increment of 25 dispute line items included in a batched dispute, beginning with the 26th line item. The agencies also issued a fact sheet that summarizes the Final Rule.

Most plan sponsors rely upon their carrier or TPA to resolve out-of-network payment disputes subject to the No Surprises Act but should have a general awareness of the IDR process and related guidance.

FederalRegister.gov, Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule

CMS.gov, Federal Independent Dispute Resolution (IDR) Process Administrative Fee and Certified IDR Entity Fee Ranges Final Rule Fact Sheet