March 24, 2006
Looming Health Plan Compliance Deadlines
March 31, 2006 Medicare Part D Notice to CMS
The Medicare Modernization Act (MMA) requires that health plans disclose to the Centers for Medicare and Medicaid Services (CMS) whether prescription drug coverage currently provided to Medicare Part D eligible individuals is creditable prescription drug coverage.
Group health plans that provide prescription drug coverage to Medicare Part D eligible individuals must provide the disclosure notice. However, plans that have been approved for the Medicare Retiree Drug Subsidy need not file a disclosure notice with CMS with respect to retirees for which the sponsor is claiming the subsidy.
For plan years that end in 2006, the disclosure notice is required no later than March 31, 2006. For plan years that end in 2007, the disclosure notice is required within 60 days after the beginning of the plan year. A disclosure notice is also required within 30 days after any change in creditable coverage status of the prescription drug plan and within 30 days after the termination of the plan.
Plans required to file the disclosure notice must file electronically by completing the form at https://www.cms.hhs.gov/CreditableCoverage/45_CCDisclosureForm.asp.
April 14, 2006 Privacy Notice Deadline
The HIPAA Privacy Rule requires health plans to remind participants, at least every three years, of the availability of the Plan’s Notice of Privacy Practices, as well as how to obtain a copy. Health plans, other than small health plans, were first required to distribute their Notice of Privacy Practices to participants by April 14, 2003.1 Therefore, those plans that have not already reminded participants must do so no later than April 14, 2006. Small health plans had until April 14, 2004 to first distribute their Notices.2 Thus, the small plan reminder deadline is April 14, 2007.
For notice and security purposes, a small plan is defined under HIPAA as a plan with annual receipts of $5 Million or less. For a fully insured plan, receipts are measured by premiums paid. For a self-funded plan, receipts are measured by claims paid.
Health plans may satisfy the notice requirement in a number of ways. Plans may send a copy of their notice to participants or mail only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy. Plans may also include the information in a plan-produced newsletter or other plan publication. The notice requirement is met by sending information concerning the plan’s Privacy Practices to the enrolled employee, rather than to the employee and each dependent.
Plans may have already satisfied the notice requirement. For example, if the Privacy Practice information is included in annual information sent to participants, nothing further needs to be done to meet the requirement.
1 45 CFR § 164.534
2 45 CFR §164.534(B)(2)
April 20, 2006 Security Deadline
The HIPAA security rule takes effect for small plans on April 20, 2006. The purpose of the security rule is to provide national standards of electronic healthcare information. The HIPAA security rule requires all health plans to comply with four general requirements. The plans must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (PHI) that they create, receive, maintain or transmit;
- Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic PHI;
- Protect against any reasonably anticipated uses or disclosures of electronic PHI that are not permitted or required by the HIPAA privacy rule; and
- Ensure compliance with the HIPAA security rule by the health plan’s workforce.3
Plans should conduct a risk analysis to determine whether the plan creates, receives, maintains or transmits electronic PHI.
3 45 CFR § 164.306(a)
If you have any questions regarding any of these issues, please contact us.