March 3, 2009 – Children’s Health Insurance Program Reauthorization Act of 2009 Includes New HIPAA Special Enrollment Events
Prior to the stimulus legislation that included changes to the Consolidated Omnibus Budget Reconciliation Act of 1985 (“COBRA”) (see our Alert) and Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) (see below), Congress enacted the Children’s Health Insurance Program Reauthorization Act of 2009. The primary feature of the legislation is the funding and expansion of the State Children’s Health Insurance Program (“SCHIP”). The law also contains two provisions that may impact group health plans.
Subsidy for Employer-Provided Coverage. Historically, SCHIP coverage has been provided directly by states. The law now authorizes states to use SCHIP funds to subsidize employer-provided coverage instead of providing the SCHIP coverage directly. The law contains several restrictions regarding the type of employer-provided coverage that can qualify and includes a provision allowing employers to either (1) receive the subsidy directly, or (2) elect to have the subsidy paid to the employee. Employers will be required to provide notice of the availability of the subsidy if a state in which they operate implements the subsidy.
Note: To date, we are not aware that any state has elected to subsidize employer-provided coverage.
New Special Enrollment Events. The law also adds two new special enrollment events for group health plans otherwise subject to HIPAA’s special enrollment requirements.
Note: Not all group health plans are subject to HIPAA’s special enrollment requirements. Generally, stand-alone dental and vision coverages and many health flexible spending accounts that are part of a cafeteria plan are exempt from the requirements. However, major medical coverages, health reimbursement arrangements, and employee assistance plans and wellness programs that provide medical care are subject to the requirements.
Generally, under HIPAA’s special enrollment provisions, certain individuals are allowed to enroll in group health plans mid-year upon the occurrence of certain “special enrollment events.” Currently, special enrollment is allowed upon acquiring a new dependent (e.g., through marriage, birth, or adoption) and upon a loss of other group coverage.
Under the SCHIP law, special enrollment is also available upon:
- Ceasing to be eligible for Medicaid or SCHIP coverage; and
- Becoming eligible under Medicare or SCHIP for a subsidy of employer-provided coverage.
The new special enrollment events apply to eligible employees and eligible dependents who are not enrolled in the employer’s group health plan.
Unlike other special enrollment events, with respect to which employees must be given at least thirty (30) days to request special enrollment, individuals experiencing one of the new special enrollment events must request enrollment within sixty (60) days of the special enrollment event. Unlike special enrollment as the result of birth or adoption, which is effective retroactively to the date of the birth or adoption, the law does not provide that coverage obtained as a result of the new special enrollment events must be effective retroactively to the date of the event.
The special enrollment provisions of the SCHIP legislation are effective April 1, 2009.
Note: Because HIPAA special enrollment is an event that allows an employee to change his or her election under a cafeteria plan, the addition of these new special enrollments events also impacts administration of cafeteria plans that include HIPAA special enrollment as an exception to the irrevocable election rule. Because the coverage is not required to be retroactive, the change in election can be effective only prospectively, even if the underlying group health plan chooses to provide retroactive coverage.
Action Items. In light of the legislation, sponsors of group health plans (e.g., employers) and their third party service providers should take the following actions:
- Identify the group health plans subject to HIPAA’s special enrollment requirements.
- Monitor the actions of the states in which they operate for implementation of the subsidy and, if that occurs, provide the required notice to employees;
- Amend group health plan documentation (e.g., plan documents and summaries) for plans subject to the HIPAA special enrollment rules to add the new special enrollment events;
- Review cafeteria plan documentation to determine whether the provisions in documents describing the change in election rules need to be amended to add a description of the new special enrollment events; and
- Adjust communication materials and administrative forms to describe the new special enrollment events.
New HIPAA Privacy and Security Rules Included in the Stimulus Legislation
In addition to changing the rules under the Consolidated Omnibus Budget Reconciliation Act of 1985 (“COBRA”) (see our Alert), the stimulus legislation also includes significant changes to the privacy and security rules under Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). With some exceptions, the changes are not effective until February 17, 2010. In addition, regulatory agencies are required to issue regulations or other guidance regarding a number of the new provisions. Accordingly, this alert contains only a brief summary of the changes. We will provide more detailed information as additional guidance is issued.
The law includes changes in the following areas:
- Business Associates. The privacy and security standards will be directly applicable to business associates. In the past, the law applied only to covered entities (i.e., group health plans). To the extent the law applied to business associates, it applied indirectly through the business associate agreements. Beginning February 17, 2010, the privacy and security standards are directly enforceable against business associates. This change will likely require adjustments to your business associate agreements.
- Notification Requirements. Business associates and covered entities will have significant new notice requirements that apply upon discovering of an unauthorized acquisition, access, use, or disclosure of protected health information (PHI) that compromises the security or privacy of the PHI. Notice must be provided to the affected individuals and, in some cases, the Department of Health and Human Services (HHS) and the media. The law requires the issuance of regulations regarding the notification requirements within 180 days of February 17, 2009. The notification requirements will apply to breaches discovered on or after the date that is thirty (30) days after the publication of such regulations.
- Electronic Health Record (“EHR”). Individuals will have a right to an accounting of PHI disclosures made through an electronic health record (“EHR”) by a covered entity or business associate for purposes of treatment, payment, or health care operations. An EHR is an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by health care clinicians and staff. This provision is effective (1) January 1, 2014 for covered entities that currently have EHRs and (2) the later of January 1, 2011 or the date an EHR is acquired for covered entities that do not have EHRs.
- Minimum Necessary Standard. In general, a covered entity or business associate may use and/or disclose only the minimum PHI necessary to accomplish the intended purpose of the use or disclosure. The law requires the HHS to issue guidance regarding the minimum necessary standard. This guidance must be issued by August 17, 2010.
- Heightened Enforcement. Civil penalties will be increased and criminal penalties will be applicable to employees. In the past, it was unclear whether criminal penalties could be enforced against employees as opposed to the covered entity. The law clarifies this issue.
Note: This provision was effective upon enactment of the law on February 17, 2009.
Action Items. In light of the legislation, sponsors of group health plans (e.g., employers) and their business associates should take the following actions:
- Identify the plans that are subject to HIPAA’s privacy and security requirements;
- Monitor the release of the guidance and regulations required by the legislation; and
- Prior to the various effective dates, adopt or revise HIPAA privacy and security procedures, amend business associate agreements, and train employees with respect to the new requirements.
Please let us know if you have any questions regarding the Children’s Health Insurance Program Reauthorization Act of 2009 or need our assistance with any of the action items.
__________________________________________________________________
The information contained in this ALERT is intended for general information purposes only and does not constitute legal advice relative to a specific situation.