Guest Article

(From the August 30, 2004 issue of Deloitte's Washington Bulletin, a periodic update of legal and regulatory developments relating to Employee Benefits.)

ABA Reports Various Employee Benefit Regulators' Views on Health Issues

Various government regulators gave their unofficial individual views on several employee benefit issues to members of the American Bar Association's Joint Committee on Employee Benefits in late April and early May. These question and answer sessions have become an annual, if informal and nonbinding, event which generally provides valuable hints on the agencies' thinking on various matters. The following health benefit items were discussed. Bear in mind these responses represent only the views of the individuals and cannot be relied upon as official government positions. The following discussion focuses only on the health benefit questions and responses by the Department of Labor and the Department of Health and Human Services. The IRS and EEOC declined to respond to the few health benefits questions posed to them.

HHS Responses -- HIPAA Privacy and Administrative Simplification

Enforcement: In response to questions on HIPAA privacy enforcement, the Department of Health and Human Services' Office of Civil Rights (OCR) noted their office receives about 100 complaints per week and has handled about 6,000 since April 2003. A "fair number" of those involved entities over which OCR has no regulatory authority, such as employers, or that involve incidents arising prior to HIPAA privacy's effective date or were filed more than 180 days after the incident occurred. OCR has not yet imposed civil penalties for privacy violations. HHS has closed about 50 percent of the cases. One-third to 40 percent of those cases were closed as "without merit."

While there have been a number of complaints involving employers, according to HHS some of those complaints involve data not covered by HIPAA such as employment records. HHS notes it also counsels with hospitals that are overreacting to the HIPAA privacy rules, reminding these organizations of "certain things that ARE permitted by the rule."

The five major privacy complaint issues have been:

Fraud on the Plan as Grounds for Dismissal. The group posed questions regarding what the employer or the plan could do in auditing the plan to detect fraud by the participants in cases in which the plan document and the SPD cautioned participants that such fraud would be grounds for disciplinary action, including dismissal. The ABA committee members had proposed the answer that the plan could use such information to terminate the individual from coverage, but was less sure about whether or how much information could be given to the employer. HHS refused to answer other than to say the question had generated considerable "discussion."

Stop Loss Insurer as a Business Associate. HHS has issued general guidance that a stop loss insurer does not become a business associate simply by selling stop loss insurance and that generally a reinsurer will be treated as a stop loss insurer. The OCR has issued a letter saying that as an "operation" of the plan, a group health plan may disclose information to stop loss insurers to obtain such coverage, or disclose information to the insurer to obtain payment under the reinsurance plan. Other than referring to the letter, the HHS gave no further guidance. This lack of guidance is especially unfortunate, since the questioner emphasized that the employer, not the plan, would be the owner and the beneficiary of the reinsurance policy.

Self-funded Plan Contracting with TPA. In response to whether a plan that contracts out all functions to a TPA must have policies and procedures in place with respect to the functions covered by the plan, HHS noted that the plan could contract out all these responsibilities, including having the TPA furnish the privacy officer. However, HHS warned the "covered entity," i. e. the plan, will still be responsible for compliance since HHS can only enforce compliance on the plan, not the TPA, who is a business associate.

Assisting Employees Without an Authorization. HHS rejected the idea that a plan sponsor/employer can receive PHI, except as provided under the regulations, even when helping an employee at the employee's request. However, HHS noted the regulations do give some flexibility on release of PHI. If the employee and the employer representative are on the phone together and the plan representative has no reason to believe the employee is not who he or she claims to be, PHI can be shared if the plan representative determines, in his or her professional judgment, that disclosure is appropriate. If the plan is a fully insured plan, the employer should get an authorization to avoid having PHI, which would then require the employer's compliance with the full panoply of HIPAA privacy rules.

Department of Labor

HSAs-- Welfare or Retirement Plan? DOL noted that Field Assistance Bulletin 2004-01 held HSAs generally will not constitute "employee welfare benefit plans" under ERISA Title I. However, this will depend on the limited employer involvement described in the FAB. Mere employer contributions to the HSA of an eligible individual will not result in ERISA coverage of HSAs. If employer involvement is sufficient for an HSA to be considered an ERISA plan, or part of a larger plan, DOL would treat an HSA that meets the conditions of the Internal Revenue Code as an employee welfare benefit plan, not as a pension plan.

HIPAA Special Enrollment Rights for Retirees. In a health plan that covers both employees and retirees, but only covers employees' spouses and dependents, do the special enrollment rights under HIPAA in ERISA sec. 701(f)(2) apply? (That section requires the plan to offer enrollment of spouses and children when certain life events occur, such as marriage or the birth of a child.) DOL acknowledged that the special enrollment rights under section 701(f)(1) do not apply to retirees; they apply only to current employees. But in this case, because the plan covers both current employees and retirees, the special enrollment provisions will apply. In such cases, a retiree can enroll his or her new spouse, child, etc. However, the occurrence of a life event does not entitle a retiree to enroll in the plan. The DOL also noted that if the plan only covered retirees, neither the special enrollment rules of sections 701(f)(1), which requires offering coverage to individuals that lose coverage under another health plan, or 701(f)(2) would apply.

Employer's Fiduciary Entitlement to Claims Data for a Plan Audit. In a situation where the employer would like to audit large payout claims under the plan to determine what corrective actions are necessary, the company that processed those claims refuses to release the records on the grounds the processor, not the plan, owns the records. The service contract is silent on the issue. The ABA-JCEB's suggested answer, in part, was that the absence of any specific language on records ownership will not prevent the employer, acting in its role as fiduciary to the plan, from receiving the records. DOL essentially agreed, but added that, in entering into service contracts, plan fiduciaries must ensure that they have access to all plan records necessary to fulfill their obligations in accordance with the plan documents and ERISA. This includes the ability to monitor the plan's service providers.

Consistent with the Department's views on electronic recordkeeping, plan recordkeeping arrangements may not be subject to any agreement or restriction that would, directly or indirectly, compromise a fiduciary's ability to comply with obligations under Title I of ERISA. Accordingly, fiduciaries should not interpret service contracts that are silent as to the plan fiduciaries' rights to review claims records as restricting the plan fiduciaries' rights to review such records. DOL staff also noted that if the recordkeeper is an insurance carrier or other organization which provides some or all of the benefits under the plan, ERISA section 103(a)(2) provides that the carrier or organization must transmit and certify to the plan administrator information the carrier or organization maintains that is necessary for the administrator to comply with the requirements of Title I.

DOL noted that general fiduciary standards in ERISA section 404 would apply to determinations regarding the scope of the records audit and the amount of plan assets that could properly be incurred in getting access to the necessary records.

The DOL cited the same answer in response to whether a recordkeeper could refuse to turn over plan records when the employer had not paid the recordkeeper's fees.

The information in this Washington Bulletin is general in nature only and not intended to provide advice or guidance for specific situations. If you have questions or need additional information about articles appearing in this or previous versions of Washington Bulletin, please contact: Robert Davis 202.879.3094, Elizabeth Drigotas 202.879.4985, Taina Edlund 202.879.4956, Mike Haberman 202.879.4963, Stephen LaGarde 202.879.5608, J. D. Lutz 202.879.5366, Bart Massey 202.220.2104, Diane McGowan 202.220.2077, Martha Priddy Patterson 202.879.5634, Tom Pevarnik 202.879.5324, Tom Veal 312.946.2595, or Deborah Walker 202.879.4955. Copyright 2004, Deloitte.