Cyberattacks have managed to invade all walks of life, and employee benefit plans are no exception. When a plan is attacked, the fallout can be overwhelmingly expensive and burdensome to correct. Many plan sponsors are purchasing cyber liability insurance coverage to supplement their data security measures. Understanding those policies – and their exclusions – is important for sponsors who are exploring such coverage.
Group Health Plans
Although the GOP tax reform bill reduces to zero the penalty for failing to comply with the Affordable Care Act’s individual coverage mandate, it does nothing to alleviate the employer ACA mandate. Coincidentally, the IRS has just started issuing notices of potential penalty assessments under that employer mandate (commonly known as the “play-or-pay” provision).
These notices take the form of a “Letter 226J” (this notation appears in the footer of each page), and the Letter makes crystal clear the amount of the potential penalty assessment (which can be substantial). This dollar amount appears in bold on the second line of the Letter’s text.
Final regulations issued by the Equal Employment Opportunity Commission (“EEOC”) under both the Americans with Disabilities Act (“ADA”) and the Genetic Information Nondiscrimination Act (“GINA”) will require modifications to many employee wellness programs. These modifications may include the deletion of certain questions from health risk assessments, additional employee notification requirements, and a reduction in the incentives used to discourage tobacco usage. Although certain aspects of these regulations will not apply until the first day of the 2017 plan year, others are already in effect.
The well-publicized cyber-attack on Anthem, Inc.’s information technology system may require employers to take prompt action to protect the rights of their health plan participants. Although neither the scope nor the cause of the security breach has yet been determined, the attack has been described as both “massive” and “sophisticated.”
In a series of notices and FAQs, the IRS has clearly enunciated its view that an employer’s reimbursement of an employee’s premiums for individual health insurance violates certain provisions of the Affordable Care Act (“ACA”). While reiterating this key point, Notice 2015-17 does grant a limited period of relief for smaller employers. Nonetheless, even those employers should be working toward a June 30 deadline to comply with these ACA constraints.
In the years since the 2010 enactment of the Affordable Care Act (“ACA”), the agencies charged with enforcing the ACA have worried that certain responses to the law’s requirements could negatively affect the overall health insurance system. For instance, because the ACA requires insurers to issue individual health insurance coverage without regard to health status, sponsors of self-funded employer plans may be tempted to shift their high-risk employees into the individual market. But by leaving only healthier employees in the self-funded plans, this approach could result in “adverse selection” – leading to an erosion of the individual insurance market.
The HIPAA Electronic Transactions and Code Sets rule requires most group health plans to obtain new health plan identifier numbers (HPIDs) by November 5, 2014. While insurers will likely obtain the HPID on behalf of fully insured plans, the task of obtaining the HPID for a self-funded plan will fall upon the plan sponsor. While the process is relatively simple, plan sponsors should begin identifying which group health plan arrangements are subject to the HPID requirement and communicating with plan vendors regarding the requirements.