The Dobbs Decision: Client Talking Points for Brokers and Advisors

The decision of the United States Supreme Court on June 24, 2022 in Dobbs v. Jackson Women’s Health Organization means that, for the first time in almost 50 years, employers that sponsor group health plans are subject to state-level regulation of abortion access. Employers will naturally turn to their group health brokers and advisors for initial guidance. Below are some talking points for brokers and advisors, including tips on when legal guidance from ERISA counsel may be required.

  1. First, be aware that there will be no one-size-fits-all approach. Each client’s path forward will vary depending upon whether their group health plan is self-insured or insured, what states they operate and have employees in, and whether they offer additional benefits such as health flexible spending accounts (health FSAs), health reimbursement arrangements (HRAs), or Health Savings Accounts (HSAs).
  2. With that in mind, you can start by cataloguing the plans each client has in place, and the states in which they have group health insurance policies in place and employ personnel. Remote work in the post-COVID environment may make it challenging to identify all states in which employees perform services for your client.
    a. If, for instance, a client has a fully insured group health plan under a policy issued in a state that has a trigger law, such as Kentucky, then abortions will likely become unavailable under the insured plan. (A discussion of state trigger laws prepared for the American Society for Reproductive Medicine is found here.) You will want to work with the carrier and the client to communicate potential changes to the policy and coverage around abortion services.
    b. If, for instance, your client has a self-insured group health plan, it is not directly impacted by state laws prohibiting abortion due to ERISA preemption. However, state criminal laws of general application are not preempted by ERISA. Employers with self-insured group health plans with employees in states that make abortion a crime may need to address potential liability and ERISA preemption issues with legal counsel.
  3. Medical travel benefits are trending as an area of interest for clients with insured plans in states that prohibit abortion, and for all clients with employees living in those states that may need to travel for abortion services. There are a variety of ways to provide medical travel benefits and a whole host of potential compliance issues that arise. You may not be in a position to advise on all of the issues, some of which cross over into legal advice, but you should be familiar with key points, as follows:
    a. Whether to offer the benefit pre- or post-tax – medical travel reimbursements are fairly limited under the tax code and fairly low dollar limits apply under health FSAs ($2,850) and Excepted Benefit HRAs ($1,800). An integrated HRA or a post-tax arrangement can be in an amount the employer chooses.
    b. ERISA compliance – a medical travel reimbursement arrangement will be subject to ERISA disclosure requirements and ERISA reporting requirements depending upon the number of participants eligible under the arrangement.
    c. Mental Health and Addiction Equity Act and HIPAA Privacy issues – if the arrangement covers medical travel only for abortion services, parity for mental health benefits is a problem. For this reason, it may be preferable to offer benefits for all types of medical travel. Processing reimbursements for such plans will involve review of protected health information and trigger HIPAA compliance if the arrangement covers 50 or more participants or is an arrangement of any size that is administered by a third party. For this latter reason, some employers are offering generalized travel reimbursement plans that do not require proof of medical treatment. Note that such arrangements would not be subject to ERISA (and ERISA preemption would not apply to any aiding and abetting laws asserted against employers offering them). Such arrangements would also potentially trigger wide uptake among employees and considerable employer expense.
    d. Medical travel reimbursement arrangements will need to be coordinated with other arrangements such as health FSAs and eligibility under a medical travel arrangement will impact HSA eligibility. A careful survey of clients’ benefit landscape is necessary before implementing a medical travel reimbursement arrangement.
    e. States such as Texas and Oklahoma have laws that prohibit “aiding and abetting” abortion – including through provision of insurance and reimbursements – which could be directed at employers offering these benefits. Further, a group of Texas legislators (the “Texas Freedom Caucus”) has threatened criminal prosecution of at least one employer that offers travel benefits for those seeking abortion services. The ultimate enforceability of these provisions against employers will need to be determined through litigation, which may take years to unfold. In the meantime, clients contemplating medical travel benefits for abortion services will need competent legal counsel on potential liability and ERISA preemption issues that are raised.
  4. Be mindful of stop-loss coverage and the need to involve the stop-loss carrier in discussions of any change in self-insured plan design around abortion services.
  5. Be aware that the compliance landscape is shifting constantly and that it is important to closely monitor your sources for benefits news. Even as this post was being finished, it was announced that the Dick’s Sporting Goods chain, which had offered a $4,000 travel benefit to employees seeking out-of-state abortions, was sued by “America First Legal,” a conservative group, on the grounds that the travel benefit violated Title VII of the Civil Rights Act by discriminating against female employees who choose to give birth. As many of the key issues in this area will be litigated, fast answers are not available. The safest strategy for the foreseeable future is to stay informed and proceed with caution. The above information is a brief summary of legal developments that is provided for general guidance only and does not create an attorney-client relationship between the author and the reader. Readers are encouraged to seek individualized legal advice in regard to any particular factual situation. © 2022 Christine P. Roberts, all rights reserved.

Photo credit: Cody Engel, Unsplash

Is EEOC Wellness Guidance Coming Out of the Deep Freeze?

Currently, guidance on permissible incentives (whether in the form of a reward or penalty) to participate in a wellness program is in a state of flux, but some clarity may be forthcoming sometime after July 1, 2022.

That is the date on which one of the five seats on the Equal Employment Opportunity Commission (EEOC), currently held by Republican Janet Dhillon, becomes available for President Biden to fill. The Commission’s current roster of three Republicans and two Democrats has been blamed for delays, including two consecutive failures, in the fall of 2020 and spring of 2021, to publish the Commission’s regulatory agenda. President Biden’s pick for the slot, Cohen Milstein, et al. attorney Kalpana Kotagal, failed to secure confirmation upon initially appearing before the Senate in May of this year. However, Senate Majority Leader Chuck Schumer may bring Ms. Kotagal’s nomination to a full Senate Floor vote under rules that apply when there is no majority for either party in that house of Congress.

By way of background, the EEOC issued proposed regulations in January of 2021 that would have required that, to be considered “voluntary,” incentives for “participatory” wellness programs must be “de minimis,” such as a water bottle or t-shirt.  Voluntariness is a requirement under the Americans with Disabilities Act whenever an employer performs a medical examination – which would include biometric testing under a wellness program – or makes a disability-related inquiry, which could be part of a Health Risk Assessment under a wellness program.  Both biometric testing and HRAs are examples of participatory wellness programs in that they do not require any physical activity or health outcome, and these types of wellness programs are in wide use across the country.   (For more background information on the EEOC and wellness incentives, including removal of incentive provisions under 2016 EEOC regulations, check out our earlier post.) 

The Biden Administration required the EEOC to withdraw the 2021 wellness regulations before they were published in the Federal Register, as part of a regulatory freeze pending review.  It is possible that, if Biden’s nominee to the EEOC secures confirmation, the proposed regulations containing the de minimis rule may be revived in their original or a modified form.  Below is a brief summary of existing wellness incentive rules and some thoughts on what a de minimis incentive rule might look like, if enforced. 

  • If we ignore the EEOC withdrawn proposed regulations, what are the rules on wellness incentives?

Keep in mind that withdrawal of the 2021 EEOC proposed regulations followed withdrawal of the incentive provisions of 2016 EEOC final wellness regulations, which would have capped incentives even for participatory programs at 30% of the cost of self-only coverage if the program involved a physical examination or asked disability-related questions. Many employers are still using the 30% cap even for participatory wellness programs that involve biometric testing or HRAs.

In the absence of both sets of withdrawn EEOC guidance, the rules are set forth in HIPAA regulations and are as follows:

Participatory wellness programs (require no physical activity or health outcome) do not have any limit on incentives.

Health-contingent programs (require physical activity or health outcome) have a maximum incentive that is an amount equal to 30% of the individual premium under the most affordable group health plan option, or 50% if the program is designed to reduce or stop tobacco use.

Important Note:  the cap on financial incentives is just one aspect of wellness compliance; there are also design parameters, notification duties, and other criteria that apply under HIPAA wellness regulations.  One example of a required design criteria for a health-contingent wellness program is that an alternative means of earning a wellness incentive be made available to persons who are prevented from meeting (or attempting to meet) the original criteria due to medical conditions or issues.  Another is that a participatory wellness program be made available to all similarly situated individuals. 

  • If the de minimis incentive rule is revived, for participatory wellness programs that include physical exams/disability-related questions, what type of incentive might qualify as de minimis?

The withdrawn regulations give the example of a water bottle or gift card of modest value and indicate that premium surcharges of $50 per month ($600 per year), an annual gym membership, or airline tickets would be more than de minimis.  If a water bottle suffices, presumably other low-cost items – such as a t-shirt, towel, or stress ball – would also work.  “Modest value” gift cards probably mean $10 or $15 or less.  Note that these items may be taxable compensation.  Any gift card would be, but a water bottle, t-shirt or other small item may qualify as an excludible de minimis fringe benefit under Internal Revenue Code Section 132(a)(4).

Clearly, there is a good bit of daylight between the HIPAA rules for participatory programs (unlimited incentive) and the de minimis rule under withdrawn EEOC guidance. And the voluntariness of incentives to take part in biometric testing is still being challenged in the courts, as evidenced by a recent court case from the Northern District of Illinois. Hopefully changes in the EEOC will be followed by guidance that brings some clarity to an area that has been frustratingly confusing for employers for a number of years.

The above information is a brief summary of legal developments that is provided for general guidance only and does not create an attorney-client relationship between the author and the reader. Readers are encouraged to seek individualized legal advice in regard to any particular factual situation. © 2022 Christine P. Roberts, all rights reserved.

Photo credit:  Dev Benjamin, Unsplash

Call Me Maybe?  Prerecorded Wellness Messages Trigger Anti-Telemarketing Laws

WellCare Health Plans, Inc., which primarily services Medicare and Medicaid enrollees, fell afoul of federal laws governing unsolicited telephone calls when it reached out with voicemail and pre-recorded messages about preventive services, and medical management and educational health programs. In Fiorarancio v. WellCare Health Plans, Inc., 2022 WL 111062 (D.N.J. 2022), a New Jersey federal trial court denied WellCare’s motion to dismiss a complaint that the calls violated the Telephone Consumer Protection Act and related FCC regulations, even though the calls promoted free services. The case provides some helpful insight on when wellness outreach via automated phone calls might cross the line into solicitation.

First, some background. The TCPA dates back to 1991, when telemarketing and unsolicited faxes reached their peak. Facilitation of the TCPA included creation of the National Do Not Call Registry in 2003. The specific Federal Communications Commission regulations under the TCPA that were at issue in the Fiorarancio case were as follows:

  • 47 C.F.R. § 64.1200(a)(1) prohibits any calls using an automatic telephone dialing system (robocalls) or an artificial or prerecorded voice, other than calls made for emergency purposes, or with the express consent of the called party.
  • 47 C.F.R. § 64.1200(a)(2) requires prior written consent if the robocall or pre-recorded calls include or introduce an advertisement or constitute telemarketing.  Exceptions to the written consent requirement apply if the call is made by or on behalf of a tax-exempt nonprofit organization, or delivers a “health care message” made by or on behalf of a covered entity or its business associate as defined under HIPAA. 

Next, the relevant facts of the Fiorarancio case.  Mr. Fiorarancio had no relationship to WellCare or any of its plans.  Between February and December 2019, his cell phone received 18 voice mail messages, of which 4 were pre-recorded, intended for a third party (apparently WellCare was dialing a wrong number).  The messages addressed the third party by name and requested the person call back in relation to a number of matters including free preventive care, an educational health program, an in-home health assessment, and the Healthy Living program, which was a free service WellCare offered to those who were at risk of experiencing a drug therapy problem.  During that same time his cell phone also received two text messages with flu shot reminders.

Mr. Fiorarancio brought a class action on the TCPA violations. With regard to the National Do Not Call Registry, WellCare moved to dismiss the complaint on the grounds that the calls were not telephone solicitations because they were merely intended to inform the recipient about WellCare benefits or health care in general. The court disagreed, noting that even though the messages may have been informational on their face, it was plausible that they were part of a larger marketing or profit-seeking scheme and thus within the TCPA’s scope. It noted that the sizeable number of calls and their direct relation to WellCare’s business permitted the inference that they were a pretext to commercial activity, and the complaint did not need to specify the underlying purpose of the calls in order to survive a motion to dismiss.

With regard to the 4 prerecorded messages falling within the scope of the consent requirement of the FCC regulations cited above, WellCare argued that as health care messages they were exempt from all prior consent requirements under the TCPA, not just the written consent requirement applicable to advertisements and telemarketing. Plaintiffs rebutted that the health care messages were still subject to the general consent requirement. The court agreed with this narrower interpretation of the health care message exception and upheld this aspect of the complaint. It dismissed the complaint, however, with respect to the two text messages with flu shot reminders, due to prior case law that flu shot reminders were not solicitations under the TCPA.

In its decision the court noted an Ohio case decided on similar grounds, Less v. Quest Diagnostics Inc., 515 F. Supp. 3d 715-757-18 (N.D. Ohio 2021), in which a prerecorded message reminding of annual no-cost wellness visits was at issue; in that case a motion to dismiss the complaint under the TCPA also failed and the case went on to the discovery process in order to reveal more about whether or not the messages were a pretext to a solicitation.

The lesson in this case is that wellness outreach does not have blanket immunity from laws prohibiting unwanted telephone solicitation, particularly where, as here, the number and persistence of the phone contacts suggest an overriding commercial aim. Further, the health care message exception applies only to the written consent component of applicable FCC regulations, and the general consent requirement still applies if robocalls or recorded messages are put in use.

The above information is a brief summary of legal developments that is provided for general guidance only and does not create an attorney-client relationship between the author and the reader. Readers are encouraged to seek individualized legal advice in regard to any particular factual situation. © 2022 Christine P. Roberts, all rights reserved.

Photo credit: Wesley Hilario, unsplash

Stanford Health Privacy Breach Highlights Downstream Vendor Risks, Issues

In an earlier post I described a HIPAA privacy breach that occurred when a spreadsheet detailing the emergency room treatment of nearly 20,000 patients of Stanford Hospital was posted online, for the better part of a year, at a “homework for hire” website. The New York Times has published an article tracing the breach to a job applicant who received the spreadsheet from a one-person marketing agency hired by the Hospital’s third party billing contractor.

The spreadsheet was originally transmitted in encrypted format from the Hospital to the marketing agent, who had represented himself as a vice-president of the billing contractor and was in fact the Hospital’s main contact for the billing contractor. In reality, he was not an executive of the billing contractor, but the billing contractor nonetheless condoned his use of that title in order to get access to various health executives and generate customers for its billing services. The marketing agent decrypted the spreadsheet and provided it to the job applicant with the request that she demonstrate her skills converting it to bar graphs and charts. Without recognizing that the names and treatment codes on the spreadsheet were “real world” data, the job applicant then sought help with the assignment by posting the spreadsheet on, where it was discovered almost a year later by the parent of a Hospital patient named in the chart.

In other words, the breach was not attributable to a Hospital employee, or an employee of the Hospital’s business associate, the billing contractor, but to a “downstream vendor” or “subcontractor” of the billing contractor, and not even to an employee of the downstream vendor but to a mere job applicant. One of the patients disclosed in the spreadsheet has since sued Stanford Hospital and the billing vendor in L.A. County Superior Court, seeking damages of $1,000 for each of the 20,000 affected individuals.

This is a frightening object lesson for covered entities – the Stanford Hospitals of the world – and for business associates such as the billing contractor – about the risks presented by “downstream” vendors, and the need to ensure that their handling and use of protected health information and e-PHI meets HIPAA and applicable state law privacy and data security standards. HIPAA as amended by HITECH now demands that business associates vouch in this manner for their downstream vendors in their business associate agreements. Clearly, to do so, the parties first must clearly identify downstream vendor relationships, and not disguise the vendor’s staff as business associate employees, as occurred in the Stanford case. Even where the vendors clearly are identified, business associates should also address, in business associate agreements, whether the covered entity can share data directly with the downstream vendors, and if so, under what conditions. The Stanford case is unusual due to the disguising of the marketing agent’s true status, but it suggests that business associates might always want to be at least notified of such communications, if this is administratively practical. Or, they might want to vouch for privacy/security compliance only when data passes through them to the downstream vendor, but require the covered entity to be responsible for breaches resulting from its direct communications with the downstream vendors.

Trying to stay ahead of the technological curve in data transmission is almost impossible, but we can learn from others’ mistakes and take whatever steps are necessary not to repeat them.

Outside Contractor the Weak Link in Stanford Health Data Security Breach

August 8th’s New York Times contains an article that details a HIPAA data security breach traced to an outside billing and payment data contractor for the Stanford Hospital in Palo Alto, California. The item that was disclosed was a detailed spreadsheet, prepared by the billing contractor, tracking the emergency room treatment of 20,000 individuals seen at the hospital during a 6-month period in 2009, including their names and diagnosis codes. Somehow, the spreadsheet made its way to a commercial Web site as an example of how to convert data into a bar graph. The site in question, “Student of Fortune,” provides online tutoring and help with homework to students for a fee. The spreadsheet was made publicly available in this manner for over a year before a patient brought it to the hospital’s attention. It is not clear how the spreadsheet was disclosed in this manner but the article suggests that investigation cleared hospital employees of any involvement.

The hospital provided written notification to affected patients of the breach four days after learning it had occurred. This is within the 5-day time period required under California Health and Safety Code § 1280.15, governing health data security breaches occurring at California medical facilities. The hospital also paid for identity theft protection for the affected patients, even though the spreadsheet did not contain Social Security Numbers or other information commonly leading to identity theft. The Times article notes that in an earlier incident involving theft of a laptop from its Children’s Hospital, Stanford had waited 19 days to notify affected patients’ families, and even though no PHI was released in the incident, the California Department of Public Health fined the hospital $250,000 for its delay.

Statistics quoted in the article attribute 20 percent of health data security breaches to outside contractors to the health care providers, insurers and other “covered entities” which were HIPAA’s original focus. HIPAA designates outside contractors whose role requires them regularly to maintain or access protected health information (PHI) as “business associates” and requires that they comply with HIPAA privacy rules to the same degree as the covered entity (hospital, insurer, etc.) they work for, and also enter into a “business associate agreement” to that effect.

Until recently, business associates’ duties and liability under HIPAA were limited to the written terms of their business associate agreements with covered entities. However, HITECH made business associates individually accountable under HIPAA for the first time. Further, proposed regulations under HITECH extend business associate status to downstream subcontractors of business associates, and require that they enter into written agreements with business associates confirming their duties under HIPAA. This brings within the sweep of HIPAA compliance entities — such as document shredders and other peripheral businessplace vendors and service providers — that prior HIPAA regulations had expressly carved out from compliance duties.

Bottom line, this means a new level of scrutiny must be brought to service agreements between a business associate, on the one hand, and any other entity that routinely could be considered within the “chain of custody” of hard copy documentation or digital data comprising PHI. A weakness at any point in that chain may result in liability to the business associate and, as occurred in the Stanford Hospital/Student of Fortune matter, to the covered entity itself.

California Legislature to Clarify, Expand Data Breach Notice Requirements

A bill that is close to final passage in Sacramento will clarify and slightly expand notification requirements upon a breach of unsecured personal data of California residents, including financial, health or health insurance information. Currently the law requires written or electronic breach notification, but does not mandate any particular content for notifications. Senate Bill 24 will amend California Civil Code § 1798.29 (applicable to state agencies) and § 1798.82 (applicable to private owners or licensors of data) to specify what information must be conveyed in notification of a breach. Specifically, the measure requires that the notification:

• Be written in plain language
• Be dated
• Include contact information regarding the breach, the types of information breached, and the date, estimated date, or date range of the breach
• Include toll-free phone numbers for the major credit reporting agencies
• Describe whether notification was delayed due to law enforcement investigation.

Optional language that may be added to the notice includes information about what the notifying party has done to protect individuals whose information has been breached, and advice on steps affected individuals can take to protect against identity theft or other consequences of the breach.

The new law also slightly expands notice duties, by requiring that an electronic copy of the breach notification be sent to the Attorney General in each instance where a single breach affects more than 500 California residents. Additionally, it requires those making use of “substitute” notification to also notify the Office of Privacy Protection within the State and Consumer Services Agency (state agencies must instead notify the Office of Information Security within the California Technology Agency). Substitute notice may be provided upon demonstrating that the cost of providing notice would exceed $250,000, or where more than 500,000 individuals’ data is affected. In addition to the new agency notification duty, substitute notice requires all of the following:

• E-mail notice where valid e-mail addresses are available;
• Conspicuous posting of the notice on the breaching party’s web page; and
• Notification to statewide media.

Similar to rules under HIPAA/HITECH, notification is only required if unencrypted data is released, and notice is not required where the data exposure is limited to “good faith acquisition by an employee or agent of the business for purposes of the business.” Civil Code § 1798.82(g). Under both federal and state law, however, notice is required not only upon discovery of an actual security breach but also upon formation of a reasonable belief that a breach occurred.

Unlike HIPAA/HITECH, which specify a maximum 60-day notice period, the California law does not specify a notice time period, requiring only that it be provided “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, [ . . . ] or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” Civil Code § 1798.82(a). A business that simply maintains data but does not own or license it must “immediately” provide notice of the breach to the owner or licensee of the data, which in turn will notify the affected individuals.

Finally, two “safe harbors” exist in regard to notification:

• Businesses that are “covered entities” under HIPAA need only satisfy HIPAA/HITECH notification duties to be deemed to have complied with the new notice content provisions under California law. Notification of the Attorney General must still be made if more than 500 California residents are affected by the breach, and all California notice duties would appear to apply to business associates under HIPAA.

• Businesses that provide notification under their own notice procedures as part of an information security policy are deemed to have complied with California notice requirements in total, so long as their internal procedures are “otherwise consistent with the timing requirements” of Civil Code §§ 1798.29 and 1798.82; i.e., notice is provided expediently and without unreasonable delay.

SB 24 was just approved on the Senate Floor by a vote of 34-4, has no formal opponents, and may go to the Governor’s desk by the end of the month, depending on the time needed to engross and enroll the bill. If the bill is not signed by September 9, Governor Brown will have an additional 30 days to sign it into law. Keep an eye out for a follow-up post confirming passage of the bill into law.

State Privacy Breach Laws May Trump HIPAA/HITECH

When HITECH amended HIPAA in 2009 it empowered state attorneys general to sue breaching parties to enforce the privacy and security rights of their respective state’s citizens. Prior to this time only the Department of Health and Human Services (DHHS) was permitted to enforce HIPAA. However, § 13410(e) of the HITECH Act limits the money damages that attorneys general can collect to $100 per individual affected, not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year.

Some state health privacy laws impose higher money penalties on breaching parties, and recently the Indiana Attorney General invoked state law, over HIPAA/HITECH, when prosecuting a privacy breach by insurer WellPoint, Inc. In that instance, the applicable Indiana statute permitted recovery of up to $150,000 per failure to disclose a health data security breach.

In the WellPoint breach, applications for individual health insurance policies containing Social Security numbers, financial and health information for 32,051 Indiana residents were accidentally made available on the internet for at least 137 days between October 2009 and March 2010. A member of the public notified WellPoint of the problem on February 22, and ultimately the individual filed a class action lawsuit against WellPoint on March 8. After being sued WellPoint quickly fixed the online problem, which had occurred during a system upgrade. However, WellPoint did not begin notifying its customers of the breach until June 18. And, when it did notify customers in Indiana, it did not notify the Attorney General, as required under state law.

WellPoint notified the DHHS of the breach in accordance with HITECH. However, when Greg Zoeller, the Indiana Attorney General, filed suit against WellPoint in October 2010, he did so not under HITECH but under a provision of the Indiana Code allowing recovery of up to $150,000 per “deceptive act,” which term included a failure to disclose a breach of the security of personal data. The Indiana statute also allows recovery of the Attorney General’s reasonable investigation and prosecution costs.

Regarding this choice of law, a spokesperson for the Indiana Attorney General’s office stated:

“While the option to file under HITECH/HIPAA in federal court was considered, Indiana’s notification laws and enforcement options allow greater remedies . . . . [u]nder HITECH/HIPAA, the possible penalties maximum would have been $25,000 vs. $300,000 under Indiana law.” (Presumably the two “deceptive acts” were delayed notification of the public and failure to notify the Indiana AG).

WellPoint ultimately reached a settlement with the Attorney General on June 23, 2011, pursuant to which it will pay a $100,000 fine to a state fund providing restitution to defrauded consumers and will provide two years of credit monitoring and identity theft protection to affected individuals in Indiana. In addition, it will reimburse victims of identity theft for losses up to $50,000 per individual.

Prior to this case, the Connecticut Attorney General sued Health Net under HITECH/HIPAA following the insurer’s delayed notification of its loss of an unencrypted portable disk drive holding records for more than 500,000 insureds in Connecticut and more than 1.5 million nationwide. In that settlement Health Net agreed to pay $250,000 in damages, provide two years of credit monitoring and $1 million of identity theft insurance, and reimburse the costs of security credit freezes.

When HITECH first empowered attorneys general to prosecute data security breaches, little thought was given to the possibility that they might have more leverage under state laws than under the new federal statute. With state budgets stretched to the limit, this may prove more of a factor in which security breaches are prosecuted, and under which laws.

California law permits individuals to sue over breaches of their personal security data and recover up to $3,000 per violation as well as attorneys’ fees, but neither mandates the contents of security breach notices nor requires notification of the California Attorney General. This may change, however, as a California Senate bill would specify the contents of breach notifications and, for breaches affecting more than 500 California residents, would require that breach notifications be sent electronically to the Attorney General. The Senate passed SB 24 in April 2011 and it is easily passing committee votes in the State Assembly. I will continue to update the progress of the bill in future posts.

Nondiscrimination Rules for Insured Health Plans Put On Hold

The Internal Revenue Service just issued Notice 2011-1 today, stating that compliance with nondiscrimination rules for insured group health plans, otherwise slated to go into effect on January 1, 2011 for non-grandfathered plans, will not be required (and no excise tax for failure to comply need be reported) until after regulations or other administrative guidance on the nondiscrimination rules issues. The Notice has the support of the other agencies that enforce health care reform, the Department of Labor and the Department of Health and Human Services.

Further, the Service anticipates that any such regulations or guidance will not apply until plan years beginning after a specified period following publication of the new guidance (often this is a 6-month period). Before the beginning of those plan years, employers will not need to file IRS Form 8929 reporting excise taxes as a result of plan designs that discriminate in favor of highly compensated individuals.

This is extremely welcome relief for plan sponsors and advisors. In essence, the Notice appears to bring back the status quo before the Patient Protection and Affordable Care Act by essentially stating that employers with insured health plans cannot realistically be expected to comply with laws that are “similar to” existing nondiscrimination rules for self-funded plans. For employers that maintained executive carve-out plans prior to the Affordable Care Act, maintenance of those plans in 2011 would not appear, from the Notice, to subject them to any enforcement efforts or excise taxes.

What does this mean for employers going forward? Employers who already redesigned their group health plan in anticipation of the January 1, 2011 compliance deadline should hesitate before rolling back any newly compliant, nondiscriminatory plan designs. Reversing steps taken in order to comply with the law is never a good idea, and nondiscrimination rules eventually will apply, so it is unwise to get re-attached to a plan design that ultimately will be obsolete, especially now that employees may be aware that discriminatory plan designs are disfavored. For employers with a discriminatory insured plan that was never redesigned, maintenance of the plan “as-is” should not result in any excise tax penalties or other enforcement action. Again, however, this grace period will end as of the first day of the first plan year following the year in which nondiscrimination regulations are published, and if regulations issue later this year then nondiscrimination compliance could be required as soon as January 1, 2012. Employers that are subsidizing former executives’ COBRA or other continuation group health coverage through this year and into the next (e.g., under a severance plan) should be aware that maintenance of the plan into 2012 could violate the nondiscrimination rules and result in excise taxes.

As an indication of how complex the nondiscrimination issue is, the Notice requests further commentary from the public on no fewer than 13 different topics, ranging from “safe harbor” plan designs for automatic compliance, to application of different rules for plans offered in different geographic regions by the same employer, to what constitutes “benefits” for purposes of nondiscriminatory plan design (e.g., rate of employer contributions, versus percentage or amount of employee contributions), to whether compliance can be met merely by making coverage available to employees, whether or not they enroll (as applies in the 401(k) context). Notably, none of the requests for commentary refer to the transition period beginning with publication of the Notice and ending with publication of final regulations on nondiscrimination rules for insured plans. This further confirms that, for pre-existing, discriminatory plans, we are entering a “no enforcement” zone for the immediate future at least.