As employers look toward open enrollment for their group health plans, now is a good time to review action items needed for those plans by year-end, as well as upcoming deadlines in the near future. While fully-insured health plans generally have their compliance obligations satisfied by the insurer, self-insured health plans usually rely on the employer or the plan's third-party administrator (TPA) to meet the compliance requirements. Below is a brief summary of items that employers should be aware of for their health plans and, as appropriate, we have delineated when such compliance is limited only to self-insured health plans.
1. HIPAA Privacy Extends Special Protections to Reproductive Health Care: Employer Action Required by 12/23/24
Earlier this year, new regulations were issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that impose new restrictions on the use and disclosure of "protected health information" or "PHI" that is classified as "reproductive health care." These changes require most group health plans to update their HIPAA policies and procedures and training practices by 12/23/2024 and their Notice of Privacy Practices by 2/16/2026.
The new regulations expand the prohibitions on the use or disclosure of PHI involving "reproductive health care" to include any of the following purposes:
- To conduct a civil, criminal, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
- To impose liability on a person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care; or
- To identify any person described in the above two bullet points.
These prohibitions only apply if:
- The activity relates to a person seeking, obtaining, providing, or facilitating reproductive health care; and
- The health plan or any of its business associates that receives a request for PHI reasonably determines that:
  - the reproductive health care was lawful in the state where it was provided;
  - the reproductive health care was protected by federal law; or
  - the reproductive health care was presumed to be lawful.
The new regulations provide that reproductive health care is presumed to be lawful unless the health plan or business associate has actual knowledge it was unlawful or factual information that provides a substantial basis that it was unlawful. Therefore, it is likely the expanded prohibitions will apply in the majority of circumstances.
An additional attestation is required in circumstances where the use or disclosure of reproductive health-care-related PHI is deemed not to be a prohibited use or disclosure.
Action Items by December 23, 2024
By December 23, 2024, plan sponsors will need to do the following:
- Update business associate agreements to ensure no PHI related to reproductive health care will be released without the correct authorizations;
- Amend the health plan's HIPAA privacy policies and procedures to incorporate the new requirements regarding using and disclosing reproductive health-care-related PHI;
- Train applicable workforce members to ensure they know and understand the new use and disclosure restrictions, including being able to identify when an attestation is required; and
- Review administrative forms, notices, and templates to ensure that all HIPAA references reflect the modifications.
Action Item by February 16, 2026
Update Notice of Privacy Practices to include reproductive health protections. Updated notices must be provided to employees. We expect that a model form will be issued prior to the compliance date.
2. Additional Health Plan Compliance Concerns for 2024 and Beyond
Gag Clause Attestation. Plan sponsors are required annually to file an attestation that no "gag clause" applies regarding the health plan. This attestation is due by December 31, 2024, and is filed online at the CMS website. This applies to all group health plans. A plan's TPA generally submits the attestation for a self-insured plan, and the insurance company typically does so for a fully-insured plan; however, we advise confirming compliance with the TPA/insurer.
NQTL Compliance. The Mental Health Parity and Addiction Equity Act generally prohibits group health plans from imposing both quantitative (e.g., deductibles and co-pays) and non-quantitative (e.g., pre-authorizations, medical management techniques, standards related to network composition, or methodologies to determine out-of-network reimbursement rates) treatment limitations (NQTLs) on services for mental health and substance use disorder benefits that are more restrictive than those applied to substantially all medical/surgical benefits. On September 9, 2024, the DOL, IRS, and HHS issued final regulations that apply to most all group health plans regarding these NQTL restrictions. The new regulations become effective for plan years beginning on and after January 1, 2026, but the proposed regulations issued in 2023 continue to apply until then. The regulations have made clear that the responsibility for compliance rests with the plan sponsor. Therefore, it is incumbent on employers to ensure that the necessary data and compliance validation will be provided by the plan's insurer and/or third-party administrator. Plan sponsors must be able to provide any requested NQTL report within 10 business days of its request by the government and within 30 days of its request by plan participants "who have received an adverse benefit determination."
Transparency Requirements. The No Surprises Act requires a host of disclosures, claim adjudication requirements, determination of the amount to be paid for out-of-network health care providers, and the dispute resolution process for determining the amount to be paid. Self-insured health plan sponsors should ask the health plan's TPA to provide assurances of their compliance with the No Surprises Act. The Transparency in Coverage rules were issued in November 2020 and had a phased implementation process. Self-insured health plan sponsors should request that their TPA provide them with a status update on the disclosure of fees and cost-sharing information because as of January 1, 2024, all covered items and services must be part of the disclosure to participants.
Fiduciary Obligations. For several years the DOL has been reminding employers of their fiduciary obligations under the Employee Retirement Income Security Act of 1974, as amended (ERISA) regarding fees related to health and welfare plans. Self-insured health plan sponsors should request their health plan TPA or broker to provide the required fee disclosure of all direct and indirect fees they will receive related to the health plan.
Cybersecurity Compliance. On September 6, 2024, the DOL issued guidance confirming that cybersecurity compliance applies to all types of plans governed by ERISA, including health and welfare plans. The DOL updated its 2021-released Compliance Assistance, which provides best practices in cybersecurity for plan sponsors, plan fiduciaries, recordkeepers, and plan participants.
Prescription Drug Reporting. Applicable law requires group health plans to provide reporting on medical and drug costs, commonly referred to as the RxDC Reports. For fully-insured plans, the carrier will provide this reporting. Sponsors of self-insured plans should confirm that the TPA is filing the report for the health plan or when it will provide such a report to the plan sponsor for filing.
M&A Events. Review any corporate transactions that occurred during the calendar year to determine when the affected individuals became employees of an entity in the controlled group and you became responsible for their reporting obligations on Forms 1095-C and 1094-C, and verify that such reporting will be completed for such employees.
As compliance requirements evolve, it's essential for employers to stay updated and ensure their health plans meet the latest regulations.