On December 21, 2009, the President signed H.R. 3326, which includes the COBRA subsidy changes discussed in yesterday's blog entry. The enactment of this law means that by February 19, 2009, administrators of group health plans must issue a notice describing the COBRA changes to individuals who were eligible for the subsidy or who experience(d) a COBRA qualifying event at any time on or after October 31, 2009. This notice should describe:

• The extension of the maximum COBRA subsidy period from 9 months to 15 months;
• The extension to February 28, 2010, of the qualifying date for an involuntary termination entitling the COBRA qualified beneficiary to the COBRA subsidy as an "assistance eligible individual";
• The right of qualified beneficiaries whose COBRA terminated after October 31, 2009 (due to failure to pay the higher COBRA premium) to reinstate coverage retroactively by paying the subsidized premium (the 35% amount) by February 19, 2010, or by 30 days after the notice is provided, whichever is later;
• The right of assistance eligible qualified beneficiaries who paid the unsubsidized premium for COBRA for periods after October 31, 2009, to receive a refund or obtain a credit of the overpaid amount. (The administrator can choose the option it prefers: refund or credit).

Watch the U.S. Department of Labor website, www.dol.gov/cobra, for more information and, possibly, a model notice.
 

On Saturday, the Senate passed the 2010 Defense Appropriations Bill, which contains an extension of the ARRA subsidy for COBRA continuation of health coverage. The Senate Bill is identical to the House Bill, and the President is expected to sign the bill this week. That signature date is important because it is the "enactment date," which drives some of the payment and notice requirements described below.
 

The Appropriations Bill does the following with respect to the 65% COBRA subsidy:

• Individuals who are involuntarily terminated through February 28, 2010, will be eligible for the subsidy (the previous date was December 31, 2009);
• The maximum subsidy period is extended to 15 months from the original 9 months; 
• Individuals whose subsidized COBRA coverage has already ended (some may have ended during November, 2009) have 60 days from the date of enactment (or 30 days after the notice discussed in the next bullet point, if later) to pay the 35% subsidized premium amount and obtain retroactive coverage by the subsidized COBRA. If the full premium was already paid, the "overpayment" amount can be refunded or credited towards future coverage;
• Within 60 days of the enactment of the law, Administrators of group health plans must provide a notice describing the foregoing to individuals who were eligible for the subsidy or who experienced a COBRA qualifying event at any time on or after October 31, 2009;
• The bill also "fixes" a problem recently identified in Department of Labor Q&As: The subsidy will be available to individuals who have a COBRA qualifying event (involuntary termination) through February 28, 2010. The previous law said that a terminated employee had to be eligible for COBRA by the expiration date. This is a subtle difference, but it caused an earlier termination of the subsidy than had been contemplated by Congress.
   

Among other things, the Health Insurance Portability and Accountability Act (“HIPAA”) requires heath care plans, third party health plan administrators, pharmacy benefit managers, health care providers, and other so-called “covered entities” and “business associates” to maintain the confidentiality and security of an individual’s “protected health information” or “PHI.” The Health Information Technology for Economic and Clinical Health Act (the “Act”), passed earlier this year as part of the economic stimulus package, introduced substantial changes to the HIPAA privacy and security rules, including the addition of new notification requirements that may apply in the event that the privacy or security of PHI is compromised.

Under the Act, if the confidentiality or security of PHI is compromised by a “covered entity,” notification of the “breach” may have to be provided to (i) affected individuals, (ii) the United States Department of Health and Human Services (“HHS”), and (iii) in certain cases, the media. If a “business associate” compromises the confidentiality or security of PHI, the business associate may be required to notify the covered entity of the breach.

On August 24, 2009, HHS issued interim final rules (“Final Rules”) that clarify the breach notification requirements. Although the Final Rules are effective September 23, 2009, and although HHS expects covered entities to comply as of that date, sanctions will not be imposed for noncompliance that occurs prior to February 23, 2010. Until then, HHS has indicated that it will take appropriate corrective action to help covered entities achieve compliance. Covered entities and business associates should not delay implementing appropriate measures to comply with the requirements of the Final Rules, despite the delayed enforcement date. The most significant aspects of the Final Rules are discussed below.

 

Covered Entities, Business Associates and PHI Defined

For purposes of the Final Rules, a “covered entity” is defined as a health plan, health plan clearinghouse, or health care provider that transmits any health information electronically in connection with a covered transaction (such as submitting health care claims to a health plan). A “business associate” is defined as a person who performs functions on behalf of, or certain services for, a covered entity that involve the use or disclosure of individually identifiable health information (e.g., third party administrators or pharmacy benefit managers for health plans). PHI is defined as individually identifiable health information held or transmitted by HIPAA covered entities and business associates, subject to certain limited exceptions.

 

When Does a Breach Occur?

The Final Rules define a breach to mean the unauthorized acquisition, access, use, or disclosure of unsecured PHI which compromises the security or privacy of such information. The security or privacy of PHI is considered to be “compromised” under the Final Rules if its disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

HHS previously issued guidance regarding when PHI is considered “secure,” and therefore not subject to the breach notification requirements. Generally, the guidance stated PHI is not considered secure unless it is either destroyed or encrypted in accordance with National Institute of Standards and Technology guidelines.

Under the Final Rules, a breach does not include certain unintended and inadvertent disclosures of unsecured PHI, nor disclosures where the recipient would not have been able to retain the disclosed information (e.g., instances where unsecured PHI is mailed to the wrong individual and the envelope is returned unopened).

 

What are the Notification Requirements With Respect to Individuals?

• General Requirement: After the discovery of a breach of unsecured PHI, the Final Rules require covered entities to notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of such breach. Breaches are treated as discovered as of the first day that the covered entity knows, or reasonably should have known, of the breach.
   
• Timing of Notice: The notification must be provided without “unreasonable delay” (i.e., as soon as reasonably possible) and in no event later than 60 calendar days after the breach is first discovered by the covered entity.
   
• Content of Notice: The notification must include, to the extent possible:

1. A brief description of the breach, including the date of the breach and the date of the discovery of the breach;

2. A description of the types of unsecured PHI involved in the breach;

3. Steps individuals should take to protect themselves from potential harm resulting from the breach;

4. A brief description of the actions taken by the covered entity to investigate the breach, to mitigate potential harm, and to protect against further breaches; and

5. Steps that can be taken to obtain additional information.
 

• Method of Notice: The notice must be provided by first-class mail to the individual at his or her last known address, or by electronic mail, if such method was previously agreed to by the individual. If the covered entity knows that the individual is deceased, written notice may be provided to the address of the next of kin or the individual’s personal representative.
   
• Substitute Notice: If the covered entity has insufficient or out-of date contact information with respect to the covered individual, the covered entity must provide notice through alternative means. If insufficient or out-of-date information is available for fewer than 10 individuals, substitute notice may be provided by an alternative form of written notice, telephone, or other means. If insufficient or out-of-date information is available for 10 or more individuals, the covered entity must either post a conspicuous notice of the breach on the web site of the covered entity involved, or provide conspicuous notice in local major print or broadcast media. Such notice must include a toll-free telephone number where an individual can learn whether the individual’s unsecured PHI was included in the breach (the number must remain active for at least 90 days).

 

When is Media Notification Required?

In the case of breaches involving more than 500 residents of a State or jurisdiction, the covered entity must notify “prominent media outlets” of the State or jurisdiction. Such notice must be provided without unreasonable delay, and no later than 60 calendar days of the discovery of the breach, and must include the same content as described above with respect to the notification of individuals.

 

When is Notice Required to be Provided to HHS?

Breaches Involving 500 or more Individuals: For breaches involving 500 or more individuals, a covered entity must notify HHS of the breach at the same time notice is provided to the affected individuals as described above, and in the manner specified on the HHS web site (www.hhs.gov).

Breaches Involving Less than 500 Individuals. For breaches involving less than 500 individuals, a covered entity is required to maintain a log of such breaches and submit it to HHS on an annual basis. The log must be filed with HHS within 60 days after the end of the calendar year, and in the manner specified on the HHS web site (www.hhs.gov).

 

What Notification Requirements Apply to Business Associates?

Upon discovery of a breach, business associates are required to notify the covered entity of the breach without unreasonable delay, and no later than 60 calendar days after discovery of the breach. Such notice must include, to the extent possible, the identification of each affected individual as well as any other information that the covered entity is required to provide to the individual pursuant to the covered entity’s notice obligations.

As an exception to the notification requirements described above, the Final Rules allow covered entities to delay the notification of a breach if requested by a law enforcement official.

 

Recommended Action

The Final Rules require covered entities and business associates to take immediate steps to ensure compliance. Such steps include, among other things:

1. Establishing internal procedures to determine when breaches of unsecured PHI have occurred and ensure compliance with the notification requirements;
2. Creating and maintaining a breach log to track any breaches so that they are properly reported to HHS;
3. Training appropriate personnel on the notification requirements;
4. Revising business associate agreements to account for the new requirements; and
5. Modifying existing HIPAA policies and procedures and the notices of privacy practices to comply with the new notification requirements.

Governor Paterson recently signed legislation that will affect the administration of insured medical plans in New York State. The legislation generally extends the period that terminated employees may elect continuation coverage under an insured plan from 18 months to 36 months and requires medical insurers to offer continued coverage to employees’ unmarried children through age 29, regardless of financial dependence. Each aspect of the new legislation is explained below.

 

Extension of Continuation Coverage (“mini-COBRA”) in New York

The New York Insurance Law provisions that govern continuation coverage (so-called “mini-COBRA”) generally extend federal COBRA-like continuation coverage requirements to employers with insured group health plans covering less than 20 employees in New York. However, under the recent changes to the New York mini-COBRA requirements, all employers, regardless of size, must make continuation coverage in an insured medical plan available to New York employees for up to 36 months following the date of the qualifying loss of coverage. For employers subject to federal COBRA, this change will require an additional 18 months of continuation coverage to be provided under New York mini-COBRA, once 18 months of federal COBRA is exhausted.

This extension of the continuation coverage period from 18 months to 36 months applies to group hospital, surgical and other medical expense insurance contracts (including those contracts issued by not-for-profit corporations and health maintenance organizations (“HMOs”)) that are issued, renewed or amended on or after July 1, 2009. The extension does not apply to self-insured group health plans (including health flexible spending accounts and similar benefits paid from an employer’s general assets). The extension also is not applicable to dental, vision or employee assistance programs, as the New York mini-COBRA provisions do not apply to those types of programs.

Employers that sponsor insured medical plans that are (or will be) affected by the extension should check with the plans’ insurance providers to review the implementation of the extension. Among the implementation issues to discuss are whether individuals who are already on continuation coverage when the insurance contract renews or is amended will be entitled to extended coverage and how notification of the additional continued coverage period will be provided. Affected plan sponsors should amend the COBRA provisions in affected plans and summary plan descriptions (“SPDs”) to reflect the continuation coverage extension. Likewise, COBRA notices should be reviewed and amended as appropriate.

Employers should also be aware of the potential cost impact on experience-rated insurance contracts. Additional claims experience, due to continued coverage, could cause insurance premiums to rise.

Coverage of Dependents Through Age 29

Under the new legislation, health insurance providers must allow an unmarried child of an insured employee to continue health insurance coverage through age 29, regardless of financial dependence. The child must live, work or reside in New York (or the service area of the insurer), and must not be eligible for another employer-sponsored medical plan or be covered by Medicare.

Extended coverage through age 29 is effective for insurance contracts issued, renewed or amended on or after September 1, 2009 (including not-for-profit corporations and health maintenance organizations (“HMOs”)). Children whose coverage terminated prior to the effective date of the legislation may elect prospective coverage during the 12-month period after the effective date.

Unlike the mandatory extension of the mini-COBRA continuation coverage period, an employer that sponsors an insured health plan is not required to amend its plan to extend coverage through age 29, or to subsidize the coverage beyond the age limitation set forth in the plan. Rather, this extension is triggered when the child ceases to be an eligible dependent under the plan, and works much like COBRA continuation coverage – the child must elect the coverage and is responsible for full payment of any required premium. The child must elect coverage within 60 days of termination of coverage, or during the annual enrollment period. Coverage will terminate when the child ceases to satisfy the eligibility requirements, or fails to pay the required premium within the 30-day grace period.

As with the extension of the mini-COBRA continuation coverage period, the changes to the dependent coverage rules do not apply to self-insured group health plans, health flexible spending accounts or similar reimbursement plans, or to dental, vision or employee assistance programs.

Employers that sponsor insured plans that are (or will be) affected by the new dependent coverage rules should consider whether affected plans should be amended to change the plans’ definition of covered “dependent.” An insurance carrier must allow an employer to purchase a policy to cover dependents through age 29. Affected employers that extend employer-provided dependent coverage through age 29 under the plan, or that otherwise subsidize extended dependent coverage, also should be aware that employer-provided coverage for an employee’s child who is no longer a “dependent” for federal income tax purposes will result in imputed income for the employee (generally equal to the employer subsidy).

As with the extension of mini-COBRA, premiums on experience-rated insurance contracts may rise due to continued coverage and claims experience.