Legal Requirements: Get The Facts
As you move forward with VBBD, it is critical that your company comply with all legal requirements, particularly those related to privacy and nondiscrimination. Although there is no substitute for legal expertise, the following overview gives employers a sense of the many federal laws and regulations that govern this space and the issues that have yet to be resolved.
Privacy and The Health Insurance Portability and Accountability Act (HIPAA)
The general rule under HIPAA is that no one can be denied group health insurance or charged more for coverage than other “similarly situated” people because of health status, genetic history, evidence of insurability, disability, or claims experience. “Similarly situated” is not based on health factors—but rather if a person is a full-time or part-time employee.
HIPAA was enacted in 1996 and the privacy provisions took effect in April 2003. In addition to addressing health insurance portability and access for group health plans, the law includes strict regulations on the use, transfer and security of protected health information (PHI) by “covered entities,” which include providers, health plans, and health clearinghouses. Protected information includes, but is not limited to, actual medical records and payment/billing information. The law provides specific direction on the disclosure of health information for research and public health activities. In general, data disclosures for any purpose are guided by the law’s requirement to use the minimum information necessary. In addition to these requirements, a section concerning electronic protected health information, known as the Security Rule, defines the administrative, physical and technical security measures that covered entities must have in place.
The American Recovery and Reinvestment Act of 2009 included several provisions to significantly strengthen the privacy protections in HIPAA, which took effect in February 2010. These HIPAA amendments include an expansion of the privacy protections to business associates of covered entities and vendors of personal health records. The law mandates new requirements for patient notification in the event of a data breach, and, in limited circumstances, a requirement that covered entities comply with patient requests not to share certain health information with the patient’s insurer.
The American Recovery and Reinvestment Act of 2009 included several modifications to the Privacy and Security Rules in HIPAA. Some of the key modifications are:
- “Covered entities” are now required to notify patients whose protected information has been improperly accessed and business associates of covered entities are required to notify the entity of security breaches related to the entity’s data. Notification must be made within 60 days of discovery of the breach. If the security breach concerns more than 500 people, the covered entity must notify prominent media outlets in the area where the people live. No notice is required if the data is encrypted.
- Patients who pay a covered entity in full for service may request that the entity not share information related to the transaction with a health plan and the covered entity must comply. Prior to the change, providers were not required to comply with such requests.
- Covered entities that use electronic health records (EHR) are now required, upon request, to provide an individual with a copy of the information in electronic format or transmit the information directly to a person or entity identified by the individual.
- The law requires the Secretary of Health and Human Services to issue guidance on the “minimum necessary use” within 18 months of enactment. Prior to the issue of guidance, the law requires covered entities to use the “limited data set,” in which the identifying information has been almost entirely removed, whenever practicable.
- Vendors of personal health records and other businesses that offer services through the website of a personal health record vendor are required to notify affected individuals and the Federal Trade Commission of any security breaches. The FTC is directed to issue regulations regarding breach notification requirements within 180 days of enactment.
- The penalties for violations of the HIPAA Privacy and Security rules are revised, with the amount of the financial penalties increasing significantly.
On July 8, 2010 (published in the Federal Register on July 14, 2010), the Department of Health and Human Services announced proposed changes to HIPAA which includes significantly increased penalties for HIPAA violations if subcontractors, exposed to personal health information, do not comply with the more detailed HIPAA security standards. However, in question is how far removed from the business associate does subcontractor compliance extend.
The Americans with Disabilities Act (ADA) and Wellness Programs.
The Americans with Disabilities Act (ADA) Amendments Act of 2008 was signed into law on September 25, 2008, and became effective January 1, 2009. Simply put, ADA limits an employer's ability to make disability-related inquiries or require medical examinations at three stages: pre-offer, post-offer, and during employment. Wellness programs must comply with the ADA’s “reasonable accommodation” requirements to allow people with disabilities to participate in such programs. Employers must develop reasonable and accessible alternatives to satisfy both the goals of their wellness programs and an individual’s needs for reasonable accommodation. For example, a smoking cessation program offered ten miles away from the workplace may be reasonable for a physically-capable person, but may be difficult for a person with disabilities. Such person would reasonably need additional accommodation.
HIPAA and Wellness Programs
In the 2010 health care reform law, HIPAA was amended to allow employers to expand discounts on premiums, copays or deductibles from 20 percent (current law) to 30 percent as a reward for employees participating in wellness programs.
HIPAA makes it easy for health plans to reward members for participating in health-promotion programs but more challenging to reward them for achieving a particular health standard. The rules divide wellness programs into two categories:
1. Rewards Based on Participation
An employer is allowed to reward employees who participate in wellness programs if the reward is offered to all similarly situated employees. Examples include:
- A program that reimburses for all or part of a gym membership.
- A program that rewards employees who undergo diagnostic testing regardless of the results.
- A program that encourages preventive care through the waiver of the copayment or deductible requirement under a group health plan.
- Waiving co-pays for prenatal care.
- Reimbursing enrollees for the cost of smoking cessation programs irrespective of whether they quit smoking.
2. Rewards Based on Achievement
An employer is also allowed to reward employees who attain certain health goals or standards—such as maintaining a certain body-mass index, stopping smoking, lowering cholesterol or losing a specified amount of weight. The program must meet the following standards:
- The reward cannot exceed 20% of the cost of the employee-only coverage under the plan (cost includes employee and employer portions). In 2014, the reward threshold increases to 30%.
- Program must be designed to promote health and prevent disease, and cannot impose an overly burdensome time commitment.
- Program must give eligible individuals the opportunity to qualify for the reward under the program at least once a year.
- The reward is available to all similarly situated individuals, including a “reasonable alternative standard” for obtaining the reward if a person cannot satisfy the health standard because of a medical condition (an ADA provision). To be “reasonable,” the individual must be able to satisfy it without regard to any health factor. The program must disclose the availability of the reasonable alternative standard in all materials that describe the wellness program.
The Genetic Information Nondiscrimination Act (GINA).
HIPAA was the primary federal law addressing medical information privacy until GINA was passed in 2008 and became effective on November 21, 2009. Because of its relative newness and the fact that the final regulations are still pending, many employers may be unaware of how this law impacts their activities. GINA prohibits employers from discriminating in the terms or conditions of employment—such as hiring, promotion, pay, and fringe benefits—based on “genetic information,” which includes information about an employee’s or family member’s request for or receipt of genetic services, or an employee’s family medical history. The term “family” is applied to an employee’s dependents, relatives of the employee, and the employee’s dependents from the first to the fourth degree.
Under the ADA, if the inquiries or examinations are job-related and consistent with business necessity, employers may make disability-related inquiries or require medical examinations of employees. In addition, both the ADA and GINA allow employers to offer "voluntary" wellness programs, but prohibit employers from requiring involuntary disclosure of disability-related information and genetic information. A wellness program is voluntary if employees are neither required to participate nor penalized for nonparticipation. The Department of Health and Human Services, only one of the three federal departments that oversee wellness programs, advises: “While in general these laws do not prohibit wellness programs, their bearing on specific employer or health plan incentives for health and wellness is a matter of legal interpretation. Therefore, employers and health plans may want to seek legal guidance in designing and implementing wellness programs.”
Legal and Privacy Issues Related to Value-Based Benefit Design
Here is a brief list of issues to consider when undertaking value based benefit design. Again, you must consult with your legal advisors to ensure that you have a full understanding of all legal issues involved, particularly as regulations are issued or revised. It is also crucial to consult with your attorneys to obtain guidance on communicating with your employees about the scope of protection provided by federal regulations.
Check all state and federal privacy laws.
HIPAA sets federal privacy standards for protected health information. State laws may be considerably more stringent. HIPAA in no way preempts stricter state privacy laws. The 2009 stimulus bill increased financial penalties for violations of HIPAA, up to fines of $50,000 per violation.
- Remove all references to family medical history in your materials and health risk appraisals (HRA).
EEOC officials have said that the initial GINA enforcement will be focused on GINA’s prohibition against obtaining family history. Most employers have and receive information about their employee’s family history, so this is one area where employers need to make efforts right away to get into compliance.
- Make sure that you communicate early and often, in easily understood words, that an employee’s health information is covered under privacy laws and will not be shared with their employer or fellow employees.
HIPAA requires covered entities to notify employees of their privacy rights and how their information may be used. Employees should be reassured that the health care providers, insurance companies, and wellness program providers cannot reveal protected health information to employers without the employee’s authorization.
- Make sure that you have appropriate business associate contractual arrangements with all health care vendors and data integrators.
A business associate is an organization that, on behalf of a covered entity, performs a function or activity that involves disclosure of individually identifiable health information. Examples of such functions include claims management, billing, or data analysis. Under the original provisions of HIPAA, a business associate was subject to HIPAA’s privacy provisions only as such provisions are included in the contract with the covered entity. The 2009 American Recovery and Reinvestment Act requires business associates to comply with the HIPAA Security Rule’s administrative, technical and physical requirements for electronic health information in the same way that covered entities must do. In addition, contractual agreements with business associates, including those already in place, must include the information security requirements. Business associates will also now be subject to the civil and criminal penalties for violations of the rule’s provisions.
- Check to make sure that the outreach utilized within the benefit (i.e. health management vendor outreach) meets the marketing rules contained within HIPAA.
HIPAA requires covered entities to allow individuals to decide if they want their protected health information shared for marketing purposes, although the definition of what is marketing allows for situations that do not require patient authorization. The 2009 stimulus legislation placed further restrictions on what is considered “marketing” when covered entities contact patients or beneficiaries. For example, contact about services or treatments that encourage the patient/beneficiary to buy or use a product may be considered marketing if the entity has received payment for making the communication and the treatment described is not one the patient is currently taking.
- Assure that you are utilizing the “minimum necessary” rules within HIPAA when sharing personal health information with the value-based benefit design program and with associated vendors. Be sure to comply with ADA privacy requirements as well.
Included in the 2009 stimulus bill is a requirement for the Secretary of Health and Human Services to issue new regulations on the “minimum necessary” standard, which has been criticized for being too vague.
- Have a data breach reporting process in place and make sure it complies with state privacy laws, HIPAA and GINA.
The data breach provision included in the stimulus legislation requires notification of those whose information was compromised. For large data breaches, there are also requirements to notify the media in the affected market as well as the Secretary of Health and Human Services. The notification requirements include several additional provisions, including direction on the timing of the notification following a breach.
- Make sure that there is compliance with any tax obligations related to the health care incentives put in place.
Some incentives may be taxable to the patient or the employer. It will be necessary to ensure that any tax obligations are fully understood as the value-based plan is designed and implemented. It will also be important to communicate clearly to the patient or employer how any such taxes will affect them.
- There are other legal issues to take into consideration when putting a value-based benefit design together. It is important to make sure that the design you are looking to implement complies with all up-to-date federal regulations and any state laws you may be subject to.
- Make sure your wellness programs include reasonable accommodation and reasonable access in compliance with ADA requirements.
- If the value-based design being developed includes incentives, make sure the incentive structure complies with HIPAA and ADA wellness program nondiscrimination regulations.
Guidance is available to help employers determine plan features that could be considered discriminatory. If the benefits require individuals to meet a standard relating to a health factor, the nondiscrimination rules: 1) limit the maximum amount of the incentive, 2) require that the plan be designed to promote health or prevent disease, 3) require that individuals be given the opportunity to qualify for the incentive at least once per year, 4) require that the incentive be made available to all similarly situated individuals, and 5) require that a reasonable alternative standard be made available and communicated to plan participants. As long as the incentive structure in a wellness program meets these conditions, it is possible to use health factors as part of the plan’s value-based design.
 Plank KC. HHS Releases Proposed HIPAA Rule Extending Mandate to Business Associates. Bureau of National Affairs’ Health Care Policy Report. July 12,2010:18(28):1032.
 Lazzarotti J. An Introduction to Wellness Programs: The Legal Implications of Bona Fide Wellness Programs. Bender’s Labor and Employment Bulletin. June 2006;274.