Note: The below is a full transcription of the 12/20/22 episode of Brews with Bruce. Here’s s a tip: ctrl- or command-F to find more details about the expanded HIPAA guidance, impact of the midterm elections, mental health guidance and regulations, or updates on telehealth.
Hi everyone, and thanks for joining our last episode of Bruce with Bruce for 2022. We are joined once again by Ben Conley, partner at Seyfarth Shaw and frequent collaborator.
Thrilled to be invited for the holiday edition, Bruce.
Right. Well, we can’t wrap up the year without having you on, right? It just wouldn’t be right.
There you go.
So, we’ve got several different topics to cover, but we’ll touching on some of the things we talked about in the recent Businessolver compliance webinar that we did a couple weeks ago.
We’ll start with HIPAA. There’s been some new activity from a HIPAA guidance perspective, and it’s always important to keep in mind the established needs and rules.
Ben, I’ll ask you to start us off with what’s going on with HIPAA and why is it important?
Yeah, great question. We all were scratching our heads saying, what’s new here? Because we know that HIPAA privacy has been around for more almost three decades now.
And before we get into the new stuff I’ll recap what HIPAA is: HIPAA privacy and security is a law that Congress passed in 1996 that effectively attempted to put privacy protections around individual protected health information (PHI) relating to healthcare benefits—medical, dental, vision, health FSA, HRAs and the like. And the idea is that they wrote one big law that applies to everybody who’s in this space.
HIPAA requires that organizations create policies and procedures that put parameters around their protected health information, establish processes for protecting that information, train their employees about that, and then contract with their vendors who they may be sharing the information with, to make sure their vendors are adhering to those protections as well.
Now what we know is that, for the most part, employer-sponsored plans are doing very little internal administration of the plan. Employers have very little protected health information internally.
Most of that resides with your vendors, but from the eyes of the law, you are considered the keeper of that information if the benefit is self-funded, as would be the case with health FSA, HRA, etcetera.
And as a result, you have the obligation to set up the processes and to ensure that your vendors are compliant as well.
So that’s a background, and that has been around for a long time.
But there has been a renewed focus on HIPAA privacy and security in the wake of some high-profile data security breaches, and then some developments that we’ll talk about a little later relating to some of the supreme court activity this year.
Well, and I know there’s been some recent guidance that has come out specific to HIPAA. Not necessarily new rules, just clarifying interpretations.
HHS released a bulletin clarifying how HIPAA regulations work alongside online tracking tools that essentially said, “Here are the ways that HIPAA can apply in the context of online tracking technologies.”
Now, to be clear, from our perspective, there wasn’t anything new here. This wasn’t an amendment to HIPPA, this wasn’t a new regulatory scheme, it’s really just more of a fresh look at how HIPAA applies in the advent of ever-changing technology.
High level, what this new guidance is attempting to do is to remind organizations that PHI can be pretty broad and expansive.
And frankly, all you need for PHI to exist is individually identifiable information that relates to past, present, or future medical treatment or mental health treatment that is created or received by a health plan.
And with that framework in mind, HHS reiterated that if your employees are going online, either through your website or through a vendor website, and interfacing with the website in a way that generates cookies or other tracking indicia, that information is likely protected health information governed by HIPPA.
Bruce, I don’t know if you want to elaborate, you’re more of a tech guy than I am.
But I think it’s a good reminder to a lot of employers: It’s not a new rule, it’s maybe just a new interpretation, but I think it’s a good reminder for employers for health plans, etcetera.
For example, when this guidance came out, we reviewed to make sure that we are not collecting protected health information via the cookies within our programs, and we’re not.
But it’s a good reminder that when we talk about protected health information about PHI, that these restrictions and these privacy requirements are not restricted by the technology that’s collecting them, it’s more about the data that’s collected.
So I think it’s an important point: if you’re a covered entity or if you’re a plan sponsor, and you’re looking at this, it’s not a bad thing to remind yourself and your vendors that you need to be aware and confident that your cookies are not tracking information, and therefore, potentially sharing information in a way that’s not permitted or appropriately disclosed in your privacy policies.
Yeah. And one important point on that, which is, what are cookies for? Broadly speaking, they allow aggregation of data about your online viewing profile, and then that data can be sold to other entities that want to advertise to you, sell you things, etcetera.
Needless to say, HIPAA also has restrictions on using PHI for marketing purposes. So that was probably one of the two reasons why HHS felt that it was appropriate to release this data right now, is the proliferation of ad-based, tracking based, on online profile. And then the other reason we’ll talk about in a couple minutes when we talk about Supreme Court activity.
Yeah. The opportunities for marketing data is a concern across the board, where it relates to protected health information.
One of the things that I do in my role at Businessolver is, we are very careful to make sure we’re not buying or selling data, we’re not marketing based on protected health information that we are housing on behalf of our clients.
There’s a lot of complexities to this, but we also have to look at, and I think employers and plans need to always keep in mind, all of your communications, there’s a so many different rules that layer in. Whether it’s emails and the ability to opt out of marketing communications, and transactional versus relationship communications.
I think cookies have, in the last couple months, have risen to the forefront of a lot of people’s attention.
Again, as employers are preparing for or having been preparing for the CPRA components to make sure that their websites have those things in place. But yeah, a good call out.
Again, came out a few days ago, updated guidance, not necessarily new requirements, just making sure that everybody is keeping this in mind. So employers, planned sponsors, something to make sure that you understand how your data or your participant’s protected health data is being collected.
There you go. Good point.
I mentioned the CPRA state privacy, data privacy developments. There’s a lot going on at the state level, at the EU with the GDPR and internationally, we could probably talk for, at least an hour on this topic.
I just want to mention briefly, we’re watching this stuff. I know there’s a lot we could talk about, even probably spend an hour just on what’s going on with California.
But I know that we’re going to spend some more time on this as we move into next year, and that we’ll be doing some deeper dives on some of the state components.
A lot of the state data to privacy requirements that are out there have exceptions specific to protected health information. And actually, let me even just pause for a minute to say, I think everybody needs to be very, very familiar with the definition of protected health information.
Not every piece of data that’s housed or that may exist is protected health information. There’s protected health information, personally identifiable information, and de-identified information.
And I would encourage everybody to make sure you are well-versed in the terminology so that you are confident when you’re looking at your data or a piece of data that you understand which category it may fall in. Because when you start looking at the various state rules, that becomes the material, because there are different exceptions, or different rules depending on the data types.
And just to piggyback off of that, Bruce, I do always like to reiterate that for employer plan sponsors, ERISA does preempt state law in many circumstances, but HIPAA does not have a parallel preemption provision.
In other words, HIPAA says, you have to comply with HIPAA, but you also have to comply with state privacy laws that are more expansive than HIPAA.
So this is not a circumstance where you can just say, “Well, if it deals with my health plan, all I have to comply with is HIPAA.” That is not the case. You have to focus on these other laws as well, unless they have an express carve out for HIPAA.
So staying in the same vein, when we talk about developments that are going on around the country, we just had some midterms wrap up, mostly wrapped up, at this point. And I want to get your thoughts about this, Ben.
I realize we’ve got a few topics for us to talk about here on our last episode of the year. Any one of these we could spend a lot of time on, but high level reactions, and expectations or maybe expectations and predictions?
Yeah, I think there two key takeaways from a benefits perspective, which is the lane we are desperately attempting to stay in here.
The message that I think many people have interpreted having been sent via midterm voting with regard to reproductive rights and reproductive health. I
think a very common take, and one that is hard to totally disregard, is that voters overwhelmingly expressed a backlash against states taking extensive action to restrict reproductive health in the wake of the Dobbs decision.
That obviously has implications for employers because we know that in the wake of the Dobbs decision, a number of employers took action to try to create parity in their benefits by adding a travel component to allow employees in impacted states where these restrictions exist to travel to another state to receive access to reproductive health services.
And that’s not to say that states are going to roll back restrictions that have been put in place, because we don’t think that’s necessarily in cards.
One big thing that many employers have been focusing on in this space is, will a state, and which state will, take the action to attempt to regulate employers who are offering a benefit, providing for interstate travel?
Which would take this to the furthest iteration and put much greater risk on employers who have implemented this type of benefit. And I think the takeaway and potential hope is that, acknowledging all the constitutional issues with a state taking that action, perhaps the message from the election was enough to dissuade state regulators from doing so.
Stay tuned on that one, I think we’ll know a lot more in the coming couple weeks because many state legislative sessions don’t start until January first.
So we will see fast and furious action in those legislative sessions, and it’s hard to tell whether that will involve reproductive health.
And so how successful it’ll be, right?
Because you did see some states that have historically been very keen on passing restrictions on reproductive health have a dog-catching-the-car type moment.
You look at South Carolina, where they finally had no federal restriction on implementing regulations in this regard, but understood the political pressures felt by their constituents and decided not to go as far as many had expected they would.
So before we move on to the second set of takeaways from the elections, Bruce, I know that this was an issue that you guys were dealing with a lot in the wake of the Dobbs decision and curious to hear both the trajectory on your end and other thoughts.
Well, agreed. The news was full of employers that were issuing press releases to call out the fact that they were putting travel programs in place or medical travel reimbursement programs, etcetera. A lot of interest. We continued through the midterm process and since hearing from employers that are looking for or have implemented medical travel reimbursement programs, and I think you’re right.
I think that it’s hard to not see some of the midterm results as being tied, because that was a very vocal aspect of the campaigning. But I haven’t seen employers that have backed off of their positions or shifted their positions, I think employers are, at least from my exposure, continuing forward with their plans.
Totally agree. I had a lull after July where employers were asking about this less, and then post-election had picked up again. So I think that a lot of employers were waiting on the sidelines to let the first wave of employers implement these types of benefits.
And now, many more are looking at doing this perhaps in conjunction with renewal, a one, one renewal.
So, I think second key set of takeaways are we now know that we will have divided government, with Republicans taking a narrow majority in the house. So, what does that mean from a benefits perspective?
I think the general take, which is certainly true, is that in a divided Congress, you’re much less likely to see any legislation pass because you need bipartisan consensus to do so. And that certainly will be the case going forward for the next two years.
Although, again, reiterate that the margins in the house are so slim, that there could be a better opportunity for bipartisan legislation because you only need the agreement of a handful of Congress people to get a majority, although there is some modicum of control exercised by the party in power in terms of what legislation even is advanced.
But I think we are expecting some potential action from Congress based on a series of bipartisan things.
The first I think I would flag relates to mental health, as everybody on the call knows, this has been an area that has experienced renewed focus in the wake of the Consolidated Appropriations Act of 2020.
It’s all blurring together in my head, but I think that that was what passed December of 2020, which put a renewed emphasis on non-quantitative treatment limitations within health plans.
So prior authorizations, or fail-first requirements, required plans to develop a written comparative analysis, analyzing whether their non-quantitative treatment limits were in parity.
In the wake of that, one of the things the Department of Labor said was, “Hey, we can root out audit, identify flaws in this space, but we don’t really have an enforcement mechanism by which we can go after employers in this regard. All we can do is make them fix this, and we think that employers would take this more seriously if there were a bigger stick.” which we in the employer community side don’t love for a variety of reasons.
By and large employers want to comply. It’s not that employers are saying, “How can I find an angle?” This is one in particular though, where it is very difficult to comply, for reasons we could talk about for several hours.
So adding a penalty does not necessarily move the needle on adding an incentive. What we think Congress needs to do is create an easier way to comply. A template comparative analysis or the like that would facilitate review and reporting in a more streamlined manner.
The second piece, Bruce, I don’t know if you want to take this one, relates to some potential movement in the telehealth space and in the wake of, I would say, broad-based adoption and success of telehealth during the pandemic.
Well, it is interesting, right? Because as we have seen, telehealth has become a mainstay, right? It’s been a much more heavily adopted support mechanism for health plans over the course of the pandemic.
And actually, just jumping back to where you referenced the Consolidated Appropriations Act, I now tell time by pre pandemic and post pandemic. Those are only my two categories.
So yeah, consolidated appropriations, oh, that’s post pandemic. Or during the pandemic. But telehealth is something that, since March of 2020, we’ve seen a lot of telehealth adoption. We’ve seen expansion of utilization of telehealth within plans. And of course, there was a lot of relief provided or temporary relief available to programs that are rolling these benefits out.
Sidebar comment: Do not forget that, if you have a telehealth program, it is also a COBRA-eligible benefit.
Something that is one of those things that employers or plans might overlook. But with this, there’s been a lot of interest in making the access to telehealth more permanent. And I think that’s where we’re seeing the shift.
And I think there’s a lot of broad interest in that, because I think employers, providers, there’s a lot of opportunities to do so. And I think, as the pandemic has shown, there are reasons why being able to provide this care remotely is both cost effective, time efficient, and in many cases, more secure from an infection perspective.
That’s right. I think that a lot of the resistance to telehealth originally derived from provider groups in various states banding together and saying, “This is going to undercut our practice.”
But one of the interesting things you saw, and I’m sure most people saw this during the pandemic, certainly if you had kids, was that, even your primary care provider started taking visits virtually.
So it used to be this nuanced thing where you could go to Teledoc or MD Live or whatever, and see doctors that you didn’t have any relationship with. And if you wanted to see your primary care physician, in-office was the only option. But that’s not the case anymore. So I think that resistance has fallen away.
And so the two key points that we’re seeing policy groups push for actions on are:
Number one, there was relief provided during the pandemic and then further extended that would allow individuals to receive first dollar care from telehealth without regard to the fact that they’re enrolled in a high deductible health plan without impacting HSA eligibility.
That relief expires in 15 short days. So we’re all, I think, hoping for an extension, otherwise employers are going to have to tell employees who have become fond of this benefit that “No, now you have to pay your 15, 20, $40 copay.”
Secondly, was that during the pandemic, there was an allowance to employers to offer telehealth on a standalone basis without regard to whether that individual was enrolled in your health plan. So due to ACA restrictions, generally, if you offer any health coverage, you have to offer a lot of health coverage.
There was an exception granted for telehealth that allowed that to be offered on a standalone basis, which would lapse at the end of the public health emergency. Which, Bruce, on that point, you and I have done, I think six sessions on preparing for the end of the public health emergency.
Prepare for session number seven here at some point. But those would be, I think, two very great employer friendly changes, participant friendly change. Really good for everybody, I think. So hopeful for some bipartisan action in that regard.
And I for one, I have utilized telehealth, totally appreciate the efficiency, the convenience factor. And at the height of the pandemic, when nerves were high and treatment options were limited, it was appreciated not to have to go and sit in an office waiting room and be around people where you don’t know what their health conditions are. Right?
So it really put a light on telehealth in a very favorable way, and think that people recognized that. I think there are still some conversations to be had, and I think there’s still some, maybe efficiencies, as I mentioned.
Every conversation where telehealth comes up, I point out that it could a COBRA eligible benefit because there are some. I occasionally find people that weren’t thinking of it in that way. And if it’s bundled in with your medical, then it doesn’t have to be a carved out or wouldn’t be a carved out COBRA item.
Yeah, from the perspective of the federal government, there is no distinction between a fully comprehensive major medical coverage and a tiny little telehealth benefit.
They’re viewed the same in the eyes of the law, so anything would apply in one context generally would apply in the telehealth context, but for these pandemic related exemptions.
And I know we’re covering a lot of ground in a lot of different areas. One additional item that I want to bring up that was mentioned in passing, I think, in our more recent compliance webinar, and that was around the budgets, federal budgets and their impact on the health plans.
That’s right. Yeah. And think this is a dance that people have become annually accustomed to, which is the budget dispute, budget fight. And I think Congress just recently did, or is on the verge of, kicking the can down the road for a couple more days.
But one thing you can always count on is that, when Congress passes these year-end omnibus budget acts, they always contain tidbits of benefits related impacts. So those can be things as simple as increasing limit tax, tax preferred limits within benefit plans, but they can certainly be more robust than that.
In fact, sometimes big pieces of legislation that are on benefits wish list will get paired to a budget act because it’s a must pass bill, and that’s the only way to force it through. So that is a short term thing we are absolutely keeping an eye on to see whether and to what extent this impacts the benefits community.
Great. So more to come. And I know we will be revisiting some of these topics in more detail next year in Bruce with Bruce in conversations. I always say, Brews with Bruce and Ben.
And tackling some of these topics in more detail, I know we are just about out of time, but I do want to, as always in these conversations. So, what are your key takeaways, your bullet items that you would want to make sure that people are taking away from this conversation and keeping on their watch list or to-do list?
Yeah, just circling back to our earlier topic, which is HIPPA privacy and security, and I made this point in our broader conversation earlier this month, Bruce, but that is a topic that is so easy to kick to the back burner, right? Because it doesn’t become a problem unless it becomes a problem, unless you have a data security breach, etcetera.
But I just reiterate the point, which is that the Department of Labor, which is another regulatory agency that oversees benefits plans, has recently layered onto the privacy debate and has said, not only because HIPAA applies and you have to comply with privacy restrictions, but from a fiduciary obligation standpoint with respect to ERISA, “We think that you have an obligation to ensure the privacy and sanctity of your participant health information.” So that is now two federal agencies that are shining a light in this space and imposing scrutiny.
And another important point, with HHS, I think it was always easy to say, “Well, they’re really going to go out to the hospital systems. They’re really going to go after the insurance carriers.”
I have a small employer plan with 2000 employees, 500 employees, whatever the case might be, that I’m not going to be their focus. But when you talk about Department of Labor, that’s their only focus, right? It is employer plans.
So my takeaway is, once again, I know it has been easy to kick the can down the road.
I know there are competing priorities, but 15% HIPAA compliance is better than 0% HIPAA compliance, and 40% is better than 15. So whatever you can start to do to chip away at those required steps involved in HIPAA privacy and security compliance, I think now is the time.
Awesome. Great. No, absolutely agree. HIPAA is critical. You talk about annual compliance training, and I know a lot of employers, a lot of vendors doing work for group health plans all have their annual training.
And to your point, when you look at the complexity of this, when you look at the importance of this and the continual evolution of the requirements around it, the conversations can’t be limited to one week a year or two weeks a year when you’re doing your training.
It is a daily and weekly conversation here at Business Solver around data privacy, security. There’s a lot of, not just requirements, the requirements are there because there’s a need.
And so I think it’s really important to look at this and say, “There is what you’re required to do, but it’s also what you should do.”
Right? This is important and sensitive data, the plans that the vendors hold on behalf of the participants, and there’s an obligation to protect it.
So I agree, I think that all the items we talked about carry weight and carry action into 2023. Privacy and security, HIPAA, protected health information specifically, always an area of concern that we want to make sure is getting appropriate attention.
For sure, for sure.
So with that, I encourage everybody to join us next year as we dive into some of these topics in more detail. Ben, thank you as always for joining us in the conversation.
Thanks for having me.
All right. And I hope everyone has a wonderful and happy holidays, and we look forward to talking soon.