While Congress and the Administration are deciding what to do about the Affordable Care Act, it’s a good time to brush up on the benefits compliance topics employers should be attending to for 2017. Outside of the ACA, four major topics come to mind: HIPAA, mental health parity, the EEOC wellness regulations and state leave laws. We’ll address the first three here and cover state leave laws in a separate post.
The Office of Civil Rights’ Phase II HIPAA audits are ongoing, and investigators are finding that many “covered entities” still haven’t gotten their arms around some basic issues -- like terminating access to sensitive data when someone leaves the organization. OCR recently reached a $5.5 million resolution agreement with a health system in Florida for this reason. And termination of access is only one point of HIPAA compliance.
OCR has issued several pieces of guidance on cloud computing and on how to protect e-PHI from ransomware and man-in-the-middle attacks. These address the increasing complexity of protecting data in an era of accelerated—and sophisticated—malicious hacking attempts, and signal awareness at OCR of the need to stay on top of evolving security issues.
Mental Health Parity
An ongoing enforcement priority of the Department of Labor is compliance with the mental health parity rules. Based on recent FAQs, the DOL is finding various violations of the non-quantitative treatment limits (NQTL) rules in its investigations.
To assist plan sponsors and insurers in determining whether coverage complies, the DOL and HHS issued a list of example NQTLs that may be hidden in a given plan. According to this list, an NQTL may be anything from periodic reauthorization requirements for a prescription drug to the lack of an adequate number of mental health providers in a plan’s network.
The rules can be tricky: limits that appear consistent between mental health and medical/surgical benefits may not be. Both financial testing and reviewing the processes used to arrive at a particular limit are critical in assessing compliance risk.
The final EEOC wellness regulations continue to befuddle employers sponsoring wellness programs with incentive components. Points-based programs are especially difficult, given that program entry may -- or may not -- be contingent upon completing a health assessment. Any program that offers more than one way to obtain points toward certain rewards should be analyzed to determine whether and how the Americans with Disabilities Act (ADA) or HIPAA applies.
Wellness programs that are open to spouses must also consider the Genetic Information Nondiscrimination Act (GINA) to ensure that the reward for spousal participation is within prescribed limits and complies with new rules requiring notices prior to participation in any activity in which the employee or spouse may be disclosing health information to the employer. These activities could be a biometric screening, health assessment or an annual physical exam.
All the provisions discussed above seem likely to remain an enforcement priority for the respective agencies. You can reduce your risk of penalties with diligence in reviewing your programs now and taking action to address any issues you uncover.