Health & Welfare Notes
Vol. 22, Issue 2 Spring 2017
Reminder: PCORI Fee Due by July 31, 2017. The Affordable Care Act (ACA) imposes a fee on health insurance issuers and self‑insured plan sponsors in order to help fund the Patient‑Centered Outcomes Research Institute (PCORI). The fee is required to be reported and paid once a year, no later than July 31 of the calendar year immediately following the last day of the plan year.
The PCORI fee that is due by July 31, 2017 is $2.26 per covered life for plan years ending October – December 2016 and $2.17 per covered life for plan years ending January – September 2016.
“Covered lives” include all covered participants and dependents, including retirees and those on COBRA. The IRS allows several different methods for determining the average number of covered lives. For more information about these methods, fee amounts, and the health plans that are required to pay the PCORI fee, see https://www.irs.gov/uac/newsroom/patient‑centered‑outcomes‑research‑institute‑fee.
Form 720 (Rev. April 2017), along with related payment voucher Form 720‑V, should be used to report and remit the PCORI fee to the IRS (see Part II, lines marked “IRS No. 133” on the second page of the Form 720). Although the Form 720 is designed for quarterly payments of certain excise taxes, the PCORI fee is paid only annually. The instructions also note that deposits are not required for PCORI fees (that is, the fees are paid when the Form 720 is filed), so plan sponsors are not required to use the IRS’s Electronic Federal Tax Payment System (EFTPS) to pay these fees. Self-insured multiemployer plans may pay the PCORI fee from plan assets.
Checklist Released Identifying Steps to Take Under HIPAA Immediately After Cyber Attack. Health and Human Services, Office for Civil Rights (OCR) has issued a Quick‑Response Checklist in response to the recent WannaCry ransomware attacks. This Checklist is a guide explaining the steps a HIPAA covered entity or its business associate (the entity) must do to properly respond to a ransomware attack or cyber‑related security incident. The Checklist provides a timely reminder of the need for robust breach preparation, response, and recovery plans. The Checklist provides that affected entities—
- Must execute its response and mitigation procedures and contingency plans. For example, affected entities should take immediate actions to fix any technical or other problems to stop the incident and mitigate any impermissible disclosures of protected health information (PHI). Noting HIPAA’s broad definition of security incidents that trigger an obligation to act, the Checklist refers to OCR’s ransomware guidance for some specific recommendations.
- Should report the crime to other law enforcement agencies. Entities may report to local or state law enforcement agencies, the FBI, and/or the Secret Service. Their reports generally should not include PHI (unless otherwise permitted by the HIPAA Privacy Rule).
- Should report all cyber threat indicators to federal and information‑sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Federal law defines cyber threat indicators as information that is necessary to describe or identify security vulnerabilities and other attributes of cybersecurity threats. Disclosure of cyber‑threat indicators is intended to alert other entities and the federal government to possible
or actual threats and vulnerabilities to information systems, and associated harms. Any such reports, which generally are not forwarded to OCR, should not contain PHI. - Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals. The Checklist notes that OCR presumes all cyber‑related security incidents in which PHI was accessed, acquired, used, or disclosed are reportable breaches unless the PHI was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there is a low probability that the PHI was compromised during the breach. The breach notification rule establishes the content and timing requirements for notices to affected individuals, OCR, and, if a breach affects more than 500 individuals in a state, the news media. If the breach affects less than 500 individuals, the entity must report to OCR no later than 60 days after the end of the calendar year. If it is determined that there was no breach of electronic PHI, the entity must document and retain all information considered during the risk analysis of the cyber‑attack to include how it was determined that the incident was not considered a breach.
The Checklist is available at https://www.hhs.gov/sites/default/files/cyber‑attack‑checklist‑06‑2017.pdf .
[Thomson Reuters EBIA Weekly Newsletter, June 15, 2017; Total HIPAA Compliance, Blog, June 13, 2017]
CMS Issues 2018 Medicare Part D Benefit Parameters for Creditable Coverage Disclosures
Under Medicare Part D regulations, most group health plan sponsors offering prescription drug coverage to Part D eligible individuals (including active or disabled employees, retirees, COBRA participants, and beneficiaries) must disclose to those individuals and to the Centers for Medicare & Medicaid Services (CMS) whether the plan’s prescription drug coverage is creditable or non‑creditable. For coverage to be creditable, its actuarial value must equal or exceed the actuarial value of defined standard Medicare Part D coverage under CMS guidelines. Basically, the actuarial equivalence determination measures whether the employer’s coverage is, on average, at least as good as standard Medicare prescription drug coverage; if it is, the employer’s coverage is creditable.
On April 3, 2017, CMS released the following 2018 parameters for the defined standard Medicare Part D prescription drug benefit:
- Deductible: $405 (a $5 increase from 2017);
- Initial coverage limit: $3,750 (a $50 increase from 2017);
- Out‑of‑pocket threshold: $5,000 (a $50 increase from 2017);
- Total covered Part D spending at the out‑of‑pocket expense threshold for beneficiaries who are not eligible for the coverage gap discount program: $7,508.75 (an $83.75 increase from 2017);
- Estimated total covered Part D spending at the out‑of‑pocket expense threshold for beneficiaries who are eligible for the coverage gap discount program: $8,417.60 (a $346.44 increase from 2017); and
- Minimum cost‑sharing under the catastrophic coverage portion of the benefit: $3.35 for generic/preferred multi‑source drugs (a $.05 increase from 2017), and $8.35 for all other drugs (a $.10 increase from 2017).
These parameters will be used to determine whether a plan’s prescription drug coverage is creditable for 2018. The Notice of Creditable Coverage must be provided: (1) at least once a year before October 15; (2) whenever a Medicare-eligible employee enrolls in the health plan; (3) whenever there is a change in the creditable or non-creditable status of the health plan’s prescription drug coverage; and (4) whenever an individual requests a notice.
[Thomson Reuters EBIA Weekly Newsletter, April 6, 2017]
Disclaimer – This newsletter’s purpose is to inform our clients and colleagues of recent legislative health care-related developments. It is not intended, nor should it be used, as a substitute for specific legal advice.
Health and Welfare Notes is prepared four to six times annually and will accompany Retirement News. If there are questions concerning the information discussed, call richard Gabriel associates and ask for Gabe Zinni, Cindy Swartz, Nancy Cunningham or Karen Irwin.
richard Gabriel associates
Actuarial and Employee Benefits Consultants
601 Dresher Road, Suite 201
Horsham, PA 19044-2203
Phone (215) 773-0900 — Fax (215) 773-9907 — Email: rga@rgabriel.com