View From Groom: DOL and HHS Enforcement Activities Targeting Health Plans and Insurers

Now that the Patient Protection and Affordable Care Act’s (the “ACA”) “insurance market reforms” and the changes required by the Mental Health Parity and Addiction Equity Act (“MHPAEA”) have gone fully into effect, many health plan sponsors and insurers are now focusing on compliance and how these laws will be enforced – and more specifically, the audit and investigation risks they face from regulators. Frequently, the issue is phrased as follows: who can investigate, and what is the investigator looking for? Unfortunately, the answer to both of these seemingly straight-forward questions is complex, given that the ACA and MHPAEA’s enforcement scheme splits regulatory authority between state governments and the federal government—and even federal enforcement is split among three different agencies, depending on the type of health plan at issue. This tangled enforcement scheme runs the risk of overlapping enforcement actions that could impose significant and unnecessary compliance costs on plan sponsors and insurers.

This article provides a high-level overview of how ACA and MHPAEA enforcement authority is allocated between the states and the federal government, and how (and when) three federal agencies – the Department of Health and Human Services (“HHS”), the Department of Labor (“DOL”) and the Internal Revenue Service (the “IRS”) – may enforce the ACA and MHPAEA. We then discuss current enforcement activities by HHS and DOL against insurers and plan sponsors. And finally, the article offers suggestions on how insurers and plan sponsors can best prepare for ACA and MHPAEA audits.

I. The ACA’s Insurance Market Reforms

The ACA requires that insurers and sponsors of group health plans modify their coverage to comply with various mandates set forth in Subtitle A (relating to individual and group market reforms) and Subtitle C of Title I of the ACA (relating to health insurance market reforms) (collectively, the “insurance market reforms”). Specifically, the ACA amended title 27 of the Public Health Service Act (“PHSA”) directly, and then the insurance market reforms were incorporated by reference into section 715 of the Employee Retirement Income Security Act (“ERISA”) and section 9815 of the Internal Revenue Code (the “Code”).

Some of the ACA insurance market reforms apply with equal force to health insurance companies as well as group health plans—such as the requirements to extend coverage to adult children until the age of 26, ¹PHSA section 2714. and the elimination of annual and lifetime dollar limits and pre-existing condition exclusions. ²PHSA sections 2711 and 2704. Some ACA market reforms, however, apply solely to health insurance companies, including medical loss ratio rules (which require insurers to spend a specified amount on the reimbursement of health care claims or quality improvement activities), ³PHSA section 2718. the offering of the essential health benefits package (a statutorily specified package of health benefits that insurers in the individual and small group markets must cover), ⁴PHSA section 2707. guaranteeing the issuance or renewal of health insurance coverage (without regard to medical underwriting or preexisting conditions), ⁵PHSA sections 2702 and 2703. and community rating rules (which limit the factors that insurers may consider when setting premium rates). ⁶PHSA section 2701(a). And even the application of these rules may differ, depending on whether the group health plan or insurance coverage is considered a “grandfathered” plan that is exempt from some – but not all – of the ACA’s insurance market reforms. ⁷A grandfathered plan is a group health plan or insurance coverage that was in effect on the date of the ACA’s enactment (March 23, 2010) with benefits and cost-sharing that have remained essentially unchanged since that date. HHS, DOL, and the IRS have published regulations detailing specific changes to either benefits or cost-sharing that will trigger loss of grandfather status. See
75 Fed. Reg. 34538 (June 17, 2010). The specific changes that will trigger loss of grandfather status are codified at 26 CFR §54.9815-1251T(g), 29 CFR §2590.715-1251(g), and 45 CFR §147.140(g). Once grandfather status is lost, the plan or coverage at issue must comply with all applicable ACA market reforms. A list of the insurance market reforms and their statutory effective dates is summarized in a chart on the next page.

II. MHPAEA Changes Regarding Mental Health and Substance Use Benefits

MHPAEA amended the PHSA, ERISA and the Code to prohibit group health plans that provide mental health/substance use benefits from applying ‘‘financial requirements’’ or ‘‘treatment limits’’ to those benefits that are more restrictive than the ‘‘predominant’’ financial requirements or treatment limits that apply to ‘‘substantially all’’ medical/surgical benefits. MHPAEA defines ‘‘financial requirements’’ to include deductibles, copayments, coinsurance and out-of-pocket expenses; ‘‘treatment limitations’’ to include limits on the frequency of visits, number of visits, days of coverage, or other similar limits on the scope or duration of treatment; and the term ‘‘predominant’’ to mean the most common or frequent of such type of limit or requirement. ⁸ERISA section 715(a)(3)(A).

In 2010, HHS, DOL and the IRS jointly published an interim final regulation (the “IFR”) implementing MHPAEA. ⁹75 Fed. Reg. 5410 (February 2, 2010) (codified at 26 CFR Part 54, 29 CFR Part 2590, 45 CFR Part 146). The IFR is applicable to group health plans and group health insurance issuers for plan years beginning on or after July 1, 2010. ¹⁰Id. at 5410. The IFR is in effect until the final MHPAEA regulations discussed below (the “Final Rule”) become applicable — which is the plan year beginning on or after July 1, 2014 (i.e., January 1, 2015 for calendar year plans).

The IFR provides that the MHPAEA’s parity requirement applies to both quantitative and non-quantitative treatment limitations (“NQTL”). An NQTL is a limitation that restricts coverage under the plan which is not expressed numerically. This requirement extends to medical management standards limiting benefits based on, for example, medical necessity or an exclusion for experimental/investigational treatments; prescription drug formulary designs; and standards for determining provider admission in a network, including reimbursement rates. ¹¹29 CFR §2590.712(c)(4) The IFR requires that any processes, strategies, evidentiary standards or other factors used in applying ‘‘non-quantitative treatment limits’’ to mental health/substance use benefits be comparable to – and applied no more stringently than – those applicable to medical/surgical benefits in the same ‘‘classification.’’ The classifications for which parity is required as to both financial requirements and treatment limitations are as follows:

• inpatient, in-network;

• inpatient, out-of-network;

• outpatient, in-network;

• outpatient, out-of-network;

• emergency care; and

• prescription drugs. ¹²75 Fed. Reg. at 5433; 29 CFR §2590.712(c)(2)(ii).

The NQTL requirement is a key issue for virtually all plans and employers. Probably its most important impact has been the high level of scrutiny now applied to prior authorization requirements for outpatient mental health/substance use services, particularly if no (or very few) similar requirements are applied to medical/surgical outpatient services.

The Final Rule, which takes effect for plan years beginning on or after July 1, 2014, builds on the foundation established by the IFR with some changes that codify guidance issued through frequently asked questions released after the IFR and expand the reach of the MHPAEA’s application, including:

• Addition of new sub-classifications for the six categories of benefits;

• Inclusion of new NQTLs that plans and issuers must consider in their parity analysis;

• Inclusion of new disclosure requirements for documents evidencing the parity analysis;

• Clarification that plans and issuers do not have to test plan designs that have not changed for parity each year;

• Clarification that a plan that provides coverage for a mental health/substance use condition solely to comply with the ACA’s preventive services mandate does not have to provide the full range of benefits for the mental health/substance use disorder under MHPAEA;

• Clarification that employee assistance plans (“EAPs”) that do not provide significant medical benefits may be treated as ‘‘excepted benefits’’ and will not be subject to the MHPAEA or the Final Rule; and

• Clarification of the intersection of the MHPAEA parity requirements and state law mandates.

III. The ACA and MHPAEA’s Complex Enforcement Scheme

The discussion above provides just a high-level summary of the ACA insurance market reforms and the MHPAEA rules, but even this summary makes clear that compliance with the myriad of complex new rules will be challenging for even the most sophisticated plan sponsors and insurers.

Adding to the complexity is the rather Byzantine means by which the ACA market reforms and MHPAEA are enforced by public agencies.

Specifically, the enforcement mechanism for both the ACA and MHPEAEA is based on the enforcement provisions of the Health Insurance Portability and Accountability Act (“HIPAA”). ¹³See Preamble to the HHS Final Premium Rate Review Regulation, 78 Fed. Reg. 13406, 13419 (February 27, 2013) (“[T]he HIPAA enforcement standard, as originally codified in [PHSA] section 2722 and redesignated as section 2723 by the Affordable Care Act, applies to the market reform provisions of the [PHSA] created by the Affordable Care Act.”). HIPAA created a detailed framework that allocates enforcement authority to states and HHS with respect to health insurance issuers, and then further allocates enforcement authority among HHS, DOL, and the IRS with respect to varying types of group health plans. ¹⁴The agencies have entered into a formal memorandum of understanding (“MOU”) that details the agencies’ agreement to coordinate their respective HIPAA regulatory, interpretive, and enforcement strategies. See 64 FR 70164 (December 15, 1999). Pursuant to this MOU, the agencies have issued joint regulations interpreting HIPAA and the ACA’s requirements as applied to health insurers and group health plans. The agencies also share enforcement data under the MOU, and specifically agree to notify each other in writing prior to the commencement of any administrative or judicial proceeding relating to enforcement. Specifically, enforcement authority under HIPAA is divided as follows:

A. States Are Primary Enforcers Against Health Insurers, With HHS Having a ‘Fallback’ Role

Under the PHSA, HHS has enforcement authority over health insurance issuers and nonfederal governmental plans. HIPAA contemplates, however, that states will have primary enforcement authority over health insurers, ¹⁵PHSA section 2723(a)(1) (states “may require that health insurance issuers … meet the requirements of this part”). with states having their traditional power to conduct market conduct exams, to levy fines for non-compliance with state insurance laws, and/or to withhold or withdraw approval of products that do not conform to applicable legal requirements. It is only if a state notifies HHS that it does not have authority to enforce, or HHS determines that a state has failed to “substantially enforce a provision”—that HHS is then authorized to enforce all or part of HIPAA, MHPAEA, or the ACA’s market reforms against health insurance issuers operating in that state, ¹⁶PHSA section 2723(a)(2). See also 45 CFR section 150.201, which provides that “each State enforces HIPAA requirements with respect to health insurance issuers that issue, sell, renew, or offer health insurance coverage in the State.” HHS is permitted to enforce a HIPAA provision against a health insurance issuer in a state only if a state notifies HHS it is not enforcing, or HHS determines – after notice to the state and an opportunity for the state to correct any alleged deficiencies – that the state either does not have the authority to enforce such provisions, or fails to substantially enforce such provisions. See 45 CFR sections 150.207-219. via the imposition of civil penalties of up to $100 per day, per individual with respect to whom a failure to comply has occurred, which are subject to administrative and judicial review. ¹⁷PHSA section 2723(b)(2). HHS may only impose these penalties on health insurance issuers and nonfederal government plans; HHS is not authorized to impose penalties on ERISA-covered group health plans. ¹⁸PHSA section 2723(b)(2)(A).

In enacting the ACA, Congress also provided HHS with the authority to establish criteria for the certification of qualified health plans (“QHPs”) that may be offered on state-based Exchanges or the federally-facilitated Exchanges or Marketplaces established by HHS (the “FFM”). ¹⁹ACA section 1311(c). HHS has issued regulations relating to QHP certification standards, and such regulations provide that HHS may, among other things, assess penalties against issuers that fail to satisfy applicable QHP certification standards. ²⁰45 CFR section 156.805(a) (listing specific grounds for imposing civil monetary penalties).

B. DOL Enforces Against ERISA-Covered Plans—But Not Insurers

ERISA, as amended by HIPAA, provides that group health plans and health insurance issuers must comply with HIPAA’s preexisting condition and portability provisions. ²¹ERISA sections 701-702. ERISA provides a combined scheme of public and private enforcement by the DOL and plan participants. Specifically, plan participants and beneficiaries may bring suit to recover benefits due under the terms of a plan. ²²ERISA section 502(a)(1)(B). And participants, beneficiaries, plan fiduciaries, and the DOL may sue to enforce the requirements of ERISA Title I (which includes Part 7, codifying the HIPAA, MHPAEA and ACA rules) or to enforce the terms of the plan. ²³ERISA sections 502(a)(3) and (a)(5). Importantly, however, DOL generally does not have the authority to assess civil monetary penalties against plans (or their fiduciaries) for non-compliance with the HIPAA reforms, or those enacted by MHPAEA or the ACA.

At the time of enacting HIPAA, however, Congress also added new section 502(b) to ERISA. Section 502(b)(3) provides that with an exception not relevant here (relating to the assessment of civil penalties for failing to provide certain disclosures), the DOL is “is not authorized to enforce under this part any requirement of [ERISA] part 7 against a health insurance issuer offering health insurance coverage in connection with a group health plan[.]” ²⁴empty footnote In other words, DOL may not enforce any provisions of ERISA Part 7—which includes MHPAEA and the ACA market reforms—against health insurers.

C. The IRS Enforces Against ERISA-Covered Plans and Church Plans

The HIPAA enforcement framework also provides the IRS with enforcement authority over group health plans, including church plans, and their sponsors. The IRS exercises this enforcement through the imposition of an excise tax of $100 per day, per individual affected by such noncompliance. ²⁵Code section 4980D(b)(1). Group health plans are required to self-report violations of HIPAA’s rules (as well as violations of the ACA’s market reforms) on the IRS Form 8928, and to pay the resulting penalties.

IV. Recent Enforcement Activities by HHS and DOL Targeting Health Plans

Now that MHPAEA’s Final Rule has been issued and the ACA’s insurance market reforms are fully in effect, it is not surprising that regulators are auditing plans and insurers for compliance with the new rules. What is surprising, however, is just how wide-ranging these audits by HHS and DOL are, and how much documentation and verification is required to establish compliance with MHPAEA and the ACA’s insurance market reforms.

A. MHPAEA Audits By HHS and DOL

In the past year, there has been a discernable uptick in MHPAEA audits conducted by HHS and states (targeting health insurers) and DOL (targeting both group health plans and insurers). HHS audits frequently examine the insurer’s compliance with MHPAEA across the insurer’s entire book of insured business, and can thus be enormously time consuming and intensive given all the variations that may exist in product and plan designs. DOL audits are usually more targeted in terms of the number of plans at issue, usually focusing on just one or a relatively small number of plans that an insurer may be administering. In either case, though, the information sought by HHS and DOL is voluminous, focusing on, among other things:

• Comparison of financial benefits for medical/surgical coverage versus mental health/substance use coverage;

• Parity of participant cost-sharing for medical/surgical benefits and mental health/substance use benefits;

• Comparison of treatment limits for medical/surgical and mental health/substance use benefits;

• Comparison of NQTLs for medical/surgical benefits and mental health/substance use benefits, such as the stringency with which prior authorization or utilization review may be applied to mental health/substance use benefits;

• Criteria used to determine and define medical necessity for mental health/substance use benefits, as compared to criteria for medical/surgical benefits;

• Placement of mental health/substance use drugs on a prescription drug formulary and how it compares to drugs to treat medical/surgical conditions;

• Standards for classifying mental health/substance use disorder services and medical/surgical services as outpatient, inpatient, or emergent or urgent care services, as well as any sub-classifications for office visits or multi-tiered networks;

• Coverage of residential treatment facilities for mental health/substance use services, as compared to coverage of skilled nursing facilities for medical/surgical benefits;

• A list of all mental health/substance use benefits that are either covered by the plan at issue or excluded, as well as a comparable list for all covered or excluded medical/surgical benefits;

• Information on how plans and insurers process claims and appeals involving mental health/substance use benefits;

• Disclosure of denied or partially denied mental health/substance use claims, and how they compare to denied medical/surgical claims;

• All external review decisions relating to mental health/substance use claims

• Internal analyses prepared by a plan or insurer (or a consultant), testing the plan or product’s medical/surgical benefits for parity against mental health/substance use benefits.

B. ACA Audits by HHS and DOL

HHS and DOL have also been quite active in launching investigations of insurers and plans to assess compliance with the ACA’s insurance market reforms. As discussed above, the HIPAA enforcement framework contemplates that states will be the primary enforcers of the ACA’s market reforms as applied to insurance companies, and to be sure, many states are enforcing these reforms through their product review and approval processes. ²⁶HHS has expressly noted that “[t]he vast majority of states are enforcing the Affordable Care Act health insurance market reforms.” See http://www.cms.gov/CCIIO/Programs-and-Initiatives/Health-Insurance-Market-Reforms/compliance.html (last visited January 23, 2015). But in five states – Alabama, Missouri, Oklahoma, Texas and Wyoming – HHS has assumed the sole enforcement role. ²⁷Id. Moreover, we understand that in the context of reviewing compliance with federal Exchange certification standards, HHS may have sought information about some QHP issuers’ compliance with the ACA’s insurance market reforms—even in states where insurance regulators are themselves enforcing the reforms. ²⁸If so, such review would conflict with HHS’s earlier pronouncements about its intended enforcement strategy. Specifically, HHS announced that “[b]ecause QHPs are one of several commercial market insurance products operating in State markets, HHS will seek not to unnecessarily duplicate or interfere with the traditional regulatory roles played by State DOIs.” 78 Fed. Reg. 37032, 37060. Rather, HHS stated that it wanted “to focus its QHP oversight to Exchange standards applicable to issuers offering QHPs (for example, correctly administering advance payments of the premium tax credits and cost-sharing reductions and offering benefits consistent with those set forth in the QHP applications approved by HHS),” given that “oversight of market-wide standards will generally be performed by States in their traditional regulatory roles.” Id.

DOL has also announced a comprehensive national enforcement initiative, known as the Health Benefits Security Project (“HBSP”), which involves a broad range of health care investigations—including examinations of plans (and, indirectly, their insurers) ²⁹As noted above, ERISA section 502(b)(3) provides that subject to one exception not relevant here, DOL “is not authorized to enforce … any requirement of [ERISA] part 7 against a health insurance issuer offering health insurance coverage in connection with a group health plan[.]” (Emphasis added). Given that ERISA section 715 – which incorporates the ACA’s insurance market reforms into ERISA – is included within part 7 of ERISA (as is MHPAEA), it follows that section 502(b)(3) also bars the DOL from directly enforcing those ACA reforms (and MHPAEA) against health insurance issuers that provide insured coverage to group health plans. But DOL can enforce the ACA against group health plans that purchase group health insurance, who will then notify the insurer of the DOL’s findings of non-compliance, perhaps triggering a change in the terms of the insurance product or the manner in which it is administered. for compliance with the ACA’s insurance market reforms and other provisions of ERISA Part 7 (including MHPAEA). Importantly, DOL has announced that this enforcement initiative will focus not only whether plans have amended their governing documents to comply with the ACA, but also on the plan’s actual operations and administration—meaning that DOL will be seeking actual claims data to verify compliance with the ACA. The DOL’s audit letters to health plans are usually quite lengthy and seek documents relating to a range of issues, such as COBRA and HIPAA, but with respect to the ACA insurance market reforms, DOL letters usually seek, among other things:

• Documents related to dependent coverage up to age 26 (including plan provisions and notices sent to participants describing enrollment opportunities for any such children who may have previously “aged out” of coverage);

• A list of any participants who had coverage rescinded, and detailed information as to the basis for such rescissions;

• Information concerning eligibility determinations by the plan, and compliance with the ACA’s 90-day limit on waiting periods;

• A list of all individuals denied coverage, or who had claims denied, because of preexisting condition exclusions codified in the plan, as well as documentation that such exclusions had been removed by the date required by the ACA;

• Information about any lifetime or annual limits that the plan imposes, including information as to how a plan determined that a particular benefit was not an “essential” health benefit;

• Copies of disclosure notices sent to participants regarding their choice of providers;

• Information about the plan’s coverage of emergency department services and compliance with ACA rules regarding cost-sharing limits and pre-authorization requirements;

• Documents describing the plan’s coverage of preventive services with no cost-sharing;

• Detailed information about the plan’s claims and appeals procedures, including updated notices of adverse benefit determinations and copies of contracts with independent review organizations (“IROs”);

• Claim processing and claim denial files for a representative sample of participants;

• Copies of any IRO decisions that overturned claim denials by the plan; and

• For plans claiming grandfather status, detailed information concerning the current benefits and cost-sharing provisions as compared to those in effect on March 23, 2010, and required notices to participants disclosing the election of grandfather status. This would include copies of plan documents, summary of benefits coverage and summary plan descriptions for each of the years at issues, and all meeting minutes relating to the health plan for the years in question.

C. DOL Audits of Plan and Insurers’ Claims Processing Systems

Plan sponsors and insurers should also be aware that various regional offices of the DOL have recently undertaken very close reviews of the claims processing systems – both manual and automated – through which health plan benefits are adjudicated. Indeed, we have seen extremely broad document requests or subpoenas from DOL, seeking, among other things:

• Internal and external audits and quality reviews (including customer audits);

• Details regarding claims systems architecture and software, and access to full claims systems and data;

• Claim and appeal processing and procedure manuals;

• Claim litigation files;

• Information regarding customer, participant, and health care provider complaints;

• Copies of all guidelines, manuals and standards (such as medical guidelines) used by the plan or insurer as part of the claims or appeal process;

• Information regarding the compensation, training, and performance evaluations for all personnel involved in the claims and appeal process; and

• Interviews with line and supervisory personnel at all levels of the claims and appeals process.

V. Responding to an HHS or DOL Investigation

Given the increasing frequency of health plan audits and the enormous amount of time and resources that could be incurred in responding to an HHS or DOL investigations, plans and insurers should proactively take steps to prepare for a federal agency audit. These steps include:

• Maintaining a centralized file (both electronic and hard copy) of all:

—Plan documents (including insurance contracts)

—Plan amendments or resolutions amending plan terms

—Meeting minutes that discuss potential changes to plan terms

—Summary Plan Descriptions (SPDs)

—Summary of Benefits and Coverage (SBCs)

—Service provider contracts

—Reports of benefit consultants or brokers discussing compliance issues

—Memoranda from legal counsel discussing legal requirements imposed on the plan and the plan’s compliance with such laws

—Participant disclosures required by the ACA and other provisions of ERISA

—Stop-loss policies

—Fidelity bonds

—Fiduciary liability insurance

• Conducting periodic internal compliance reviews, and correcting any errors identified.

—DOL has published a 68-page “compliance checklist” that provides a helpful roadmap of the broad range of health plan issues that DOL investigates, which should be helpful to many plans and insurers in preparing for an audit. ³⁰http://www.dol.gov/ebsa/pdf/cagappa.pdf (last visited January 26, 2014).

—Note: proactively correcting any identified errors before a government investigation commences should expedite the audit process and mitigate the risk of adverse finding and potential penalties.

• Consulting with experienced ACA and MHPAEA counsel upon receipt of a DOL or HHS audit, to work with the agency in narrowing the scope of information sought and establishing a rolling production schedule, and to provide technical expertise to assist in responding to the regulators’ inquiries and concerns.