As the Novel Coronavirus (COVID-19) pandemic spreads, employers and plan sponsors are growing more concerned about the impact on group health plan administration. For the most part, except where deviation is required by state or federal mandates, group health plans should continue to be operated as they have been without regard to COVID-19. Nevertheless, there are several things group health plan sponsors and administrators should consider.
Cost-sharing waivers
Several states have directed fully-insured health plans to waive cost-sharing for testing and, in some cases, treatment for COVID-19. Additionally, many claims administrators providing services to self-funded group health plans have notified plan sponsors that they will automatically waive cost-sharing for COVID-19 testing and treatment unless the sponsors opt-out. In response to the cost-share waiver mandates, the Internal Revenue Service issued Notice 2020-15 to allow high-deductible health plans (“HDHPs”) to cover without cost-sharing COVID-19 testing and treatment prior to satisfaction of the statutory minimum deductible. In the absence of that guidance, there was some concern that cost-share waivers under HDHPs would disqualify contributions to health savings accounts (HSAs).
Note that we are aware of several claims administrators that are also waiving telehealth cost-sharing requirements regardless of the reason for the visit. The rationale for this waiver is that it is safer to keep patients out of brick-and-mortar clinics, but IRS Notice 2020-15 does not appear to cover non-COVID-19-related services. It is possible that the IRS will provide supplemental guidance on this issue, but until then, sponsors of HDHPs should consider the potential HSA disqualification risk before proceeding with broad-based telehealth cost-sharing waivers.
Vendor management
Most administrative services agreements with claims and network administrators contain “force majeure” clauses that exclude performance under the agreement in the event of extreme, unavoidable circumstances. An epidemic or pandemic is often included as a force majeure triggering event, so employers and plan sponsors should consider the impact that COVID-19 might have on the ongoing operation of their health plans. The good thing is that whether or not required under the administrative services agreement, most claims and network administrators have business continuity and disaster recovery protocols in place to ensure administrative services continue in extreme circumstances. Given that COVID-19 and related quarantines are rapidly spreading, employers and plan administrators should consider coordinating with service providers to ensure that business continuity and disaster recovery plans are in place and have been recently tested.
HIPAA requirements
Considering the impact that COVID-19 has on public health, it can be easy for employers to overlook their privacy obligations as administrators of HIPAA covered entities (i.e., group health plans are covered entities under HIPAA). For that reason, in February 2020, the Department of Health and Human Services (“HHS”) issued a bulletin reminding covered entities that despite the heightened public concern regarding COVID-19, HIPAA’s use and disclosure restrictions remain in place. Under HIPAA, disclosures of identifiable health information for reasons other than treatment, payment, or health care operations generally require written authorizations from the subjects of the information. However, HHS noted that group health plan administrators are permitted to disclose health information without written authorization in five specific situations particularly relevant in connection with COVID-19.
- HIPAA permits disclosures of health information to public health authorities for the purpose of preventing or controlling a disease. Therefore, for example, a plan administrator could disclose COVID-19-related health information to the CDC or other public health authority.
- Plan administrators could disclose COVID-19-related health information to a foreign government if directed to do so by a public health authority that is acting in collaboration with the foreign government.
- Plan administrators may disclose COVID-19-related health information to persons who are at risk of contracting or spreading the disease if another law (such as a state law) permits the disclosure.
- HIPAA permits COVID-19-related health information to be disclosed to an individual’s family and friends or other person involved in the individual’s care. When possible, the covered entity should get verbal permission from the plan participant. When that is not possible, disclosure is permitted if the plan administrator determines that it is in the best interest of the individual.
- If a plan administrator determines in good faith that disclosure of COVID-19-related health information is necessary to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, the information may be disclosed to a person or entity reasonably able to prevent or lessen the threat.
These exceptions to the written authorization requirement are not without important limitations. For example, even if disclosure is permitted, HIPAA’s basic “minimum necessary” principle still applies—only the minimum amount of information may be disclosed to achieve the purpose of the disclosure. Also, employers should be aware that they could obtain sensitive health information outside of their role as group health plan administrators (e.g., an employee calls out from work because they are quarantined due to COVID-19 diagnosis or exposure). In those cases, HIPAA would generally not apply, but employers still must consider other state and federal privacy obligations when determining whether to disclose that information.
Although state and federal guidance regarding the impact that COVID-19 has, or will have, on group health plan design and administration is limited at this time, we expect significant state and federal guidance to be released in the future. Employers and plan administrators should work closely with their health insurance providers, consultants, and legal counsel to ensure that their health plans remain compliant as this guidance is released.