March 1 brings two annual deadlines for employers that sponsor a group health plan for their employees.
Medicare Part D—Creditable Coverage Disclosure to CMS
An employer with a group health plan that provides prescription drug coverage to Medicare-eligible individuals must make an annual disclosure to the Centers for Medicare & Medicaid Services (CMS). The disclosure is due 60 days after the beginning of the plan year—no later than March 1, 2023, for calendar-year plans. Employers must complete and submit the annual disclosure electronically on the CMS website.
In order to complete this disclosure, an employer will need to provide the following information: (i) the employer's name, address, federal tax identification number, and phone number; (ii) the name, title, and email address of the person completing the form; (iii) the type of coverage offered; (iv) the total number of prescription drug options available to Medicare-eligible individuals; (v) the creditable coverage status of each prescription drug option; and (vi) the total number of Medicare-eligible individuals covered by each option (less the number of Medicare Part D individuals, if any, being claimed under the Retiree Drug Subsidy Program).
In addition to the above, if a plan's prescription drug coverage is terminated or if there is a change in the plan's creditable coverage status, the employer must update its CMS disclosure within 30 days.
HIPAA—Breach Report to OCR
Employer group health plans are "covered entities" under HIPAA and must report breaches of unsecured protected health information to the Office of Civil Rights (OCR) with the Department of Health and Human Services. As relevant here, the plan must report small breaches occurring in 2022 no later than March 1, 2023. (A "small" breach is one affecting 500 or fewer individuals.) For a self-funded employer group health plan, it is the employer's obligation to ensure that the report is made in a timely manner, though the report may actually be submitted by a business associate, such as the plan's third-party administrator. The report must be submitted electronically on the OCR web portal.
In addition to the above, the plan must notify affected individuals of a HIPAA breach within 60 days of the breach being discovered. If the breach is large (affects more than 500 individuals), then in addition to notifying affected individuals, the plan must notify HHS within 60 days of discovery. If the breach affects more than 500 individuals within a single state, then in addition to the above, the plan must report the breach to prominent media outlets serving that state within 60 days of discovery.
* * *
If you have questions or concerns regarding this client alert, please contact the authors, any member of Venable's Employee Benefits and Executive Compensation Group, or your regular Venable lawyer.