Employee Benefits and Executive Compensation Update

Entities that currently provide prescription drug coverage to Medicare Part D eligible individuals (for example, active employees age 65 or older) must disclose to the Centers for Medicare and Medicaid Services ("CMS") whether the coverage is creditable or non-creditable. Generally, coverage is "creditable" if it is equal in value to Medicare coverage. This disclosure requirement is different from the notice of creditable (or non-creditable) coverage provided to Medicare Part D eligible individuals, as described in our September 2005 alert. The disclosure to CMS is made through completion of the disclosure form on the CMS Creditable Coverage Disclosure Web Page at http://www.cms.hhs.gov/CreditableCoverage. The disclosure form must be completed and submitted to CMS at the following times:

No later than March 31, 2006 for plan years that end in 2006;
Within 60 days after the first day of the plan year for plan years that end in 2007;
Within 30 days after the termination of the prescription drug plan; and
Within 30 days after any change in the creditable coverage status of the prescription drug plan.

The information required on the disclosure form includes:

The name of the entity sponsoring the plan of coverage (e.g., the employer);
The Federal Tax Identification Number of the entity;
The street address of the entity;
The phone number of the entity;
The type of coverage (e.g., group health plan);
The benefit options offered to Medicare eligible individuals (e.g., an HMO option, a PPO option, and an indemnity option);
The creditable coverage status of the prescription drug coverage within each of the options;
The period covered by the disclosure notice;
The number of Medicare Part D eligible individuals expected to be covered by the plan as of the beginning of the plan year;
The estimated number of individuals expected to be covered by the plan;
The date the notice of creditable coverage (described in our September 2005 alert) was provided to Medicare Part D eligible individuals;
Any change in the creditable coverage status of previously disclosed information to CMS (and the date on which notice of such change was provided to Medicare Part D eligible individuals);
The name, title and email address of the authorized individual who completed the form; and
The date the disclosure is submitted to CMS.

CMS has indicated that transmitting the disclosure form via the Web page listed above is the sole method for compliance with the disclosure requirement. Feel free to call a lawyer identified below if you desire assistance in preparing the creditable coverage notice.

HIPAA Security Regulations Compliance Required by April 20, 2006 for Small Plans

Small group health plans are required to comply with the HIPAA Security Regulations by no later than April 20, 2006. (Large group health plans should have complied by no later than April 20, 2005. See our law Alert dated January 18, 2005.) The following provides background information useful as a starting point in achieving compliance.

I. The Security Regulations in General.

A group health plan must take various actions to protect the security of electronic protected health information, including:

Identifying a security official responsible for preparing the required security policies and procedures;
Preparing policies and procedures designed to prevent security violations and permit appropriate access to electronic protected health information;
Implementing a security awareness and training program;
Amending business associate agreements to add provisions necessary for the business associates to implement appropriate security measures; and
Amending plans to require the plan sponsor to implement security safeguards.

II. Electronic Protected Health Information.

The Security Regulations protect "Electronic Protected Health Information."

"Protected Health Information" refers to individually identifiable health information that is created, received, maintained or transmitted by a group health plan.
"Electronic" means that the information is maintained in Electronic Media or transmitted by Electronic Media.
"Electronic Media" means electronic storage media, including computer hard drives and any removable or transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card. Electronic Media also includes Transmission Media used to exchange information already in electronic storage media.
"Transmission Media" include, for example, the Internet, extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable or transportable electronic storage media. It is important to note that certain transmissions, including paper delivery, facsimile, voice (via telephone) and similar transmissions, are not considered to be transmissions via electronic media. This is so because the information being exchanged did not exist in electronic form before the transmission.

III. Preliminary Inquiries Re: Development of Policies and Procedures.

If you desire our assistance with HIPAA Security Regulations compliance, we would want to know on a preliminary basis the following information in order to begin creating the necessary policies and procedures:


1.		What types of items of Electronic Protected Health Information are maintained by the group health plan?
2.		Where is this Electronic Protected Health Information (and each backup copy) kept?
3.		Who at the plan sponsor works with the Electronic Protected Health Information?
4.		Is it necessary for each of those individuals to be involved in plan administration?
5.		From where is the information received? (Is it all created in-house?)
6.		Is the information transmitted? If so, where?
7.		By what means is the information transmitted?
8.		How is the information accessed?
9.		As the systems are currently set up, can individuals (other than the individuals identified above) access the information?
10.		The Regulations require the plans to appoint a "security official" who will have oversight authority with regard to the policies and procedures. We would need to discuss who will be designated to fulfill that role.

Final HIPAA Enforcement Rule Published

The United States Department of Health and Human Services has published a final HIPAA Enforcement Rule, which takes effect March 16, 2006. The Final Rule adopts unified enforcement procedures for all of the HIPAA Administrative Simplification Rules, such as the Privacy Rule and the Security Rule. In addition, the Final Rule establishes procedural and substantive requirements for the imposition of civil monetary penalties for violations of HIPAA. According to the Department of Health and Human Services, the adoption of the Final Rule completes the regulatory enforcement structure related to the Administrative Simplification Rules. The Final Rule contemplates enforcement through a complaint process or an audit process. In light of the publication of the Final Rule, it is especially important for each covered entity to ensure that it is in compliance with HIPAA.

* * * *

Only lawyers may properly give you legal advice, and the Schiff Hardin lawyers listed below are prepared to provide you with counsel with regard to this important legal matter.