The Vita Blog September 2022

U.S. Department of Health and Human Services regulations require annual notice to all plan participants regarding the Medicare Part D Prescription benefit “creditability” of your group health plan. This notice must be provided by October 14 to coincide with the annual Medicare open enrollment period which runs from October 15 to December 7. This notification provides Medicare-eligible employees with important information to help determine whether they need to enroll in Medicare Part D.
 

Again?  Didn’t I just do this after my medical plan renewal? 

Not quite. Same law, different requirement. In addition to this annual employee disclosure requirement each fall, plan sponsors must report creditability information directly to the Centers for Medicare and Medicaid Services (CMS) within 60 days of the first day of the medical policy year. Many Vita clients have a January 1 plan renewal, so for many employers, the deadline is the end of March.
 

How Do We Know If Our Prescription Benefit Is “Creditable”?

A prescription drug plan is considered "creditable" if the prescription drug benefits are expected to pay as much as or more than standard Medicare Part D prescription drug coverage. If a plan will not pay out as much as Medicare prescription drug plans pay, it is considered "non-creditable".

If you are a Vita client, you can confirm the creditability of your own plan(s) by referring to your ERISA Welfare Plan Summary Plan Description (SPD).
 

Employer Action Item

The ERISA SPD that Vita provides to clients has been designed to incorporate all of the necessary disclosure language for the Medicare Part D Creditability requirement.  If you have distributed this SPD to your employees in 2022 (or since October 15 of last year), you are already in compliance with the annual disclosure requirement. Not a Vita client and need some help? Let's chat!

If you prefer to send a separate Medicare Part D creditability notice, you may use the sample documents (model notices) available through the Center for Medicare & Medicaid Services website. There you can find sample documents for plans that are creditable or non-creditable for Medicare Part D purposes. Please note that the vast majority of group health plans include prescription benefits that are creditable.

At Vita, protecting the data entrusted to us is among our top priorities. We are pleased to demonstrate to our clients the highest standards for data protection and information security by achieving HITRUST certification for key implemented services and platforms.
 

The HITRUST Risk-based, 2-year (r2) Certified status demonstrates that Vita has met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places Vita in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.

The following is an overview of the critical standards and protocols of the Vita Security Program. These tenets outline Vita’s strong technical controls and commitment to maintaining best security practices: 
 

1. Formal, Well-Documented Security Program

Vita’s information security policies are documented and aligned with NIST Cybersecurity Framework v1.1 standard for cyber defense and information security policies. In addition, Vita incorporates HIPAA privacy and security best practices. A comprehensive Information Security Program has been adopted to guide the organization in compliance and cyber safety.
 

2. Prudent Annual Risk Assessments

Vita performs and documents a comprehensive annual risk assessment. This process meets the standards of the DOL’s Cybersecurity best practices guidance for annual risk assessments.
 

3. Reliable Annual Third-Party Audit of Security Controls

Vita’s external third-party auditor performs bi-annual attestations of adherence to our security controls to confirm HITRUST Certification reports. This certification is the industry standard for healthcare businesses as proof of compliance and security program thoroughness.
 

4. Defined and Assigned Information Security Roles and Responsibilities

Vita has clearly defined and assigned roles and responsibilities, including strategy and operational management from our Chief Compliance Officer, Chief Information Security Officer, and the Vita Leadership Team.
 

5. Strong Access Control Procedures

At Vita, access to information is provisioned on the principle of least privilege (PoLP). Vita employs strong data access controls, including multi-factor authentication (MFA). Unique user IDs are issued and forced password complexity rules are enabled that include, but are not limited to, minimum length, invalid attempts, password history, and a mixture of characters and numbers.
 

6. Comprehensive Due Diligence Program

Vita deploys a rigorous and formal vendor management program for third-party vendors, partners, and cloud data storage platforms to ensure data security is prioritized and maintained at compliant levels. Extensive security reviews are conducted for critical suppliers and partners and risk is assessed prior to contracting. This includes a review of financial, technical, and operational controls as well as specific management elements such as background checking of employees, data security reviews, business oversight of performance, service level agreements (SLAs), and system and organization controls that meet the standards of SOC2 Type 2, ISO 27001, or HITRUST certification. All vendors and partners must meet or exceed minimum security practices, policies, and protocols.
 

7. Cybersecurity Awareness Training

Vita team members are systematically assigned mandatory security awareness, privacy, and fraud awareness training on an annual basis. In addition, security training and alert programming is provided throughout the year to reflect risks identified from assessment and the cyber security community.
 

8. Secure System Development Life Cycle Program (SDLC)

Vita has implemented a systems development life cycle (SDLC) methodology, which covers analysis, design, build and test, quality assurance and installation, and governs the development, implementation, and maintenance of application systems. Elements of the SDLC include procedures, guidelines, and standards that ensure all in-house applications are developed securely, comprehensive change management tracking, a vulnerability management plan, and annual penetration testing.
 

9. Encryption of Sensitive Data

Vita encrypts all sensitive data at rest (stored) and in transit. Data is encrypted using the advanced encryption standard (AES-256). All Vita laptops and desktops are fully encrypted. Vita does not allow the copying of data to USB drives or any such portable media.
 

10. Sophisticated Layers of Security

Vita employs industry-leading technology and sophisticated layers of security measures designed to defend against security threats and safeguard client and participant-sensitive information. Protection methods and resources include, but are not limited to:
 

Network and application firewalls Virus and vulnerability scans Intrusion Detection and Prevention system Data Loss Prevention solutions Endpoint security measures Malicious code and anti-virus protection Access controls programming Change management controls

Dual controls and separation of duties Secure destruction of data Team member background checks External audits Threat intelligence resources Routine patch management Network segregation Routine data backup

11. Business Continuity and Disaster Recovery Plan

Vita has an established and mature Security Incident Response Team, documented a business continuity/disaster recovery plan (BC/DR), and Incident Response Plan to help ensure that business services remain available in the unlikely event of a major business interruption. The BC/DR plan incorporates business impact analyses and contingency planning at multiple levels, incident management guidelines, emergency notification protocols, clearly defined roles, responsibilities and authority levels, and disaster declaration processes.
 

12. Responsiveness to Cybersecurity Incidents or Breaches

Vita’s Incident Response Plan ensures a rapid and comprehensive response should a cybersecurity incident or breach occur. A Vita-wide security incident response team (SIRT) has been trained and provided with action guides. All response activities are coordinated with internal and external stakeholders.
 

13. Culture of Safety and Security

Vita is committed to creating a culture of safety and security in every respect. Vita maintains high standards of security commitment for all team members, vendors, and partners. The commitment to security is reflected in cutting-edge technology resources being deployed to protect client and participant data and the Vita network and system. Lastly, Vita’s comprehensive Security Program addresses and manages not only cyber security risks but also physical and organizational security realities.
 

14. Certification to Prove It

Vita maintains HITRUST CSF® v9.4 Risk-based, 2-year (r2) certification of security practices. This external assessment both reflects and validates Vita’s commitment to security.

In litigation involving the Affordable Care Act's (ACA's) preventive health services requirements, a Texas district court held that the coverage mandate for preexposure prophylaxis (PrEP) to prevent HIV infections violated an employer's rights under the Religious Freedom Restoration Act of 1993.

On September 7, 2022, U.S. District Judge Reed O’Connor ruled that the ACA’s requirement for employers and insurance companies to provide free coverage of HIV prevention drugs was unconstitutional. The judge’s rationale for his decision rested on the fact that he deemed it a violation of a Christian business owner’s freedom of religion.

For context, according to the U.S. Centers for Disease Control and Prevention, medications can reduce a person’s risk of getting HIV from sexual activity or intravenous drug use and is a highly effective preventive treatment for HIV. PrEP drugs reduce the risk of getting HIV from sex by 99% and from injectable drug use by 74%. The cost for a PrEP prescription can run as high as $22,000 annually.

The district court also found that the appointment process for the entities that determine which preventive services must be covered under the ACA is unconstitutional.
 

Background of Preventive Health Services Under the ACA

The ACA requires group health plans and health insurers to cover preventive care and screenings without cost-sharing. Plans and insurers must provide first-dollar coverage for the following four categories of preventive health services:
 

• Evidence-Based Services: Evidence-based items or services with a rating of "A" or "B" under current recommendations from the U.S. Preventive Services Task Force (USPSTF), including PrEP drugs to prevent HIV infections.
• Immunizations: Routine immunizations are recommended by the Advisory Committee on Immunization Practices (ACIP) of the Centers for Disease Control and Prevention (CDC), including the human papillomavirus (HPV) and the COVID-19 vaccine.
• Preventive Care and Screenings through Age 21: Preventive care and screenings for infants and children through age 21 under guidelines supported by the Health Resources and Services Administration (HRSA), including screenings and counseling related to tobacco use, obesity, alcohol abuse, and sexually transmitted infections.
• Preventive Care and Screenings for Women: Preventive care and screenings for women under HRSA guidelines, including contraceptives.

 

Details of the Case

Braidwood Management v. Becerra involved a small business owner who was joined by six individuals and one other business. The plaintiff objected on religious grounds to obtaining or providing health insurance coverage that included HPV vaccines, STI and drug-related screenings and counseling, PrEP, and contraceptives.

The plaintiff claimed that he did not want to “facilitate and encourage homosexual behavior, intravenous drug use, and sexual activity outside of marriage between one man and one woman” and that he felt he would be complicit in behaviors he believed to be immoral if he provided insurance coverage for PrEP medications to his employees under his self-insured plan. The business owner further claimed that this was due to his Christian beliefs and how he interpreted the Bible.

Government lawyers argued that it was wrong to assume that PrEP drugs “facilitated or encouraged” these behaviors. However, the Court found the argument to be irrelevant as the “correctness” of beliefs does not matter. Only the “sincerity” of those held beliefs matters. Ultimately, the Court ruled that this mandate imposed a substantial burden on the religious freedom of the small business owner that was not permitted under the Religious Freedom Restoration Act (RFRA). The RFRA requires that the government use the least restrictive means of promoting a compelling governmental interest when it burdens religious freedom. In this case, the Court determined that requiring coverage for PrEP was not the least restrictive means to promoting a compelling governmental interest.

Importantly, the Court also ruled that the appointment process for the USPSTF, ACIP, and HRSA (entities that determine which items and services must be covered under the ACA's preventive health services rules) is unconstitutional. In short, according to the rules, the appointees needed to be nominated by the President and confirmed by the Senate, and, without such a formal appointment process, they would not be permitted to make these authoritative binding decisions. The court found that ACIP and HRSA appointments were valid, however, the USPSTF appointment process was not, leaving the question of the legality of the decisions made by that entity.
 

The Potential Impact

This ruling is significant in that it shows the increasing tension between the public health of employees and society at large on the one hand and the religious rights of private employers on the other.

It is likely that this ruling will be challenged in a higher court. Notably, Judge O’Connor had previously faced off against the ACA when he ruled that the ACA was unconstitutional in 2018 based on the zeroed-out individual mandate penalty. That ruling was later overturned by the U.S. Supreme Court. Those disagreeing with the ruling would point out that Judge O’Connor’s reading of what is constitutional vs. not is likely seen through a biased filter.

Public health officials have expressed concerns that if this ruling stands, it could weaken the ACA mandate to provide no-cost preventive care such as vaccines or cancer screenings like colonoscopies or mammograms. Some have postulated that coverage for contraception and Plan B could stand next in line to be challenged under the religious freedom argument.

Opponents would argue that the religious freedom of an employer to deny lifesaving coverage to employees who have different beliefs is discriminatory. In addition, the Court failed to comment on the lack of factual support for the business owner’s statement that access to such medication could encourage behaviors like intravenous drug use and premarital sex.
 

A Crystal Ball

It is reasonable to wonder what we might see in response. Given the ongoing nature of the case, it is unlikely that insurers and group health plans will rush to drop coverage without cost sharing for 2023. However, should the ruling be finalized, it is likely that insurers and some group health plans would react by imposing copays and deductibles to many of the preventive services that are now required to be covered on a zero-cost basis. 

We also might see more liberal states choosing to be proactive and try to recreate preventive mandates for fully insured plans (similar to how we saw states recreate the individual mandate). Recall, however, that states cannot govern self-funded plans, which would only create a partial solution. That solution might also be problematic, since, if certain preventive care measures are restricted on a federal level but mandated on a state level, plans would face a conflict relative to providing first-dollar coverage under an HDHP plan and then running afoul of the restrictions for HSA contributions.

This is a complex issue, especially since the current mix in the high court would likely lean toward favoring the religious freedom argument. It is thus unlikely that challengers will rush to appeal the issue. Unfortunately, the crystal ball in this case is solidly cloudy. We think it is too early to say what we might expect in the future as this issue unfolds.