
Swipe Right HR – April 2025

April 16, 2025 | April 24th, 2025

🗓️ April 2025

Keeping HR pros updated with important compliance, benefits, and human resources information.

New EEOC and DOJ Guidance for DEI Initiatives

On March 19, 2025, the EEOC and DOJ announced new guidance focused on DEI initiatives in the workplace. This includes a One Page Summary outlining the agencies’ view on unlawful DEI-related discrimination, in addition to a Q&A.

The joint agency guidance emphasizes longstanding anti-discrimination principles prohibiting employers from setting the terms, conditions or opportunities of employment based upon protected class. These terms and conditions broadly include hiring, firing, demotion, promotion, compensation, and benefits eligibility among others. The new guidance focuses on DEI initiatives such as affinity groups, employee resource groups, student fellowships, networking events, mentorship programs, recruitment and retention, and employee programming and workshops.

Properly designed and applied DEI initiatives continue to remain lawful employment practices. The agencies' message is clear, however: DEI initiatives will come under significant scrutiny during the current administration. The new guidance is in line with the challenge to DEI initiatives by the Trump administration, which has already issued multiple executive orders targeting DEI.

RxDC Reporting Due June 1, 2025

Each year, group health plans and insurers must submit detailed information about healthcare and prescription drug spending to the Centers for Medicare & Medicaid Services (CMS). This is known as Prescription Drug Data Collection (RxDC) reporting.

The upcoming deadline is Sunday, June 1, 2025, and will cover calendar year 2024 data.

The RxDC submission includes several data files, including:

  • Plan-level information such as enrollment numbers, premiums paid, and plan year dates.
  • Detailed medical and pharmacy spending data, submitted by insurers, TPAs, and/or PBMs.

Most employers work with one or more vendor partners (carrier, TPA, or PBM) to complete this submission. A plan’s reporting is considered complete as long as all required files are submitted – even if they come from multiple sources.


Paid Family & Medical Leave (PFML) Benefits by State

Navigating PFML just got easier. The Paid Family & Medical Leave (PFML) Benefits by State guide gives you a clear, side-by-side breakdown of paid leave programs nationwide. From eligibility and funding to benefit amounts and durations—this is the tool HR teams and employers need to stay one step ahead.


Price Transparency Enforcement Steps Up

In a move that signals a renewed focus on healthcare price transparency, Executive Order 14221, issued by President Donald Trump, directs federal agencies to intensify enforcement efforts around existing transparency rules. While the Order doesn’t introduce new regulations, it underscores the federal government’s commitment to making sure consumers have access to clear and accurate healthcare pricing information.


Background: Building on Executive Order 13877

The foundation for this was laid back in 2019, when Executive Order 13877 was introduced. That Order led to transparency rules that were finalized in 2020, requiring most group health plans to:

  • Offer consumer-friendly tools to compare costs for common medical services (in-network rates, out-of-network allowed amounts, service estimates).
  • Publicly post machine-readable files with negotiated rates, historical out-of-network payments, and prescription drug pricing data.

Although these rules are not new, enforcement efforts have varied – and this new Executive Order suggests more consistent oversight may be coming.  

What Executive Order 14221 Does

EO 14221 doesn’t create new laws, but it gives clear direction to federal agencies to take enforcement more seriously. Within 90 days, the Departments of Treasury, Labor, and Health and Human Services are instructed to:

  • Require the disclosure of actual prices for healthcare services and prescription drugs, not just estimates.
  • Standardize pricing formats to make comparison easier for consumers.
  • Enforce compliance more rigorously, holding noncompliant entities accountable.

What Employers Should Know

The main responsibilities for compliance typically fall to carriers or third-party administrators, especially for fully insured plans. That said, employers – particularly those with self-funded plans – should be aware of the following:

  • The requirement for cost estimator tools and public pricing files remains in effect.
  • Most employers have already delegated these responsibilities to their insurance carrier or TPA.
  • There is no new employer action required at this time.

Nulty is proactively working with our carrier partners to confirm how they are managing these requirements in light of the renewed enforcement focus.

HIPAA Breach Reporting

When a breach occurs that compromises the confidentiality, integrity, or availability of protected health information (PHI), the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and their business associates report the breach to affected individuals, to the Department of Health and Human Services (HHS), and in some cases, to the media.

If a breach occurs within a business associate (such as a third-party vendor handling PHI), they must notify the covered entity promptly, as the covered entity is ultimately responsible for reporting the breach.


Steps and Requirements for Reporting a HIPAA Breach

Determine if a breach occurred
A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the information. Not all incidents that involve PHI are considered breaches (for example, unintentional access by an employee within their scope of employment).

The Risk Assessment process is required to assess if the breach poses a significant risk of harm to the individuals. This includes evaluating the nature of the PHI involved, whether it was acquired or viewed, and the likelihood of re-identification of the data.


Notify Affected Individuals
Individuals must be notified within 60 days of discovering the breach. The notification should include:

  • A description of the breach
  • The types of PHI involved
  • Steps affected individuals can take to protect themselves
  • Actions taken to investigate and mitigate the breach
  • Contact information for further inquiries

Notify the Department of Health and Human Services (HHS)
If the breach affects 500 or more individuals, the breach must be reported to the HHS within 60 days. The report is made using the HHS breach portal.

For breaches involving fewer than 500 individuals, the covered entity can submit an annual summary of all breaches by March 1 of the following year.


Notify the Media
If a breach involves more than 500 residents of a state or jurisdiction, the entity must notify prominent media outlets serving that area. This is also to be done within 60 days of discovering the breach.

Question of the Month

Q: Can an employee still participate and receive reimbursements in the dependent care FSA if their spouse is a stay-at-home mom? Can they still contribute up to the $5,000 maximum as they are married and filing taxes jointly?

A: An employee cannot contribute to a dependent care FSA if the spouse is a stay-at-home mom. The only exceptions would be if the mom is actively searching for gainful employment, a full-time student, or physically/mentally incapable of self-care.

An employee who is married and filing jointly is limited to $5,000 per year in a dependent care FSA. But this is only available if the spouse is working or meets one of the limited exceptions above.


Answers to the Question of the Month are provided by Kutak Rock LLP. Kutak Rock provides general compliance guidance through the UBA Compliance Help Desk, which does not constitute legal advice or create an attorney-client relationship. Please consult your legal advisor for specific legal advice.

Our Compliance Team is here if you have any questions or would like us to help you with your group benefits.
