Is It Time to Review Your HIPAA Privacy and Security Compliance Strategy?

By Stacey Stewart

Any seasoned benefits professional knows and loves the acronym HIPAA, am I right? It refers, of course, to that multi-faceted law that can make heads spin with its complexity, and about which each of us has wondered, at least once in our career, “Does it have two As or two Ps?” (come on, be honest!). Some parts of the law are relatively straightforward, but the privacy and security rules can present a real challenge to apply, and many employers still struggle to understand how these rules impact their employee benefit plans.

How confident are you that your plans comply with the HIPAA privacy and security rules? Are you clear on which plans these rules apply to and whether you or a vendor is responsible for the applicable compliance responsibilities? Now is an important time to get it straight and shore up any inadequacies in compliance, as the United States Department of Health & Human Services (HHS) has begun actively auditing plans.

Let’s start with who the HIPAA privacy and security rules cover. These rules apply to “covered entities,” which generally include health plans (our focus in this article), certain health care providers and health care clearinghouses. Business associates who perform functions for or on behalf of covered entities also must comply if they can access protected health information (PHI).

You will notice one conspicuous absence from the list of covered entities – employers. However, while not covered entities themselves, employers are affected by the rules since they are generally the plan sponsor and frequently also the plan administrator of their health plans, even if a third party assists with claims administration. In the end, it is often the employer who is ultimately responsible for ensuring full compliance and who suffers sanctions relating to HIPAA violations by its health plan(s).

HIPAA privacy and security rules apply to plans beyond what is traditionally considered a health plan. In fact, the rules define the term “health plan” broadly to include most employer-sponsored plans that provide or pay for medical care. This means the definition covers not just major medical, dental and vision, but also health FSAs, HRAs… and even many wellness plans and EAPs! Hence, when assessing HIPAA compliance, an important first step many employers miss is to determine which plans must comply so as to tailor the approach accordingly.

Why tailor your approach? It is necessary because the extent of your HIPAA compliance obligations depends on the type of plans you have (e.g., an ERISA plan with fiduciary responsibilities). Of particular importance is how you fund and administer each plan – do you fully insure or self-fund, administer in-house or contract with a third party? These factors affect the potential ability and/or need to touch PHI, the protection of which is the overall motivation behind the HIPAA privacy and security rules.

If HIPAA applies to your plan(s), what does it require? Let’s start with the privacy rule. To take a 1,000-foot view, this rule provides standards for the use and disclosure of PHI and conveys rights to individuals with respect to their PHI. It also requires covered entities to put administrative safeguards and procedures in place to protect PHI, including some very specific requirements, such as designating a privacy officer, providing a privacy notice, training employees, developing a complaint process and establishing sanctions for privacy violations.

Moving on to the HIPAA security rule, it applies to PHI that is electronically maintained or transmitted (ePHI). It requires the plan to protect the confidentiality, integrity and availability of any ePHI that it may touch and to guard against anticipated threats to, and unauthorized uses or disclosures of, ePHI. To this end, the rule outlines standards to guide plans in meeting their obligations, but allows flexibility to select among a variety of security measures to achieve compliance. Generally, the first and most important step is to conduct a risk analysis to identify potential security risks and the safeguards needed to address them.

Many employers mistakenly believe that they need not worry about HIPAA privacy and security since their major medical plan is fully insured. While insurers must handle certain privacy rule-related requirements for fully insured health plans (such as the privacy notice), compliance responsibilities generally depend on whether the employer takes a “hands-off” approach – meaning it receives only certain limited health information without participant authorization. But could an ERISA-covered plan sponsor ever be completely hands-off and still satisfy its fiduciary responsibilities under ERISA? And what about plans beyond major medical, such as a health FSA?

Further, all health plans are subject to the security rule, regardless of funding status. Yes, this includes fully insured plans! Obligations may be very limited if ePHI is beyond the plan’s reach, but it is unwise to assume no action is needed based merely on a plan’s funding status.

Another widely held misconception is that the plan’s insurer, third-party administrator or other vendor automatically handles HIPAA compliance. These parties may handle certain compliance obligations if the law so requires, such as the privacy rule requirements placed on the insurer of a fully insured health plan, but it is doubtful they would take on additional responsibilities absent a contractual obligation to do so. Plus, certain actions, for example designating privacy and security officers and conducting a security risk analysis, may require input from the plan sponsor and administrator.

Now that 2017 is off and rolling, perhaps it is a good time to review your HIPAA privacy and security compliance strategy. Keep in mind that compliance obligations vary over time based on your plan design choices and offerings, changes in how (and by whom) plans are administered, the extent to which you (or other parties) may access PHI, and even on things like business acquisitions and office relocations. Consider conducting an internal audit to assess compliance – better to ask questions now rather than with the weight of a government audit or participant complaint on your mind!

Stacey L. Stewart, JD
Senior Advisor, Client Resource Team
Regions Insurance, Inc.