HIPAA compliance for employers is a complicated and nuanced topic. No employer group is the same when it comes to supplying health benefits to their employees. Smaller employers (fewer than 50 lives) usually outsource the day-to-day administrative tasks to their carriers, a Third-Party Administrator (TPA), and/or insurance agent to help manage their plan. Other employers will have a more hands-on approach and more exposure to Personally Identifiable Information (PII) and Protected Health Information (PHI). Though you may believe you’re not affected by HIPAA, many groups usually have access to more PHI than they realize. In this article, we outline some of the issues that you may face as a benefits specialist and the connection between ERISA and HIPAA.
What is ERISA?
Let’s start at the beginning. ERISA, or the Employee Retirement Income Security Act of 1974 (29 U.S. Code § 1002)¹, set minimum standards for benefit plan participation, vesting, benefit accrual, and funding. ERISA requires a benefit plan to establish a grievance and appeals process for participants, which allows participants to sue if benefits are denied or misused, plans are underfunded, or other “fiduciary duties” are mishandled.
Who are the Plan’s Fiduciaries?
According to ERISA, fiduciaries are plan trustees, plan administrators, and members of the plan’s investment committee. A plan is required to have at least one fiduciary, which can be a person or entity. Fiduciaries oversee the administration of your benefits plan and are tasked with acting solely in the interest of the plan participants and their beneficiaries. The fiduciary also has a duty to “act prudently.”
Employers and the Duty of Prudence
Fiduciaries are required to act with “care, skill, prudence, and diligence under the circumstances that a prudent man acting in a like capacity and familiar with such matters would use.”¹ Translated, this means an employer is responsible for protecting all of their employees’ Personally Identifiable Information.
Personally Identifiable Information (PII)
PII is any data that could be related to an individual. There is both sensitive and non-sensitive PII. Non-sensitive PII is any information that is public, like email addresses and phone numbers. What your fiduciaries need to protect is sensitive PII. This includes any non-public PII, like biometric information, Social Security Numbers, and financial information; it also includes health information. Under ERISA, you have a duty to protect information about your employees from privacy and security breaches.
Enforcement for ERISA falls to the DOL and the State Attorneys General offices in the states where you have plan participants. Plan participants are also allowed to sue under §502(a)(2), (5)³. Under this provision, plan participants can sue an employer for breach of their fiduciary duties. Normally, this is reserved for mismanaged plans when it comes to financial concerns. However, we’ve recently witnessed this provision extend to cover a plan’s privacy and security breaches.
HIPAA and ERISA
Your health plan is part of your benefits package, and ERISA defines your company as a plan sponsor. HIPAA goes one step further and defines group health plans as Covered Entities. According to HIPAA 45 CFR § 164.504(f)(iii)⁴, a plan sponsor is a Covered Entity and is required to work through the appropriate steps towards HIPAA compliance.
The health plan’s designated administrator (Privacy and/or Security Officer) is wearing two hats: (1) they work as an employee of the company, and (2) as a plan administrator for the group health plan. You can take one hat off and be the plan administrator, and then put on the employee hat, but you are still the same person. Changing your hat doesn’t draw a clear separation. Thus, the plan and the company are one and the same in the eyes of regulators; therefore, your company will need to comply with both ERISA and HIPAA regulations.
Employers and HIPAA Security
If your company transmits any PHI electronically (through email or fax), then you must comply with the HIPAA Security Rules. Examples of this would be collecting health care screening forms and sending them to the carrier, helping employees address claims issues, or receiving benefits information from your insurance agent. If you are performing any electronic transactions, you must comply with HIPAA. There are no exceptions!
Where Employers See PHI:
We hear from a lot of employers, “We don’t see or hold any PHI,” or “We only see a little PHI.” The reality is, you’re probably seeing more PHI than you realize. Where PHI lives in your office:
- Health Insurance Portal
- Employees self-reporting health issues (written, electronic, or oral)
- Employees asking for help with submitting claims
- Enrollment forms
- Information on premium payments
- Claims issues
- HSA and FSA accounts
- Coordination of benefits
It doesn’t matter what form the PHI is in. If you can hear it, physically see or hold it, or receive it in some electronic format (e.g. email or PDF), you have information that must be protected. Once the plan administrator or executive of the company is in possession of it, the employer is required to protect that information and fully comply with both the Privacy and Security HIPAA Rules.
Information disclosed about a family member undergoing cancer treatment, the birth of a child, or other medical conditions shared by an employee with a plan administrator is PHI. Remember, PHI is any health information with an identifier.
How an Employer Becomes HIPAA Compliant
If you’ve come this far in the article, you’re probably wondering what you need to do as an employer to become HIPAA compliant. Under the law you are required to do the following:
- Adopt and implement written Privacy Policies and Procedures that meet the requirements of the regulations, 45 C.F.R. 164.503(i);
- Provide a Notice of Privacy Practices to each plan participant, 45 C.F.R. 164.520;
- Train employees on the company’s Privacy Policies and Procedures, 45 C.F.R. 164.530(b);
- Appoint a Privacy Officer, 45 C.F.R. 164.530(a);
- Obtain authorization to use PHI for purposes other than payment and health care operations, 45 C.F.R. 164.508(a); and
- Disclose only the minimum necessary PHI, 45 C.F.R. § 164.502(b).
Remember, there are no exemptions for the Security Law. If the plan administrator is sending PHI to the carrier or insurance agent, that information is required to be protected in transmission, at rest, and in storage. Additionally, your company is required to perform a Risk Assessment, create Privacy and Security Policies and Procedures, and have a breach plan in place.
HIPAA in the News for Employers
Why are HIPAA Privacy and Security so important? Employees entrust you with their sensitive personal information, and they have a reasonable expectation that you will protect it. Beyond HIPAA, there are state laws, and lawsuits have even been brought against carriers, employers, and healthcare providers who failed to safeguard that information.
Most businesses are not prepared to deal with the consequences of a breach. That is because they do not have a plan in place to protect their employees’ information. To stay compliant with HIPAA and ERISA guidelines, it is imperative that you have a privacy plan and a security plan, and that you train your staff. With the vague privacy and security guidelines in ERISA, HIPAA is the best option for your company to protect itself and your employees.
JorgensenHR is a partner with TotalHIPAA Compliance and can assist you with HIPAA Compliance.
Source: TotalHIPAA Compliance