Shining a Light on HIPAA Compliance for Health and Welfare Plans
By Elizabeth Kay
Compliance and Retention Analyst for AEIS
A UBA Partner Firm
With the passage of the Affordable Care Act (ACA), the federal government became much more involved in what had always been a heavily regulated, but predominantly private, industry. What many people have forgotten is that the ACA was not the first legislation to be passed that involved private and employer-sponsored health and welfare plans.
The Employee Retirement Income Security Act (ERISA) is not just about retirement plans. For example, it requires health and welfare plans to generate and retain certain documents related to the plan, such as the Summary Plan Description (SPD), and requires the plan sponsor to distribute certain notices to plan participants and beneficiaries. (For more information about how ERISA may impact you, request UBA’s publication, “Reporting and Plan Documents under ERISA and Cafeteria Plan Rules.”)
The Health Information Technology for Economic and Clinical Health (HITECH) Act has affected the way private health information is handled when it is stored on or transmitted via an electronic device. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has also had a strong impact on health and welfare plans but, like ERISA, it has not always been heavily regulated.
The passage of the ACA has shined a light on many other prior pieces of legislation. With both the Employee Benefits Security Administration (EBSA) and the IRS having enforcement rights over the ACA, and everyone looking for revenue, the searchlight is starting to shine brighter, and the beam is becoming wider.
What does this mean for sponsors of health and welfare plans? Basically, it means that regulations that were previously considered to be guidelines now need to be taken more seriously, and where there are gaps, plan sponsors need to be sure to take the time to address them before an audit by the EBSA or Office of Civil Rights (OCR) results in fines. While the OCR has always conducted health plan audits for HIPAA compliance, the agency is really going to be stepping up enforcement in 2017, and is compiling a list of potential plans to audit before the end of 2016.
One of the requirements of HIPAA is that the covered entity must safeguard the Protected Health Information (PHI) of plan participants. HIPAA defines a covered entity as a health care provider or health plan, which includes insurance carriers, government programs, and welfare benefit plans. However, many plans require other entities to have access to that same information in order to fulfill the benefit obligations of the plan to the plan participants. For example, the plan has to transmit participant data or enrollment forms to the insurance broker or carrier so the participant can begin receiving benefits of the plan, such as going to see a doctor.
In order for the covered entity to be sure that the PHI of the plan participant is kept safe under the HIPAA requirements, it can enter into a Business Associate Agreement (BAA) with the other party so that they can exchange PHI for business purposes. A business associate could be an insurance broker, COBRA vendor, HR or benefits database vendor, IT vendor, or offsite shredding vendor. A BAA outlines the responsibilities of each party, helps to protect the other party in case of a security breach, and defines how the PHI that is exchanged can be used.
A covered entity should also outline policies and procedures that identify the employees who need access to PHI and limit access to those employees, in addition to limiting the amount and type of information disclosed.
Subscribe to the UBA blog for ongoing information about HIPAA compliance issues and ways to ensure your health and welfare plan policies and procedures are HIPAA compliant.
For questions about how to comply with HIPAA, contact your local UBA Partner Firm and speak with a Benefits Consultant or Compliance Specialist.