If you’ve been taking concrete steps towards implementing and maintaining HIPAA compliance across your organization, you may have also come across some information about ERISA compliance. Now you might be asking: Who does ERISA apply to? Do HIPAA and ERISA have overlapping guidelines? And if so, what does that mean for my company? Look no further, because we’ve got answers. Here’s what you need to know about ERISA and HIPAA compliance.
What Are ERISA and HIPAA, and How Do They Differ?
ERISA (the Employee Retirement Income Security Act) regulates group-sponsored employee benefits. This may include things like medical coverage, HSAs (Health Savings Accounts), dental coverage, vision coverage, disability, and more. The law establishes deadlines for employers when it comes to providing plan information to their employees, like a Wrap Summary Plan Description (SPD), a welfare benefit plan, information about how benefits are paid, when benefits are not paid, and employees’ rights and responsibilities.
The employer, also acting as the plan sponsor, is legally required to follow a rigid fiduciary code of conduct. This code of conduct requires that the fiduciary, a person acting in the best legal interest of another individual (in this case, the fiduciary is the employer), prioritizes the needs of the employee over his or her own. It’s a role that should create a relationship of trust and confidence between parties. The code of conduct includes requirements for the fiduciary to act with integrity, competence, and diligence. For example, if the employer does not provide an SPD to his or her employees within the allotted time, this would not only be a break in the code of conduct, but it could cause the employer to be fined or audited by the Department of Labor.
HIPAA (the Health Insurance Portability and Accountability Act) requires organizations with a health plan that meets certain requirements to protect all PHI (protected health information) in their care. Compliance with HIPAA requires employers with health plans to enforce and maintain policies and procedures to make sure that all electronically transmitted or stored PHI is safe. This should involve documenting and implementing security practices such as patching systems, backing up data, configuring firewalls, installing anti-malware software, and training staff on company security standards. Employers are also required to provide a HIPAA Notice of Privacy Practices to employees annually or when there is a change in coverage.
To summarize the purposes of ERISA and HIPAA, we could say that ERISA’s main aim is to regulate group-sponsored employee benefits, while HIPAA’s is to protect PHI. Both are regulatory frameworks with their own security standards and documentation requirements, which may require forms of compliance entirely separate from what the other requires. Next, we’ll distinguish between the kinds of organizations that must be compliant with each (or potentially, both).
How Do I Know Whether to Comply with ERISA and/or HIPAA?
If you have a self-insured, level-funded health plan, a Health Savings Account (HSA) that HR administers, and/or a fully-insured Group Health Plan over 100 lives, your company will need to be HIPAA compliant. There are exceptions, like life insurers and workers’ compensation carriers, but make sure to speak with your legal counsel before making a final decision about whether your company needs to be HIPAA compliant.
If you are an employer who is offering a benefit plan that includes one or more of the benefits listed in ERISA (medical coverage, surgical coverage, hospital care, etc.), then you need to make sure that you comply with ERISA. Basically, if you offer any sort of group-sponsored health plan, then you must comply and follow any notice, disclosure, and reporting requirements that are laid out in current ERISA policies and procedures. Exempt organizations may include churches and government entities.
If you decide to become only ERISA compliant and not HIPAA compliant, you risk data breaches, fines, loss of employee or client trust, and audits. Something as seemingly simple as lack of compliance has the power to destroy years of hard work, not to mention years of hard-earned money and reputation-building. It is important to stay up-to-date with the latest compliance requirements. That way, if and when you are audited, your business will be unaffected. Plus, keeping employee and client information safe and secure is of the utmost importance, and maintaining HIPAA compliance is the most effective way of achieving that.
How Do I Make Sure My Business Is HIPAA Compliant?
HIPAA compliance requires conducting annual training, performing a risk assessment each year, and keeping detailed documentation of your policies and procedures. At Total HIPAA, our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.
Want to know more about how you can become HIPAA compliant?
Email us at firstname.lastname@example.org to learn more about how we can help your organization become (and stay!) HIPAA compliant. Or, get started here.
You can find more info on HIPAA and ERISA here.