Why Employers Need to be HIPAA Compliant
October 14, 2019
HIPAA compliance for employers is a complicated and nuanced topic. No employer group is the same when it comes to supplying health benefits to their employees. Smaller employers (fewer than 50 lives) usually outsource the day-to-day administrative tasks to their carriers, a Third Party Administrator (TPA), and/or insurance agent to help manage their plan. Other employers will have a more hands-on approach and more exposure to Personally Identifiable Information (PII) and Protected Health Information (PHI). Though you may believe you’re not affected by HIPAA, many groups usually have access to more PHI than they realize. In this article, we outline some of the issues that you may face as a benefits specialist and the connection between ERISA and HIPAA.
What is ERISA?
Let’s start at the beginning, ERISA, or the Employee Retirement Income Security Act of 1974 (29 U.S. Code § 1002)1 set minimum standards for benefit plan participation, vesting, benefit accrual, and funding. ERISA requires a benefit plan to establish a grievance and appeals process for participants, which allows participants to sue if benefits are denied or misused, plans are underfunded, and other “fiduciary duties” are mishandled.
Who are the Plan’s Fiduciaries?
According to ERISA, fiduciaries are plan trustees, plan administrators, and members of the plan’s investment committee. A plan is required to have at least one fiduciary, which can be a person or entity. Fiduciaries are in charge of the administration of your benefits plan and are tasked with acting solely in the interest of the plan participants and their beneficiaries. The fiduciary also has a duty to “act prudently.”
Employers and the Duty of Prudence
Fiduciaries are required to act with “care, skill, prudence, and diligence under the circumstances that a prudent man acting in a like capacity and familiar with such matters would use.”1 Translated, this means an employer is responsible for protecting all of their employees’ Personally Identifiable Information.
Personally Identifiable Information (PII)
PII is any data that could be related to an individual. There is both sensitive and non-sensitive PII. Non-Sensitive is any information that is public, like email addresses and phone numbers. What your fiduciaries need to protect is sensitive PII. This includes any non-public PII like, biometric information, Social Security Numbers, and financial information; this includes health information. Under ERISA, you have a duty to protect information about your employees from privacy and security breaches.
Privacy and Security Guidance – Department of Labor (DOL)
Up to now, the DOL has been relatively quiet on privacy and security concerns, though they did convene a conference in 2016 to address this issue.2 In this conference, we saw calls for more proactive approaches like HIPAA or the National Institute of Standards Technology Risk Management Framework (NIST RMF) implementation. Currently, there are no explicit privacy and security standards for ERISA. Your plan has troves of information on plan participants, and it falls to your company to develop a privacy and security plan to proactively protect it.
Enforcement for ERISA falls to the DOL and the State Attorneys General office in the states you have plan participants. Plan participants are also allowed to sue under §502(a)(2), (5)3. Under this provision, plan participants can sue an employer for breach of their fiduciary duties. Normally, this is reserved for mismanaged plans when it comes to financial concerns. However, we’ve recently witnessed this provision extend to cover a plan’s privacy and security breaches.
HIPAA and ERISA
Your health plan is part of your benefits package, and ERISA defines your company as a plan sponsor. HIPAA goes one step further and defines group health plans as Covered Entities. According to HIPAA 45 CFR § 164.504(f)(iii)4, a plan sponsor is a Covered Entity and is required to work through the appropriate steps towards HIPAA compliance.
The health plan’s designated administrator (Privacy and/or Security Officer) is wearing two hats: (1) they work as an employee of the company, and (2) as a plan administrator for the group health plan. You can take one hat off and be the plan administrator, and then put on the employee hat, but you are still the same person. Changing your hat doesn’t draw a clear separation. Thus, the plan and the company are one and the same in the eyes of regulators; therefore, your company will need to comply with both ERISA and HIPAA regulations.
The Rule of 50 Exception
Health plans with fewer than 50 lives that are completely self-funded and self-administered are exempt. If your plan meets all these requirements, you’re in luck, from a HIPAA standpoint, because you are exempt from complying with HIPAA.
Meeting all three criteria is an incredibly rare situation because employers cannot afford the risk and financial exposure. Most smaller companies don’t have a large enough pool of money to cover catastrophic claims and must go into a larger pool with a carrier to mitigate risk. Make sure you check with your attorney if your plan claims this exception!
The Privacy Rule Exceptions
HHS released guidelines in 2004 that stated there are situations in which a company with a health plan does not need to implement HIPAA.
What HIPAA Says About the Exception for Health Plans
§ 164.530 Administrative requirements5
(k) Standard: Group health plans. (1) A group health plan is not subject to the standards or implementation specifications in paragraphs (a) through (f) and (i) of this section, to the extent that:(i) The group health plan provides health benefits solely through an insurance contract with a health insurance issuer or an HMO; and (ii) The group health plan does not create or receive protected health information, except for:(A) Summary health information as defined in § 164.504(a); or (B) Information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.
There are 2 items your health plan must have to qualify for this exemption.
- You have to provide benefits solely through an insurance contract with a health insurer or HMO (fully-insured plan) AND
- Your plan must NOT create or receive any PHI, except for Summary Health information.
It’s important to note that you must meet BOTH elements of this test in order to qualify for the privacy exemption. If any part of your plan is self-funded, you do not qualify for this exemption because of the types of information you have access to. Even if you don’t access it, you still have a responsibility to protect this information. Collecting or coming in contact with even a little bit of PHI means you must comply with HIPAA.
Many companies become ineligible for exemptions when employees voluntarily reveal PHI or health information is shared with plan administrators; then the employer could have a serious liability issue on their hands if they are not HIPAA compliant.
Employers and HIPAA Security
If your company transmits any PHI electronically (through email or fax) then you have to comply with the HIPAA Security Rules. Examples of this would be collecting health care screening forms and sending them to the carrier, helping employees address claims issues, or receiving benefits information from your insurance agent. If you are performing any electronic transactions, you must comply with HIPAA. There are no exceptions!
Where Employers See PHI:
We hear from a lot of employers, “We don’t see or hold any PHI,” or “We only see a little PHI.” The reality is, you’re probably seeing more PHI than you realize. Where PHI lives in your office:
- Health Insurance Portal (self-funded and level-funded plans)
- Employees self-reporting health issues (written, electronic, or oral)
- Employees asking for help with submitting claims
- Enrollment forms
- Information on premium payments
- Claims issues
- Health care discount forms
- HSA and FSA accounts
- Coordination of benefits
- High dollar claim report, if the information can be used to identify the persons covered
It doesn’t matter what form the PHI is in. If you can hear, physically see or hold, or receive in some electronic format (e.g. email or PDF) you have information that must be protected. Once the plan administrator or executive of the company is in possession of it, the employer is required to protect that information and fully comply with both the Privacy and Security HIPAA Rules.
Information disclosed about a family member undergoing cancer treatment, the birth of a child, or other medical conditions shared by an employee with a plan administrator is PHI. Remember PHI is any health information with an identifier.
How an Employer Becomes HIPAA Compliant
If you’ve come this far in the article, you’re probably wondering what you need to do as an employer to become HIPAA compliant. Under the law you are required to do the following:
- Adopt and implement written Privacy Policies and Procedures that meet the requirements of the regulations, 45 C.F.R 164.503(i);
- Provide a Notice of Privacy Practices – to each plan participant, 45 C.F.R. 164.520;
- Train employees on the company’s Privacy Policies and Procedures, 45 C.F.R. 164.530(b);
- Appoint a Privacy Officer, 45 C.F.R. 164.530(a);
- Obtain authorization to use PHI for purposes other than payment and health care operations, 45 C.F.R. 164.508(a); and
- Disclose only the minimum necessary PHI, 45 C.F.R. § 164.502(b).
Remember, there are no exemptions for the Security Law. If the plan administrator is sending PHI to the carrier or insurance agent, that information is required to be protected in transmission, at rest, and in storage. Additionally, your company is required to perform a Risk Assessment, create Privacy and Security Policies and Procedures, and have a breach plan in place.
HIPAA in the News for Employers
Why are HIPAA Privacy and Security so important? Employees entrust you with their sensitive personal information, and they have a reasonable expectation that you will protect it. Beyond HIPAA, there are state laws and even some lawsuits have been brought against carriers, employers, and healthcare providers who failed to safeguard that information. Here are some examples of employers that were sued for breaches of employee information using ERISA.
Sony Pictures Hack (2014)6
Sony was hacked in 2014 after the movie “The Interview” was released. C-SPAN reported over 47,000 unique Social Security numbers were stolen from current and former benefit plan participants. A class-action lawsuit was settled for $15 million; most plaintiffs received between $1,000 – $3,000 with a maximum of $10,000.
Lincare (October 2017)7
This is another example of employees suing using the breach of fiduciary duty under ERISA. Three employees filed a suit after a breach of over 14,000 current and former employees’ PII was released. This class action lawsuit was settled for $875,000.
Briggs and Stratton8
Briggs and Stratton, the lawnmower engine manufacturer, self-reported a breach of their self-funded health plan affecting 13,000 employees. (Not only is self-reporting the responsible thing to do; it is required under HIPAA.) So far, we have seen no action by HHS or a class-action lawsuit brought by employees. However, the result of previous lawsuits leads us to believe that courts would likely side with employees if they decided to sue for breach of their employer’s fiduciary duty.
Most businesses are not prepared to deal with the consequences of a breach. That is because they do not have a plan in place to protect their employees’ information. To stay compliant with HIPAA and ERISA guidelines, it is imperative that you have a privacy plan, security plan, and train your staff. With the vague privacy and security guidelines in ERISA, HIPAA is the best option for your company to protect itself and your employees.
Other resources: the Leavitt Group’s “Think You Don’t have PHI? Check Again” and the University of Miami Law Review’s “Breaches Within Breaches: The Crossroads of ERISA Fiduciary Responsibilities and Data Security.”
January 6, 2020
HIPAA breaches involving fewer than 500 individuals, which occurred during 2019, must be reported to the US Department of Health and Human Services (HHS) by Saturday, February 29, 2020. Reporting… Read More ›Read More