Here is your latest FYI: Employee Benefits Update from Cindy
Van Bogaert, Partner and Chair of the Employee Benefits Practice
Group at Boardman Law Firm LLP.
This FYI addresses some HIPAA privacy compliance issues for employers sponsoring
health benefit plans. HIPAA stands for the Health Insurance Portability and Accountability
Act of 1996. Employers have had to deal with the flurry of implementation requirements
for their medical, dental, vision, health flexible spending account, and other
health-related benefit plans.
HIPAA rules relating to handling health information have been
rolling in with different effective dates over the last several
years. For example, May 23, 2008 is the deadline for compliance
with the HIPAA NPI (National Provider Identifier) for small plans.
Here are some compliance tips to help employers keep on top of
HIPAA:
- Conduct an annual HIPAA self-audit. Establish a date (at
  least annually) to review and evaluate whether your HIPAA compliance
  program is complete and accurate. The extent of compliance will
  vary depending on your plans and situation, but a partial list
  of questions might include:
  - Are you referring back to your HIPAA documentation in ongoing
    plan administration?
  - Do you have a list of employees with access to protected health
    information? Is it complete?
  - Do you have procedures for routine and recurring uses and
    disclosures of protected health information?
  - Are you in compliance with the EDI (Electronic Data Interchange)
    requirements?
  - Have you considered whether your employer's ERISA fiduciary
    duties require the employer as plan fiduciary to have access
    to information held by an insurer?
  - Are HIPAA security protections in place to handle electronic
    information? Is there a procedure for regular monitoring and
    reporting of information system activity?
- On an ongoing basis, make adjustments to deal with changes
  in the law, your benefit plans, your business, your workforce,
  your outside vendors, and anything that may affect your plan's
  health care information. A partial list of questions might include:
  - Has your Privacy Official, Security Official, or Contact
    Official changed?
  - Have your benefit plans or service providers changed?
  - Have you had any changes in your employees who work on
    employee benefit matters?
  - Have you trained new employees (and temporary employees)
    working with benefit plans about HIPAA privacy?
  - Have your HIPAA policies and procedures been reviewed for
    changes and evolution in this new law?
  - Has your location or business changed?
  - Does your record retention (including that of your service
    providers and storage facilities or personnel) meet any
    applicable HIPAA requirements?
This is not a complete list of questions, but it should give you
an idea of what issues will be included in a HIPAA self-audit.
Please contact me if you have questions or need assistance, such
as help in training employees, preparing documentation, or conducting
a HIPAA privacy review of your plans.
This FYI is not legal advice. Individuals should seek advice based
on their particular circumstances from their own counsel. Nothing
in this FYI is intended to be used, and no information can be used,
for the purpose of avoiding penalties under the Internal Revenue
Code, or promoting, marketing, or recommending to another party
any transaction or matter addressed in this FYI.
If you have any questions or need assistance, please contact Cindy
Van Bogaert at (608) 281-7543 or cvanbog@boardmanlawfirm.com.
Would you like to have FYI: Employee Benefits Update sent
directly to your e-mail inbox? If so, please send your request,
with e-mail address, to Cindy Van Bogaert at cvanbog@boardmanlawfirm.com.