Employers With Health Care Plans Should Keep HIPAA Risks in Mind
If your organization sponsors a health care plan for its employees, you’re probably focused on ensuring it’s robust enough to satisfy participants and impress job candidates — all while trying to control the costs involved.
Totally understandable. But don’t lose sight of your obligations under the Health Insurance Portability and Accountability Act (HIPAA). Among the law’s primary requirements is for plan sponsors to formally notify all persons from whom medical information is collected, whether directly or indirectly, of their rights to privacy.
How often should you update?
Generally, plan sponsors fulfill their notification obligation by distributing a “Notice of Privacy Practices,” which is sometimes alternatively referred to as a “Notice of Information Practices.” But a question that often arises is: How often should you update this document?
The good news is you don’t need to update a notice according to an annual deadline or the like. However, the most current notice must accurately describe:
- Your plan’s uses and disclosures of protected health information (PHI),
- Participants’ HIPAA rights, and
- The plan’s legal duties with respect to PHI.
Thus, you must promptly revise the notice whenever there’s a “material” change to any of the information or privacy practices stated therein. Except when required by law, material changes to a plan can’t be implemented until they’re reflected in the notice.
HIPAA regulations don’t define when a change is material. Historically, many employers have looked to the preamble to the 2000 HIPAA Privacy Rule. In it, the U.S. Department of Health and Human Services (HHS) encouraged covered entities to refer to other notice laws to understand the concept of materiality. One example given was how material changes are typically defined for Summary Plan Descriptions under the Employee Retirement Income Security Act. Also, HHS considered changes made by the 2013 HIPAA Omnibus Rule, a significant update to the law, to be material and required updated notices at that time.
Evaluate amendments to the HIPAA rules carefully when they occur to determine whether they’re material and require changes to your plan and notice. Revisions to plan operations, such as new procedures for giving someone access to PHI in a designated record, could require an updated notice as well.
How soon must you distribute?
Let’s say there’s a material change to your plan and notice. You might wonder, as many employers have, how soon must you issue an update?
HIPAA rules establish deadlines by which your plan must distribute updated notices that incorporate material changes. The requirements vary depending on whether your plan maintains a website.
If your plan has a website, you can — and, in fact, must — satisfy the requirement to distribute an updated notice by posting it on the plan website by the effective date of the material change. You need to then provide a hard copy of the updated notice, or information about the material change and how to obtain the revised notice, in the plan’s next annual mailing to participants.
If your plan doesn’t have its own dedicated website, you must furnish the revised notice — or information about the material change and how to obtain the revised notice — to participants within 60 days after the revision.
Note: Mailing a hard copy is always required unless a participant has consented to receiving electronic notices only.
Manageable risk
Suffice it to say, there’s no such thing as sponsoring a health care plan in today’s employment environment without incurring HIPAA compliance risks. Fortunately, these risks are manageable with clearly worded policies and rigorously followed procedures. Contact us for help identifying and managing the costs, as well as the tax impact, associated with your organization’s fringe benefits.
© 2024