Every company providing health benefits should periodically review how the Health Insurance Portability and Accountability Act (HIPAA) applies to their benefit plans. HIPAA applies to employer provided medical benefits, and may also apply to dental and vision benefits, depending on plan design. The increasing popularity of self-funded medical benefits has made HIPAA compliance more important than ever before. Here are a few current HIPAA compliance considerations for companies with medical benefits.
- A key HIPAA principle is to obtain, use, and disclose the minimum amount of protected health information (or PHI) possible. PHI is individually identifiable health information subject to HIPAA. Service providers often need certain elements of PHI to fulfill their contracts and provide benefits to your employees, but by drafting documents appropriately, your plan can minimize the amount of PHI it receives and uses itself. This helps ensure compliance and minimize risk.
- Employers should never use PHI from their health plans to make or take employment-related actions.
- Employers must provide HIPAA notices to participants that include a summary of the employer’s privacy and security practices and a description of how PHI may be used or disclosed.
- Employers should ensure they have an executed and updated Business Associate Agreement (or BAA) with any other entity that uses, accesses, or discloses any PHI. A BAA is a short agreement that states what each party will do to ensure HIPAA compliance, and may also include other terms regarding responsibilities and indemnification.
- Risk assessments and risk reduction are also an important part of HIPAA compliance. Depending on the amount of PHI your plan receives, the scope and style of a risk assessment may vary. Regardless of plan design, employers should document that a risk assessment is being done and that appropriate action is being taken after the risk assessment is completed.
- HIPAA documentation is an important part of compliance. Beyond the notices, BAAs and risk assessments, employers should ensure their plans include necessary language and should maintain reasonable and appropriate HIPAA policies and procedures.
- Plan for potential problems by having a procedure in place for determining whether there is a HIPAA violation or breach of PHI. Often bad actors or service providers are at fault. The best way to be prepared is to know how you will determine whether there is a problem, as well as who will prepare a response and how. This is often part of a company’s larger disaster, emergency or contingency planning.
- Watch for changes. There are changes to HIPAA requirements going into effect in 2025 and additional changes are working through the courts. For more information, see our recent HIPAA advisory.
HIPAA compliance is important and is best done ahead of annual enrollment. By refreshing your HIPAA compliance now, updated documents can be effective for and integrated with your next open enrollment process. Contact a member of our benefits or health care teams to discuss how HIPAA impacts your business and how to help ensure compliance.