Understanding Health Insurance Portability and Accountability Act

John D. Arendshorst

Email

616-336-6560

Bio and Articles

Charles M. Russman

Email

734-372-2939

Bio and Articles

Carolyn M. H. Sullivan

Email

616-336-6972

Bio and Articles

Find Your Next Job !

Legal Support Specialist
Greenberg Traurig, LLP

Litigation Paralegal
Greenberg Traurig, LLP

Litigation Legal Support Specialist
Greenberg Traurig, LLP

Trusts & Estates Partner / Senior Attorney
On Balance Search Consultants

Trusts & Estates Attorney / Estate Planning Lawyer
On Balance Search Consultants

Commercial Real Estate Transactional Attorney / Real Estate Lawyer
On Balance Search Consultants

Chief Operating Officer / Business Manager
On Balance Search Consultants

Explore More Job Openings

HIPAA and Employee Benefits: The Basics of Compliance

by: John D. Arendshorst , Charles M. Russman, Carolyn M. H. Sullivan of Varnum LLP - Employer's Resource Main

Thursday, July 11, 2024

Print Mail Download info_icon_img

/>i

Every company providing health benefits should periodically review how the Health Insurance Portability and Accountability Act (HIPAA) applies to their benefit plans. HIPAA applies to employer provided medical benefits, and may also apply to dental and vision benefits, depending on plan design. The increasing popularity of self-funded medical benefits has made HIPAA compliance more important than ever before. Here are a few current HIPAA compliance considerations for companies with medical benefits.

A key HIPAA principle is to obtain, use, and disclose the minimum amount of protected health information (or PHI) possible. PHI is individually identifiable health information subject to HIPAA. Service providers often need certain elements of PHI to fulfill their contracts and provide benefits to your employees, but by drafting documents appropriately, your plan can minimize the amount of PHI it receives and uses itself. This helps ensure compliance and minimize risk.
Employers should never use PHI from its health plans to make or take employment-related actions.
Employers must provide HIPAA notices to participants which include a summary of the employer’s privacy and security practices and a description of how PHI may be used or disclosed.
Employers should ensure they have an executed and updated Business Associate Agreement (or BAA) with any other entity that uses, accesses, or discloses any PHI. A BAA is a short agreement that states what each party will do to ensure HIPAA compliance, and may also include other terms regarding responsibilities and indemnification.
Risk assessments and risk reduction is also an important part of HIPAA compliance. Depending on the amount of PHI your plan receives, the scope and tyle of a risk assessment may vary. Regardless of plan design, employers should document that a risk assessment is being done and that appropriate action is being taken after the risk assessment is completed.
HIPAA documentation is an important part of compliance. Beyond the notices, BAAs and risk assessments, employers should ensure their plans include necessary language and should maintain reasonable and appropriate HIPAA policies and procedures.
Plan for potential problems by having a procedure in place for determining if there is a HIPAA violation or breach of PHI. Often bad actors or service providers are at fault. The best way to be prepared is to know how you will determine if there is a problem as well as who and how a response will be prepared. This is often part of a company’s larger disaster, emergency or contingency planning.
Watch for changes. There are changes to HIPAA requirements going into effect in 2025 and additional changes are working through the courts. For more information, see our recent HIPAA advisory.

HIPAA compliance is important and is best done annual enrollment. By refreshing your HIPAA compliance now, updated documents can be effective for and integrated with your next open enrollment process.