Employee Benefit Plans Need to Check Business Associate HIPAA Compliance

March 7, 2013

This is an excellent article describing how important it is for employee benefit plans to pay attention to their business associates and their sub-contractors.

“Plan sponsors should note that the Omnibus Rule expands the definition of business associate and those parties subject to HIPAA’s Privacy and Security Rules and applies HIPAA’s civil and criminal penalties directly to business associates. Under the Omnibus Rule, business associates, including subcontractors of business associates, are directly liable for compliance with the Privacy and Security Rules if they create, receive, maintain or transmit PHI on behalf of the company or the plan. Such business associates for group health plans may include:

Brokers;

Consultants;

Attorneys;

Third-party administrators; and

Health information organizations, e-prescribing gateways and other entities that transmit protected health information or access PHI.

Insurance companies, which are generally HIPAA covered entities, may also be business associates to the extent that they take on business associate functions on behalf of the plan, such as acting as a third-party administrator for a self-insured plan.”

“To ensure timely compliance with the Omnibus Rule, employee benefit plan sponsors and their attorneys should:

  1. Identify all plans that may be subject to the Omnibus Rule, including major medical plans, wellness programs, healthcare FSAs, employee assistance programs and other programs where PHI may be generated or received;

  2. Review the scope of services with vendors to determine whether business associate and subcontractor relationships exist and whether business associate agreements should be put in place;

  3. Review and revise existing business associate agreements to comply with the new requirements of the Omnibus Rule;

  4. Ensure that business associates execute business associate agreements with their subcontractors;

  5. Review HIPAA language in health, wrap and cafeteria plan documents;

  6. Revise each plan’s NPP and distribute to participants in accordance with the new requirements of the Omnibus Rule;

  7. Train employees, independent contractors and contract workers to comply with the new rules;

  8. Prepare the appropriate parties to comply with requests from individuals for copies of their PHI;

  9. Adopt or update written breach notification procedures; and

  10. Review each plan and the plan sponsor’s use of genetic information to ensure compliance with GINA and the Omnibus Rule.”

http://www.jdsupra.com/legalnews/final-hipaahitech-rules-compliance-act-70692/

