A new tool for employee temperature checks ensures safety and security of workers

As employers begin to move employees back into the workplace, they have to be mindful of new legal guidance that has come from the CDC and HIPAA. In line with the new guidelines, employers and management teams will now have to check employee temperatures. Read this blog post to learn more.

Temperature checks will be mandated at workplaces once employees return to the office, due to legal guidance from the Centers for Disease Control and Prevention, but privacy concerns could heat up among workers concerned for their security.

“It’s now permissible to take employee temperatures, but if employers store it and keep track of it, there’s no exemption from HIPAA and identity laws,” says Dan Clarke, president of IntraEdge — an Arizona-based tech company.

IntraEdge developed a kiosk that privately takes employees’ temperatures, and only shares the results with the employee, keeping any health information concealed from HR. Instead, managers are simply notified if the kiosk gave their employee permission to enter the office, or not, which completely eliminates the potential for HIPAA violations, Clarke says. The kiosk, called Janus, can also prevent sick employees from entering the office if their temperature is too high.

Clarke spoke in a recent interview about how Janus can help employers protect their workforce, while adhering to privacy laws.

How does Janus help prevent the spread of COVID-19?

If we want to limit exposure to COVID-19, we can’t assign someone in the office to take everyone’s temperature; it’s not efficient and it puts more people at risk. Employers need a digital solution, one that puts them in compliance with HIPAA and privacy laws.

Janus uses an accurate thermal camera to take the temperature of the user. Before using it, employees would need to sign up online and provide information to confirm their identity. After that’s done, they’d go to the kiosk and present their identification through their phone. The kiosk will ask them a few questions about how they’re feeling and the camera will take their temperature. The normal temperature range for each employee is personalized based on the individual’s age and medical history. Many people don’t realize our normal temperature increases as we age. If an employee reads at an unhealthy temperature, they’re not allowed inside the office.

How does this help employers stay compliant with HIPAA and other privacy laws?

Employers don’t have access to their workers’ medical history, or the temperatures read by Janus. The kiosk doesn’t display an employee’s temperature on screen. Instead, the employee will receive a text message telling them their temperature and whether they’re allowed inside the office. Printouts are also available for employees who don’t have smartphones.

Is HR or a manager notified when employees aren’t allowed in the office?

Janus doesn’t share with HR what employees’ temperatures were, only if they were given a “yes” or “no” to enter the office. They can receive a text message whenever an employee is given a “no.” This helps employers stay compliant with HIPAA and privacy laws because they never see the full results, and they’re not stored. But it also helps them keep track of their workforce.

It can also be programmed to notify a security officer that someone didn’t pass the temperature check to ensure compliance. We can also program the kiosk to distribute security badges only to employees who pass the temperature check.

Before coronavirus, employees sometimes came to work sick out of fear their colleagues/managers would question their dedication to their job. Do you think this product will help change that after the crisis is over?

I think the crisis is changing the perception of remote work enough that people will be comfortable saying they’re going to work from home when they don’t feel well. Janus can definitely help enforce it, if the employer chooses, but we wanted to ensure it was useful for employers after the crisis is over. It can also be used to clock employees in and out for work and as office security.

SOURCE: Webster, K. (08 June 2020) "A new tool for employee temperature checks ensures safety and security of workers" (Web Blog Post). Retrieved from https://www.employeebenefitadviser.com/news/a-new-tool-for-employee-temperature-checks-ensures-safety-and-security-of-workers

Five frequently overlooked mistakes in HIPAA compliance

HIPAA regulations can be confusing and often healthcare entities overlook certain HIPAA regulations. Read this blog post to learn about the 5 most frequent tripwires.

HIPAA was enacted in 1996. In the years since, most healthcare entities have adapted to the major requirements imposed by HIPAA, HITECH and the Privacy and Security Rules. Nevertheless, the thicket of regulations still leaves some traps for the unwary. Here are the most frequent tripwires.

First, the goal of HIPAA is integrity and availability of records along with confidentiality. For workflow or other reasons, hospitals or other covered entities are often reluctant to share patient records.

With the exception of certain specific carve-outs, such as psychotherapy notes, this violates HIPAA. Patients are entitled to their records. Compliance programs must accommodate this legal reality.

Second, HIPAA requires that disclosure of healthcare records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information is only entitled to those data points necessary to perform its function, e.g. names and addresses.

For practical purposes, a technical solution is not always available — a covered entity may have a single computer system, and cannot realistically reconfigure it for every purpose.

In such instances however, compliance may not be left by the wayside. It must be accomplished by alternative means such as administrative safeguards. For example, a covered entity and business associate may contractually agree to limit access, and combine this restriction with random audits to ensure compliance.

Third, the requirement of minimal disclosure also extends to individual employees and contractors. They are entitled only to those records they need to perform their job functions.
Of course, in the real world those functions continually evolve. Employees often switch roles, go on leave, rotate to different units or complete the tasks that entitled them to access in the first place.

Yet access is rarely calibrated to fluctuating business needs. Excessive access is a regulatory risk. Any compliance program needs to regularly reassess employee access. It must adjust PHI access rights to conform to current responsibilities.

Fourth, HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure. They also require that all business associates be bound to adhere to the safeguards program.

The Business Associate Agreement needs to specifically incorporate this requirement. Technically, the failure to do so, even in the absence of a breach, is a violation. Yet many covered entities overlook this requirement.

If the business associate is unwilling to accommodate the requirement, the covered entity needs to evaluate the contractual arrangement, ensure that it meets the identified security criteria, and document the basis for this determination.

Finally, the healthcare sector is consolidating. The acquisition and consolidation of practices results in transition periods where the successor entity has multiple sets of PHI records under multiple compliance regimes.

The result is a program that is either incomplete, incompatible, or is otherwise deficient. This is a serious regulatory risk. While a seamless transition may not be possible, incorporating compliance into the succession plan at the earliest possible stage is the prudent approach.

None of these five steps requires mastery of particularly arcane aspects of the HIPAA regulatory scheme. Yet covered entities and business associates regularly stumble on them. Each of these pitfalls is easily remedied. In compliance, as in medicine, an ounce of prevention is worth a pound of cure.

SOURCE: Gul, S. (2 August 2018) "Five frequently overlooked mistakes in HIPAA compliance" (Web Blog Post). Retrieved from https://www.employeebenefitadviser.com/opinion/five-frequently-overlooked-mistakes-in-hipaa-compliance

EEOC Proposed Rule on Wellness and the Americans with Disabilities Act – What Employers Need to Know

Originally posted by M. Brian Magargle and Robin E. Shea on April 30, 2015 on www.thinkhr.com.

The employer community has been waiting for years to receive guidance from the Equal Employment Opportunity Commission on wellness programs and how an employer’s obligations under the Americans with Disabilities Act intersect with its rights and obligations under the Health Insurance Portability and Accountability Act (as amended by the Affordable Care Act).

The EEOC finally issued a proposed rule on April 20. The following is what employers need to know in a “Q&A” format.

What problem is the EEOC trying to resolve?

The quick answer is an apparent conflict between the ADA rules on employer “medical inquiries,” on the one hand, and the “wellness program” provisions of the HIPAA/ACA, on the other.

Title I of the ADA (the part of the ADA that applies to private sector employers) generally prohibits employers from making “medical inquiries” of current employees unless the inquiries are “job-related and consistent with business necessity” (for example, to verify the need for a reasonable accommodation). The general rule is that employers are not supposed to be asking for medical information from current employees.

There are some limited exceptions to this rule, including an exception for medical inquiries made in connection with a “voluntary wellness program.”

As employer wellness programs have become more popular, many employers began offering specific rewards or penalties to employees based on whether they participated in the programs and even on whether they achieved certain “results.” As will be discussed in more detail below, the HIPAA and the ACA specifically authorize wellness programs to offer incentives for “participation” and “outcomes” under certain circumstances. However, the question arose whether the use of such incentives would render the wellness program not “voluntary” for ADA purposes. If the wellness program was not voluntary because of the incentives, then any requests for employee medical information made in connection with the wellness program would violate the ADA.

(Title I of the ADA would not have an impact on medical inquiries made, say, to the family member of an employee who might also be eligible to participate in the employer’s wellness program.)

Thus, it was possible that an employer could offer a wellness program that was authorized and lawful under the HIPAA/ACA but still be vulnerable to charges and lawsuits under the ADA. The EEOC’s proposed rule seeks to address this problem, and for the most part, it should be welcomed by employers who offer wellness programs.

What does the proposed rule say, in a nutshell?

The proposed rule says that a wellness program can still be “voluntary” for ADA purposes if the program provides “incentives” for employees (both rewards and penalties), as long as the employer complies with the wellness incentive requirements of the HIPAA/Affordable Care Act.

There are two caveats: The wellness program would have to be associated with a group health plan (either insured or self-insured), and the EEOC proposals do not exactly match the HIPAA/ACA rules, although they are reasonably close.

Can you give us a recap of the HIPAA/ACA requirements?

Under the HIPAA/ACA scheme, there are two types of wellness programs. A “participatory” program is one that rewards employees just for participating and does not require a specific goal to be met. (An example would be an employer who reimburses employees for fitness club memberships.) Under the HIPAA/ACA, participatory programs can be offered without limitation, as long as they’re available to all similarly situated individuals.

The other type of wellness program is a “health-contingent” program. There are two types of “health-contingent” programs: (1) activity-only programs, in which the employee is rewarded for completing an activity but doesn’t have to achieve or maintain an outcome (for example, “we’ll pay you $100 if you walk a mile three days a week for a year”); and (2) outcome-based programs, in which employees are rewarded for achieving or maintaining results (for example, “we’ll pay you $100 if you keep your BMI at or below 25 for a year, or if you quit smoking”).

If the program is health-contingent, employers are allowed to offer incentives (carrots or sticks) if –

  • Employees are allowed to try to qualify at least once a year,
  • The total reward offered doesn’t exceed 30 percent of the total cost of employee-only coverage under the plan or the total cost of family coverage if dependents are also allowed to participate in the program (“total” means the employee’s and the employer’s share). The percentage is up to 50 percent for tobacco prevention or cessation,
  • The program is reasonably designed to promote health or prevent disease,
  • The full reward must be available for all similarly situated individuals, and reasonable alternatives must be offered to those who can’t qualify, and
  • The availability of reasonable alternatives must be disclosed in plan materials and in any disclosure telling an individual that he or she did not meet an initial outcome-based standard.

Under the HIPAA/ACA, the 30 percent/50 percent incentive limit applies only to “health-contingent” programs. HIPAA and the ACA have no limit on rewards that apply to “participatory” programs (if the programs are available to all similarly situated individuals).

The EEOC’s proposed rule is slightly different.

How does the EEOC proposed rule contrast with the HIPAA/ACA rule?

The EEOC would allow employers to offer incentives for employee participation in wellness programs associated with group health plans if the total reward does not exceed 30 percent of the total cost of employee-only coverage under the plan for both participatory and health-contingent wellness programs. The EEOC proposed rule does not allow a 50 percent reward level for tobacco cessation programs (unless there are no associated disability-related questions or medical exams), and the total cost used in the reward calculations does not take into account family-level coverage, even where dependents can participate in the program.

In addition, the wellness program must be completely voluntary. The EEOC would define “voluntary” as follows:

  • Employees aren’t required to participate in the wellness program,
  • Health insurance coverage is not denied or made more difficult to get if the employee chooses not to participate (with the exception of the permitted “incentives”), and
  • The employer does not take adverse action against an employee for refusing to participate . . . as this employer allegedly did.

The EEOC invites the public to comment on the proposed rule through June 19. The agency is particularly interested in comments pertaining to how much medical information an employee should be required to disclose to be eligible for an incentive, whether the rule should require that the incentives not render health insurance “unaffordable” within the meaning of the ACA, issues related to the “notice” requirement, how to treat wellness programs that are not associated with group health insurance, as well as other topics.

The employer would also be required to provide a notice “that clearly explains what medical information will be obtained, who will receive the medical information, how the medical information will be used, the restrictions on its disclosure, and the methods the covered entity will employ to prevent improper disclosure of the medical information.”

The wellness program would be required to disclose medical information to the employer only in aggregated, non-individually-identifiable form, “except as needed to administer the health plan.”

Are there any other issues to consider under the HIPAA/ACA?

Although the EEOC rule is currently in proposed form, we expect any final version to still be somewhat different from the HIPAA/ACA requirements for wellness programs. For example, one of the primary requirements of an outcome-based program under HIPAA is the ability of an employee to meet a “reasonable alternative standard” to receive the reward. Participants in the program must be clearly informed of that option, and it remains to be seen how that notification will be coordinated with the notice proposed by the EEOC. A related issue is the intersection of the “reasonable alternative standard” under HIPAA with the reasonable accommodation and interactive process obligations under the ADA. The EEOC’s Interpretive Guidance to the proposed rule says that provision of a “reasonable alternative standard” along with the required notification will generally satisfy the employer’s reasonable accommodation obligations under the ADA, but no specifics are given. Moreover, the Interpretive Guidance notes that under the ADA an employer would have to make reasonable accommodations for an employee who could not be in a “participatory” program because of a disability, even though the HIPAA/ACA rules do not require a “reasonable alternative standard” for participatory programs.

Also, details about wellness programs commonly appear in ERISA-governed summary plan descriptions, so will the EEOC rules also have to appear there?

There are similarities between the employee benefits issues affecting wellness programs, on the one hand, and the ADA and employee-relations issues, on the other, but the differences are equally important and will hopefully be addressed by the EEOC in the final rules expected to be issued later this year.

What should employers do?

The proposed rule describes certain employer “best practices,” as follows:

  • Employers should ensure that employees who handle medical information know their obligations under the laws.
  • Employers should adopt privacy policies for collection and handling of employee medical information, assuming that they have not already done so.
  • If medical information is stored electronically, it should be encrypted and other security measures implemented such as password protection and firewalls.
  • If possible, employees who handle medical information should not be “making decisions related to employment, such as hiring, termination, or discipline.” If this is not possible, then the employer should ensure that there is no discrimination based on an employee’s disability.
  • Breaches of confidentiality should be promptly and effectively addressed, and the affected employees should be informed immediately.
  • Employers should take appropriate action against an employee who breaches confidentiality, and should “consider discontinuing” their relationships with vendors who breach confidentiality.

Why doesn’t the EEOC proposed rule have a 50-percent incentive for tobacco-related programs, since the HIPAA/ACA does?

The EEOC explained that it did not include the 50 percent incentive for tobacco programs because, it said, most of those programs do not seek employee medical information at all. If not, there would be no ADA issue. But if a tobacco program does seek such information (for example, through testing for nicotine, or monitoring blood pressure), then the tobacco program would have to be included in computing the 30-percent limit for incentives.

Did the proposed rule address the employer’s right to get medical information from an employee’s family members, who may be covered under the employee’s health insurance and might be eligible for participation in the wellness program?

No, because Title I of the ADA applies only to employers and employees. Medical inquiries about an employee’s family member would, of course, be covered under the Genetic Information Nondiscrimination Act, which is also enforced by the EEOC. The EEOC says it will issue guidance on wellness and the GINA “in future EEOC rulemaking.”

Did the proposed rule contain anything else of interest?

Yes. The EEOC has explicitly disagreed with a wellness/ADA decision from the U.S. Court of Appeals for the Eleventh Circuit, Seff v. Broward County. At issue in the Seff case was a $20-per-paycheck penalty that employees had to pay if they chose not to participate in the county’s wellness program. The court found that the county’s program fell within a “safe harbor” in the ADA, which provides that a covered entity is not prohibited “from establishing, sponsoring, observing or administering the terms of a bona fide benefit plan that are based on underwriting risks, classifying risks, or administering such risks that are based on or not inconsistent with State law.” Because the program fell within the safe harbor, the court said, it was irrelevant whether the program was “voluntary” or whether medical inquiries made in connection with the program violated the ADA.

The EEOC’s position is that this “safe harbor” provision in the ADA does not apply to wellness programs.

Employers who operate in the Eleventh Circuit states of Alabama, Florida, or Georgia can continue to follow Seff for the time being. However, employers who operate in other states may choose to follow the EEOC’s position once its proposal becomes final. The conflict between the EEOC and the Eleventh Circuit will probably be resolved eventually by the courts.

CMS delays enforcement of health plan identifiers in HIPAA transactions

Originally posted by Alden Bianchi on EBN on November 6, 2014.

In a surprise move, the Centers for Medicare & Medicaid Services (CMS) announced an indefinite delay in enforcement of regulations pertaining to “health plan enumeration and use of the Health Plan Identifier (HPID) in HIPAA transactions” that would have otherwise required self-funded employer group health plans (among other “covered entities”) to take action as early as November 5, 2014.

The CMS statement reads as follows:

Statement of Enforcement Discretion regarding 45 CFR 162 Subpart E – Standard Unique Health Identifier for Health Plans

Effective Oct. 31, 2014, the CMS Office of E-Health Standards and Services (OESS), the division of the Department of Health & Human Services that is responsible for enforcement of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) standard transactions, code sets, unique identifiers and operating rules, announces a delay, until further notice, in enforcement of 45 CFR 162, Subpart E, the regulations pertaining to health plan enumeration and use of the Health Plan Identifier (HPID) in HIPAA transactions adopted in the HPID final rule (CMS-0040-F). This enforcement delay applies to all HIPAA covered entities, including health care providers, health plans, and healthcare clearinghouses.

On Sept. 23, 2014, the National Committee on Vital and Health Statistics (NCVHS), an advisory body to HHS, recommended that HHS rectify in rulemaking that all covered entities (health plans, health care providers and clearinghouses, and their business associates) not use the HPID in the HIPAA transactions. This enforcement discretion will allow HHS to review the NCVHS’s recommendation and consider any appropriate next steps.

The CMS statement followed, but was not anticipated by, a recent series of FAQs that provided some important and welcome clarifications on how employer-sponsored group health plans might comply with the HPID requirements.

Congress enacted the HIPAA administrative simplification provisions to improve the efficiency and effectiveness of the health care system. These provisions required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. As originally enacted, HIPAA directed HHS to establish standards for assigning unique health identifiers for each individual, employer, health plan, and health care provider. The Affordable Care Act modified and expanded these requirements to include an HPID. On Sept. 5, 2012, HHS published final regulations adopting HPID enumeration standards for health plans (“enumeration” is the process of getting an HPID).

For the purposes of HPID enumeration, health plans are divided into controlling health plans (CHPs) and sub-health plans (SHPs). Large CHPs (i.e., those with more than $5 million in annual claims) would have been required to obtain HPIDs by Nov. 5, 2014. Small controlling health plans had an additional year, until November 5, 2015.

The Issue(s)

While we have no idea what led the NCVHS to recommend to CMS that it abruptly suspend the HPID rules, we can make an educated guess—two guesses, actually.

What is it that is being regulated here?

The HIPAA administrative simplification rules apply to “covered entities,” i.e., health care providers, health plans, and health care data clearinghouses. Confusingly, the term health plan includes both group health insurance sponsored and sold by state-licensed insurance carriers and employer-sponsored group health plans. Once HHS began issuing regulations, it became apparent that this law was directed principally at health care providers and health insurance issuers or carriers. Employer-sponsored group health plans were an afterthought. The problem for this latter group of covered entities is determining what, exactly, is being regulated. The regulatory scheme treats an employer’s group health plan as a legally distinct entity, separate and apart from the employer/plan sponsor. This approach is, of course, at odds with the experience of most human resource managers, employees and others, who view a company’s group health plan as a product or service that is “outsourced” to a vendor. In the case of an insured plan, the vendor is the carrier; in the case of a self-funded plan, the vendor is a third-party administrator.

The idea that a group health plan may be treated as a separate legal entity is not new. The civil enforcement provisions of the Employee Retirement Income Security Act of 1974 (ERISA) permit an employee benefit plan (which includes most group health plans) to be sued in its own name. (ERISA § 502(d) is captioned, “Status of employee benefit plan as entity.”) The approach taken under HIPAA merely extends this concept. But what exactly is an employee benefit plan? In a case decided in 2000, the Supreme Court gave us an answer, saying:

“One is thus left to the common understanding of the word ‘plan’ as referring to a scheme decided upon in advance . . . Here the scheme comprises a set of rules that define the rights of a beneficiary and provide for their enforcement. Rules governing collection of premiums, definition of benefits, submission of claims, and resolution of disagreements over entitlement to services are the sorts of provisions that constitute a plan.” (Pegram v. Herdrich, 530 U.S. 211, 213 (2000).)

Thus, what HHS has done in the regulations implementing the various HIPAA administrative simplification provisions is to impose rules on a set of promises and an accompanying administrative scheme. (Is there any wonder that these rules have proved difficult to administer?) The ERISA regulatory regime neither recognizes nor easily accommodates controlling health plans (CHPs) and subhealth plans (SHPs). The FAQs referred to above attempted to address this problem by permitting plan sponsors to apply for one HPID for each ERISA plan even if a number of separate benefit plan components (e.g., medical, Rx, dental, and vision) are combined in a wrap plan. It left in place a larger, existential problem, however: It’s one thing to regulate a covered entity that is a large, integrated health care system; it’s quite another to regulate a set of promises. The delay in the HPID enumeration rules announced in the statement set out above appears to us to be a tacit admission of this fact.

Why not permit a TPA to handle the HPID application process?

One of the baffling features of the recently suspended HPID rules is CMS’ rigid insistence on having the employer, in its capacity as group health plan sponsor, file for its own HPID. It was only very recently that CMS relented and allowed the employer to delegate the task of applying for an HPID for a self-funded plan to its third party administrator. By cutting third party administrators out of the HPID enumeration process, the regulators invited confusion. The reticence on CMS’ part to permit assistance by third parties can be traced to another structural anomaly. While HIPAA views TPAs in a supporting role (i.e., business associates), in the real world of self-funded group health plan administration, TPAs function for the most part autonomously. (To be fair to CMS, complexity multiplies quickly when, as is often the case, a TPA is also a licensed carrier that is providing administrative-services-only, begging the question: Are transmissions being made as a carrier or third party administrator?)

HIPAA Compliance

That the HPID enumeration rules have been delayed does not mean that employers which sponsor self-funded plans have nothing to do. The HIPAA privacy rule imposes on covered entities a series of requirements that must be adhered to. These include the following:

Privacy Policies and Procedures: A covered entity must adopt written privacy policies and procedures that are consistent with the privacy rule.

Privacy Personnel: A covered entity must designate a privacy official responsible for developing and implementing its privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

Workforce Training and Management: Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the covered entity (whether or not they are paid by the entity). A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must also have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule.

Mitigation: A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.

Data Safeguards: A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.

Complaints: A covered entity must have procedures for individuals to complain about its compliance with its privacy policies and procedures and the Privacy Rule. The covered entity must explain those procedures in its privacy practices notice. Among other things, the covered entity must identify to whom individuals at the covered entity may submit complaints and advise that complaints also may be submitted to the Secretary of HHS.

Retaliation and Waiver: A covered entity may not retaliate against a person for exercising rights provided by the Privacy Rule, for assisting in an investigation by HHS or another appropriate authority, or for opposing an act or practice that the person believes in good faith violates the Privacy Rule. A covered entity may not require an individual to waive any right under the Privacy Rule as a condition for obtaining treatment, payment, and enrollment or benefits eligibility.

Documentation and Record Retention: A covered entity must maintain, until six years after the later of the date of their creation or last effective date, its privacy policies and procedures, its privacy practices notices, disposition of complaints, and other actions, activities, and designations that the Privacy Rule requires to be documented.

The HIPAA security rule requires covered entities to conduct a risk assessment, and to adopt policies and procedures governing two dozen or so security parameters.

Compliance Alert: Self-Funded Health Plans Must Obtain a Health Plan Identifier Number

Beginning November 5, 2014, employers with large self-funded health plans are required by the federal government to obtain a national health plan identifier number (HPID). All health plans with more than $5 million in annual receipts must obtain an HPID, but since health plans don’t have receipts, the Department of Health and Human Services says insured plans should use the premiums from the prior plan year, and self-funded plans should look at claims paid for the prior plan year. Small health plans have an extra year to obtain an HPID, with a deadline set for November 5, 2015.

The federal government requires this from all health plans; however, for practical purposes, the insurer will obtain the HPID for those plans that are fully insured. On the other hand, all self-funded plans must obtain an HPID, even if a third party administrator is involved to handle claims.

What exactly is an HPID?

A health plan identifier number is a 10-digit, all-numeric identifier used for transactions covered by HIPAA.

Why are health plans required to have an HPID?

In an effort to make claim processing more efficient, the HPID will help with electronic processing and faster automation. HPIDs will be required to be used in HIPAA transactions by November 7, 2016.

How do I know if my health plan is required to have an HPID?

First you must determine which type of health plan you have. There are two categories of health plans: a Controlling Health Plan (CHP) and a Subhealth Plan (SHP). A Controlling Health Plan is required to obtain an HPID, while a Subhealth Plan is eligible, but not required, to get an HPID. To determine whether a Subhealth Plan should get an HPID, the CHP and/or the SHP should consider whether the SHP needs to be identified in the standard transactions. A CHP may get an HPID for its SHP or may direct an SHP to get an HPID. These categories can be confusing, and are intended for insurance companies to determine. If you need help determining which health plan you have, please contact us and we will be happy to help.

If you have a self-funded plan, how does one obtain an HPID?

Employers can apply at the Centers for Medicare and Medicaid Services (CMS) website. It is likely that most employers will be required to register and set up a Health Insurance Oversight System (HIOS) account at https://portal.cms.gov/wps/portal/unauthportal/home/.

After an account has been established, the employer can register for an HPID. More information on applying can be found here: http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/Affordable-Care-Act/Downloads/HPOESTrainingSlidesMarchSlideDeck.pdf

We are always happy to help, so please contact us if you have any questions or need help obtaining an HPID.
How to prepare for a health and welfare compliance audit

Source: http://ebn.benefitnews.com

by John F. Galvin

When I speak with employers about health and welfare plan compliance, I’m often asked the question: “What happens if I don’t do everything?”

It’s not that employers don’t want to follow the rules. Rather, it’s that in the mid-market, especially with employers who have fewer than 500 employees, the benefit program is often managed by HR professionals who are wearing so many hats that they know the chances are high that something will fall through the cracks — and, thanks to ERISA, HIPAA and other laws, there are lots of cracks.

When I explain that they could be subject to an audit by the Department of Labor, I’m usually met with some doubts. Some want to know if the DOL really goes after mid-market employers, or if it just focuses on large corporations. Others will wonder if the DOL would be interested in their particular industry. But we’ve seen more and more DOL compliance audits in the mid-market, and with the myriad new compliance responsibilities that benefits professionals will need to deal with as a result of health care reform, this trend may continue to grow.

Summary plan descriptions

So what does the DOL tend to focus on with health and welfare audits? Much of the typical DOL audit goes back to employer requirements outlined in the original ERISA legislation: summary plan descriptions. SPDs were the government’s way of requiring employers to provide information on benefit plans that can be understood by the average participant. However, unlike an average benefits summary, the requirements of what must be included in an SPD are numerous. Detailed descriptions of benefit provisions, eligibility, and a variety of legislation passed since 1974 all must be part of the SPD. In fact, by the time all this information is included, the document can hardly be called a “summary.”

Given all of the work that goes into the creation of SPDs, it isn’t surprising to find out that many mid-market employers aren’t compliant. In the event of an audit, the chances are high that an SPD will need to be produced, along with some assurance that the document is actually making its way to employees correctly.

Many small and mid-market employers erroneously believe this is a requirement only for large employers. But employers of every size in any industry should review the guidelines for the creation and distribution of SPDs, and ensure their practices are compliant. In fact, once an SPD is in place, many of the other compliance responsibilities associated with health and welfare plans become much easier since the document becomes the plan’s “bible.”

HIPAA compliance

The second-most frequent item in DOL audits is related to the Health Insurance Portability & Accountability Act, or HIPAA. HIPAA is like a large tree trunk with many different branches. When discussing HIPAA, one could be talking about its rules for handling pre-existing conditions under a health plan, rules for issuing certificates of creditable coverage to terminating participants, rules for informing participants about enrollment rights, protecting private health information, and more. Any one of those items might show up in a DOL audit. Employers should review HIPAA rules thoroughly to make sure their plan is in compliance.

One of the most common errors I see with mid-market employers is in regards to the requirement under HIPAA that plans inform participants about enrollment rights, or more specifically “special enrollment rights.” The HIPAA Notice of Special Enrollment Rights informs participants who are eligible for your health plan about when they can join your plan or change their election due to certain qualifying life events such as marriage, birth of a child, or loss of eligibility under another employer’s plan.

The notice is important because it informs your participants about the timeframes in which they must request these enrollment rights. While some employers may have trouble during a DOL audit because they don’t have this notice at all, more employers are making mistakes with the actual distribution of the notice. For example, it’s not uncommon for employers who have an SPD to include the notice right in that document. However, unless your SPD is being distributed to those employees who are eligible for the plan but choose not to enroll, then the distribution requirements for special enrollment rights under HIPAA are not being met. Employers should take the time to review the HIPAA notice and its requirements for distribution to make sure they are compliant.


Regulation Roundup: The Hits Keep On Coming

Source: United Benefit Advisors

The federal government in the past few weeks has kept up the fast pace of pumping out benefits-related guidance -- a trend that started at the end of 2012 -- with a set of final and proposed regulations for the health care reform law, a final HIPAA rule and a compromise on the Obama administration's coverage requirement for contraceptives.

HIPAA: The Department of Health and Human Services (HHS) released its HIPAA omnibus final rule in late January. The final rule establishes new rights for individuals to access their health information, calls for updates to business associate contracts, beefs up privacy protections for patients and gives the government more power to enforce the law, according to a HealthLeaders Media article.

Employers should expect tougher policing of HIPAA-related infractions by federal agencies, experts say.

"The 'good old days' of voluntary compliance and 'slaps on the wrist' seem to be a thing of the past," Brad M. Rostolsky, a partner with Reed Smith, LLP, told HealthLeaders Media. "As a result, it's important that regulated businesses, from the top down, are seen to have buy-in to HIPAA compliance efforts."

Contraception Compromise: HHS has tweaked its requirement that religious nonprofit organizations provide their female members coverage for birth control, according to a PPACA Advisor release from United Benefit Advisors (UBA). Instead, insurance companies, after being notified of the employer's objection to the coverage, would be required to provide coverage at no cost to workers through separate policies. If the employer is self-insured, it can use a third party to set up a separate health policy that would provide coverage for contraceptives. The costs for this action may be offset by the fees that insurers will pay to participate in the government-run health care exchanges, slated to go online in 2014.

Affordability: The IRS finalized a rule that clarified that the health coverage "affordability" requirement (that an employee's premium contribution not exceed 9.5 percent of household income) under the Patient Protection and Affordable Care Act (PPACA) will be based on self-only coverage, according to a Business Insurance online report. Employers with plans that fail that test face a $3,000 penalty for each full-time employee who is not offered affordable coverage and instead receives a premium subsidy from the government to purchase insurance in a health care exchange. The proposed regulation left open the possibility that the affordability test might have applied to family coverage, but the IRS removed that scenario with its final rule.

HRAs: A new set of frequently asked questions posted by federal agencies limits the use of health reimbursement arrangements (HRAs) in the coming government-run health insurance exchanges, an online report by the Society for Human Resource Management (SHRM) notes. The FAQs state that an HRA that is not integrated with a group health plan but instead functions as a "stand-alone" benefit falls under the PPACA provision that limits the annual amount an individual is required to spend on health care coverage. The report points out that this restriction means funds from stand-alone HRAs can't be used to buy individual coverage through the online exchanges, slated to open in 2014.

Timothy Jost, a professor at Washington and Lee University School of Law, told SHRM that many employers were hoping to offer employees "a fixed-dollar contribution" through an HRA. Such a move "would permit the employee to take advantage of the tax subsidies currently available through HRA coverage but get the employer out of the health insurance business." For many employers, this now will not be possible.

Minimum Coverage: A proposed PPACA rule clarifies what types of services would be considered "minimal essential coverage," UBA reports. Services such as on-site clinics, limited-scope dental and vision, long-term care, disability income and accident-only income would not qualify as employer-sponsored minimal essential coverage. More details can be found in the Federal Register: http://www.gpo.gov/fdsys/pkg/FR-2013-02-01/pdf/2013-02141.pdf

Exchange Notice Delay: Employers who were concerned about a fast-approaching deadline to distribute notices on the exchanges can relax for a few more months. The Department of Labor (DOL) has pushed the date (originally March 1) to late summer or early fall. The DOL is preparing model language for the notice, and a final date will be announced later, the agency said.


Significant Changes for Health Care Providers, Health Plans, and Their Business Associates and Subcontractors in Final HIPAA Privacy Regulations

Source: United Benefit Advisors
By: Jackson Lewis LLP

The Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services published its long-awaited final privacy and security regulations ("Final Rule") under the Health Insurance Portability and Accountability Act ("HIPAA") on January 25, 2013. The Final Rule becomes effective March 26, 2013, and, in general, covered entities and business associates are required to comply by September 23, 2013.

The Final Rule addresses four key areas: (i) changes made by the Health Information for Economic and Clinical Health Act ("HITECH Act"); (ii) the HIPAA enforcement rule; (iii) updates to the data breach notification regulations; and (iv) changes made by the Genetic Information Nondiscrimination Act. Some significant changes are summarized below.

Business Associates and Subcontractors

One of the most significant changes under the HITECH Act is that it makes Business Associates (“BAs”) directly liable under certain provisions of the HIPAA privacy and security rules (“HIPAA Rules”). In addition, the Final Rule provides further guidance concerning which entities are BAs, resulting in the treatment of certain subcontractors of BAs as BAs themselves, directly subject to the HIPAA Rules. The Final Rule, for example, clarifies that a BA is a person who performs functions or activities on behalf of, or certain services for, a covered entity or another BA that involve the use or disclosure of protected health information (“PHI”).

Importantly, the Final Rule establishes that a person becomes a BA by definition, not by the act of contracting with a covered entity or otherwise. Therefore, direct liability for the BA under the HIPAA Rules and HITECH Act for impermissible uses and disclosures and other provisions attaches immediately when a person creates, receives, maintains, or transmits PHI on behalf of a covered entity or BA and otherwise meets the BA definition. As a result of some of these changes, covered entities and BAs should consider re-examining their relationships with their subcontractors to ensure they obtain the appropriate, satisfactory assurances concerning the PHI they make available to those subcontractors. For more information about identifying BAs and subcontractors, see Final HIPAA Regulations: “Business Associates” Include Subcontractors, Data Storage Companies (Cloud Providers?).

The Final Rule also clarifies the BAs are directly liable under the HIPAA Rules for:

  1. uses and disclosures of PHI not permitted under HIPAA;
  2. a failure to provide breach notification to the covered entity;
  3. a failure to provide access to a copy of electronic PHI to the covered entity, the individual, or the individual's designee (as specified in the business associate agreement ("BAA"));
  4. a failure to disclose PHI to the Secretary of Health and Human Services to investigate or determine the BA's compliance with the HIPAA Rules;
  5. a failure to provide an accounting of disclosures; and
  6. a failure to comply with the HIPAA Security Rule.

BAs remain contractually liable for the other provisions of BAAs.

For BAs attempting to minimize this liability, note that the Final Rule also confirms that OCR does not endorse any "certification" process for compliance with the HIPAA Rules or HITECH Act. Thus, BAs and subcontractors should not rely on such programs that may be available. However, it is critical that BAAs be updated to reflect new requirements and to allocate certain liabilities and responsibilities. A transition rule under the Final Rule permits covered entities and BAs to continue operation under certain existing contracts for up to one year beyond the compliance date (September 23, 2013). A qualifying BAA will be deemed compliant until the earlier of (i) the date such agreement is renewed or modified on or after September 23, 2013, or (ii) September 22, 2014. The transition rule applies only to the language in the agreements; the parties must operate as required under the HIPAA Rules in accordance with the applicable compliance dates.

Breach Notification Rule

The Final Rule retains many requirements from the interim final breach notification rule. However, it removes the "risk of harm" standard in exchange for a more objective standard for determining whether a "breach" has occurred. (Thus, inquiry into whether there is a significant risk of harm to privacy and security is no longer appropriate.) The Final Rule establishes a presumption that impermissible uses and disclosures of PHI are breaches, unless an exception applies. Covered entities can rebut that presumption (removing the notification requirement) by conducting a risk assessment to determine whether there is a low probability that PHI has been compromised. However, because of the presumption, covered entities may forgo the risk assessment and simply provide notification.

A risk assessment would examine at least the following four factors:

  1. the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  2. the unauthorized person who used the PHI or to whom the disclosure was made;
  3. whether the PHI was actually acquired or viewed; and
  4. the extent to which the risk to the PHI has been mitigated.
If no exception applies and, after reviewing all of these factors, the covered entity cannot demonstrate that there is a low probability of compromise to the PHI, notification is required. The OCR cautioned that, when working through these factors, many forms of health information can be sensitive, not just information about sexually transmitted diseases, mental health diseases or substance abuse. In addition, the OCR confirmed that violations of the minimum necessary rules also could result in breaches requiring notification.

OCR clarified other aspects of the breach notification rule:

  • The time for notification begins to run when the incident is known to have occurred, not when it has been determined to be a breach. However, a covered entity is expected to make notifications after a reasonable time to investigate the circumstances surrounding the breach in order to collect and develop the information required to be included in the notice to the individual(s).
  • The obligation to determine whether a breach has occurred and to notify individuals remains with the covered entity. However, covered entities can delegate these functions to third parties or BAs.
  • Written notification by first-class mail is the general, default rule. However, individuals who affirmatively agree to receive notice by e-mail may be notified accordingly. In limited cases, individuals who affirmatively agree to be notified orally or by telephone may be contacted though those means with instructions on how to pick up the written notice.
  • Notices of Privacy Practices must include a statement that covered entities must notify affected individuals following a breach.
Enforcement Rule

The Final Rule implements the changes the HITECH Act made to the enforcement provisions of the HIPAA Rules, including penalty amounts, which now also apply to BAs. The HITECH Act penalty scheme can be summarized as follows:

  • "Did not know" penalty - amount not less than $100 or more than $50,000 per violation when it is established the covered entity or BA did not know and, by exercising reasonable diligence, would not have known of a violation;
  • "Reasonable cause" penalty - amount not less than $1,000 or more than $50,000 per violation when it is established the violation was due to reasonable cause and not to willful neglect;
  • "Willful neglect-corrected" penalty - amount not less than $10,000 or more than $50,000 per violation when it is established the violation was due to willful neglect and was timely corrected;
  • "Willful neglect-not corrected" penalty - amount not less than $50,000 for each violation when it is established the violation was due to willful neglect and was not timely corrected.

A penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year.

In addition, OCR made clear in the Final Rule that it will investigate a complaint and will conduct a compliance review when the circumstances or its preliminary review suggest that willful neglect is possible. Willful neglect is defined at 45 CFR § 160.401 as the "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." The term not only presumes actual or constructive knowledge that a violation is virtually certain to occur, but also encompasses a conscious intent or degree of recklessness with regard to compliance obligations. The proposed regulations provided examples of where willful neglect may be found:

  • A covered entity disposed of several hard drives containing electronic PHI in an unsecured dumpster, in violation of § 164.530(c) and § 164.310(d)(2)(i). HHS's investigation reveals the covered entity had failed to implement any policies and procedures to reasonably and appropriately safeguard PHI during the disposal process.
  • A covered entity failed to respond to an individual's request that it restrict its uses and disclosures of PHI about the individual. HHS's investigation reveals the covered entity does not have any policies and procedures for consideration of restriction requests it receives and refuses to accept any requests for restrictions from individual patients who inquire.
  • A covered entity's employee lost an unencrypted laptop that contained unsecured PHI. HHS's investigation reveals the covered entity feared its reputation would be harmed if information about the incident became public and, therefore, decided not to provide notification as required by § 164.400 et seq.
Genetic Information Nondiscrimination Act

The Genetic Information Nondiscrimination Act (GINA) prohibits discrimination on the basis of an individual's genetic information. GINA also contains privacy protections for genetic information that require HHS to modify the HIPAA Rules. The protections require (i) clarification that genetic information is health information and (ii) that health plans, health plan issuers and issuers of Medicare supplemental policies be prohibited from using or disclosing genetic information for underwriting purposes. The Final Rule implements these protections by incorporating certain definitions from GINA and other provisions relating to health plans (health care providers are generally not subject to these provisions). In addition, the Final Rule requires a change to the Notice of Privacy Practices for health plans. Namely, if a covered health plan will be using PHI for underwriting purposes (such as in a wellness program), the plan's Notice of Privacy Practices must include a statement that PHI that is genetic information may not be used for this purpose.

Action Needed

The Final Rule includes substantial changes to the HIPAA Rules for covered health care providers and health plans, as well as their BAs. These entities will need to review these regulations carefully and make appropriate adjustments to their policies and procedures, workforce training, privacy and other notices, and systems, as well as their agreements. Most of this will need to be completed by September 23, 2013, although a transition rule will allow a one-year extension until September 23, 2014 to amend certain existing business associate agreements.

Employer Compliance Alert: The HIPAA Police are Here

After several years during which the Department of Health and Human Services (HHS) operated essentially in “complaint-driven” mode with respect to enforcement of the HIPAA Privacy and Security Rules, recent activity suggests a trend toward stricter HIPAA enforcement. The latest evidence comes in a recently announced settlement between HHS and the Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI).

In this settlement, MEEI has agreed to pay $1.5 million to settle potential violations of the HIPAA Security Rule. MEEI also agreed to develop a corrective action plan that includes reviewing and revising its existing Security Rule policies and procedures and retaining an independent monitor for a three-year period to conduct semi-annual assessments of MEEI’s compliance with the corrective action plan and report back to HHS.

HHS began its investigation of MEEI after MEEI submitted a breach report, as required by the HIPAA Breach Notification Rule. The report indicated that an unencrypted personal laptop containing the electronic protected health information (ePHI) of MEEI patients and research subjects had been stolen. The HHS investigation concluded that MEEI had failed to comply with certain requirements of the HIPAA Security Rule, particularly with respect to the confidentiality of ePHI maintained on portable devices, and that those failures had continued over an extended period of time.

The MEEI settlement is just the latest in a string of recent penalties and settlements stemming from alleged HIPAA privacy and security violations. From 2003 through 2010, HHS reported that it had received nearly 58,000 privacy complaints and, of those, had resolved more than 52,000. In fact, during this initial eight-year period after the HIPAA Privacy Rule went into effect, HHS did not impose a single civil monetary penalty for HIPAA violations.

In February of 2011, however, HHS imposed a $4.3 million penalty against Cignet Health of Prince George’s County, Maryland. HHS found that Cignet had failed to respond to patients’ requests for access to their medical records and that Cignet refused to cooperate in HHS’s investigation. Later that same month, Massachusetts General Hospital entered into a $1 million settlement with HHS arising out of an incident in which an employee left paper records containing the PHI of 192 patients, including patients with HIV/AIDS, on the subway.

The recent increase in enforcement efforts may be partially attributable to the fact that the available civil penalties increased dramatically as a result of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act provides HHS with substantial leverage in settlement negotiations.

These steep penalties and settlements should serve as a reminder of how important it is to comply with the HIPAA Privacy and Security Rules. Health plan sponsors should review their existing policies and procedures and remain vigilant in their training of employees.

Julia M. Vander Weele