The Health Insurance Portability and Accountability Act
of 1996 (HIPAA) provides federal protections for "individually
identifiable health information" (i.e. plan participant information) held
by health care plan providers (including VEBAs) and their business
associates. Among its many mandates, HIPAA requires that health
care plans (among other entities) may not use or disclose individuals’ health
information for purposes unrelated to providing healthcare, managing their
organization, or meeting their obligations under state and federal law, unless
individuals specifically authorize them to do so.
The Department
of Health and Human Services (HHS) requires annual privacy and health
information security training to ensure that the HIPAA rules are actually followed and
that the persons handling identifiable health information understand their
duties.
While such training is regularly provided to the employees of health care administration companies (i.e. third
party administrators), hospitals, physician offices and medical laboratories,
many VEBA fiduciaries and Board
Members are unaware that this mandatory training applies to them as well.
Many VEBAs have been created in the context of Chapter 11
bankruptcy cases, usually as one of the last important steps taken by an
official Retiree Committee. These VEBAs
typically offer some sort of healthcare plan and are considered "covered
entities," subject to both ERISA and HIPAA regulations. Usually, a group of volunteer retirees
serves as the VEBA fiduciaries (usually as a Board), while the day-to-day
operations are handled by a third party administrator. VEBA
Board Members often receive or handle information about
VEBA plan participants in the context of appeals, unsolicited correspondence
from plan members, or reports provided by third party administrators. Such information often contains
"individually identifiable health information" (as defined in
HIPAA). As such, any Board Member or similar fiduciary of a VEBA must receive
annual privacy and health information security training.
Training for VEBA Board members
is easy to overlook, but overlooking it carries potentially disastrous results and
liability. By way of example only,
imagine that a Board Member of a VEBA has a laptop computer stolen that
contains unencrypted information about hundreds or thousands of VEBA plan participants.
(Under the HIPAA breach notification rule, information that was encrypted in line with HHS guidance is not treated as "unsecured" protected health information, which is one reason full-disk encryption on any device holding plan data matters.)
Alternatively, imagine that a Board Member's computer is infected with malware that
sends plan participant information out to third parties.
In short, VEBA Board Members need
HIPAA privacy and security training. A
Security Officer needs to be designated on each Board.
Board Members need training on how to recognize plan participant
information, how such information may properly be used, and how it must be safely
discarded (shredding paper records, and securely wiping rather than merely deleting electronic files). Email accounts used by Board
Members for VEBA business should not be shared with or accessible to other family members, and documentation
should be maintained reflecting the HIPAA training completed by each VEBA Board
Member.
Even when proper precautions are
taken, there may be an incident (large or small) involving a HIPAA violation. Impacted plan participants must be notified,
and remedial actions must be taken to address the source of the problem. Importantly, however, the exposure of a Plan
and its Board Members can be substantially reduced if proper training was in place at the time of an
unintentional disclosure, since regulators weigh the safeguards a covered entity had adopted. By the same
token, a failure to have HIPAA training can lead to liability and increased
penalties.
There are many HIPAA training
options available through inexpensive on-line training courses. Such on-line courses, however, tend to be
fairly generic and are rarely tailored for VEBAs or VEBA fiduciaries. Accordingly, this author suggests consulting
with an attorney to obtain the right level and type of HIPAA training
appropriate for those administering a VEBA.