HIPAA Compliance Reviews and Audit Protocol

Posted April 26, 2016 by Megan DiMartino

The Department of Health and Human Services (HHS) has launched the second phase of its HIPAA audit program, which focuses on compliance with HIPAA’s Privacy, Security and Breach Notification Rules. HHS’ Office for Civil Rights (OCR) is responsible for conducting these audits.

This second phase of the HIPAA audit program covers both covered entities and business associates. According to OCR, these HIPAA audits are primarily a compliance improvement activity. However, if an audit reveals a serious compliance issue, OCR may initiate a compliance review to investigate.

In connection with this second phase of HIPAA audits, OCR released an updated audit protocol that identifies potential areas of audit inquiry. To prepare for a possible HIPAA audit, covered entities and business associates should review their compliance with HIPAA’s Rules and make any necessary changes. OCR’s audit protocol can be used as a guide for self-audits of HIPAA compliance.

Also, even if a health plan or business associate is not selected for a Phase 2 audit, it is still important to remain prepared for a HIPAA compliance review – OCR will likely continue its enforcement efforts after the Phase 2 audits are complete.

Audit Protocol

OCR published an audit protocol to provide clarity on the HIPAA standards that auditors may assess during an audit. OCR first made its HIPAA audit protocol available in 2012 in connection with its pilot audit program. In 2016, OCR released an updated audit protocol, which includes changes made by the HIPAA Omnibus final rule from 2013.

The audit protocol is organized around modules, representing separate elements of privacy, security and breach notification. The updated audit protocol identifies approximately 180 areas for potential audit inquiry. According to OCR, the areas that are assessed during an audit will vary based on the type of covered entity or business associate selected for review.

The audit protocol identifies “key activities” (HIPAA standards) and provides information on the legal requirements for each standard (“established performance criteria”), as well as potential audit inquiries related to the HIPAA requirements.

Also, although the audit protocol’s requirements depend on the specific HIPAA standard being assessed, there are some recurring themes that indicate what the auditors may be looking for. For example, many of the protocols direct auditors to ask whether policies or procedures exist for a given HIPAA standard, and whether these policies and procedures have been updated on a periodic basis.

HIPAA Self-Audits

Covered entities and business associates should perform periodic self-assessments of their HIPAA compliance and can use the audit protocol as a guide during this process. If a covered entity or business associate discovers an area of noncompliance, it should take steps to remedy the problem.

Based on the audit protocol’s recurring themes, a HIPAA self-audit should emphasize the following HIPAA standards:

  • Does the covered entity or business associate have the required HIPAA policies and procedures for privacy, security and breach notification in place?
  • Have there been periodic updates to these policies and procedures?
  • Has the covered entity or business associate trained its workforce on HIPAA compliance, including any policy and procedure updates?
  • Has the entity performed a risk analysis to assess the potential risk and vulnerabilities for its electronic PHI (ePHI)?
  • If an entity has decided not to implement an “addressable” security standard, does it have documentation supporting its decision?

Also, to prepare for a potential audit, an organization should confirm that its HIPAA documents (including its policies and procedures) are comprehensive, well-organized and easy to comprehend.

Special rules for fully insured health plans

How the HIPAA Privacy Rule impacts the sponsor of a fully insured plan depends on whether the plan sponsor has access to PHI for plan administration purposes. Sponsors of fully insured plans that do not have access to PHI are only subject to a few of the Privacy Rule’s requirements. Sponsors of fully insured plans that have access to PHI and sponsors of self-funded plans, however, have additional compliance obligations under the Privacy Rule.

Privacy Rules Requirements

The audit protocol includes 89 areas of potential audit inquiry under the HIPAA Privacy Rule. For example, the audit protocol includes compliance questions regarding the Privacy Rule’s:

  • Use and disclosure rules
  • Privacy notice requirement
  • Individual rights requirements
  • Minimum necessary standard
  • Business associate contract requirement

Security Rules Requirements

The audit protocol includes 72 potential areas of audit inquiry that address the HIPAA Security Rule’s requirements for administrative, technical and physical safeguards for ePHI. Under the Security Rule, each type of safeguard has certain standards and implementation specifications associated with it. In an effort to provide covered entities and business associates with some flexibility, the Security Rule provides two categories of implementation specifications – “required” and “addressable.” While addressable implementation specifications are not optional, organizations have more options in determining how they will comply with these requirements.

The audit protocol also addresses whether the entity has performed a risk analysis to assess the potential risks and vulnerabilities to all of the ePHI that it creates, receives, maintains or transmits. Conducting a risk analysis is a crucial first step in an organization’s efforts to comply with the Security Rule. The risk analysis directs what reasonable steps a covered entity or business associate should take to protect the ePHI it creates, receives, maintains or transmits. Failing to conduct a timely and thorough risk assessment has routinely been identified by OCR as a common HIPAA compliance problem.

HHS, through its Office of the National Coordinator for Health Information Technology (ONC), has developed an interactive Security Risk Assessment Tool (SRA Tool) to assist organizations in performing and documenting security risk assessments.

The SRA Tool is a software application that can be used by a covered entity or business associate as a resource (among other tools and processes) to review its implementation of the HIPAA Security Rule. HHS has also provided a User Guide and tutorial video to help organizations begin using the SRA Tool.

Breach Notification Rules

The audit protocol addresses HIPAA’s breach notification requirements for unsecured PHI, and, in addition to other breach notification standards, instructs auditors to review covered entities’ policies and procedures regarding breach notification. For example, the protocol asks whether the covered entity has policies and procedures in place for determining whether an impermissible use or disclosure triggers a breach notification requirement.

The HIPAA Omnibus final rule from 2013 changed some of the standards for determining whether a breach notification is required. As part of their HIPAA compliance review, covered entities should make sure that their breach notification policies have been updated for the final rule and that their workforce has been trained on the notification standards.

Links and Resources:

  • Audit protocol for covered entities and business associates
  • HIPAA’s Security Risk Assessment Tool (SRA Tool)
  • Download the SRA Tool here
  • SRA Tool User Guide

Source: AssuredPartners, Inc. Compliance Observer Alert | HIPAA Compliance Reviews – Audit Protocol

For more information contact The information contained in this post, and any attachments, is not intended and should not be misconstrued as legal advice. You should contact your employment, benefits or ERISA attorney for legal direction.

Help Celebrate Earth Day!

Posted April 22, 2016 by Megan DiMartino

The first Earth Day was celebrated on April 22, 1970, thanks to the efforts of Senator Gaylord Nelson, a passionate advocate of protecting the environment and bringing environmental issues to light, after he saw the damaging effects of a massive oil spill in 1969 in Santa Barbara, California. After much struggle and resistance, Nelson designated April 22 as a “national day for the environment” in the hope of impressing upon politicians that humans have an enormous impact on the environment. More than 20 million Americans participated in the first Earth Day, which prompted politicians to take notice and focus on the environment. That focus has become increasingly global, with more people celebrating Earth Day worldwide today than ever before.

Senator Gaylord Nelson was recognized for his hard work and awarded the Presidential Medal of Freedom Award in 1995. This is the highest honor given to civilians in the United States.

In 2009, the United Nations renamed Earth Day as International Mother Earth Day.

2016 Earth Day Network’s Theme – Trees for the Earth. Over the next 5 years, leading up to Earth Day’s 50th anniversary, Earth Day Network’s goal is to plant 7.8 billion trees!

But why trees?

Trees help combat climate change – They absorb excess and harmful CO2 from the atmosphere. In a single year, an acre of mature trees absorbs the same amount of CO2 produced by driving the average car 26,000 miles.

Trees help us breathe clean air – Trees absorb odors and pollutant gases (nitrogen oxide, ammonia, sulfur dioxide and ozone) and filter particulates out of the air by trapping them on their leaves and bark.

Trees help communities – Trees help communities achieve long-term economic and environmental sustainability and provide food, energy and income.

So do your part and plant a tree this Earth Day! #trees4earth

Sources:
  • Infoplease | Earth Day Stats and Facts about the environment, conservation tips and more | Earth Day Facts
  • Live Science | Earth Day: Facts & History
  • Earth Day Network | Earth Day 2016 – Trees for the Earth

HR Document Spring Cleaning

Posted April 20, 2016 by Megan DiMartino

Spring has sprung! And so has the need to clean out those old, pesky documents that keep cluttering up our lives…and office…and desk…and computer! But where to start?!

Follow these simple guidelines to help steer you in the right direction:

  • Hiring – Under Title VII, job applications and resumes must be kept for one year from the date of submission. Pre-employment tests must be kept for one year from the date of test. The Immigration Reform and Control Act requires Form I-9 to be retained for three years from the date of hire or one year after termination, whichever is later.
  • Termination – Per Title VII, documents related to layoff, recall and reduction-in-force must be kept for one year from the date of the action.
  • Promotion and Demotion – Per Title VII, records of promotions and demotions must be kept for one year from the date of action.
  • Work Hours – Under the Fair Labor Standards Act (FLSA), time sheets or time cards must be kept for two years after the record is made.
  • Leave – Under FLSA, records of the dates of leave taken under the Act must be kept for three years.
  • Accommodation – Requests for reasonable religious accommodation must be kept for one year after the record is made, per Title VII. Under the Americans with Disabilities Act, requests for disability-related reasonable accommodation must also be kept for one year after the record is made.
  • Training – Under Title VII, documents related to the selection of employees for training opportunities must be kept for one year.

For emailed documents, it is recommended that folders be created for business needs and that emails be sorted into them as needed. Consult your IT team if necessary to turn off automatic deletion features.

Happy Spring cleaning!

Source: Business Management Daily | Spring cleaning: 7 records to avoid discarding

The ‘Snooki’ Tax: PPACA Tanning Bed Tax

Posted April 15, 2016 by Megan DiMartino

Since July 1, 2010, a 10% tax has been imposed on tanning sessions at indoor tanning salons through the provisions of the Patient Protection and Affordable Care Act (PPACA) and the amendments made through the Health Care and Education Reconciliation Act of 2010. Under the tax, anyone using indoor tanning services is required to pay an excise tax equal to 10% of the amount paid for those services.

PPACA’s initial funding vehicle was to revolve around “Elective Cosmetic Procedures” and collect a 5% tax on elective surgeries such as breast augmentation, tummy tucks, Botox injections, and other elective procedures. But after successful lobbying from medical and dermatology interests, the aptly named “Botax” was nullified by Section 10907 and the “Snooki Tax” took its place. The tanning bed tax was expected to bring in $2.7 billion over ten years, considerably less than the “Botax” projected income of $5.8 billion. The tanning industry was an easier target, but the change left many of the industry’s women owners infuriated, as their middle-class status was far less able to absorb the tax hit than the original target, the cosmetic service industry.

The “Snooki Tax” is aimed at services that use electronic products designed to incorporate one or more ultraviolet lamps, and intended for the irradiation of an individual by ultraviolet radiation, with wavelengths in air between 200 and 400 nanometers, to induce skin tanning.

Exclusions include:

  • Phototherapy Services – a service that exposes an individual to specific wavelengths of lights for treatment of:
    • Dermatological conditions (e.g., acne, psoriasis, eczema)
    • Sleep disorders
    • Seasonal Affective Disorder (SAD) or other psychiatric disorders
    • Neonatal jaundice
    • Wound healing; or
    • Other medical conditions determined by a licensed medical professional to be treatable by exposing the individual to specific wavelengths of light.
  • Qualified Physical Fitness Facilities – defined by the following:
    • the predominant business of activity is providing facilities, equipment and services to its members for purposes of exercise and physical fitness,
    • indoor tanning services is not a substantial part of its business, and,
    • it does not offer tanning services to the public for a fee or offer different pricing options to its members based on indoor tanning services.
  • Other exclusions:
    • Spray tans or topical creams and tanning creams
    • No exemptions from the tax for tax-exempt entities such as education institutions or charities

Over the past six years the excise tax has brought in significantly less income than was originally projected. In 2014, the tax was expected to collect $300 million, but the Office of Management and Budget reported that $92 million was collected. The original estimated income of $2.7 billion has nearly been cut in half by the Joint Committee on Taxation, which now estimates the ten-year revenue to be closer to $1.5 billion; the Office of Management and Budget offers an even gloomier projection of $955 million.

Appeal efforts have had no success, so even more small businesses could potentially close, following the nearly half of all estimated tanning salons that have closed since the tax was implemented.

Source: BenefitsPro | The ‘Snooki’ tax: 4 things to know about the PPACA tanning bed tax

DOL Issues Final SBC Template and Instructions

Posted April 12, 2016 by PHaynes

On Wednesday, April 6, 2016, the DOL (United States Department of Labor) issued final regulations on the new SBC (Summary of Benefits and Coverage) template and related documents, intended for use as of April 1, 2017. Final documents and a completed sample SBC are available on the DOL website; see the link below.

PPACA (aka the Affordable Care Act) requires insurers and plan sponsors to use SBCs as a means to provide plan participants with standard information so they can better understand and compare one medical plan to another. (You may recall the uniform “food label” analogy we often refer to in our web-seminars.) The final SBC template and instructions keep the “material changes” that were proposed in late February 2016. These changes include:

  • Streamlined content, for example, the removal of Q&A about Coverage Examples, which reduced the template to five (5) pages (SBC limit remains 8 pages/4 double-sided pages).
  • An additional cost example for a foot fracture treated in an emergency room.
  • Updated claims/pricing data for the coverage example calculator.
  • New MEC (Minimum Essential Coverage) and MV (Minimum Value) language, as well as new continuation and appeals/grievance rights language.
  • Revised language for some sections of the template.
  • An updated Uniform Glossary.

Any impact on Expatriate Plans?

No. Both U.S.-issued fully insured and self-funded expatriate plans will continue to be exempt from the SBC requirements. This new/revised template does not impact expatriate plans.

The Importance of Executing HIPAA Business Associate Agreements

Posted April 12, 2016 by Megan DiMartino

Violation of the Health Insurance Portability and Accountability Act (HIPAA) can come at a hefty price! Just ask North Memorial Health Care of Minnesota, which recently paid $1.55 million to settle charges that it potentially violated the HIPAA Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to perform an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), stated that two major HIPAA rules were overlooked. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR’s investigation found that a password-protected laptop containing protected health information was stolen from a business associate’s workforce member’s locked vehicle, impacting 9,497 of North Memorial’s 289,904 patients. OCR also found that North Memorial had failed to put a business associate agreement (required under HIPAA’s Privacy and Security Rules) in place with its business associate, Accretive Health, Inc., which performed certain payment and health care operations on North Memorial’s behalf. North Memorial further failed to conduct a risk analysis of all the potential risks and vulnerabilities to the electronic protected health information (ePHI) that it maintained, accessed or transmitted across its entire IT infrastructure.

In addition to the $1.55 million payment, North Memorial is now required to develop an organization-wide risk analysis and risk management plan to satisfy the requirements of the HIPAA Privacy and Security Rules.

Lesson learned!

Source: HHS | $1.55 million settlement underscores the importance of executing HIPAA business associate agreements

The Burdens of Compliance

Posted April 8, 2016 by Megan DiMartino

Because health and welfare benefits have become ever-present, employees now expect medical, dental, life, and other insurance as part of their benefits package when they are hired. Employers offer this coverage to attract and reward employees and to avoid penalties under the Affordable Care Act (ACA). Compliance is a burden, and the penalties for noncompliance are more threatening than before. Any employer that offers benefits to employees must meet certain requirements under a number of laws, including the ACA, ERISA, the Internal Revenue Code, HIPAA, and others. These laws can require reporting to the government, disclosures and notices to employees, certain administrative processes, and mandatory coverages.

Some of the key penalty areas include the SPD, COBRA, the Federal Insurance Market Reforms, Form 5500, and the ACA Employer Shared Responsibility Mandate.

  • Summary Plan Description (SPD): If a plan sponsor neglects to supply an SPD to a participant within 30 days of the participant’s request for that document, the sponsor can be held liable for a civil penalty of up to $110 per day from the date of neglect.
  • COBRA: A plan that fails to comply with COBRA, including its notice requirements, can face penalties under ERISA and the Internal Revenue Code. Any plan administrator who fails to provide COBRA notices to a participant within 30 days of that participant requesting the document can be liable for a civil penalty of $110 per day from the date of neglect. The participant, beneficiary, or Secretary of Labor can also bring civil action against plan sponsors under ERISA. Plan administrators can also be assessed an excise tax penalty of $100 per qualified beneficiary for every day of non-compliance.
  • Federal Insurance Market Reforms: Failure to satisfy these requirements can lead to enforcement and penalties under ERISA, the Public Health Service Act, and the Internal Revenue Code. Both insured and self-insured plans can be exposed to a $100 penalty per person, per day of non-compliance under the Internal Revenue Code. Insured plans can also be the focus of enforcement by the Department of Health and Human Services (HHS): HHS can refer enforcement to the state and can impose a $100 penalty for non-compliance if the state does not take action. Plans can also be exposed to civil enforcement suits under ERISA. These reforms include standards relating to benefits for mothers and newborns, mandated coverage for children to age 26, mandated preventive care, and others.
  • Form 5500: The Secretary of Labor can assess a civil penalty of up to $1,100 a day from the date of the plan sponsor’s failure to file a Form 5500.
  • Affordable Care Act “Employer Shared Responsibility” Mandate: Employers that fail to offer medical coverage, or offer insufficient coverage, to full-time employees are exposed to penalties under Code Section 4980H and can add up to $167 per month, per full-time employee. Employers that neglect to meet reporting and disclosure requirements under Code Section 6055 and 6056 can face penalties of maximum $250 per return.

Employers should know how to handle these requirements, and a good way to do so is by using a welfare wrap document. The wrap document contains everything required for an ERISA SPD along with other disclosures required by ERISA and COBRA. It also incorporates the certificates and booklets of the individual benefits by reference, which completes the SPD. By using a wrap document, employers can satisfy the ERISA SPD requirement and other disclosure requirements.

Source: Employment Matters | Health and Welfare Plans: Big Compliance Burdens, Big Penalty Exposures

AP Benefit Advisors Webinar Series: PPACA Regulations Impacting Plan Changes – Part II

Posted April 6, 2016 by Megan DiMartino

Join AP Benefit Advisors’ General Counsel and VP of Compliance, Patrick C. Haynes, Jr., for this one-hour, complimentary webinar, as he reviews Part II of the PPACA regulations that impact plan changes. Discussion will include guidance on recent IRS publications, extended deadlines, out-of-pocket maximums and SBC updates. Many employers are struggling to understand how these plan changes will be implemented, the potential cost increases and the new administrative hurdles they should be prepared to face.

Topics will include:

  • IRS Publications 502, 503 & 969
  • 1094 & 1095 Extended Deadlines Coming Up
  • Picking it Clean – Revisiting IRS Notice 2015-87…Again!
  • OOPmaxes, Limits & More – Plan for 2017 Now!
  • SBC Updates – More Changes & More Delays

Webinar Details:

  • Wednesday, April 20, 2016
  • 1:00 – 2:00pm EDT
  • No Cost to Attend
  • This webinar is open to all HR and Finance Professionals – but not to brokers, agents, TPAs and PEOs.

Making Telecommuting Work for Your Organization

Posted April 5, 2016 by Megan DiMartino

Employers are often hesitant to allow employees to telecommute, as they have no way of knowing whether the employee is truly completing their work. Jay Forte, president of The Greatness Zone LLC, says that if an organization is truly about results, then it should not micromanage the process. Forte answers three questions about telecommuting and how to make it work for an organization.

First, what are ways that one can effectively transition in-person staff to remotely working staff?

  • The employer needs to get on the same page with the employee about the most important things that need to occur in the first few months of telecommuting. The employer also needs to establish clarity of deliverables: does the employee know what needs to be delivered, what is owed, and how often it is owed? The employer should shed any fear of connecting too often until both worker and employer get into a rhythm that works.

Second, should employees be allowed to telecommute from the start if there isn’t a need to?

  • Telecommuting is not a perk or a benefit, and should be viewed as a modern way of doing business that provides success.

Third, if the remote work model is not working for an organization, how can an employer tell the team that it wants to stop remote work when employees are used to the perk?

  • If one is dealing with true professionals, they will understand the line “We’re not here to make everyone happy, though we wish we could.” If an employer has tried to make remote staff more accountable and made an effort to create an effective remote work space, there is no need to bribe employees for their compliance.

Source: Human Resources Management Articles and News | Business Management Daily – Nailing Down the Rules of Telecommuting: 3 Q&As
