OCR expects plan sponsors and business associates to have policies and procedures, training for staff with access to any type of PHI, risk and security assessments, and the ability to demonstrate compliance. OCR also stresses that these functions are not a “one and done” exercise. With frequent stories of privacy and security breaches, plan sponsors and their business associates should expect strict compliance enforcement. Giving OCR policies created in the last decade…or even policies more than two years old…will not pass their scrutiny.
This is where my expertise can help, and no, you don’t need to purchase any software. I develop custom policies and procedures that pass inspection by OCR and whose design meets SOC standards. Training is personally designed for employees in the benefits division who handle PHI so they actually understand what uses and disclosures are and are not permitted. Despite these efforts, it’s likely that plan sponsors and business associates will suffer an unintentional breach by an employee and, in fact, OCR expects breaches (it’s those claiming to be perfect that make them suspicious). How a breach is handled – from timely notification and mitigation to remediation and discipline – is the real test of compliance.
So let’s document your practices as policies, educate your benefits team, and gain peace of mind knowing that the plan is keeping the PHI of participants private and secure.
While most of the 2,000+ pages that make up this massive piece of legislation apply to Medicare, there is still plenty impacting employer-sponsored health plans. From SBCs and preventive benefits to the most recent non-discrimination rule - not to mention annual changes in cost sharing and contributions - knowing whether a plan is subject to a provision, when it must be implemented, and how to notify participants requires perpetual modifications to plan designs and materials.
Having worked with dozens of plan sponsors and their various plans, I prepare plan language that is compliant and, just as importantly, understood by participants. My goal is to limit calls to your office for clarification by ensuring that participants have complete and timely information. Whether you have a specific need or would just like a gap analysis of current plan documents, I can help.
By now, you understand that an SPD is a legal document. While that’s true, it also has to be useful and understood by participants. I’ve seen legalese and plan amendments that result in sections that don’t integrate with the rest of the SPD and whose only usefulness for the participant is to cure their insomnia. SPDs eventually end up at best confusing and at worst containing conflicting provisions.
The solution is to ensure that SPDs are a reflection of the employer sponsoring the plan. Are employees actually referred to as ‘associates’? Does the wellness program reflect the name of the company? Details such as these help to make an SPD, SBC or SMM familiar to participants. Paired with clearly illustrated benefit information – with compliant language, of course – the result is material that they’ll actually feel confident referencing. Ensuring plan materials are educational tools for participants, in addition to protecting the plan from unnecessary and expensive litigation, is a solution that I take a great deal of satisfaction in providing to plan sponsors.