One Simple Way to Assess Your Broker – Do They Comply With Federal Law?

To date we have focused on getting brokers focused on their legal responsibilities as BA’s under HIPAA HITECH and the 2/17/2010 deadline.

Now we are shifting to viewing this issue as an employer/covered entity and how you should assess your benefits broker or consultant. You have been subject to HIPAA for the last 6 years as have the health insurers, hospitals et al. Now your broker is as well and HITECH adds new responsibilities and penalties for both of you.

Clearly many, many brokers are diligently working to comply. Hats off to all of you. Complying with HIPAA HITECH is time consuming and painful but the right thing to do. If you are one of these real professionals stop reading now.

Let’s be very clear on the HIPAA HITECH law and how it applies to business associates who help you using ePHI (i.e., brokers).

FACT – Brokers are BA’s and have signed or accepted BA agreements with ALL their insurance carriers saying they are fully compliant with the new law. (whether they understand the law or even know what compliance means!)

FACT – You need to have updated BA agreements in place with your organization just like the carriers have done already.

Sue McAndrew, deputy director for Health Information Privacy for OCR, asked at this week’s HIPAA Summit if a business associate could end up paying out of its own pocket for a breach. The answer was yes.

“Business associates going forward will be directly liable for violations that occur in their possession,” McAndrew said. “The fines would be imposed upon the BA, and if they can’t pay, we send them to jail.”

OK. So the responsibilities of BA’s are VERY SERIOUS, and oh by the way are Federal law. So Democrat, Republican, Libertarian, Socialist, Independent or Tea Partier, you are subject to full compliance.

Now you may think that this seems harsh or over the top but ask yourself this. If you found an employee violating any law in your office what would you do? Or found out that your lawyer or accountant disobeyed the law when they did work for you? Obviously you would fire them.

Far too many of the responses I have gotten from seasoned benefits consultants have been very disappointing and frankly irresponsible as they relate to their clients’ and their employees’ information privacy and security. These range from “not my problem”, “someone is dealing with it here”, “scr*w the government”, “they will never prosecute a broker”, “I can’t be responsible for my client’s behavior” and much more.. and much worse.

FACT – If your broker or any other BA is not fully complying with HIPAA HITECH, it endangers your company: as the covered entity (CE) you are responsible for tracking and reporting any security breaches by your BA’s, and if they are not compliant, not only do they face major fines and legal action, so do you.

Put another way, your broker’s lack of compliance – and even of understanding what that means – shows a total disconnect from your company and your most important asset – your employees. Also, their own E&O policies don’t cover fines here, which tells you something as well.

Their cavalier attitude may show itself in not securely managing census, enrollment, medical information, bills, et al. that contain personally identifiable health information, which can lead to identity theft, lawsuits and having to report your own organization to HHS and all local media if over 500 lives’ information is deemed compromised.

As a 35 year veteran of this industry I am baffled by what I am seeing and could give you a laundry list of questions to use to assess a benefits consultant’s true competence and that of his organization, but to get to the heart of the matter just ask your brokerage firm these simple questions:

  • Is your firm HIPAA HITECH compliant?
  • Can you demonstrate that compliance to us with your plan and policies?
  • How do you encrypt any PHI we work with you on via email, in your office and when on staff laptops?

Unfortunately many of you are going to find that the folks you trust and work with are not going to be able to answer, are woefully non-compliant or really clueless on what is required of them, and as such are not serving your best interests.

This is also called “willful neglect” under the law and is subject to the most serious penalties.

What do you do about it?

Find a new broker who takes Federal laws seriously, if for no other reason than it shows a respect for you and your employees and for the same laws and requirements that you live by every day.

If you do not, you put your company’s well being and your employees’ privacy at risk. That is your requirement under the law – to be sure your BA’s are compliant…or face the consequences yourself.

2 Comments on “One Simple Way to Assess Your Broker – Do They Comply With Federal Law?”

  1. William Larson Says:

    I ran across an article from an attorney firm stating the following:
    A portion of the HITECH Act will have a significant impact on employers that sponsor group health plans. The Act effectively mandates that group health plans secure protected health information. Plan sponsors that fail to bring their group health plans into compliance are at risk for enforcement actions, large penalties, class action lawsuits and injuries to reputation. By any measure, this is the toughest federal law ever enacted to regulate employee benefit plans.
    I would be interested in your thoughts on this subject.
    Bill Larson

    • John Nail Says:

      Bill that is the major thrust of HITECH and the most important health reform action taken to date. Trusted data is the foundation of electronic health records and of a truly streamlined admin system for healthcare where data can be shared not more paper.

      This applies to “Covered Entities” i.e. insurers and plan sponsors and “Business Associates” i.e. brokers or any other supplier that touches PHI/PII.

      CE’s are also on the hook for the compliance of their BA’s, and BA’s for any subcontractors – like ben admin vendors et al.

      Go here to get more:
