With the start of the new year, a good New Year’s resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries—including any new members of plan administrative and investment committees—have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan’s participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary (“settlor”) decisions affecting plans—and how to avoid having fiduciary duties attach to certain decisions, (iv) the difference between fiduciary liability and co-fiduciary liability under ERISA, and (v) how to avoid personal liability for the acts or omissions of another plan fiduciary.
In addition to periodic ERISA fiduciary training, employers that sponsor group health plans which are HIPAA “covered entities” should consider the legal requirement under the HIPAA privacy rules (the “Rules”) to provide timely HIPAA privacy training to applicable members of their workforces.
The Rules do not prescribe a specific per se timeframe during which HIPAA privacy training must be provided (or renewed for workforce members who have been previously trained). Instead, the Rules require that all members of the plan sponsor’s workforce who are designated as performing job duties on behalf of the plan sponsor’s group health plan subject to HIPAA (the “Health Plan”) and have access to HIPAA “protected health information” (“PHI”) under the Health Plan (“Authorized Staff”) must be trained on the plan sponsor’s HIPAA privacy policies and procedures (“HIPAA P&P”), as appropriate for such workforce members to carry out their functions for the Health Plan.
With respect to any new workforce members who are hired as Authorized Staff, HIPAA privacy training must be provided within a reasonable period after the person joins the workforce and before such person has access to any PHI.
Regarding periodic training for existing Authorized Staff, the required timeframe needs to be determined by the plan sponsor based on its assessment of how often its Authorized Staff needs a refresher course or update and the turnover that has occurred within the Authorized Staff since the last training session. In the event of a material change in the plan sponsor’s HIPAA P&P, training regarding any such changes must be given within a reasonable period after the change becomes effective.
The Rules require that documentation (in written or electronic form) be maintained to show that the required training has been provided. A plan sponsor should maintain a sign-in or log-in sheet for each training session to evidence the training date and the members of the training class. This documentation must be retained in the plan sponsor’s HIPAA privacy recordkeeping files for at least six years from the later of its creation date or the date on which it was last effective.