With the start of the new year, a good New Year's resolution for employers that sponsor ERISA retirement and/or health and welfare benefit plans is to ensure that all current ERISA plan fiduciaries (including any new members of plan administrative and investment committees) have received up-to-date ERISA fiduciary training. ERISA litigation brought against individual plan fiduciaries has significantly increased in recent years. Plan fiduciaries assume responsibilities and make decisions that could potentially subject them to substantial personal liability. To mitigate this risk exposure, each committee member (or other ERISA plan fiduciary) should receive fiduciary training initially upon becoming a plan fiduciary and at least annually thereafter. Plan fiduciaries need to understand (i) when they are acting on behalf of the plan's participants in a fiduciary capacity, (ii) the different fiduciary roles under a plan and how fiduciary liability can attach in different ways, (iii) the difference between fiduciary decisions and non-fiduciary ("settlor") decisions affecting plans, and how to avoid having fiduciary duties attach to certain decisions, (iv) the difference between fiduciary liability and co-fiduciary liability under ERISA, and (v) how to avoid personal liability for the acts or omissions of another plan fiduciary.
In addition to periodic ERISA fiduciary training, employers that sponsor group health plans which are HIPAA "covered entities" should consider the legal requirement under the HIPAA privacy rules (the "Rules") to provide timely HIPAA privacy training to applicable members of their workforces.
The Rules do not prescribe a specific per se timeframe during which HIPAA privacy training must be provided (or renewed for workforce members who have been previously trained). Instead, the Rules require that all members of the plan sponsor's workforce who are designated as performing job duties on behalf of the plan sponsor's group health plan subject to HIPAA (the "Health Plan") and have access to HIPAA "protected health information" ("PHI") under the Health Plan ("Authorized Staff") must be trained on the plan sponsor's HIPAA privacy policies and procedures ("HIPAA P&P"), as appropriate for such workforce members to carry out their functions for the Health Plan.
With respect to any new workforce members who are hired as Authorized Staff, HIPAA privacy training must be provided within a reasonable period after the person joins the workforce and before such person has access to any PHI.
Regarding periodic training for existing Authorized Staff, the required timeframe needs to be determined by the plan sponsor based on its assessment of how often its Authorized Staff needs a refresher course or update and the turnover that has occurred within the Authorized Staff since the last training session. In the event of a material change in the plan sponsor's HIPAA P&P, training regarding any such changes must be given within a reasonable period after the change becomes effective.
The Rules require that documentation (in written or electronic form) be maintained to show that the required training has been provided. A plan sponsor should maintain a sign-in or log-in sheet for each training session to evidence the training date and the members of the training class. This documentation must be retained in the plan sponsor's HIPAA privacy recordkeeping files for at least six years from the later of its creation date or the date on which it was last effective.