HIPAA Compliance and the Employer’s Ever-Changing Obligations
For a more in-depth look at HIPAA regulations, check out this webinar recording.
The Health Insurance Portability and Accountability Act (HIPAA) was a sweeping legislative attempt to address several different health insurance issues at once. The act passed Congress and was signed by President Clinton in 1996.
What exactly is HIPAA?
- HIPAA governs the treatment of Protected Health Information (PHI)
- PHI is health information that is individually identifiable (it identifies the person, or could reasonably be used to identify them)
- PHI is information that relates to an individual’s past, present, or future physical or mental health condition, the health care provided to them, or payment for that care
- For an employer, PHI is information created or received by the employer’s group health plan; records the employer holds in its role as employer (for example, FMLA or sick-leave paperwork in the personnel file) are not PHI, even when they contain medical details
Why should you care about HIPAA?
- It’s the law. For better or worse.
The Department of Health and Human Services (HHS), through its Office for Civil Rights, actively enforces HIPAA’s rules. What used to be a slap on the wrist has changed: a significant violation can now result in fines in the hundreds of thousands of dollars, and in the millions for repeated or uncorrected violations. Under HIPAA, employers are required to address three primary requirements:
- Privacy
HIPAA’s Privacy Rule applies to PHI in every form, whether it is on paper, spoken, or electronic, and sets the rules for when PHI may be used and disclosed and what rights participants have over it. Employers are required to designate a “Privacy Officer.” This individual is responsible for the development, maintenance, and enforcement of the employer’s HIPAA Privacy Policies and Procedures.
- Security
HIPAA’s Security Rule deals only with PHI that is created, stored, or transmitted electronically (ePHI). It requires a documented risk analysis and administrative, physical, and technical safeguards proportionate to the risks found. Like the Privacy Officer, a “Security Officer” must be designated (this is an existing employee in most cases, not necessarily a new hire). This individual is responsible for implementing and maintaining the Security Rule’s policies and procedures and is the point of accountability for any ePHI issue or incident.
A key difference between the Privacy and Security rules is in how prescriptive they are. The Privacy Rule’s requirements are generally the same for everybody. The Security Rule is technology-neutral and scalable: it identifies what must be achieved and leaves it to the employer to decide how, in a way that is reasonable for the size and risk of the plan. Its implementation specifications are labeled either “required” or “addressable.” Addressable does not mean optional. For each addressable specification the plan must assess whether it is reasonable and appropriate, then either implement it, implement an equivalent alternative, or document why neither is necessary.
- Business Associates
A Business Associate is a person or organization outside your own workforce that creates, receives, maintains, or transmits PHI on behalf of your plan, for example a third-party administrator, a benefits broker, or a cloud provider that stores plan data. Before sharing PHI with such an entity, you must obtain written assurance that it will safeguard the PHI as HIPAA requires and use it only for the purposes you have agreed to. This is done using a Business Associate Agreement (BAA); since the HITECH Act, Business Associates are also directly liable for their own HIPAA compliance.
5 Steps in Properly Addressing HIPAA:
- Step 1: Assess which of your benefits are subject to the rules
- Plans subject to HIPAA include medical, prescription, dental, vision, health FSAs, and HRAs
- Plans and programs not subject to HIPAA include short- and long-term disability, retirement, life insurance, workers’ compensation, FMLA administration, and employment drug tests (these are not group health plans, or the records belong to the employer in its role as employer)
- Step 2: Determine how much, if any, access to PHI you have for each of those plans
- Step 3: Perform a risk analysis, then develop policies and procedures appropriate to your level of PHI exposure and to the risk of a data breach
- Step 4: Identify those employees who will have access to PHI, limit access to that group, and train them on those policies and procedures
- Step 5: Develop and distribute a Notice of Privacy Practices telling participants how the plan uses and discloses their PHI, what rights they have, and whom to contact (the Privacy Officer) with questions or complaints. Many employers distribute it at every open enrollment; at a minimum it must be provided at enrollment, on request, and participants must be reminded at least every three years that it is available
Remember, if you sponsor a group health plan, no matter the company size, you must deal with HIPAA in some shape or form. Even a fully insured plan whose sponsor never sees more than enrollment and summary health information has reduced obligations, but not zero.
For an in-depth look at HIPAA’s privacy and security rules, we invite you to listen in on the replay of the Assurance University Webinar held earlier this year. Compliance expert Mark Lam takes a hard look at what employers need to know and do to stay compliant. http://results.assuranceagency.com/HIPAAReplay