Companies not directly involved in the healthcare or health insurance sectors should nonetheless pay close attention to HIPAA compliance for HR departments. It has been calculated that a third of all workers and their dependents who receive occupational healthcare benefits do so via a self-insured group health plan.
Although this does not mean a self-insuring business is therefore a HIPAA Covered Entity, and thereby subject to HIPAA legislation, the chances are that the HR department will have some involvement with insurance-related duties. In carrying out those duties, HR personnel will undoubtedly come into contact with Protected Health Information (PHI).
Why HIPAA Compliance for HR Departments is Vital
The original aim of the Health Insurance Portability and Accountability Act (HIPAA) was to enhance the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were made with the aim of combating waste, fraud and abuse in the health insurance and healthcare sectors.
Due to these amendments, the HIPAA Privacy and Security Rules were introduced. The Rules limit access to and use of Protected Health Information (PHI), mainly to give patients and members of group health plans control over how their personal information is used. For instance, healthcare groups can no longer use a patient's PHI for marketing activities without the patient's authorization.
A further aim of restricting access to PHI is to prevent one person from using somebody else's PHI to obtain free healthcare, which is essentially identity theft. As the expense of medical treatment has risen, so has the value of healthcare data. A 2014 report estimated that a full dossier of healthcare data on the black market is worth over $1,200. By comparison, a stolen Visa card is worth around $4.
Major Focuses of HIPAA Compliance for HR Departments
There are four major areas of HIPAA compliance in which HR personnel should be well informed. These are understanding the key components of the Privacy and Security Rules, helping workers understand their rights under HIPAA legislation, securing the PHI of employees, and working with the Covered Entities and Business Associates to whom PHI is sent.
Never Assume the IT Department is Responsible for Security Rule Compliance
An IT manager is normally designated as the HIPAA Security Officer, and it is their responsibility to make sure every department within the organization is compliant with the Security Rule. But this is not always the case, and HR personnel should not assume that responsibility for security lies elsewhere.
Always Send Updates and Reminders of Privacy Practice Notices
Workers enrolled in a self-insured group health plan must be given a Privacy Practice Notice informing them of their HIPAA-related rights. Most HR departments do this, but some forget to share updates when privacy practices are revised, and to issue a reminder at least once every three years.
Keep a Written Policy for Reviewing and Resolving Complaints
Although not required under HIPAA, a policy should be in place to document privacy complaints, investigations and resolutions. This will be of major benefit to the company, and to the HR department in particular, if an employee follows up their complaint with the Department of Health & Human Services.
Never Overlook State Privacy Law Compliance
The relationship between HIPAA and state privacy laws is a source of confusion for some individuals. HIPAA preempts any state privacy laws with weaker privacy protection, but not those that ensure stronger privacy protection. State privacy requirements must therefore always be considered alongside HIPAA.