By Ken Lynch, founder and CEO, Reciprocity Labs.
The Health Insurance Portability and Accountability Act (HIPAA) applies to all companies in the United States. Healthcare providers, covered entities and their business associates should understand HIPAA and take compliance steps to avoid monetary fines and even prison time. HIPAA violations in the workplace can occur in any organization but especially those that provide healthcare benefits to their employees or require health information to process disability benefits or workplace compensation.
Understanding HIPAA violations in the workplace
HIPAA was enacted in 1996 and aimed to protect the health information of individuals as they moved from one job to another. Since then, the Act has been refined to include more coverage and protections.
In 2003, the Privacy Rule, which defines Protected Health Information (PHI), was passed by the US Department of Health and Human Services. In 2005, HIPAA was updated with the Security Rule, which focuses on electronically stored PHI (ePHI). Today, employers must adhere to HIPAA and related regulations, including the Security Rule and the Privacy Rule, as required by industry regulators and the federal government.
What information qualifies as PHI or ePHI
The Privacy Rule defines PHI as any health information that concerns the payment of healthcare, provision of healthcare or health status of an individual, which is held by a covered entity.
In the workplace, any employee health plans or medical records that are collected by the employer for the purposes of administering healthcare plans are PHI or ePHI information. Health information that is gathered but not intended for use in administering healthcare plans is not considered PHI or ePHI.
When an employee provides health information to document workers’ compensation or sick leave, the information is not considered PHI or ePHI. On the other hand, if you contact an employee’s healthcare provider, the information that the provider will give you falls under the Privacy Rule. Employment records do not fall under PHI or ePHI even they may include health-related information.
What HR should know about HIPAA
If your organization offers employees a covered health plan, it’s critical to determine whether you need to be HIPAA compliant.
First off, the type of plan you offer and the number of employees you cover will determine whether the Security Rule applies to your organization. If any of the following apply, your firm needs to be HIPAA compliant:
- Your plan covers 50 or more employees
- You use a third party to manage your health insurance plan
- Your organization is the plan sponsor for the employees’ group health care plan
- You use a vendor for your employee assistance programs and flexible spending accounts
How the prevent workplace HIPAA violations
There are various strategies you can implement to prevent HIPAA workplace violations by your organization. The first step is to carry out a risk analysis by checking the following:
- All in the information that your organization stores
- Where the data is stored
- The potential risks that can impact the ePHI stored by your organization
After completing a risk analysis, come up with security measures that will mitigate the identified risks. Develop policies and procedures for secure handling, transfer and storage of employee healthcare data. For example, you may want to limit access to your employees’ medical records to a few HR members. You can also store documents containing health records in restricted areas and implement multi-factor authentication to a few personnel who may need to access employees’ electronic health records.
The data security measures you implement should be tested to ensure that they work as required. You should also review the security policies from a technical and non-technical point of view. Regular reviews should be carried out to seal any loopholes that may not have been uncovered in the past.
Even if a third party manages your health insurance program, your organization may still be at risk of HIPAA workplace violation. For example, if your HR department still has access to PHI and ePHI, ensure that the firm is HIPAA compliant. If HR coordinates the healthcare plan with the vendor, the information that will be exchanged between these two entities may fall under HIPAA and therefore compliance would be necessary.
Protecting PHI and ePHI accessed by the human resources department
All organizations need to implement and maintain HIPAA compliance policies, especially with regards to the HR department. To begin, the HR and benefits departments should catalog the information received and stored in the organization as they carry out their administrative functions.
The next step is to secure the communication between HR and the employees that submit healthcare information through the company’s intranet as well as with third party service providers that fall under the Security Rule. Implement robust policies and processes that guide the transmission, reception, storage and destruction of healthcare data. These processes should be incorporated into the company’s internet, intranet, and emails with vendors. Employees in the HR department should handle PHI and ePHI according to the policies.
The final step is to establish access control to the PHI and ePHI data that the company has. HR needs to work with IT to determine the types of administrative functions that can be done on the employee healthcare data. Implement clear security protocols on access, modification and storage of PHI and ePHI in the organization.
Prevent HIPAA workplace violations
Preventing HIPAA workplace violations is all about understanding how the company gathers, transmits and stores PHI and ePHI.
Personal records, even though they may contain healthcare information, are not considered PHI under HIPAA. However, employees may not understand this and may file for violations with the Office of Civil Rights (OCR). Such investigations can be costly and time-consuming. Therefore, develop policies and procedures that will secure employee healthcare records to avoid non-compliance suits.