Tag: managing HIPAA

HIPAA Violations, How to Prevent Them

By Ken Lynch, founder and CEO, Reciprocity Labs.


The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities in the United States (health plans, health care clearinghouses and health care providers that transmit health information electronically) and to the business associates that handle protected health information on their behalf. These organizations should understand HIPAA and take compliance steps to avoid civil monetary penalties and, for knowing misuse of health information, criminal penalties that can include prison time. HIPAA violations in the workplace can occur in any organization, but they are most likely in those that sponsor health plans for their employees or that handle health information when processing disability claims or workers' compensation.

Understanding HIPAA violations in the workplace

HIPAA was enacted in 1996. Its original aim was to let individuals keep health insurance coverage when they changed or lost jobs, and its Administrative Simplification provisions directed the federal government to set standards for the handling of health information. Since then, the Act has been extended through implementing rules that widen its coverage and protections.

The Privacy Rule, which defines Protected Health Information (PHI) and limits how it may be used and disclosed, was issued by the US Department of Health and Human Services (HHS), with compliance required from 2003. The Security Rule, which sets administrative, physical and technical safeguards for PHI that is stored or transmitted electronically (ePHI), followed with a compliance deadline in 2005. Today, employers that fall within HIPAA's scope must adhere to the Privacy Rule, the Security Rule and related regulations, which the HHS Office for Civil Rights enforces.

What information qualifies as PHI or ePHI

The Privacy Rule defines PHI as individually identifiable health information that relates to an individual's past, present or future health condition, the provision of health care to that individual, or payment for that care, and that is created, received, held or transmitted by a covered entity or its business associate.

In the workplace, enrollment records, claims and other medical records that an employer receives from its group health plan in order to administer that plan are PHI (or ePHI when held electronically). Health information that the employer collects for its own purposes as an employer, rather than to administer the plan, is not PHI or ePHI.

When an employee provides health information directly to the employer to document a workers' compensation claim or sick leave, that information is not PHI or ePHI. On the other hand, if you contact the employee's health care provider, anything the provider discloses to you is governed by the Privacy Rule, and the provider will generally need the employee's written authorization to release it. Employment records are excluded from the definition of PHI even when they include health-related information.

What HR should know about HIPAA

If your organization offers employees a covered health plan, it’s critical to determine whether you need to be HIPAA compliant.


HIPAA Is Not Do It Once and You’re Done


Guest post by Lea Chatham, Editor-in-Chief, Getting Paid Blog

I remember when the Health Insurance Portability and Accountability Act (HIPAA) passed. I was working for a leading practice management software vendor. Everyone was overwhelmed by what was involved. We developed a huge amount of education and information for our customers. Some people wondered if the healthcare industry could make such a major change.

Today, HIPAA is ubiquitous. Many practices take it for granted. They are not concerned about a breach because they believe they have done everything they need to do. In a recent MedData Group study of physicians' top practice management priorities for 2015, HIPAA didn't even make the list.

“We instigated HIPAA when it came out, and it is in place and second nature to us,” said Joann Lister, a provider at a family medicine practice in Texas. “We have all worked at the hospital so we had plenty of training on the rules. Our physical space and computers are confidential. Our practice management and EHR software, Kareo, always goes back to login when we are done in a room so the next patient does not see anything. We have limited personnel so it is easier to know that everyone honors the HIPAA rules.”

The question is: Have practices gotten too complacent with HIPAA? With the most recent changes to HIPAA, the Omnibus Final Rule whose compliance deadline fell in September 2013, have they followed through on making changes and updates? The data and the experience of industry experts and consultants suggest that there may be a problem with HIPAA compliance.

“The last analysis we did for a practice had 41 pages of regulations that required implementation,” recalled practice management consultant Rochelle Glassman, CEO of United Physician Services. “Most practices do not know what the complete requirements are. They believe that if they have the patients sign the privacy form that is all they need to do. This year there were updates that included the new HITECH Act and the HIPAA Omnibus rule. I can guarantee that many practices have not updated their HIPAA program to include the changes because they do not even know they exist.”
