The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the confidentiality of sensitive patient health information and restricts its disclosure without the patient's consent or knowledge. The regulations are enforced by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), which investigates and fines covered entities and business associates for breaches of protected health information (PHI). PHI is individually identifiable health information (any information in a medical record that could identify the person) that is created, received, or used in the course of providing or paying for health care.
HIPAA's Privacy and Security Rules apply only to covered entities and business associates. The regulations define "covered entities" as: (1) health plans; (2) health care clearinghouses; and (3) health care providers that electronically transmit any health information in connection with transactions for which the U.S. Department of Health and Human Services (HHS) has adopted standards. HIPAA also governs business associates, meaning vendors that create, receive, maintain, or transmit PHI while performing services for or on behalf of a covered entity.
Most employers are not covered entities. An employer that provides health coverage to employees through an insurance policy is generally not responsible for HIPAA compliance, because the insurance company is the covered entity required to comply. The employer may, however, subject itself to HIPAA obligations if it chooses to receive PHI from that insurer.
Because HIPAA originated as a law governing how workers carry insurance and health care coverage between jobs, its regulations reach into the workplace in intricate ways. They protect the health and medical records of employees who work for covered employers and of those whose employers administer group health plans. HIPAA mandates data protection by any covered entity or business associate that creates, receives, stores, transmits, or uses individually identifiable health information. Employers that fall into either category should therefore work to be in compliance with HIPAA regulations.
HIPAA and Human Resource (HR) Managers
In ensuring HIPAA compliance, HR managers should make sure that employees can switch health insurance providers and transfer their health records without losing coverage. The HIPAA Journal identifies four major areas of HIPAA compliance for HR: (1) understanding the Privacy and Security Rules, (2) helping employees understand their rights, (3) safeguarding employees' PHI, and (4) managing relationships with the covered entities and business associates with whom PHI is shared. While keeping these areas in mind, it is important to recognize that HIPAA does not protect employment records as such; it protects the medical and health plan records generated as part of an employer-sponsored health plan. Thus, if the organization offers a self-insured health plan to employees, the HR team is likely to be held to HIPAA compliance standards.
When handling employee PHI, HR managers must be aware of the HIPAA Security Rule. The Security Rule sets out administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that a covered entity creates, receives, uses, or maintains. To meet the administrative safeguard standards, covered entities must establish policies and procedures and deliver them to the workforce through training (commonly given annually). These standards include reducing vulnerabilities in PHI security by conducting HIPAA risk assessments, designating a security official responsible for developing and implementing security policies and procedures, and restricting access to ePHI by personnel who do not need it.
HIPAA risk assessments are essential to compliance. They identify potential risks that can be addressed within a reasonable time frame, preventing violations that could result in penalties. The Security Rule has required covered entities to perform a risk analysis since it took effect, and the 2013 Omnibus Final Rule extended that requirement directly to business associates. A full risk assessment proceeds in five main steps: defining the flow of information, identifying threats and vulnerabilities, conducting an initial risk assessment, developing control recommendations, and finally conducting a residual risk assessment. Following these steps, and repeating them as systems and vendors change, lets an organization show that it is in compliance with HIPAA and prevent violations that could result in penalties.
Failure to enter into HIPAA-compliant business associate agreements with vendors that are provided with, or given access to, PHI is one of the most common violations. These agreements need to be revised in accordance with the Omnibus Final Rule, which came into effect in 2013 and expanded HIPAA obligations: HIPAA now applies directly to business associates and their subcontractors, the breach notification standards were modified, and patients' rights to access and restrict their PHI were expanded.
Violations discovered during HIPAA compliance audits or investigations can result in civil and, in some cases, criminal penalties. Civil penalties are tiered and start at $100 per violation (adjusted for inflation); criminal penalties for knowing violations range up to $250,000 in fines and 1 to 10 years in prison, depending on whether the violation involved false pretenses or intent to sell PHI or cause harm. Although it can be difficult for employers to apply HIPAA sanctions to employees who break the rules, a sanctions policy is itself required, and consistent enforcement is vital for the wellbeing of the company given the penalties that can apply.