Employers: What You Need to Know about HIPAA Compliance
With the possibility of facing staggering fines for violating the Health Insurance Portability and Accountability Act of 1996, organizations are well advised to fully understand HIPAA’s privacy and security rules and what is required of them.
Which employers have to comply with HIPAA?
Employers that sponsor one or more self-insured, HIPAA-covered group health plans—group health, dental, vision, pharmacy benefits, long-term care, health care reimbursement flexible spending accounts, or employee assistance programs—are required to comply with all relevant HIPAA regulations.
When it comes to the HIPAA privacy rule, what must covered entities do to protect consumers of health care?
The privacy rule protects individuals from unauthorized disclosure of any protected health information or PHI.
Covered entities must:
- adopt written PHI privacy procedures (these must include safeguards for the administration of PHI, the physical security of such information, and electronic and other technical security; they should also designate a privacy officer and explain the complaint and resolution process);
- designate a privacy officer;
- require their business associates to sign agreements respecting the confidentiality of PHI;
- release only as much information as is necessary to address the need of the entity requesting it;
- train all of their employees in privacy rule requirements;
- provide individuals with:
  - written notice of the covered entity’s privacy practices and access to their medical records;
  - a chance to request modifications to the records;
  - a chance to request restrictions on the use or disclosure of their information;
  - a chance to request an accounting of any use to which the PHI has been put; and
  - a chance to request alternative methods of communicating information;
- establish a process for patients to use in filing complaints and for dealing with complaints; and
- take any measures necessary to see that PHI is not used for making employment or benefits decisions, marketing, or fundraising.
What is the HIPAA security rule?
In contrast to the privacy rule that applies to all forms of protected health information (including oral, paper, and electronic), the HIPAA security rule applies only to electronic protected health information or ePHI.
The types of ePHI that must be kept secure include data in motion (such as email), data at rest (such as that kept in databases, servers, flash drives, etc.), data in use (in the process of being created, retrieved, updated or deleted) and data disposed (data that has been discarded).
The security standards are divided into three categories:
- Administrative safeguards: the administrative functions that should be implemented, including assignment or delegation of security responsibility to an individual and security training requirements.
- Physical safeguards: the mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion; these include restricting access to ePHI and retaining off-site computer backups.
- Technical safeguards: primarily the automated processes used to protect data and control access to it, including authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, and encrypting and decrypting data as it is stored and/or transmitted.
For more in-depth information on the above, please visit the US Department of Health and Human Services website.
HIPAA can be a very complex subject with many requirements. Covered entities would be well served by discussing any questions they may have with a lawyer experienced in the area.
Should you have any questions related to HIPAA, please contact us online or call our offices at (561) 653-0008. At Scott • Wagner and Associates, our approachable and knowledgeable attorneys are dedicated to providing skilled legal representation for your unique situation.