Maintaining Compliance and Keeping HR in the Loop
In your ongoing efforts to build an office culture of compliance, remember that HIPAA requires covered entities to establish and implement written policies and procedures that are consistent with its Privacy and Security Rules. It is also important for your Human Resources officer(s) to be involved in HIPAA compliance issues in the business.
The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), has begun its Phase 2 HIPAA Audit Program. The Program focuses on the policies and procedures adopted and employed by covered entities and their business associates to meet the requirements of the Privacy, Security, and Breach Notification Rules. If a group health plan is selected for an audit, it has a very short time to produce its policies and procedures (10 business days). If the group health plan cannot comply (for example, because it has no written policies and procedures), OCR will likely impose corrective measures, which can include costly civil monetary penalties.
HIPAA policies and procedures have important functions, including but not limited to:
- Limiting uses and disclosures of Protected Health Information (“PHI”) to the minimum amount reasonably necessary to achieve the purpose of the use or disclosure;
- Identifying the workforce members who need access to PHI and electronic PHI (“e-PHI”) to carry out their duties, the categories of PHI that they need, and any conditions under which they need the PHI to do their jobs;
- Ensuring appropriate protection of e-PHI when it is transferred, removed, or disposed of, and when electronic media is re-used; and
- Ensuring that e-PHI is not improperly altered or destroyed.
However, it is not sufficient for a covered entity merely to adopt HIPAA policies and procedures. The health practice office must also:
- Designate a privacy and security official to develop and implement policies and procedures;
- Train applicable workforce members on its policies and procedures as necessary for them to carry out their functions, and apply appropriate sanctions against workforce members who violate its policies and procedures;
- Periodically assess how well its policies and procedures meet the requirements of the Security Rule; and
- Designate a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
There is no template for HIPAA policies and procedures. Instead, employers have the flexibility to design policies and procedures that are appropriate for their size, organizational structure, and the risks to their PHI and e-PHI. Furthermore, as employers evolve, so should their policies and procedures. For example, if an employer adopts a telework policy, it should review whether its policies and procedures adequately address remote access to e-PHI.
In summary, although this is not a new requirement, new technologies, evolving business and regulatory practices, and impending HHS audits are all reasons for employers to review their HIPAA policies and procedures and make sure they are compliant and up to date. Many HIPAA policies inherently overlap with Human Resources duties: training, disciplinary actions and employee health information, for example.
The increase in audits, combined with changes in technology, the addition of health and wellness programs and concerns about hacking, serves as a good reminder of why employers should revisit HIPAA training often and collaborate with HR to ensure compliance.
Many of the employers facing fines are healthcare providers, health plans or healthcare clearinghouses (organizations considered covered entities under HIPAA). But most HR professionals also handle protected health information (PHI) to some extent, which puts them at risk of violating the HIPAA Privacy Rule.
Employers should have a written policy in place about how they handle PHI and designate PHI handlers and a HIPAA privacy officer. The policy should outline what types of information are considered PHI and how employers may and may not use it. It should also include a procedure for handling complaints and a process for employees to file them if they think their privacy rights are being violated.
Employees who may handle PHI should be trained on the dos and don’ts of handling protected health information, especially as it relates to electronic information. It is vital for the HR team to understand the implications of handling PHI in email, storing it in the cloud, or communicating about it through other electronic channels. And when discussing matters containing PHI with an employee, it is important to have a signed HIPAA authorization form for the release of that employee’s health information.
Lastly, the HIPAA privacy officer should review compliance documents and ensure that agreements with vendors who handle PHI, called “business associate agreements,” are up to date. The federal government considers vendors and subcontractors to be business associates if they handle PHI on behalf of the covered entity.
Source(s): http://www.hhs.com, http://www.jdsupra.com, https://www.benefitnews.com, http://www.hcsiinc.com
I read your blog on a daily basis. This is a really great and informative post. Thanks for sharing.