Maintaining Compliance and Keeping HR in the Loop

In your ongoing efforts to build an office culture of compliance, remember that HIPAA requires covered entities to establish and implement written policies and procedures that are consistent with its Privacy and Security Rules. It is also important for your Human Resources officer(s) to be involved in HIPAA compliance issues in the business, because many of those issues fall within HR's day-to-day duties.
The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), has begun its Phase 2 HIPAA Audit Program. The Program focuses on the policies and procedures that covered entities and their business associates have adopted and employ to meet the requirements of the Privacy, Security, and Breach Notification Rules. If a group health plan is selected for an audit, it has a very short time to produce its policies and procedures (10 business days). If the group health plan cannot comply (for example, because it has no written policies and procedures), OCR will likely impose corrective measures, which could include costly civil monetary penalties.
HIPAA policies and procedures have important functions, including but not limited to:
- Limiting uses and disclosures of Protected Health Information (“PHI”) to the minimum amount reasonably necessary to achieve the purpose of the use or disclosure;
- Identifying the workforce members who need access to PHI and electronic PHI (“e-PHI”) to carry out their duties, the categories of PHI that they need, and any conditions under which they need the PHI to do their jobs;
- Ensuring appropriate protection of e-PHI when it is transferred, removed or disposed of, and when electronic media that held it is re-used; and
- Ensuring that e-PHI is not improperly altered or destroyed.
However, it is not sufficient for a covered entity to merely adopt its HIPAA policies and procedures. The health practice office must also:
- Designate a privacy and security official to develop and implement policies and procedures;
- Train applicable workforce members on its policies and procedures as necessary for them to carry out their functions, and apply appropriate sanctions against workforce members who violate its policies and procedures;
- Periodically assess how well its policies and procedures meet the requirements of the Security Rule; and
- Designate a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.
There is no template for HIPAA policies and procedures. Instead, employers have the flexibility to design policies and procedures that are appropriate for their size, organizational structure, and the risks to their PHI and e-PHI. Furthermore, as employers evolve, so should their policies and procedures. For example, if an employer adopts a telework policy, it should review whether its policies and procedures adequately address remote access to e-PHI.
In summary, although written policies and procedures are not a new requirement, new technologies, evolving business and regulatory practices, and the impending HHS audits are all good reasons for employers to review their HIPAA policies and procedures and make sure they are compliant and up to date. Many HIPAA policies inherently overlap with Human Resources' duties: training, disciplinary actions and employee health information, for example.
The increase in audits, combined with everything from changes in technology to the addition of a health and wellness program and concerns about hacking, serves as a good reminder of why employers should revisit HIPAA training often and collaborate with HR to ensure compliance.
Many of the employers facing fines are healthcare providers, health plans or healthcare clearinghouses (organizations considered covered entities under HIPAA). But most HR professionals also handle protected health information (PHI) to some extent, for example through the employer's group health plan, which puts them at risk of violating the HIPAA Privacy Rule.
Employers should have a written policy in place about how they handle PHI and designate PHI handlers and a HIPAA privacy officer. The policy should outline what types of information are considered PHI and how employers may and may not use it. It should also include a procedure for handling complaints and a process for employees to file them if they think their privacy rights are being violated.
Employees who may handle PHI should be trained on the dos and don'ts of handling protected health information, especially as it relates to electronic information. It is vital for the HR team to understand the implications of sending PHI by email, storing it in the cloud, or communicating about it over other electronic channels. And before discussing matters containing PHI with an employee, it is important to have a signed HIPAA authorization form for the release of that employee's health information.
Lastly, the HIPAA privacy officer should review compliance documents and ensure that agreements with vendors who handle PHI, called “business associate agreements,” are up to date. The federal government considers vendors and their subcontractors to be business associates if they create, receive, maintain or transmit PHI on behalf of the covered entity.
Source(s): http://www.hhs.com, http://www.jdsupra.com, https://www.benefitnews.com, http://www.hcsiinc.com