Businesses not directly involved in the healthcare or health insurance industries should nonetheless pay close attention to HIPAA compliance for HR departments. It has been estimated that a third of all workers and their dependents who receive employer-sponsored healthcare benefits do so through a self-insured group health plan.
Self-insuring does not automatically make the business itself a HIPAA Covered Entity (it is the group health plan, not the employer as plan sponsor, that is the Covered Entity and subject to the HIPAA Rules), but the HR department will almost certainly have some involvement in administering the plan. In carrying out those insurance-related tasks, HR personnel will come into contact with Protected Health Information, and the plan documents must restrict what the employer may receive and use.
Why HIPAA Compliance for HR Departments is Important
The original purpose of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries.
The Administrative Simplification provisions added by those amendments led the Department of Health and Human Services to issue the HIPAA Privacy Rule and Security Rule. The Rules restrict access to and use of Protected Health Information (PHI), primarily to give patients and members of group health plans control over how their personal information is used. For example, a healthcare organization can no longer use a patient's PHI for marketing without the patient's written authorization.
A further purpose of restricting access to PHI is to prevent one person using somebody else's PHI to obtain healthcare at that person's expense, which is medical identity theft. As the cost of medical treatment has increased, so has the value of healthcare data. A 2014 report calculated that a full dossier of healthcare data on the black market is worth upwards of $1,200; by comparison, a stolen Visa card number was worth about $4.
Major Areas of HIPAA Compliance for HR Departments
There are four major areas of HIPAA compliance in which HR personnel should be well-versed: understanding the key components of the Privacy and Security Rules, helping employees understand their rights under HIPAA, safeguarding the PHI of employees, and working with the Covered Entities and Business Associates with whom PHI is shared.
However, there are some areas of HIPAA compliance which, although not unique to HR, sometimes get overlooked in the effort to achieve HIPAA compliance:
Don't Assume the IT Department is Responsible for Security Rule Compliance
The Security Rule requires a Covered Entity to designate a security official, and that role is usually delegated to an IT manager, whose job is then to ensure every department within the company complies with the Security Rule. That delegation does not remove responsibility from HR. Several of the Security Rule's administrative safeguards are HR functions: workforce security (authorizing, supervising and terminating access), security awareness training, and applying a sanctions policy to workforce members who violate the policies. HR personnel should not assume that security is somebody else's problem.
Remember to Send Updates and Reminders of the Notice of Privacy Practices
Employees enrolled in a self-insured group health plan must be given a Notice of Privacy Practices informing them of their HIPAA-related rights and how the plan may use and disclose their PHI. Most HR departments remember to do this at enrollment, but some forget the follow-up obligations: a revised notice must be distributed when privacy practices are materially changed, and at least once every three years plan members must be reminded that the notice is available and told how to obtain it.
Maintain a Written Policy for Investigating and Resolving Complaints
The Privacy Rule requires a Covered Entity to provide a process by which individuals can complain about its privacy practices, and to document every complaint received and its disposition. A written policy that sets out how complaints are recorded, investigated and resolved turns that requirement into something the company can demonstrate. It will be of significant benefit to the company, and to the HR department in particular, if an employee pursues a complaint to the Department of Health and Human Services' Office for Civil Rights.
Don't Overlook State Privacy Law Compliance
The relationship between HIPAA and state privacy laws is a source of confusion for some people. HIPAA preempts state privacy laws that are contrary to it and offer weaker protection, but it does not preempt state laws that are more stringent, which continue to apply alongside HIPAA. Some state laws also cover data that HIPAA does not, such as employee medical information held outside the group health plan. In the quest for HIPAA compliance, HR departments should not overlook state requirements.