HR Managers & HIPAA Compliance

by Patrick Kennedy | Mar 3, 2021

Most HR managers will be aware that if the organization operates a self-funded health insurance plan which is also self-administered, employees with access to protected health information (PHI) are required to undergo HIPAA training.

HIPAA training should be provided when an employee starts working in the department administering the health insurance plan and whenever there are material changes to policies, processes, or technology. Refresher training should also be provided periodically.

The training itself should cover the relevant sections of the HIPAA Privacy and Security Rules, depending on the nature of the employee's role, and should also include security awareness training – as it is failings in this area of HIPAA compliance that most often result in HIPAA violations.

The Significance of HIPAA Compliance for HR Managers

The original aim of HIPAA was to improve the portability of health insurance coverage when individuals move between jobs. As the Act proceeded through Congress, HIPAA had provisions added to reduce waste, fraud, and abuse in healthcare. The Act also called for the Secretary of the HHS to suggest ways to protect individuals’ rights over their health information and improve patient privacy and data security. The result was the creation of the HIPAA Privacy and Security Rules.

The HIPAA Privacy Rule placed restrictions on uses and disclosures of PHI and gave patients and members of group healthcare plans rights over their healthcare data. For example, healthcare organizations could no longer use a patient’s PHI in their marketing campaigns without first getting authorization from the patient. Patients were also allowed to obtain a copy of the healthcare data held by their provider or health insurer.

An additional aim of limiting access to PHI is to stop an individual from using another person’s PHI to obtain free healthcare – termed medical identity theft. As the cost of medical treatment has grown, the value of medical records on the black market has soared. According to a 2014 report, a full dossier of healthcare data on the black market was valued at $1,200 or more. It is no surprise with such a high value that healthcare data is targeted by threat actors.

HR Managers & Major Areas of Noncompliance with HIPAA

HR managers in organizations operating self-funded and self-administered health insurance plans need to be fully aware of the HIPAA regulations, because it is not only employees working in administration who may obtain access to PHI.

They must be familiar with the safeguards that ensure the privacy and security of PHI in all departments, understand the difference between employment records and health information, and be aware of the need to enter into business associate agreements with vendors and service providers where necessary.

There are several areas of the HIPAA Rules that are often unwittingly violated. Four elements of compliance that often get overlooked by HR managers are listed below:

Share Updates to Notices of Privacy Practices: Workers who are part of a self-insured group health plan must be given a Notice of Privacy Practices. The NPP advises them of their HIPAA-related rights and how their PHI will be used and disclosed. Many human resources departments fail to share updates when privacy practices are changed and do not send NPP reminders to group health plan members with the required frequency (at least every three years).

Assuming the IT Department is Managing Security Rule Compliance: An IT manager is often given the role of HIPAA Security Officer and is charged with ensuring every department is compliant with the HIPAA Security Rule. The HR department should not assume that Security Rule compliance is the sole responsibility of the IT department as the Security Rule includes clauses relating to physical access and administrative requirements.

Remember State Privacy Legislation: There is often confusion about state privacy legislation. HIPAA is a federal law that sets minimum standards for data privacy and security. States can implement much stricter requirements (for example, HB 300 in Texas). When trying to achieve HIPAA compliance, HR managers must also take into consideration the privacy and security requirements of state legislation.

Create a Written Policy for Investigating & Settling Complaints: While it is not a requirement under HIPAA, a policy should be created to record privacy complaints, reviews, and resolutions. This will help the HR Manager if an employee decides to file a complaint with the Department of Health & Human Services’ Office for Civil Rights.

Conclusion: HIPAA Training is Crucial

For a Human Resources manager to do everything possible to avoid a HIPAA breach, they must ensure a HIPAA training program has been implemented for all members of staff. Taking this step will go a long way toward preventing HIPAA breaches and will ensure that, if regulators conduct an audit, the organization can prove that training has been provided to employees and that it has met its responsibilities under HIPAA.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: