HR Managers & HIPAA Compliance

Human resource managers who are not directly involved in healthcare or health insurance still need to give due consideration to compliance with the Health Insurance Portability and Accountability Act (HIPAA).

According to estimates, a third of all workers and their dependents receive occupational healthcare benefits via a self-insured group health plan. While this does not mean a self-insuring business is automatically governed by HIPAA regulations, chances are that the HR manager will ultimately be responsible for insurance-related projects. Because of projects like this, there is no doubt that the staff who report to the HR manager will be expected to handle Protected Health Information (PHI).

The Significance of HIPAA Compliance for HR Managers

The original aim of the Health Insurance Portability and Accountability Act (HIPAA) was to enhance the portability and continuity of health insurance coverage. As the Act proceeded through Congress, amendments were added aimed at tackling waste, fraud and abuse in the health insurance and healthcare sectors.

The ultimate result of these amendments was the creation of the HIPAA Privacy and Security Rules, established to limit access to and use of PHI. It was envisaged that they would give patients and members of group health plans complete control over how their personal information is used. For example, healthcare organizations can no longer use a patient's PHI for marketing campaigns without first obtaining adequate authorization from the patient.

An additional aim of limiting access to PHI is to stop any individual from using another person's PHI to obtain free healthcare, which is a form of identity theft. As the expense of medical treatment has grown, so have the profits that can be made from selling private healthcare data illegally. A 2014 report estimated that a full dossier of healthcare data on the black market is worth upwards of $1,200.

HR Managers & Major Areas of HIPAA Compliance

There are four major areas of HIPAA compliance with which HR managers should be very familiar. These relate to knowing the key elements of the Privacy and Security Rules, helping workers understand their obligations under HIPAA legislation, securing the PHI of staff, and working with the Covered Entities and Business Associates with whom PHI is shared.

  1. Always Share Updates and Reminders of Privacy Practice Notices: Workers who are part of a self-insured group health plan must be given a Privacy Practice Notice advising them of their HIPAA-related rights. The majority of Human Resources departments do this, but fail to share updates when privacy practices are amended and to issue a reminder at least once every three years.
  2. Never Assume the IT Department is Managing Security Rule Compliance: An IT manager is usually given the duties of the HIPAA Security Officer and is charged with seeing to it that every department within the business is compliant with the Security Rule. But this is not always the case, and HR personnel should not assume that responsibility for security lies elsewhere.
  3. Remember State Privacy Legislation: The relationship between HIPAA and state privacy legislation causes a lot of confusion for some individuals. HIPAA takes precedence over state privacy legislation that offers a lesser level of protection, but not over legislation that offers a higher level of privacy protection. When working towards HIPAA compliance, HR managers should not overlook state legislation.
  4. Create a Written Policy for Investigating & Settling Complaints: While it is not a requirement under HIPAA, a policy should be created to record privacy complaints, reviews and resolutions. This will help the HR manager if an employee chooses to pursue their complaint with the Department of Health & Human Services.

Conclusion: HIPAA Training is Crucial

For a Human Resources manager to be fully confident that they are doing everything possible to prevent a HIPAA breach at their organization, they must ensure that a HIPAA training programme has been implemented for all members of staff. Taking this step will not only prevent practically all HIPAA breaches, but will also be viewed with approval should there ever be a HIPAA investigation at the entity in question.