Most HR managers will be aware that if the organization operates a self-funded health insurance plan which is also self-administered, employees with access to protected health information (PHI) are required to undergo HIPAA training.
HIPAA training should be provided when an employee starts working in the department administering the health insurance plan and whenever there are material changes to policies, processes, or technology. Refresher training should also be provided periodically.
The training itself should cover the relevant sections of the HIPAA Privacy and Security Rules, depending on the nature of the employee's role, and should also include security awareness training, since failings in this area of HIPAA compliance are what most often result in HIPAA violations.
The Significance of HIPAA Compliance for HR Managers
The original aim of HIPAA was to improve the portability of health insurance coverage when individuals move between jobs. As the Act proceeded through Congress, HIPAA had provisions added to reduce waste, fraud, and abuse in healthcare. The Act also called for the Secretary of the HHS to suggest ways to protect individuals’ rights over their health information and improve patient privacy and data security. The result was the creation of the HIPAA Privacy and Security Rules.
The HIPAA Privacy Rule placed restrictions on uses and disclosures of PHI and gave patients and members of group healthcare plans rights over their healthcare data. For example, healthcare organizations could no longer use a patient’s PHI in their marketing campaigns without first getting authorization from the patient. Patients were also allowed to obtain a copy of the healthcare data held by their provider or health insurer.
An additional aim of limiting access to PHI is to stop an individual from using another person's PHI to obtain free healthcare, which is termed medical identity theft. As the cost of medical treatment has grown, the value of medical records on the black market has soared. According to a 2014 report, a full dossier of healthcare data on the black market was valued at $1,200 or more. With such a high value, it is no surprise that healthcare data is targeted by threat actors.
HR Managers & Major Areas of Noncompliance with HIPAA
HR managers in organizations operating self-funded and self-administered health insurance plans need to be fully aware of the HIPAA regulations, because it is not only employees working in administration who may obtain access to PHI.
They must be familiar with the safeguards that ensure the privacy and security of PHI in all departments, understand the difference between employment records and health information, and be aware of the need to enter into business associate agreements with vendors and service providers where necessary.
There are several areas of the HIPAA Rules that are often unwittingly violated. Four elements of compliance that often get overlooked by HR managers are listed below:
Share Updates to Notices of Privacy Practices: Workers who are part of a self-insured group health plan must be given a Notice of Privacy Practices. The NPP advises them of their HIPAA-related rights and how their PHI will be used and disclosed. Many human resources departments fail to share updates when privacy practices are changed and do not send NPP reminders to group health plan members with the required frequency (at least every three years).
Assuming the IT Department is Managing Security Rule Compliance: An IT manager is often given the role of HIPAA Security Officer and is charged with ensuring every department is compliant with the HIPAA Security Rule. The HR department should not assume that Security Rule compliance is the sole responsibility of the IT department, because the Security Rule includes clauses relating to physical access and administrative requirements.
Remember State Privacy Legislation: There is often confusion about state privacy legislation. HIPAA is a federal law that sets minimum standards for data privacy and security. States can implement much stricter requirements (for example, HB 300 in Texas). When trying to achieve HIPAA compliance, HR managers must also take into consideration the privacy and security requirements of state legislation.
Create a Written Policy for Investigating & Settling Complaints: While it is not a requirement under HIPAA, a policy should be created to record privacy complaints, reviews, and resolutions. This will help the HR Manager if an employee decides to file a complaint with the Department of Health & Human Services’ Office for Civil Rights.
Conclusion: HIPAA Training is Crucial
To do everything possible to avoid a HIPAA breach, a Human Resources manager must ensure that a HIPAA training program has been implemented for all members of staff. Taking this step will go a long way toward preventing HIPAA breaches, and it will ensure that, if regulators conduct an audit, the organization can prove that training has been provided to employees and that it has met its responsibilities under HIPAA.