HIPAA Audits Reveal Compliance Gaps

July 10, 2018

The Department of Health and Human Services has been auditing healthcare entities and others to evaluate whether they’re in compliance with the Health Insurance Portability and Accountability Act, or HIPAA.

CCIG’s Scott McGraw.

Typically, when federal health data privacy laws come up, the discussion is focused on a hospital or a medical group where a breach or violation occurred. But HIPAA’s privacy provisions also apply to certain employers and their human resource employees.

Whether you’re an employer with a fully insured, self-funded or self-administered health plan, you must comply with HIPAA privacy rules. Employers also may be considered HIPAA-covered entities if they provide certain wellness programs, employee assistance programs, medical reimbursement accounts, or operate on-site clinics.

The government imposed fines of more than $19 million in 2017 on entities it found out of compliance with HIPAA. Its latest round of audits is mostly intended to help employers and others improve their HIPAA compliance record, rather than to assess fines.

HIPAA requires safeguards to protect privacy and sets limits on what — if anything — can be disclosed without a patient’s or employee’s OK.

Under the law, patients have the right to view and receive copies of their health information and receive a notice when that information is used and shared. So, if an employer requests private health information, or PHI, about an employee, the employee would have the right to be notified that the information was shared with the employer.

Compliance Gaps in PHI

Although HHS has yet to release its findings from the audits, it has identified compliance gaps in the handling of PHI, as well as in security risk analysis and risk management.

According to HHS, many of the entities it reviewed were either fully or substantially out of compliance.

Although cases filed against employers have been exceedingly rare, those that sponsor group health plans should periodically review their compliance with the rules. That work should include identifying where their PHI is stored and how it is transmitted and received.

HIPAA training is also important. Employers should take care to document what was covered in their training sessions and which employees participated.

Any entity facing an audit should familiarize itself with the HIPAA audit protocols, which can be found on the Health and Human Services website.

Audit targets should also make sure to respond quickly to requests from auditors and provide all requested documents.

Scott McGraw is Vice President of CCIG’s Employee Benefits division. Reach him at 720-330-7924 or

CCIG is a Denver-area insurance brokerage with the full-service capabilities of a national brokerage. We do more than make sure you have the right policy. We also help you manage your long-term cost of insurance with our risk and claims management expertise and a commitment to service excellence.
