By Ken Lynch, CEO, Reciprocity, Inc.

Gibson Consultants Note: HIPAA has become a household issue during the past 22 years. However, with so many new healthcare companies being formed, a primer on its requirements, definitions, and compliance might be useful to new market entrants.

January 2019 – All organizations are required to adhere to HIPAA guidelines in the workplace. Healthcare providers, covered entities and business associates handle healthcare information and, therefore, are at risk of violating HIPAA regulations.

HIPAA workplace violations can occur during everyday processes. Therefore, it is critical for organizations to know how to protect themselves and their employees.

Overview of HIPAA Regulations

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The Act aimed at protecting the health information of individuals as they moved from job to job.

In 2003, Congress passed the Privacy Rule. The Act defines Protected Health Information (PHI) as any information that pertains to the health status, payment of healthcare or provision of healthcare of an individual, which is held by an entity.

The Security Rule of 2005 updated HIPAA to also cover electronic PHI (ePHI).

As healthcare providers increasingly rely on digital information platforms to share and store patient data, their risk of violating HIPAA regulations increases.

Does Your Employee Information Qualify as PHI or ePHI?

According to the HIPAA Privacy Rule, any health plan or medical records that you collect to administer your employee health care plans qualify as PHI or ePHI. However, employment records do not qualify as PHI or ePHI, even if they contain information related to employees’ health status or healthcare provision.

For example, when an employee submits healthcare information for the purposes of a workers’ compensation claim, the information does not fall under HIPAA Privacy Rule. On the other hand, if you contact the employee’s healthcare provider to inquire about his health status, the information you will receive falls under the Privacy Rule.

HIPAA Guidelines for Human Resources Department

The Human Resources department needs to understand the information that constitutes PHI and ePHI when dealing with employees. For example, if you provide employees with a covered health plan, HR should determine whether your organization meets the minimum threshold for complying with the Security Rule.

The requirements are:

• The plan should cover 50 or more employees
• The health insurance plan is administered by a third party
• The company is the plan sponsor of its employees’ group health care plan

If any of the above scenarios apply, then your firm should comply with the HIPAA Security Rule.

Security Management Process for Healthcare Providers

It’s critical for your organization to create a HIPAA workplace violation risk analysis. The analysis will involve determining all the information held by the firm, where the information is stored, and the potential risks and vulnerabilities that can impact it.

After completing the risk analysis, come up with measures of safeguarding the data. This may involve establishing processes, policies and procedures for handling, transmitting and storing personal health identifiable data. For example, you can implement multiple authentication protocols and restrict access to servers that hold ePHI data to only a few employees.

Finally, assess your security procedures to be sure that they work. Carry out regular reviews to check for both technical and non-technical vulnerabilities. The reviews should help you to identify potential risks and come up with mitigation measures to protect the data you are housing.

Protecting Employee Information to Prevent HIPAA Workplace Violation

Contracting a third party to manage your health insurance program does not completely leave your organization off the hook with regards to HIPAA since your HR department will still have access to PHI and ePHI.

To prevent HIPAA workplace violation HR and the benefits personnel need to understand what is covered under the Security Rule. Any communication with a third-party service provider that involves the transmission of employee PHI or ePHI must follow HIPAA guidelines. The same also applies for information that employees may submit to HR through the company intranet.

To prevent HIPAA workplace violations, your organization should follow standard industry data security policies and procedures for transmitting and storing PHI and ePHI. The policies should be incorporated in all communication avenues within the organization as well as with vendors.

The IT department needs to set up robust data security measures to prevent unauthorized access to systems, data files, and applications that carry or store PHI and ePHI. IT should also work hand-in-hand with the HR department to establish protocols for secure access and management of PHI and ePHI in the organization.

How to Prevent Perceived HIPAA Workplace Violations

To prevent HIPAA violations in the workplace, it is essential to know the type of information being shared and how it is shared.

Personal files and records are not considered PHI under HIPAA. Therefore, even if the records contain some health information about your employees, HIPAA regulations do not apply. However, some employees may not understand this and could file violations with the Office for Civil Rights (OCR). The ensuing investigations can be time-consuming and put a dent on your finances.

HR needs to develop policies for access and storage of records that employee perceive are protected. For example, access to all PHI and ePHI records should be restricted in the organization. Employees should be confident that the information they provide to your organization is secure.

Use Compliance Management Software

You can use compliance management software to map data storage and controls in the organization. Ideally, you want software with in-built industry frameworks such as NIST, PCI DSS, ISO, COBIT, HITRUST, COSO, and others to ensure proper HIPAA compliance. This helps keep everything consolidated and accessible for reporting and auditing.

Apart from this, assess your business partners regularly to ensure they are HIPAA-compliant, and you’ll have a straightforward road to getting and maintaining your compliance.

About the Author

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.