Many of us had envisioned that we would see less enforcement in the Health Insurance Portability and Accountability (HIPAA) compliance arena. This is not the case. According to the U.S. Department of Health & Human Services Office for Civil Rights (OCR) they had a record year in 2018. The news that the OCR is collecting record fines should cause us to pause and ask,
“What can I do to reduce the risk of failing a compliance audit?”
HIPAA and Plan Sponsors/ Employers
Before we answer that question, let’s first discuss how HIPAA might apply to you. For these rules to apply you must be considered what is called a “Covered Entity.” So, are employers considered a covered entity? One might think so, but this is not the case. The rules apply directly to the Group Health Plan (GHP). The GHP and employer or plan sponsor are considered separate legal entities.
So, does HIPAA apply to you as an employer and sponsor of a group health plan? Yes, but how? The employer at times may have to perform duties on behalf of the GHP that require it to have access to the Personal Health Information (PHI) of its members. This PHI is what is protected in the privacy rules contained in HIPAA. It is these rules that the employer and plan sponsor must agree to abide by. Therefore, even though the employer is not a covered entity it still must conduct itself in a way to follow the HIPAA rules as it performs the function as the administrator of the plan who may have access to PHI.
Note that if you are an employer that sponsors a GHP that is fully insured these rules will be limited and may not apply entirely. But if you are a self-insured group you must provide a certification that the PHI of the members of the GHP will be protected.
The HIPAA PHI Rules
Now that you have determined that you are an employer or plan sponsor who will have access to PHI, you should do the following:
- Assemble a task force;
- Designate a Privacy Officer and Security Officer;
- Conduct a PHI & electronic PHI (ePHI) inventory;
- Conduct a thorough risk assessment;
- Develop an ongoing risk management plan;
- Implement privacy and security policies and procedures, considering the health plan’s size and types of activities involving PHI & ePHI;
- Develop breach notification policy;
- Train workforce members on HIPAA policies and procedures;
- Adopt a sanctions policy for employees who fail to comply with applicable HIPAA requirements;
- Enter into Business Associate Agreements, as necessary with outside third parties; and
- Distribute a Notice of Privacy Practices to participants.
As you check the boxes above, here are the top two things to consider addressing quickly:
- Have a Business Associate Agreement in place. The lack of Business Associate Agreements (BAAs) with vendors that have access to PHI continues to be an issue. BAAs must be executed and should be signed prior to transmitting any PHI.
- Conduct a thorough Risk Assessment. Many of the enforcement actions involved parties that failed to conduct a proper risk assessment. A thorough assessment of potential security risks would have identified weaknesses and gaps in transmitting and maintaining PHI.
If you have not revisited your HIPAA policy lately, it may be time to take it off the shelf. OCR has not fined an employer group to-date, but that does not mean you are not at risk of an employee filing a complaint. All it takes is one phone call.
Contact Henderson Brothers, Inc. We have the tools and resources to help you get HIPAA compliant.
Please note that the information contained in this posting is designed to provide authoritative and accurate information, in regard to the subject matter covered. However, it is not provided as legal or tax advice and no representation is made as to the sufficiency for your specific company’s needs. This post should be reviewed by your legal counsel or tax consultant before use.