HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (“HIPAA”) COMPLIANCE AND BEST PRACTICES

The Health Insurance Portability and Accountability Act (“HIPAA”) applies not only to healthcare providers, but to health plans, including multiemployer plans. It was established and designed to protect against the unauthorized use and disclosure of personal health information (including any electronic records). In a constantly changing environment, HIPAA compliance can prove to be an onerous task. While not exhaustive, this blog provides five “must do” tips for HIPAA compliance:

  1. Know what information is protected under HIPAA: Not all information is protected under HIPAA. To fall under the law, the information must be what is known as “Protected Health Information,” commonly referred to as “PHI.” PHI is any individually identifiable health information that is created or received by certain entities, such as a health care provider or health plan. For information to be “individually identifiable,” it must contain facts that allow the reader to know to whom the information pertains. For example, this could include obvious pieces of information, such as a name or date of birth. However, it can also include something less conspicuous, such as vehicle information or a web URL. On the other hand, information such as employment records or education records is specifically excluded from being considered PHI.
  2. Know When PHI can be Disclosed Without the Individual’s Consent: HIPAA allows covered entities to disclose PHI without the individual’s consent when it relates to health treatment, payment, and/or other health care operations. For example, a health insurer or TPA would not need an individual’s consent to share medical records/data to handle a prior authorization request. Additionally, information can be shared between entities that have entered into an agreement to keep the information confidential, called a Business Associate Agreement.
  3. Provide a Privacy Notice: A Privacy Notice explains individual rights and responsibilities under HIPAA. This notice must be provided by certain entities to individuals, redistributed upon amendment, and posted on the entities’ website. An example of this notice can be found on the Department of Health and Human Services’ website at:

     https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/nppbooklet_health_plan.pdf

  4. Implement and Follow Simple Security Measures: HIPAA requires certain security measures to prevent those not authorized to obtain PHI from obtaining it. This includes password requirements, locking certain workspaces or cabinets, using only secure networks to access PHI, and using destruction methods for items containing PHI that render the PHI unusable, unreadable and/or indecipherable to unauthorized individuals.
  5. Train Employees Who Have Access to PHI: HIPAA training is required periodically, when there are significant changes to the law, and when an employee first begins employment with an entity subject to HIPAA. Keeping employees up to date and apprised of their responsibilities under HIPAA will help safeguard entities from becoming the subject of a violation and possibly a (hefty) fine.

Complying with HIPAA’s privacy and security rules is not a “set it and forget it” task. Instead, it is an ongoing process that requires companies and plan sponsors to continually assess potential risks and proactively work to protect data from those threats.