
HIPAA Violations: Prevention & What To Do

Knowing is half the battle when it comes to HIPAA violations. Being aware of where potential pitfalls are and how to avoid them is the best policy when working to avoid potentially costly fines.


Monday, December 10, 2018


Workplace HIPAA violations concern all businesses, including healthcare providers as well as covered entities and their respective business associates. Employers, specifically those that require health information for disability benefits or provide healthcare to their workers, can infringe HIPAA. Because a HIPAA violation can occur in a workplace as part of routine human resources tasks, all organizations ought to know how to safeguard themselves and their workers.

What does a HIPAA Workplace Violation mean?

What is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, was passed into law in 1996. It aims to protect people’s health information, particularly when they move from one job to the next. In 2003, the United States Department of Health and Human Services, or HHS, enacted the Privacy Rule. Later, in 2005, there was a Security Rule amendment to HIPAA aimed at electronically stored protected health information (ePHI).

What employee details are considered PHI or ePHI?

The HIPAA Privacy Rule covers any health plan records or medical records that you gather in order to implement your employee healthcare strategies. However, it does not apply to employment records, regardless of whether they include health-based information.

What information does a human resources department require to know?

Most human resources divisions handle employee medical benefits. Hence, if you offer your workers a covered healthcare plan, you ought to decide whether you meet all the conditions of the Security Rule.

  • For starters, focus on the number of individuals involved and the type of plan you put in place.
  • If your plan covers at least 50 participants, then the Security Rule is applicable.
  • If there are fewer than 50 participants, then ask yourself whether a third party oversees your healthcare insurance plan. If the response is yes, there may be no cause for alarm regarding violations of the HIPAA Security Rule.
  • Do you act as the plan sponsor, especially for a group healthcare plan? In most cases, the response to this question is yes. However, the confusing bit is that even though you only function as the sponsor of the plan, you might still be acting as the plan administrator.

What does a security management process mean?

The first move in safeguarding your business from a HIPAA workplace violation is carrying out a risk analysis. You have to identify all the information housed in your organization, where the data is stored, and the possible vulnerabilities and risks that can affect the availability, integrity, and confidentiality of ePHI.

Upon completing the risk analysis, make sure that you develop security measures to minimize the possibility of those weaknesses or risks reoccurring. To mitigate such risks, ensure that you put in place processes, policies, and procedures that safeguard the information.

After creating security measures, ascertain that they work appropriately. When reviewing them, you need to take both a non-technical and a technical point of view. In the course of this evaluation, you may discover that a given security measure is no longer useful. Hence, you have to adjust all your controls to respond to environmental, technological and employee changes.

What employee information requires protection to avert a workplace HIPAA violation?

Even when you recruit a third-party administrator to help you manage your health insurance plan, your company’s human resources department has to continue accessing ePHI and PHI. If the HR and benefits team manages the healthcare program with the vendor, then the information may fall under HIPAA.

How can a company protect ePHI and PHI that is still being accessed by its HR department?

To begin with, your human resources and benefits staff ought to catalog all the information conveyed, how it is stored, and how they utilize it in carrying out their administrative duties.

Moreover, such teams need to know that their interactions with the third-party service provider are subject to the Security Rule. Hence, you have to come up with policies and processes that protect information both in transit and at rest. The safeguards should incorporate your emails with vendors, the Internet, and your intranet.

Lastly, make sure that your IT team establishes access controls. What’s more, the IT and HR teams have to collaborate to decide which employee groups require access to each of the controls and to define who can search, delete, change, create, read and modify your files’ security configurations.

How can you protect your company against perceived HIPAA violations?

The challenging part of identifying whether a HIPAA violation took place in your organization is knowing who shared the information and how they accessed it.

Although HIPAA does not take into account personal records and files, workers may find it difficult to understand this concept. As such, some of them may file violation cases with the Office for Civil Rights. To avoid spending time and money to investigate and defend such claims, ensure that your HR team develops procedures and policies that safeguard all records that employees assume are protected.