Why HR managers should review their HIPAA procedures
HIPAA audits are on the rise, and so are the associated fines. In 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights collected $23 million in fines, a 300% increase over 2014, the previous record year for fines.
The increase in audits — combined with everything from changes in technology to the addition of a health and wellness program to concerns about hacking — serves as a good reminder of why employers should revisit HIPAA training often to ensure compliance.
Many of the employers facing fines are healthcare providers, health plans or healthcare clearinghouses (organizations considered covered entities under HIPAA). But most HR professionals handle protected health information (PHI) to some extent, which puts them at risk of violating the HIPAA Privacy Rule.
Employers need a formal approach to HIPAA
Employers should have a written policy in place about how they handle PHI and designate PHI handlers and a HIPAA privacy officer. The policy should outline what types of information are considered PHI and how employers may and may not use it. It should also include a procedure for handling complaints and a process for employees to file them if they think their privacy rights are being violated.
Employees who may handle PHI should be trained on the dos and don’ts of handling protected health information — especially as it relates to electronic information. It’s vital for the HR team to understand the implications of handling PHI in emails, storing it in the cloud, or communicating about it over other electronic channels. And when discussing matters containing PHI with an employee, it’s important to have a signed HIPAA authorization form for the release of employee health information.
Lastly, the HIPAA privacy officer should review health plan documents and ensure that agreements with vendors who handle PHI, called “business associate agreements,” are up to date. The federal government considers such vendors to be business associates of the plan sponsor.
As companies hit with steep fines in 2016 would tell you, the penalties for HIPAA violations can be high. They start at $100 per incident but can increase up to $25,000 per violation per year. These penalties can also be “stacked” if an individual commits more than one violation, or if more than one standard is violated.
In addition to federal rules, employers may also be subject to state privacy rules that further limit how PHI is used.
The increase in the number of audits, as well as changes in how employees might communicate about PHI or store it, makes it more important than ever to ensure you and your team have covered all the bases should your company be hit with a HIPAA audit.