HIPAA Compliance Assessment
HIPAA (Health Insurance Portability & Accountability Act) drives the Standards for Privacy of Individual Health Information (the “Privacy Rule”). These standards, along with the HITECH (Health Information Technology for Economic and Clinical Health) “Security Rule” standards, address the security, use, and disclosure of individuals’ health information, “PHI” (personal health information), by organizations subject to the privacy rules. PHI is defined as individually identifiable health information relating to an individual’s past, present or future physical or mental health condition.
HIPAA’s three compliance areas include:
- The Privacy Rule, which restricts covered entities’ and business associates’ use and disclosure of an individual’s PHI
- The Security Rule, which requires covered physician practices to implement “administrative, technical, and physical safeguards” to ensure the confidentiality, integrity, and availability of electronic
- The Breach Notification Rule, which requires covered entities to notify affected individuals, the Secretary of the U.S. Department of Health & Human Services (HHS), and, in some cases, the media when they discover a breach of a patient’s unsecured
How Does HIPAA Apply to Your Company?
The level and extent of HIPAA compliance requirements vary based on whether your company is considered a “covered entity”. However, even businesses that are not covered entities, and those excluded from HIPAA requirements, should still take basic steps to protect employees’ information.
Who and What is Excluded from HIPAA?
Any company or plan that does not meet the definition of covered entity or business associate is exempt from HIPAA rules. Exceptions include:
- Employers who don’t offer any HIPAA covered benefits like medical, dental, vision, or
- Non-HIPAA plans such as short-term and long-term disability, workers’ compensation, life insurance, accidental death and dismemberment, OSHA-required testing, auto liability insurance that includes payment for medical damages, and stop-loss coverage
- Plans with fewer than 50 participants that are administered and maintained solely by the employer that established the plan, with no outside third-party administrator (TPA) or vendor used in administering the plan
If you fall into any of these categories, you are excluded from HIPAA regulations. Document your determination of exclusion from HIPAA regulations and retain it for your records.
Covered entities fall into three categories:
- Health plans
- Health care providers that conduct certain types of transactions in electronic form
- Health care clearinghouses
Health plans include private health insurance companies, government health insurers, employer-sponsored group health plans or HMOs (both fully insured and self-funded plans), FSAs, dental and vision plans, EAP programs (unless referral only), HRAs, HSAs and, typically, insured supplemental plans.
A business that is a medical office, works in the medical field, or is an insurance provider, insurance issuer, broker, hybrid entity (an organization that has a component that is a “covered” health care provider and whose activities include both “covered” and “non-covered” functions) or agency that processes medical and/or claims information needs to ask itself a more comprehensive set of questions to determine its level of compliance need and to ensure proper steps are taken to comply with HIPAA.
Covered entities have the flexibility and freedom to design their privacy policies and procedures as they see fit, as long as they are reasonably designed to ensure compliance with HIPAA requirements.
HIPAA Requirements for Most Employers
In general, most employers, meaning those who offer fully insured health benefits like medical, dental, or FSA to their employees, will fall into the “Health Plans” category under HIPAA regulations. However, their level of HIPAA requirements depends on how they maintain, transmit and receive PHI. Organizations can greatly minimize requirements by limiting their direct involvement in handling PHI. As long as the company doesn’t keep, transmit or receive PHI, its level of HIPAA obligation is minimal. The following steps will help these organizations comply with HIPAA:
- Define a HIPAA Privacy Officer responsible for handling and overseeing PHI relationships and dealings for the
- Review relationships with brokers, insurance providers and outside third party administrators to identify any areas of PHI transmission or use and obtain assurance of HIPAA
- Review the following company practices and procedures to verify whether PHI is used, stored or transmitted by the company to outside insurance providers, third-party administrators (TPAs), vendors or medical facilities:
  - Enrollment process, for PHI sent or received in electronic or paper form
  - Billing, invoicing, premium collection and remittance processes, for any
  - HR processes for employee file management, benefit management, and COBRA management, for PHI
- Take steps to eliminate handling of PHI, and where necessary secure any remaining PHI handling to protect employees’ privacy
- Create a HIPAA policy added to employee and leader
- Provide the HIPAA Privacy Notice to all participants, unless it is provided by the insurer. Note: this notice is provided as part of the all-in-one employee notification service offered by HR Service, Inc., and is included in our SPD Wrap documents; a sample template notice is also available under HIPAA
Sample policies, procedures and documentation forms can be found in the Compliance Basics Center under “HIPAA Tools”, “HIPAA Forms, Documents and Policies”, “Limited or Non-Covered Entity HIPAA Guidance Sample”.
Plans that require full HIPAA compliance
If your plan is a covered entity that keeps, receives and/or transmits PHI, full HIPAA requirements apply, and you should, at a minimum, have written policies and procedures that include:
- Documentation of your covered entity assessment process and findings
- A risk assessment and analysis covering:
  - Facilities or other places where patient/employee health data is accessed
  - Computer equipment, servers, and mobile/portable devices like tablets and cell phones
  - Physical, visual or auditory access to employee/patient data
- Designated Security Officer
- Workforce training and oversight
- Work information access controls
- Scheduled/periodic security reassessment
- Secure, authorized electronic exchange of employee/patient information
- Measures that keep electronic employee/patient information from improper or unapproved changes
- Controls for access to employee/patient information
- User access and activities audit logs
- Measures to prevent data loss
Policies and Procedures
- Clearly written workflow policies and procedures
- HIPAA security compliance procedures (employee/patient notifications and breach compliance)
- Documentation of policies and procedures
There are many other requirements for those entities held to full HIPAA compliance. For a complete list of HIPAA requirements, forms, policies, and templates visit the “HIPAA Tools” section in the Compliance Basics Center available to all HR Service clients.
The above information is a simplification of “Health Plan” HIPAA requirements. Covered entities, especially health care providers and clearinghouses, should refer to “Covered Entity Determination” for a comprehensive checklist to determine HIPAA applicability under the federal HIPAA Privacy, Security and Breach Notification Rules. Other resources include a “HIPAA Privacy and Security Compliance Guide Checklist” with additional resources, guidance, forms/tools and steps for establishing, implementing and maintaining a HIPAA compliance program.
About HR Service, Inc.
HR Service provides broker and client solutions for benefit ERISA compliance and HR, ensuring organizations meet ERISA and Department of Labor (DOL) requirements for: Summary Plan Description Wraps (SPD Wraps), Employee Notifications, 125 Premium Only Plans (125 POP), Summaries of Material Modification (SMM), Health Insurance Portability & Accountability Act (HIPAA), ACA Reporting, and Employment Laws. Our web-based SPD Wraps, Employee Notices, 125 POPs, and ACA Reporting tools make it easy to comply with ERISA.