HIPAA Review: 4 Steps to Ensure Compliance as an Employer
We are hearing about changes to the Health Insurance Portability Accountability Act (HIPAA) Privacy Rule, which has been protecting patient and employee’s health information since it was passed in 1996. Mostly these changes are affecting health-related organizations. Now the Department of Health and Human Services (HHS) is moving forward in modifying the regulations to allow certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, due to specific mental health reasons are prohibited by Federal law from having a firearm.
This change will enable for better reporting of the identities of those individuals to the background check system, while continuing to strongly protect individuals’ privacy interests. Mostly health care organizations working directly with patients’ medical information are affected by this modification.
However, HIPAA laws apply to companies that are not in the health care industry. For businesses that administer health insurance plans, as well as any other health-related benefits and information about employee health conditions, they must ensure this information is secured according to the HIPAA regulations.
So what can you do as an employer to safeguard your employees’ health information? Here are the top four recommendations we recommend our clients follow to ensure they are abiding by the HIPAA regulations.
HIPAA Review: 4 Simple Steps to Ensure Compliance as an Employer
- Protect the Employee’s Medical Records: This means any information regarding an employee’s health must be secured so only authorized users have access to this information. In other words, only certain employees within your company who are dealing specifically with health-related information need this access. This information should be password-protected or locked in a secured drawer or filing cabinet. It is advisable that employees handling this sensitive information should keep a log that details any release or transfer of information.
- HIPAA Training: Those employees in your company who are required to handle health-related information (a company wellness program, medical insurance policy information, enrollment forms for health plans or flexible spending account) should receive training on the HIPAA guidelines and the proper handling of sensitive information. If these employees are not properly trained and they disclose information about another employee’s health, your company could be found liable for this breach.
- Compliance as a Priority: Compliance should be a priority within your organization. This may require hiring a consultant to help with the planning, auditing and implementation of company policies related to HIPAA. Companies need to document the policies they have implemented to ensure they are complying with the HIPAA regulations. The policy should outline how those employees with access to health information are securing the documents, and when they are legally required to disclose any of this information. In addition, you should outline the consequences should an employee violate your HIPAA policies.
- Employee Absences: Provide training to manageres on HIPAA requirements. Managers must not disclose to other employees any details of another employee’s medical absences unless the employee provides consent to release this information.
Ensuring you are compliant with the current HIPAA regulations and keeping abreast of any changes is critical to your business, and often gets overlooked. Take small steps toward compliance now before it becomes too much of a burden.