Employers and HIPAA
Why should you care?
It’s a common mistake to assume that only large employers and medical providers would ever experience a security issue that would be considered an infraction under HIPAA. However, violations, complaints, and breaches can happen to anyone:
- In 2008 a sales representative of an insurance agency in the Southeast had a laptop stolen. The laptop contained the personal information of the employees of a local school district. The local press named the agency and reported that the laptop contained names, birthdates, Social Security numbers, and medical history information.
- A complaint about an insurance agency was lodged on a website where individuals seek legal advice. According to the complaint, an agent called the workplace of an employee’s spouse to follow up about her information on the medical history section of an application. The employee’s spouse was not at the office at the time, and instead of calling back, the agent asked personal medical-related questions to the spouse’s secretary!
- A Utah woman had her health plan enrollment information stolen. The information was then used by someone who had a baby. After the infant tested positive for the mother’s illegal drug use, authorities confronted the Utah woman and threatened to take away her other children. The woman was forced to prove she had not had a child in years and that she had been the victim of medical identity theft.
An employer is subject to HIPAA whenever they have access to an employee’s individually identifiable health information. This applies not only to self-funded employers, but to those with fully insured plans as well, depending on the plans that are offered and the way they are administered.
HIPAA noncompliance can result in:
- Civil and/or criminal liability for the employer if a breach occurs, even when the breach is the malicious act of a rogue employee
- Remedial penalties associated with random audits conducted by the HHS
- Remedial penalties due to employee complaints and the subsequent investigation by the HHS
- Bad press
Why risk it?
The number one cause of HIPAA-related mistakes is internal staff ignorance on the subject. Let our experts help ensure your organization is HIPAA compliant so you don’t have to worry.
What does it take to be HIPAA Compliant?
For an employer to be in compliance, they must establish written HIPAA policies and procedures that govern the plan’s use of PHI.
Other necessary steps include (but are not limited to):
- Determine what organizations and vendors are acting as business associates and enter into written agreements
- Implement reasonable physical and technical safeguards to protect PHI
- Create/Update Plan Documents, Notice of Privacy Practices, Business Associate Agreements, etc.
- Conduct a Security Risk Assessment
- Provide HIPAA training for employees who handle PHI