HIPAA privacy regs: Six steps to compliance
By Kathryn L. Bakich
While the HIPAA privacy regulations are complex, and satisfying their requirements involves a multifaceted, ongoing effort, understanding what is involved is easier if you break the work down into the following six elements:
How your organization is affected: The answer depends on whether you are a "covered entity" (e.g., a typical employer-sponsored health plan), a "hybrid entity" (a single legal entity that performs both covered and noncovered functions) or a "business associate" (for example, a TPA). In addition, you need to know which of the health and welfare benefits you offer are actually covered by the HIPAA privacy rules.
For example, disability, workers' compensation and life insurance benefits are not covered; medical, hospital, prescription drug, behavioral health and other health benefits are. You also need to look closely at benefits such as Employee Assistance Programs (EAPs) to determine whether they are an ERISA plan and, consequently, a covered entity under HIPAA. And don't forget to look at the elements of your flexible spending arrangements that may be covered.
Provider relationships: First, pinpoint all the "business associates" that provide services to your health plan and determine what changes will be required in their operations (including the reports they generate and how they handle individual privacy rights).
Next, prepare a business associate agreement (or obtain one from the business associate) and execute it promptly.
Plan amendments: If your group health plan is self-insured, then the plan documents must, of course, be amended. If they are not amended, the plan sponsor cannot receive "protected health information" (PHI) for plan administration purposes. In addition, you need to create "firewalls" between the group health plan and the human resources function.
Steps must be taken to ensure that PHI is not used or disclosed for employment purposes or for the purposes of other benefit plans. If your group health plan is fully insured, you may still need to amend the plan documents if PHI is used for purposes such as audits or quality control.
Employee communications: The most basic requirement is to prepare a Notice of Privacy Practices and have a plan in place for distributing it. This effort may require coordination with business associates. If your group health plan is fully insured, you may be exempt from this requirement, but you should nevertheless be mindful that employees will be receiving such notices from the insurance carriers. Although HIPAA does not mandate that summary plan descriptions (SPDs) be revised, you may want to do so just the same.
Staff training: Employees who use PHI must be trained on how to comply with the new regulations. Therefore, you should schedule training promptly and establish procedures for tracking and documenting it. Benefits staff should be trained first, while the firewall against improper disclosure of PHI is being established. Next, train HR staff on HIPAA privacy compliance and promulgate a ban on improper use and disclosure of protected information. Finally, conduct compliance training for line managers and supervisors.
Prepare for employee impact: Employees will need to be advised of the new procedures that will be in place to ensure regulatory compliance. For example, employees may face new questions when interacting with human resources, a "call center" or an HMO about their health claims. In addition, employee consent may be required before HR professionals can carry out routine tasks involving disability benefit applications, integrated disability management, or routine ADA- and FMLA-related work.
Given the importance of preventing health information from being used in the employment process, HR should evaluate every place where a firewall needs to be built.
You should work closely with your attorneys and consultants as you move through the challenges of HIPAA compliance. You must retain the ability to examine PHI for plan administration purposes, particularly in these times of rampant health cost increases. Consequently, you must put in place policies that protect employee PHI while ensuring that you can still fully analyze the cost implications of your benefit plans.
Remember that HIPAA requires reasonable and flexible policies and procedures - and that only your business knows what standards will work for it.