HIPAA privacy: How to comply
The Health Insurance Portability and Accountability Act (HIPAA) has multiple parts, one of which governs privacy and security. The HIPAA privacy and security requirements apply to what is called “covered entities.” These entities include health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. They do not, however, specifically include employers.
Under these provisions, employers, in their activities as group health care plan sponsors, are generally pulled in as covered entities because they act on behalf of group health plans. Otherwise, in their activities as employers, they are not considered HIPAA covered entities.
Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations ("HMOs"), Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. There are exceptions: a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a HIPAA covered entity.
Since most employers have insurers or brokers handling their group health care plans, most of the HIPAA obligations are carried out by those insurers or brokers on behalf of employers.
Before becoming a group health care plan sponsor, employers should check with insurers or brokers to see what steps they take to ensure HIPAA compliance.
PHI
HIPAA protects individuals' protected health information (PHI). This is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral.
"Individually identifiable health information" is information, including demographic data, that relates to:
- The individual's past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,
...and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Covered entities must provide a notice of privacy practices (NPP) to individuals every three years.
Disclosures
Covered entities may not use or disclose PHI, except either:
- As the privacy rule permits or requires; or
- As the individual who is the subject of the information (or the individual's personal representative) authorizes in writing.
Covered entities must disclose PHI in only two situations:
- To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their PHI; and
- To the U.S. Department of Health and Human Services (HHS) when it is undertaking a compliance investigation or review or enforcement action.
Covered entities may disclose PHI in a variety of situations, including as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses.
Otherwise, covered entities must obtain the individual's written authorization for any use or disclosure of PHI.
A group health plan and the health insurer or HMO offered by the plan may disclose the following PHI to the "plan sponsor":
- Enrollment or disenrollment information with respect to the group health plan or a health insurer or HMO offered by the plan.
- If requested by the plan sponsor, summary health information for the plan sponsor to use to obtain premium bids for providing health insurance coverage through the group health plan, or to modify, amend, or terminate the group health plan. "Summary health information" is information that summarizes claims history, claims expenses, or types of claims experience of the individuals for whom the plan sponsor has provided health benefits through the group health plan, and that is stripped of all individual identifiers other than five-digit zip code (though it need not qualify as de-identified PHI).
- PHI of the group health plan's enrollees for the plan sponsor to perform plan administration functions. The plan must receive certification from the plan sponsor that the group health plan document has been amended to impose restrictions on the plan sponsor's use and disclosure of the PHI. These restrictions must include the representation that the plan sponsor will not use or disclose the PHI for any employment-related action or decision or in connection with any other benefit plan.
Other HIPAA compliance obligations
- Notice of privacy practices: Each covered entity, with certain exceptions, must provide a notice of its privacy practices (NPP). Employers sponsoring health plans must give the notice to each new enrollee at enrollment, and send a reminder to every enrollee at least once every three years that the notice is available upon request. Employers can meet this requirement by furnishing the notice to the "named insured," that is, the subscriber for coverage that also applies to spouses and dependents.
- Policies: Covered entities must develop and implement written privacy policies and procedures that are consistent with the privacy rule.
- Privacy personnel: Covered entities must designate a privacy official responsible for developing and implementing their privacy policies and procedures, and a contact person or contact office responsible for receiving complaints and providing individuals with information on their privacy practices.
- Workforce training and management: Covered entities must train all workforce members on their privacy policies and procedures, as necessary and appropriate for them to carry out their functions. Workforce members include employees, volunteers, and trainees, and may also include other persons whose conduct is under the direct control of the entity (whether or not they are paid by the entity). Covered entities must have and apply appropriate sanctions against workforce members who violate their privacy policies and procedures or the privacy rule.
- Mitigation: Covered entities must mitigate, to the extent practicable, any harmful effect they learn was caused by a use or disclosure of PHI by their workforce or their business associates in violation of their privacy policies and procedures or the privacy rule.
- Data safeguards: Covered entities must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the privacy rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
- Complaints: Covered entities must have procedures for individuals to complain about their compliance with their privacy policies and procedures and the privacy rule, and the procedures must be described in the privacy practices notice.
- Documentation and record retention: Covered entities must maintain, until six years after the later of the date of their creation or last effective date, their privacy policies and procedures, their privacy practices notices, the disposition of complaints, and other actions, activities, and designations that the privacy rule requires to be documented.
HIPAA privacy and ADA confidentiality
While the HIPAA privacy rules apply to employers only in their activities as group health care plan sponsors, the confidentiality provisions of the federal Americans with Disabilities Act (ADA) apply to employers in their activities as employers.
Outside of group health plans, the ADA requires employers to keep employee and applicant medical information confidential and separate from the general personnel file(s).
HIPAA and the FMLA
Under the federal Family and Medical Leave Act (FMLA), employers may require employees to provide a certification supporting the need for leave. In many cases, the employee takes the form to the health care provider, who completes it and returns it to the employee (or family member). The employee then gives the completed form to the employer.
In this situation, the HIPAA privacy rules are not triggered.
If the employee or patient would rather have the health care provider give the completed certification directly to the employer, the health care provider would need a HIPAA disclosure authorization to do so.
Employers may not mandate that employees ask the health care provider to give the certification directly to them. Employees have the right to get the certification from the health care provider, then give it to the employer.