Human Resources managers are tasked with a wide variety of responsibilities in their multifaceted roles, which can vary significantly from company to company. For HR managers of companies that are covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), those responsibilities can be quite complex and require concerted efforts between the HR manager and the company’s Privacy and Security officers.
Type of Entity
Ultimately, the responsibilities of an entity under HIPAA will depend on whether that entity is a covered entity or a business associate. Most businesses are not covered entities. Under HIPAA, only health care providers that file electronic claims, insurance companies and health care clearinghouses are considered covered entities. However, many companies are increasingly choosing to self-insure their employees, and a company with a self-insurance plan is considered a covered entity with respect to its self-insured plan.
If the business is a covered entity, then all requirements of the Privacy and Security Rule, found at 45 CFR Parts 160 and 164, in addition to the updated requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act, must be met. If the company is a business associate, then all parts of the Privacy Rule must be met, along with the parts of the Security Rule that have been extended to business associates through the HITECH Act.
Policies and Procedures
Once it has been determined that an entity must comply with HIPAA, it is then time to prepare the required policies and procedures – a task that is much more daunting than it sounds and that is underestimated and overlooked by many. This is a time-consuming process that requires a solid working understanding not only of HIPAA, but of the entity and how it will be best able to actually implement those policies and procedures as it strives toward full compliance.
Adequate HIPAA policies and procedures are not a one-size-fits-all installation, and what works best for one entity may not work at all for another. Policies and procedures should vary based upon the size of the entity, the functions of and services provided by the entity, and other characteristics unique to that entity.
Though responsibility for the creation and implementation of these policies and procedures falls on the shoulder of the entity’s designated Privacy and Security Officers, this designation can fall upon the entity’s HR manager(s). Even if the entity’s Privacy or Security Officer position is filled by someone other than an HR manager, HR management will nonetheless play a crucial role in HIPAA compliance in one way or another. HR may be tasked with helping the Privacy and Security Officer implement policies and procedures to the entity workforce, and will no doubt play a vital role in ensuring that the workforce receives the required annual HIPAA training, as well as updates and training on any changes introduced in policies or procedures.
Protected Health Information
HR managers often have access to at least some protected health information of their employees, varying depending on the type and function of the entity. HR managers must know and follow the requirements of HIPAA and HITECH as they pertain to the use, disclosure, maintenance, transmission, safeguarding of and access to this information. This may include being tasked by the entity with documenting all disclosures, producing requested accountings, and keeping track of business associates that may make disclosures. Additionally, HR managers should know how to respond to any requests for such information, whether that request comes from an employee, another individual, by subpoena, or from law enforcement.
An Ongoing Process
HIPAA compliance only exists in a temporary state. Undoubtedly, the most difficult aspect of HIPAA compliance is the initial procurement and full implementation of all required policies and procedures, but it doesn’t end there. An annual Security Risk Assessment of the entity’s policies and procedures, potentially vulnerable areas, and what the entity may do to redress those concerns is required – in addition to annual workforce training and periodic security reminders. HR managers can play a very important and unique role in their entity’s HIPAA and HITECH compliance, and should be sure to familiarize themselves with the requirements of these rules, as well as develop strong working relationships and open lines of communication with others within their organization who play a part in the entity’s compliance. Compliance truly is a team effort, and to reach the best results it should be treated as such.
If you know your entity is currently non-compliant or is behind on their requirements, it is best to work to remedy that situation as soon as possible rather than put it off any longer. The longer compliance is left on the back burner, the more difficult it is for the entity to catch up. Keeping up with compliance ensures smoother completion of the annual requirements, and can potentially save your entity huge sums of money in civil penalties from the federal government.