BEST PRACTICES HIPAA Compliance in the Workplace


TABLE OF CONTENTS:

Chapter 1: What is HIPAA? (page 3)
Chapter 2: How to Handle HIPAA (page 6)
Chapter 3: The Final Rule (page 9)
Chapter 4: Staffing Plus Solutions (page 13)

CHAPTER 1: What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of health information. In the workplace, HIPAA ensures that an employee's health information is not disclosed to parties such as employers without the employee's authorization. HIPAA protections extend to all past, current and future health-related information about an employee.

HIPAA does not apply only to health care organizations; it also reaches businesses outside the health care industry. Employers sponsor group health plans and administer other health-related benefits, and in doing so they hold information about employee health conditions that must be secured in accordance with HIPAA requirements.


Purpose
HIPAA was established to provide federal protection for individually identifiable health information held in medical records, in conversations about medical treatment and in billing records related to a patient's care. Under HIPAA, patients have the right to view and obtain copies of their health information and to receive a notice describing how that information may be used and shared.

Privacy
The HIPAA Privacy Rule is balanced so that it permits the disclosure of protected health information (PHI) needed for patient care and other important purposes. The Privacy Rule controls how a health plan or covered health care provider may release PHI to an employer, including a manager or supervisor. If an employer asks a health care provider for PHI about an employee without the employee's authorization, the provider may not disclose it.

Employer Requests
Under HIPAA, an employer may ask an employee for a doctor's note in connection with sick leave, workers' compensation, a wellness program or health insurance. If the employer wants health information from the physician directly, however, the employee must provide a written authorization to the physician, and the information obtained may be used only for the purpose stated in that authorization.


Who Is Covered?
The intent of HIPAA in the workplace is to keep employees' health information from being shared with or disclosed to individuals who have no legal need to know it. Entities covered by HIPAA are health plans, health care providers and health care clearinghouses (entities that convert nonstandard health information received from another entity into a standard format, or vice versa). Other organizations, such as life insurers, schools and law enforcement agencies, are not covered entities, but they cannot simply obtain health information from a covered entity directly. Where such an organization needs an employee's health information, it must generally obtain the employee's authorization for the covered entity's disclosure to be compliant with HIPAA.

Employee Rights
Understanding employee rights under HIPAA is important to protecting their personal health information. Patients have the right to see and obtain copies of their health records, and the right to have corrections added when the information is incorrect or incomplete, such as the result of a test. In the workplace, employees have the right to be notified of how their health information will be shared and to decide whether or not to authorize that sharing.


CHAPTER 2: How To Handle HIPAA

The intent of HIPAA is to prevent the sharing and misuse of protected health information, thereby ensuring patient privacy. Knowing the ins and outs of HIPAA will help your business stay compliant and avoid violation penalties.


Securing Medical Records
Records containing employees' PHI must be secured not only against access from outside the company, but also against unauthorized users inside the company. Only those employees who deal directly with health-related policies and benefits should be able to access the information. Electronic records should be protected by access controls, such as a dedicated password or restricted permissions, and paper records should be kept in a locked drawer or filing cabinet. When these records are transferred, employees must follow company policy so that the information is not lost or intercepted by another party. Employees who handle health-related information must also keep a log detailing every release or transfer of the information.

Employee Training
Any employee in the organization who handles health-related information, such as medical insurance policy information, a company wellness program or a flexible spending account, needs proper training on HIPAA and on handling health-related information. If you fail to train such employees and one of them discloses information about another employee's health, you may be found liable for the disclosure and may be sued by the employee whose information was compromised.


Employee Absences
Under no circumstances may a manager disclose to other employees the details of a person's medical absence unless that employee consents first. When an employee falls ill or needs medical treatment, you may circulate a card or similar materials for the employee who is unwell, but you may not tell everyone else the reason for the absence.

Written Policies
Not only must you follow HIPAA on a daily basis within your organization, you must also document the policies your organization has adopted to ensure compliance. These documents should detail how employees with access to health information are to secure it, under what circumstances health information may be disclosed, and the consequences for an employee who violates the organization's HIPAA policies. All employees should receive a copy of these written policies, especially those who have access to health information.


CHAPTER 3: The Final Rule

On January 25, 2013, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) published its Final Rule of modifications to HIPAA.

The stated purpose of the Final Rule is both to strengthen the privacy and security protections established under HIPAA and to increase flexibility for, and decrease the burden on, the regulated entities.

The amendments became effective on March 26, 2013, and will be enforced by OCR beginning September 23, 2013.


The Final Rule is actually an "omnibus rule" (composed of multiple components) that includes the following four final rules:

1. Final modifications to the HIPAA Privacy, Security and Enforcement Rules. These modifications:

- Make business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Privacy and Security Rules.
- Strengthen the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibit the sale of PHI without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and the disclosure of proof of child immunization to schools, and to enable access to decedent information by family members or others.
- Adopt additional Health Information Technology for Economic and Clinical Health (HITECH) Act enhancements to the Enforcement Rule, such as provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.


2. A final rule adopting changes to the HIPAA Enforcement Rule to incorporate an increased and tiered civil money penalty structure provided by the HITECH Act.

3. A final rule on breach notification for unsecured PHI under the HITECH Act that clarifies when breaches of unsecured health information must be reported to HHS.

4. A final rule modifying the HIPAA Privacy Rule as required by the federal Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes.


Civil Monetary Liability
As required by the HITECH Act, the 2013 Amendments substantially increase the potential civil monetary penalties for violations by covered entities and business associates, and establish tiers of escalating penalty amounts based on the increasing degree of culpability of the violator and other responsible parties. The 2013 Amendments also reduce OCR's discretion in assessing these penalties.

Are You a Business Associate?
As defined by HIPAA, a business associate is any organization or person that works with or provides services to a covered entity and that handles (creates, receives, maintains or transmits) or discloses protected health information (PHI) or personal health records (PHR) on the covered entity's behalf.

Final Rule
An overview of the Final Rule is available from the U.S. Department of Health and Human Services.

Violation Category (Section 1176(a)(1))        Penalty for Each Violation
(A) Did Not Know                                $100 - $50,000
(B) Reasonable Cause                            $1,000 - $50,000
(C)(i) Willful Neglect – Corrected              $10,000 - $50,000
(C)(ii) Willful Neglect – Not Corrected         $50,000


CHAPTER 4: Staffing Plus Solutions

Staffing Plus offers personalized HR services that help control cost, lower risk and minimize the financial impact to your organization. We provide the HR expertise and resources you need so that you can stay focused on your strategic business and financial goals.

As it pertains to HIPAA, Staffing Plus can assist by:

- Conducting a risk assessment
- Establishing criteria and procedures for hiring and for assigning tasks related to HIPAA
- Documenting the policies needed to ensure compliance with the laws

For further guidance on HIPAA Compliance and other HR related areas, please contact our HR Outsourcing experts at (610)525-4000 or via email at [email protected]