Workplace violations of the Health Insurance Portability and Accountability Act (HIPAA) can occur at any company, including covered entities and their business associates, not just healthcare providers. Employers that need health information to administer disability benefits, or that offer healthcare to their workers, are at particular risk of violating HIPAA. Because a HIPAA infringement can arise from routine human resource operations, every company ought to know how to protect both itself and its employees.

What a HIPAA Violation in the Workplace Entails

What is HIPAA?


The Health Insurance Portability and Accountability Act, popularly known as HIPAA, was passed into law in 1996 to protect people’s health information, especially when they move from one job to the next. Later, in 2003, the United States Department of Health and Human Services (HHS) enacted the Privacy Rule, which defines Protected Health Information (PHI) as any information concerning health status that is held by a covered entity.

The 2005 Security Rule amendment to HIPAA concentrates only on PHI that is stored electronically (ePHI). Although it is distinct from the Privacy Rule, the growing use of digital platforms for sharing healthcare information means that far more information systems are now in scope than in the past.

What Information Belonging to Employees Qualifies as ePHI or PHI?

The HIPAA Privacy Rule covers any health plan records or medical records that you gather to administer your employee healthcare policies. The Privacy Rule does not apply to employment records, even if they include health-related information. For instance, if you ask an employee to present health information to document workers’ compensation or sick leave, that information is not covered by the rule. Nonetheless, if you contact the worker’s healthcare provider, the information delivered by the provider falls under the HIPAA Privacy Rule.

What Does a Human Resource Department Need to Know?

Many human resource departments administer medical benefits for workers. When a company provides its employees with a covered health plan, the human resource department must determine whether it meets the stipulated conditions for the Security Rule.

To find out whether you meet the prerequisites, first look at both the type of plan you intend to roll out and the number of individuals it will cover.

Determine whether the plan covers 50 or more people; if it does, the Security Rule applies. If it does not cover that many, check whether your health insurance plan is administered by a third party. If it is, there is no cause for concern as far as infringement of the HIPAA Security Rule is concerned.

Check whether you operate as the plan sponsor for a group health plan (this includes using a vendor for your employee assistance programs and flexible spending accounts). In most cases, the answer will be yes. The confusing part is that you may still act as a plan administrator, or as someone who must review a third-party vendor, even if your role is only to sponsor the plan. For instance, if you provide your workers with an employee assistance program or a flexible spending program, the Security Rule comes into play.

What Does a Security Management Process Mean?

To safeguard your company from HIPAA violations in the workplace, first carry out a risk analysis. This requires you to assess all the information your organization holds, where the data resides, the potential risks, and the weaknesses that could affect the availability, integrity and confidentiality of ePHI.

Once the risk analysis is complete, create security measures that minimize the likelihood of those vulnerabilities and risks being realized. Establish processes, procedures and policies that secure the information. For instance, you may develop physical protections, such as a lock that reduces the chance of document theft, and add multi-factor authentication to keep your devices from being used without the necessary authorization.

The next step is to verify that the established security measures work as they should. When reviewing your security policies, check them from both a technical and a non-technical point of view. During this analysis you may spot a security measure that does not actually protect your organization; adjust your controls accordingly to respond to technological, environmental and employee changes.

What Information Belonging to Employees Requires Protection to Avoid a HIPAA Violation in the Workplace?

Bear in mind that your human resources unit still accesses ePHI and PHI even if you recruit a third-party administrator to oversee your health insurance program. Furthermore, if your benefits personnel and human resource department manage the healthcare plan together with your vendor, the information exchanged in those conversations may fall under HIPAA.

How Can Your Organization Safeguard the ePHI and PHI that the HR Department Accesses?

First, make sure that both your HR and benefits staff catalog the information they relay, how they store it and how they use it in performing their administrative duties. Ensure the same personnel understand that all interactions with the third-party service provider, as well as any information employees transmit via the intranet, are subject to the Security Rule. You must then establish processes and policies that safeguard all of this information both in transit and at rest; the protections must cover the Internet, your intranet and your email exchanges with vendors.

Lastly, your IT department has to create access controls covering the systems used, the applications within those systems, the functions within applications, data files, fields within files and the types of administrative duties performed. Ultimately, IT and HR ought to collaborate in determining which employee groups should have access to each of those elements, and in defining who can create, read, modify, delete and search the files and who can alter their security settings.
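As an added example (not code from the article or from Reciprocity Labs), the following Python sketch models such an access matrix as a deny-by-default policy over the dimensions listed above (system, application, function, data file, field) and the operations named; every role, system and file name in it is constructed for illustration.

```python
from dataclasses import dataclass, astuple, replace

# Added example: deny-by-default access matrix for PHI-bearing files.
# All roles, systems and file names below are constructed, not real.
OPERATIONS = {"create", "read", "modify", "delete", "search", "alter_security"}

@dataclass(frozen=True)
class Resource:
    system: str
    application: str
    function: str
    data_file: str
    field: str  # "*" in a grant pattern matches any value at that position

class AccessPolicy:
    def __init__(self):
        self.grants = {}  # role -> list of (Resource pattern, set of operations)

    def allow(self, role, pattern, ops):
        unknown = set(ops) - OPERATIONS
        if unknown:  # fail closed on a typo rather than silently granting nothing
            raise ValueError(f"unknown operations: {sorted(unknown)}")
        self.grants.setdefault(role, []).append((pattern, set(ops)))

    def is_allowed(self, role, resource, op):
        # No matching grant means denied: least privilege by default.
        return any(_matches(p, resource) and op in ops
                   for p, ops in self.grants.get(role, []))

    def roles_with_access(self, resource, op):
        # Review helper for the IT/HR walk-through of who can do what.
        return sorted(r for r in self.grants if self.is_allowed(r, resource, op))

def _matches(pattern, resource):
    return all(p == "*" or p == r for p, r in zip(astuple(pattern), astuple(resource)))

def build_sample_policy():
    policy = AccessPolicy()
    enroll = Resource("benefits_portal", "enrollment", "plan_admin", "enrollment.csv", "*")
    claims = Resource("benefits_portal", "claims", "claims_review", "claims.csv", "*")
    # Benefits staff administer enrollment and search claims, but never delete.
    policy.allow("benefits_staff", enroll, {"create", "read", "modify", "search"})
    policy.allow("benefits_staff", claims, {"read", "search"})
    # HR generalists see only the enrollment status field, nothing clinical.
    policy.allow("hr_generalist", replace(enroll, field="status"), {"read"})
    # Only the security administrator may change security settings on any file.
    policy.allow("security_admin", Resource("benefits_portal", "*", "*", "*", "*"),
                 {"alter_security"})
    return policy
```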

How Do You Protect Your Organization Against Perceived HIPAA Violations?

One of the challenging parts of determining whether a HIPAA breach happened in your organization is identifying the party that shared the information and how they obtained it in the first place.

Keep in mind that PHI held in employee files and records does not fall under HIPAA. Hence, even if such records include information about the health of your employees, the act still does not apply. Because many employees are unaware of this, some may file complaints, particularly with the Office for Civil Rights (OCR), and the resulting investigation costs the organization both time and money to defend.

Make sure that your human resource department implements procedures and policies that protect the records employees believe to be secure. For instance, consider training managers to avoid inappropriate questions that may elicit PHI.

Ken Lynch

Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity Labs to pursue just that. Learn more at ReciprocityLabs.com.