HIPAA audits are on the rise, and so are associated fines for mishandling PHI (protected health information). In 2016, the U.S. Department of Health and Human Service’s Office of Civil Rights collected $23 million in fines. That’s a 300% increase over 2014, the previous record year for HIPAA privacy fines.1
Many of the employers facing HIPAA fines are healthcare providers, health plans or healthcare clearinghouses. These organizations are considered covered entities under HIPAA. It follows that most HR professionals handle PHI, and exposure can put them in danger of violating the HIPAA Privacy Rule.
HR staff deals with medical information a few different ways. Here’s one common example:
|Jane, the HR director, and Charles, the controller, work at a 1,000-employee, self-insured non-profit organization. One of their responsibilities is tracking and managing large claimants on their plan. During any given month, Jane and Charles will come in contact with roughly 40-50 claims containing PHI.|
For a self-funded employer, handling claims makes sense. But employers with fully-insured medical plans may also handle PHI. Take this scenario:
|Dan is the HR director of a tech startup in New York City’s Silicon Alley. Tech start-ups tend to attract young employees. Therefore, some of the workers have enrolled in health & welfare benefits for the first time. They are learning the ins and outs of health insurance. One of Dan’s employees gets an explanation of benefits that he doesn’t understand. He turns to HR for help. Dan looks over the explanation and, together with the employee, calls the insurance company. Dan has just handled PHI.|
The increase in HIPAA audits, combined with changes in technology, the addition of a health & wellness program, to concerns about hacking, are good reminders to revisit HIPAA training to ensure compliance.
A Formal Approach to HIPAA Privacy
Employers should have a written PHI policy in place about how they handle this sensitive information. Also designate PHI handlers and a HIPAA privacy officer. The PHI policy should outline what information is considered PHI and how it may or may not be used. The PHI policy should also include a procedure for handling complaints and a process for employees to file them if they think their privacy rights are violated.
Handling PHI puts HR professionals in danger of violating the HIPAA Privacy Rule.
Employees who come in contact with PHI should be trained on the dos and don’ts of handling protected health information. This is especially true as it relates to electronic information. The HR team should understand the implications of handling PHI in emails, storing it on the cloud, or communicating about it over other electronic formats. When discussing matters containing PHI with an employee, be sure to have a signed HIPAA authorization form for the release of employee health information.
Lastly, the HIPAA privacy officer should review health plan documents and ensure that agreements with vendors who handle PHI, called “business associate agreements,” are up to date. The federal government considers such vendors to be business associates of the plan sponsor.
As companies hit with steep fines in 2016 would tell you, the penalties for HIPAA violations can be high. They start at $100 per incident but can increase up to $25,000 per violation per year. These violations can also be “stacked” if an individual makes more than one violation, or if more than one standard is violated.
In addition to federal rules, employers may also be subject to state privacy rules that further limit how PHI is used.
The increase in the number of HIPAA audits, as well as changes in how employees communicate about PHI or store information, make it more important than ever to cover all the bases should your company be hit with one. If your staff needs training or if you are unsure if your policies are up to date, ask your health & welfare benefits broker to assist you.
- Nationwide ACA Nondiscrimination Injunction | February 24, 2017
- A Closer Look at EEOC’s Final Health & Wellness ADA & GINA Regulations
- Demystifying 3 Confusing Lines on IRS Form 1095-C
© 2017 Corporate Synergies Group, LLC. No part of this material may be republished or distributed without prior written consent.