Employers have so many federal, state and local rules and regulations to comply with that it can often seem overwhelming. Enacted in 1996, the Health Insurance Portability and Accountability Act (more commonly known as HIPAA) added yet another acronym for employers to learn and understand. Simply put, HIPAA and its corresponding Privacy and Security Rules establish national standards for the privacy and protection of individually identifiable health information. The Privacy Rule governs how that information may be used and disclosed in any form or medium (electronic, oral or written); the Security Rule adds administrative, physical and technical safeguard requirements for the electronic form. The entities HIPAA covers directly (health plans, health care clearinghouses, and health care providers who transmit health information electronically) are required to comply with rules that govern the protection and sharing of any health information that can be linked to, or used to identify, an individual.
But it’s not just doctors and health insurance companies that need to ensure that they are HIPAA compliant. Employers who sponsor self-insured, HIPAA-covered group health plans (group health, dental, vision, health FSA, EAP, etc.) are required to comply with all relevant HIPAA regulations for the PHI those plans handle. HIPAA also extends to business associates: persons or organizations other than members of a covered entity’s workforce who perform certain functions or activities on behalf of, or provide certain services to, a covered entity that involve the use or disclosure of individually identifiable health information protected under HIPAA. Covered functions include claims processing, data analysis or review, and billing. Covered services include legal, accounting, consulting, managerial, administrative and financial services. A written business associate agreement is required before a covered entity shares PHI with a business associate, and since the 2013 Omnibus Rule a subcontractor that handles PHI on a business associate’s behalf is itself a business associate, subject to the same obligations.
So what does “individually identifiable health information” include? Generally speaking, it is any information about an individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present or future payment for that care. Such health information becomes Protected Health Information (PHI) when it identifies the individual, or when there is a reasonable basis to believe it could be used to identify the individual: for example, when it is tied to a name, address, birth date or Social Security Number. Health information that has been properly de-identified, with those identifiers removed, is not PHI.
In order to be HIPAA compliant, employers need to ensure that all PHI is kept secure at all times. This includes creating and implementing written policies and procedures for information security and privacy, training employees on those policies, and regularly auditing the policies and procedures to confirm they are being followed and are still adequate.
If you’re starting to think that your business doesn’t have the resources to become HIPAA compliant, you’re not alone. Many businesses, especially smaller companies, decide that they are not equipped to handle compliance and other human resources functions and decide to outsource their HR and compliance needs.
Wading through the HIPAA legislation and regulations to determine whether a business is HIPAA compliant can be overwhelming, but it doesn’t have to be. Download G&A Partners’ 10-question HIPAA Compliance Checklist to see if your business is on track to becoming HIPAA compliant.
G&A Partners, a leading national professional employer organization (PEO) and human resources outsourcing provider, employs a team of HR experts who understand the ins and outs of human resources and employer-related laws. Learn how G&A’s highly trained staff can help your business become compliant with HIPAA, PPACA, FLSA, FMLA, COBRA and the hundreds of other federal, state and local laws regulating employers by calling 1-866-927-6203 or scheduling a free business consultation.