You’ve probably heard of the Health Insurance Portability and Accountability Act (HIPAA). It is the law that restricts how health care providers and health plans may use and share your medical information, and that generally requires your written authorization before that information is shared for purposes other than treatment, payment and health care operations. And while, like most people, you may think this law applies only to health care providers, you’d be wrong.
Employers Subject to HIPAA
HIPAA’s “covered entities” are health plans, health care clearinghouses and health care providers that conduct certain transactions electronically. Employers are not covered entities simply because they employ people, but an employer that sponsors a group health plan (especially a self-funded one), that handles plan claims or enrollment data, that runs an on-site clinic, or that acts as a business associate of a covered entity is brought within HIPAA’s reach. When new employees are hired, employers gather several pieces of personal information, and much of it overlaps with the identifiers HIPAA treats as making health information individually identifiable. When these identifiers are linked to health information held by a covered entity or business associate (for example, claims or enrollment records in the group health plan), the combination is “protected health information” (PHI). Note that employment records an employer keeps in its role as employer, such as payroll and personnel files, are not PHI; the same identifiers in the plan’s files are. The identifiers include:
- Phone number
- Social Security number
- Medical record number
- Health Plan ID
- Full-face photo
- Account number
- Driver’s license number
If anyone on your entity’s staff obtains and maintains this kind of information on behalf of the group health plan or another covered function, you are required to protect it and remain in compliance with HIPAA.
How Is My Entity Required To Comply?
So what exactly are you required to do as it relates to HIPAA? For starters:
- You must adequately protect any PHI you obtain from your employees and store on your work environment’s IT systems. Just as you should be working to protect any client information you handle and store, you should be working to protect your employees’ personal information as well. The Security Rule frames this as administrative, physical and technical safeguards: limiting access to PHI to the staff who need it, logging who accesses it, encrypting electronic PHI at rest and in transit, and documenting the risk analysis behind those choices.
- Know when written authorization is required. HIPAA’s Privacy Rule permits a covered entity to use and disclose PHI for treatment, payment and health care operations without the individual’s authorization, but most other uses and disclosures require the employee’s written authorization. In particular, a group health plan may not hand PHI to the employer for employment-related decisions. If you share PHI for a purpose outside treatment, payment and operations, be sure you have a signed authorization on file for each employee.
- Ensure that any external service providers, vendors or subcontractors that receive PHI from you, all defined as “Business Associates” under HIPAA, understand the HIPAA compliance requirements that apply to them. HIPAA requires a written “Business Associate” agreement before PHI is shared; it sets out the safeguards each outside provider must apply, the uses of PHI it is permitted, its duty to report breaches to you, and the return or destruction of PHI when the engagement ends, so that the confidentiality of your employees’ personal information is maintained.
The HIPAA Security Rule
Part of HIPAA is a specific section that sets national standards for protecting individuals’ electronic protected health information (ePHI) that is created, received, used or maintained by an entity. This section is known as “The HIPAA Security Rule.” According to the U.S. Department of Health & Human Services’ (HHS) website, this rule “… requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
Per this rule, entities are required to conduct and document a risk analysis of the threats to, and vulnerabilities of, the ePHI they hold, and to implement safeguards that reduce those risks to a reasonable and appropriate level. The analysis must be repeated as systems and processes change, not performed once and filed away. To get a sense of whether your entity is compliant with HIPAA’s security requirements, check out the HHS Security Risk Assessment Tool.
Entities/individuals that must comply with the HIPAA Security Rule include:
- Health care providers
- Health plans
- Health insurance companies
- Health maintenance organizations (HMOs)
- Employer group health plans
- Government programs, including:
  - VA programs
- “Business Associates,” including:
  - Software companies
  - Asset recyclers
  - IT consultants
  - Pharmacy benefit managers (PBMs)
  - Health plan brokers
Like most government regulations, HIPAA can be confusing and overwhelming. The U.S. Department of Health & Human Services has a helpful section of its website dedicated to helping professionals better understand how they should comply with HIPAA, and it is worth reviewing. Our government team here at Rea is also happy to consult on HIPAA-related matters. Feel free to contact us anytime for assistance.
By Annie Yoder, CPA, CFF, CFE (New Philadelphia office)