Best Practice Tips for HIPAA Compliance
Even companies that don’t sponsor health plans have to comply with HIPAA regulations. Protecting health information can be tricky. Here are some best practices that will keep your company in compliance.
It’s hard to believe twelve years have passed since the introduction of the Health Insurance Portability and Accountability Act, commonly known as HIPAA. Today many employers are still working to adhere to the regulations, which cover everything from plan portability to nondiscrimination, according to attorney Walter W. Miller.
But the centerpiece of HIPAA regulations has always been, and remains, maintaining privacy around the disclosure of private health information.
The fundamental premise of HIPAA is that individually identifiable health information created by or received from a covered entity (such as a health plan or healthcare provider) automatically becomes Protected Health Information (PHI). Once the information is protected, it can only be used for the purposes of patient treatment, payment of healthcare costs, and for health operations. The latter includes such common benefit plan functions as enrollment, eligibility determinations, claims determination, claims payment, pre-certification, and reviewing status of payment.
Even where use or disclosure of PHI is allowed under the privacy regulations, only the “minimum necessary” information required to accomplish the treatment, payment or healthcare operations can be used or disclosed. The regulations are fairly clear; employers are subject to specific and extensive regulatory burdens if they obtain and use PHI to administer their own health plan or are involved in making or reviewing benefit decisions.
If you or your company needs PHI for any other reason, it must come with a specific authorization from the employee or patient. As a result, it’s a rare regulated employer that is not affected in some way by HIPAA regulations. Additional rules specifically cover employers that self-insure a health plan, retain an employee acting as the health plan administrator or act as plan sponsors.
If your company sponsors a health plan, for example, obviously there will be times when you’ll be required to use protected health information to manage the program. The privacy rules are intended to prevent the information from being used for employment-related functions or functions related to other employee benefit plans or other benefits provided by the plan sponsor. Under the rules, a plan sponsor must agree to use and disclose protected health information received from the health plan only for plan administrative functions, which must be specified in the plan documents.
Even companies that don’t sponsor health plans are affected by HIPAA regulations. Take, for example, a company that requires a pre-employment physical. If the physical is performed by a physician other than an employee physician, it is most likely that the physician will be covered by HIPAA. Therefore, the individually identifiable health information collected by the doctor at the physical will be protected health information.
The employer wants the information, but because the use is not for treatment, payment or health care operations, the physician will have to obtain the patient’s express authorization to release it. The employer may only use the information for the purposes expressly stated in the authorization. Other employment-related practices that may be affected include disease management and wellness programs, occupational health issues, and on-site medical clinics.
Here are some best practice tips for HIPAA compliance:
- Better to be safe than sorry. It’s best to assume that all contacts with health care providers are covered by HIPAA regulations and a HIPAA authorization will be needed before information is released.
- Ask for or provide only the minimal amount of protected health information, even when authorization is provided. The burdens from HIPAA are minimal if PHI is not routinely obtained as part of the ongoing administration or oversight of a covered health plan.
- Don’t use group health plan information to obtain evidence of disability on behalf of the employee unless the employee has provided a valid authorization.
- Ensure that an adequate “fire wall” as required by the regulations is in place, describing which employees have access to the PHI, restricting access to such individuals and for such use as is necessary for plan administration functions, and providing methods by which noncompliance can be resolved.
- Know your rights. HIPAA privacy regulations do not create the right to refuse to cooperate in legitimate requests for information.
HIPAA makes employers liable for violations of their business associates if the employer is aware of the wrongdoing.
Benefits News Copyright Notice
Articles are provided for your personal, non-commercial use and may not be reproduced in any form. Articles are based upon analysis of information sources, necessarily condensed and, therefore, not applicable to all situations. Though we believe them to be accurate, facts and conclusions are not guaranteed. Articles are provided with the understanding that they do not constitute legal, accounting or other professional advice, which should be sought from professionals in those fields. © 2006 Thoits Insurance. All rights reserved.
CA License 0243213
