As part of the regulatory expansion of the Health Insurance Portability and Accountability Act (HIPAA), the Department of Health and Human Services (HHS) Office for Civil Rights issued its final rule (commonly called the Omnibus Rule) modifying the act's security, privacy, and breach notification requirements. The final rule took effect on March 26, 2013, and requires covered entities and their business associates, which in practice means employers that sponsor health plans, vendors that handle PHI on their behalf, and health care providers, to be compliant by September 23, 2013, or face civil penalties of up to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.
This regulation broadens HIPAA's definition of how employers and health care providers must handle Protected Health Information (PHI), including the transmission and storage of personal data and health records, and it changes the rules for privacy notices and for how health care information may be used and disclosed. The handling of PHI has always been at HIPAA's forefront; what changes now is that data breach notification is handled much more strictly.
Under HIPAA, a breach is the unauthorized acquisition, access, use, or disclosure of a person's PHI. Under the final rule, any impermissible use or disclosure is presumed to be a breach, and the burden of proof rests with the employer, health care provider, or business associate: to avoid notifying affected individuals (and HHS), it must document a risk assessment showing a low probability that the PHI was compromised. That assessment must consider at least the nature and extent of the PHI involved, who received or accessed it, whether the PHI was actually acquired or viewed, and the extent to which the risk was mitigated.
Here’s how employers and health care providers can ensure compliance under the new HIPAA modifications:
- Work closely with vendors and your HR department to make sure they understand the broader security and privacy policy changes and the September 23rd compliance deadline. Vendors that create, receive, maintain, or transmit PHI on your behalf are business associates, are now directly liable under the rule, and need updated business associate agreements.
- Make time to review all current HIPAA processes that involve electronic security policies, procedures, and notices. Look specifically for gaps where PHI could be compromised, and document the findings as part of your Security Rule risk analysis.
- Review marketing practices and materials to determine if they meet privacy compliance guidelines.
- Revise privacy notices to include new disclosure requirements.
- Reduce compliance exposure by limiting access to, use of, and disclosure of PHI to specifically designated personnel, consistent with HIPAA's minimum necessary standard.
- Create a checklist for how privacy notices are distributed and updated. Even something as routine as issuing a privacy notice must follow a documented procedure so you can show that notification was made.
It is critical to note that these broader HIPAA regulations will be strictly enforced as more administrative processes and patient records are handled and stored online. While this may feel like just another compliance headache, it is really about protecting consumer privacy and keeping your business from being exposed to a data breach. The best advice is to identify, now, every plan that generates or uses PHI, including group medical plans, employee wellness programs, and employee assistance programs. Don't wait until the last minute to become familiar with the current HIPAA updates.
For more information on health information privacy, visit http://www.hhs.gov/ocr/privacy/
If you haven’t outsourced your COBRA administration yet, now is the time to explore your options. With the added challenge of PPACA compliance, most HR teams welcome the relief of outsourcing COBRA administration. To further explore the option, download our free report – “In Search of ROO (Return on Outsourcing).”