EL25 - HIPAA Privacy - Anything More for an Employer to Do?

by The International Foundation of Employee Benefit Plans
Member: $40 Non-member: $50 

The medical and benefit plan communities have now had several years to become comfortable with the HIPAA privacy rules. One might say that some human resources and benefits staff have become rather unconcerned about all of the compliance excitement of a few years ago and may be taking a fairly laid-back attitude regarding ongoing compliance. For the most part, that may be fine. The initial implementation phase is complete, most day-to-day tasks are handled by the insurance company or third-party administrator, plan participants rarely ask questions about their privacy rights, and there doesn’t seem to be much audit activity from the federal government. So there’s no reason to think twice about HIPAA privacy, right?

Well, maybe. There are (at least) three reasons why it might be valuable to do a HIPAA privacy checkup.

Employee Turnover

Due to employee turnover, not all current employees may be as well versed in the privacy rules and the company’s privacy procedures as those who handled the implementation of the rules when they were first issued. In addition, is the company still conducting training to the extent required by the rules? Is that training well documented? It may be a good idea to ensure that all appropriate individuals are knowledgeable about the rules, and that the company is keeping up with its training requirements.

Compliance Review

As with any program, it’s a good idea to periodically perform a compliance review to ensure that the policies and procedures the company put in place to comply with HIPAA are still being followed consistently and accurately. This may include reviewing the documentation that’s required to be maintained, interviewing individuals who have responsibility for the health plan, and testing the procedures at both the company and any vendors to ensure the data is protected and only being used or disclosed as it should be. Some companies perform these reviews internally (perhaps with the help of internal audit or legal groups) while others work with an outside consulting or law firm.

Accessing Protected Information

At times an employer may have good reason for wanting to access protected health information. Today the most common HIPAA privacy questions raised by employers are “May I get the information I need?” and “If so, what do I need to do?” By brushing up on the HIPAA privacy rules and taking a look at how the company may want to access protected information, it may be possible to implement procedures that make it easier to retrieve that information when it’s needed. For example, the company may want to review and perhaps update its privacy policy and any authorization forms that are used. It’s also very important to regularly check for developments in state privacy laws; remember that covered entities must comply with both the federal HIPAA privacy rules and any state rules that are more stringent.

For most employers, HIPAA privacy is something that sits in the background and rarely comes up during the day-to-day course of business. However, by making time to regularly perform a HIPAA checkup, you can help maintain the compliance of your program and thereby reduce the risk to the company that may arise from a breach of the rules.