By now, most employers who maintain self-insured health plans have taken steps to comply with the privacy rules issued under the Health Insurance Portability and Accountability Act of 1996. However, after making initial compliance efforts, employers may have put HIPAA on the back burner.
Since HIPAA went into effect in April 2003, the following have emerged as common mistakes made by employers and other HIPAA-covered entities.
Failing to comply with the security rules
The rules regarding security measures for electronic health information have been in effect since April 2005. However, many employers have not completed security rule compliance efforts and do not have security rule policies and procedures that comply with HIPAA in place. Others have not appropriately updated plan documents or business associate agreements for the security rules. These mistakes may be costly, given that the Center for Medicare and Medicaid Services has recently instituted HIPAA audits aimed at security rule compliance.
In addition, business associate agreements were required to be updated to include provisions dealing with security rule compliance. While most new business associate agreements contain these provisions, many of the agreements entered into prior to April 2005 have not been amended to include the required language.
Disregarding FSAs or wellness programs
Failing to train/retrain workers
Ignoring state privacy laws
HIPAA does not pre-empt state privacy laws that are more restrictive (i.e., provide greater protections) than HIPAA. Guidance from the U.S. Department of Health and Human Services confirms that these state laws must be specified in the covered entity's notice of privacy practices. In many cases, the notice fails to reference any applicable state laws. Employers must become familiar with these laws to ensure privacy protection.
Failing to update the notice of privacy practices and/or send the three-year reminder
HIPAA's privacy rules require a plan to amend its notice when a material revision is made to its privacy practices. This updated notice must be sent to participants within 60 days. An update may be in order if, for example, the employer has made changes to health plan administration that affects the privacy policies, or has added new health plan coverages or a wellness program after the initial privacy notice was provided. Health and Human Services has advised that a covered entity must revise and reissue its privacy notice when there has been a material change to an applicable state privacy law.
In addition, employers are required to remind participants about the privacy notice, and how to obtain it, at least once every three years. The first reminder was required to be sent to participants by April 14, 2006, for large health plans or by April 14, 2007, for small health plans. For large health plans, the next reminder must be provided by April 14, 2009. Health and Human Services has clarified that this requirement may be met by providing the full privacy notice once every three years, issuing a brief reminder notice or even by providing the reminder in a newsletter.
Covered entities often will attempt to comply with privacy notice requirements by including the privacy notice, or information about the notice, as part of open enrollment materials or summary plan descriptions. However, covered entities should be aware that HIPAA’s rules regarding distribution of privacy notices are typically more stringent than requirements for other types of plan notices. Therefore, such notifications may not have been made in accordance with HIPAA requirements.
Failing to maintain a written procedure for investigating and resolving privacy complaints
When privacy complaints are made by participants, covered entities often do not have any written procedures in place to resolve them. Covered entities are frequently unsure of the appropriate corrective measures necessary to resolve HIPAA complaints. Although not technically required by HIPAA, maintaining a written procedure for investigating and resolving privacy complaints may go a long way toward avoiding the assessment of penalties if a complaint is filed with Health and Human Services. The department will not assess a penalty if a privacy rule violation was due to reasonable cause and not willful neglect, and is corrected within 30 days of when the covered entity knew (or should have known) of the violation.
When a potential violation has occurred, an employer should take corrective action as soon as possible by following a written procedure for investigating the complaint. The results of the investigation should be in writing, and might include:
The nature of the complaint or potential violation.
The steps taken to investigate the complaint.
The facts revealed by the investigation.
The internal HIPAA policies or procedures related to the facts.
The appropriate remedial action to resolve the issue.
In this regard, the report might include sanctions against employees who violated the policies, in addition to any actions required to mitigate the harmful effects of the violation. The report might also include steps that should be followed in the future to minimize the possibility of recurrence.