The Most Common HIPAA Privacy Mistakes Employers Make


After making initial compliance efforts, many employers may have put the Health Insurance Portability and Accountability Act of 1996 on the back burner. Here are the common mistakes that have been made by employers and other HIPAA-covered entities since the act went into effect in 2003.
By Sandra R. Mihok

By now, most employers who maintain self-insured health plans have taken steps to comply with the privacy rules issued under the Health Insurance Portability and Accountability Act of 1996. However, after making initial compliance efforts, employers may have put HIPAA on the back burner.

    Since HIPAA went into effect in April 2003, the following have emerged as common mistakes made by employers and other HIPAA-covered entities.

Failing to comply with the security rules
    The rules regarding security measures for electronic protected health information have been in effect since April 2005. However, many employers have not completed security rule compliance efforts and do not have security rule policies and procedures in place that comply with HIPAA. Others have not appropriately updated plan documents or business associate agreements for the security rules. These mistakes may be costly, given that the Centers for Medicare & Medicaid Services, which enforces the security rule, has recently instituted HIPAA audits aimed at security rule compliance.

    In addition, business associate agreements were required to be updated to include provisions dealing with security rule compliance. While most new business associate agreements contain these provisions, many of the agreements entered into prior to April 2005 have not been amended to include the required language.

Disregarding FSAs or wellness programs
    While HIPAA imposes its full set of obligations on sponsors of self-insured group health plans, it imposes far fewer on employers that sponsor only fully insured arrangements and receive nothing more than enrollment information and summary health information from the insurer. However, if an employer sponsors a fully insured group health plan but also offers flexible spending accounts, wellness programs or other types of medical reimbursement arrangements, those other arrangements are typically self-insured and may themselves be subject to HIPAA. If so, the employer must ensure that each such plan meets all of HIPAA's requirements, including maintaining a privacy policy, providing workforce training and entering into appropriate business associate agreements.

Failing to train/retrain workers
    After the initial HIPAA training that many employers conducted when HIPAA first went into effect, many employers have not conducted any further HIPAA training. HIPAA specifically requires that new hires who will have access to protected health information be trained within a reasonable period of time after their hire date, and requires retraining when there are material changes to the privacy policy.

    If, for example, a wellness program was put in place after the original HIPAA effective date, changes might be required to the privacy policy, and employees who will administer the program might need to be retrained. In addition, retraining should be mandatory if any HIPAA violations have occurred that need to be addressed. It is also a good idea for employers to conduct periodic retraining sessions to make sure employees are reminded of their responsibilities.

Ignoring state privacy laws
    HIPAA does not pre-empt state privacy laws that are more restrictive (i.e., provide greater protections) than HIPAA. Guidance from the U.S. Department of Health and Human Services confirms that these state laws must be specified in the covered entity's notice of privacy practices. In many cases, the notice fails to reference any applicable state laws. Employers must become familiar with these laws to ensure privacy protection.

Failing to update the notice of privacy practices and/or send the three-year reminder
    HIPAA's privacy rules require a plan to amend its notice when a material revision is made to its privacy practices. This updated notice must be sent to participants within 60 days of the revision. An update may be in order if, for example, the employer has made changes to health plan administration that affect the privacy policies, or has added new health plan coverages or a wellness program after the initial privacy notice was provided. Health and Human Services has advised that a covered entity must also revise and reissue its privacy notice when there has been a material change to an applicable state privacy law.

    In addition, employers are required to remind participants about the privacy notice, and how to obtain it, at least once every three years. The first reminder was required to be sent to participants by April 14, 2006, for large health plans or by April 14, 2007, for small health plans. For large health plans, the next reminder must be provided by April 14, 2009. Health and Human Services has clarified that this requirement may be met by providing the full privacy notice once every three years, issuing a brief reminder notice or even by providing the reminder in a newsletter.

    Covered entities often will attempt to comply with privacy notice requirements by including the privacy notice, or information about the notice, as part of open enrollment materials or summary plan descriptions. However, covered entities should be aware that HIPAA’s rules regarding distribution of privacy notices are typically more stringent than requirements for other types of plan notices. Therefore, such notifications may not have been made in accordance with HIPAA requirements.

Failing to maintain a written procedure for investigating and resolving privacy complaints
    When privacy complaints are made by participants, covered entities often do not have any written procedures in place to resolve them. Covered entities are frequently unsure of the appropriate corrective measures necessary to resolve HIPAA complaints. Although not technically required by HIPAA, maintaining a written procedure for investigating and resolving privacy complaints may go a long way toward avoiding the assessment of penalties if a complaint is filed with Health and Human Services. The department will not assess a penalty if a privacy rule violation was due to reasonable cause and not willful neglect, and is corrected within 30 days of when the covered entity knew (or should have known) of the violation.

    When a potential violation has occurred, an employer should take corrective action as soon as possible by following a written procedure for investigating the complaint. The results of the investigation should be in writing, and might include:

  • The nature of the complaint or potential violation.

  • The steps taken to investigate the complaint.

  • The facts revealed by the investigation.

  • The internal HIPAA policies or procedures related to the facts.

  • The appropriate remedial action to resolve the issue.

    In this regard, the report might include sanctions against employees who violated the policies, in addition to any actions required to mitigate the harmful effects of the violation. The report might also include steps that should be followed in the future to minimize the possibility of recurrence.

Workforce Management Online, July 2008


Sandra R. Mihok is an attorney in the employee benefits department of Eckert Seamans Cherin & Mellott and serves as co-chair of the tax, estates and benefits practice group. Her practice focuses on employee benefits and related areas, including plan design and drafting, tax compliance, fiduciary and investment issues, and HIPAA privacy compliance. To comment, e-mail editors@workforce.com.
Copyright © 1995-2008 Crain Communications Inc.