HIPAA Checkup – How Good Are Your Policies and Procedures?

Allison B. Bans • March 14, 2017

Although it is not a new requirement, it is important and therefore worth a reminder: HIPAA requires covered entities to establish and implement written policies and procedures that are consistent with its Privacy and Security Rules.

As discussed in an earlier blog post, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) has begun its Phase 2 HIPAA Audit Program. The Program will focus on the policies and procedures adopted and employed by covered entities and their business associates to meet the requirements of the Privacy, Security, and Breach Notification Rules. Furthermore, if a group health plan is selected for an audit, it would have a very short time to produce its policies and procedures (i.e., 10 business days). If the group health plan does not comply (for example, because it does not have policies and procedures), the OCR will likely impose corrective measures, which could include costly civil monetary penalties.

HIPAA policies and procedures have important functions, including but not limited to:

  • Limiting uses and disclosures of Protected Health Information (“PHI”) to the minimum amount reasonably necessary to achieve the purpose of the use or disclosure;
  • Identifying the workforce members who need access to PHI and electronic PHI (“e-PHI”) to carry out their duties, the categories of PHI that they need, and any conditions under which they need the PHI to do their jobs;
  • Ensuring appropriate protection of e-PHI when it is transferred, removed, or disposed of, and when electronic media is re-used; and
  • Ensuring that e-PHI is not improperly altered or destroyed.

However, it is not sufficient for a group health plan to merely adopt its HIPAA policies and procedures.  A group health plan must also:

  • Designate a privacy and security official to develop and implement policies and procedures;
  • Train applicable workforce members on its policies and procedures as necessary for them to carry out their functions, and apply appropriate sanctions against workforce members who violate its policies and procedures;
  • Periodically assess how well its policies and procedures meet the requirements of the Security Rule; and
  • Designate a contact person responsible for receiving complaints and providing individuals with information on the covered entity’s privacy practices.

There is no template for HIPAA policies and procedures. Instead, employers have the flexibility to design policies and procedures that are appropriate for their size, organizational structure, and risks to PHI and e-PHI. Furthermore, as employers evolve, so should their policies and procedures. For example, if an employer adopts a telework policy, it may wish to review whether its policies and procedures appropriately address issues involving remote access.

In summary, although the requirement is not new, new technologies, evolving business practices, and impending HHS audits mean that employers may want to review their HIPAA policies and procedures to make sure that they are compliant and up-to-date.
