When it was first enacted, the Health Insurance Portability and Accountability Act (HIPAA) was intended to safeguard patients’ protected health information (PHI). Over the years the regulations have been extended so that both covered entities and business associates are bound by HIPAA’s rules. Even businesses outside that purview should know the rules and act in accordance with them, particularly since nearly every employer holds some employee health information, and employers that sponsor group health plans may handle PHI directly.
Violations of HIPAA can have serious legal ramifications for both your business and any employees found responsible for them. It is therefore essential that your HR team is trained in HIPAA compliance procedures and protocols, especially if you are a covered entity or a business associate. Below, we discuss what you need to know about HIPAA and HIPAA training for HR professionals.
Covered Entities and Business Associates
One of the major shortcomings of HIPAA as originally enacted was that it contained no detailed privacy requirements for individually identifiable health information. This led to many instances of individuals’ private information being shared, lost, or improperly used without their consent. The Privacy Rule, proposed in 1999 and finalized in 2000, was written to close that gap. In the words of the NCBI summary cited below, it:
[It] protects all personally identifiable health information, known as protected health information (PHI), created or received by a covered entity. Personally identifiable health information is defined as information, including demographic information, that “relates to past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care for the individual” that either identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Fortunately for most HR departments, the majority of businesses do not fall under HIPAA at all, unless they are a covered entity or a business associate. According to HHS, these are:
- Covered Entity
  - Health Plan – An individual or group plan that provides or pays the cost of medical care.
  - Health Care Clearinghouse – A public or private entity that processes, or facilitates the processing of, health information received from another entity in a nonstandard format into a standard format (or the reverse).
  - Health Care Provider – A provider of medical or health services, and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business, who transmits health information electronically in connection with a HIPAA standard transaction.
- Business Associate – A person or entity that performs certain functions or activities involving the use or disclosure of PHI on behalf of a covered entity. According to 45 CFR 160.103, a business associate is:
Anyone who creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity.
Examples of business associates include:
- Answering services
- Medical billing companies
- Medical collection agencies
- Health information exchanges (HIEs)
- E-prescribing gateways
- Third-party administrators
- Pharmacy benefit managers
- Data analysis service providers
- Management companies
- Shredding companies
- Medical transcription companies
- Accounting firms
- Law firms
- Consulting firms
- Financial institutions
What is PHI?
PHI is individually identifiable health information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Note that employment records held by a covered entity in its role as employer are excluded from the definition (45 CFR 160.103), so a sick note in an HR file is not PHI merely because the employer happens to be a covered entity.
The Privacy Rule’s Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists 18 identifiers, all of which must be removed before health information stops being PHI:
- Account number
- Address (all geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code, except the first three digits of a ZIP code for areas with more than 20,000 people)
- All elements (except year) of dates directly related to an individual (including birth date, admission date, discharge date, and date of death), and all ages over 89
- Any other unique identifying number, characteristic, or code
- Biometric identifiers, such as fingerprints, face scans, or voiceprints
- Certificate/license number
- Device identifiers or serial numbers
- Email address
- Fax number
- Full-face photographic images and any comparable images
- Health plan beneficiary number
- IP address
- Medical record number
- Names
- Social Security number
- Telephone numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Web URLs
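To show what screening for these identifiers looks like in practice, here is an added example (not from the original article) of a small regex-based detector and redactor for a subset of the Safe Harbor list. The patterns, the category names, and the sample clinical note are all constructed assumptions; names, medical record numbers, and account numbers have no universal format and are deliberately left out.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the original article): regex detectors for a subset
# of the 18 Safe Harbor identifiers. Every pattern is a heuristic assumption;
# names, medical record numbers and account numbers have no universal format,
# so a real de-identification tool needs site-specific patterns or dictionaries.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "telephone_or_fax_number": re.compile(
        r"\b(?:\+1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b"
    ),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "web_url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    # Month/day dates only; a bare year is allowed under Safe Harbor, so it is not matched.
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # Full ZIP codes; Safe Harbor allows the first three digits for large areas.
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # Ages over 89 must be aggregated into a single "90 or older" category.
    "age_over_89": re.compile(
        r"\b(?:9\d|1\d{2})\s*-?\s*years?\s*-?\s*old\b", re.IGNORECASE
    ),
}


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Return (category, matched_text) pairs for every identifier found in text."""
    hits: List[Tuple[str, str]] = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((category, match.group(0)))
    return hits


def is_safe_harbor_clean(text: str) -> bool:
    """True only when no detector fires; this is evidence, not proof, of de-identification."""
    return not find_identifiers(text)


def redact(text: str) -> str:
    """Replace each detected identifier with a bracketed category tag."""
    redacted = text
    for category, pattern in IDENTIFIER_PATTERNS.items():
        redacted = pattern.sub(f"[{category.upper()}]", redacted)
    return redacted


# Constructed sample note; every value in it is fictitious.
SAMPLE_NOTE = (
    "Pt Jane Roe, DOB 03/15/1951, SSN 123-45-6789, seen 2024-02-09 from 10.20.4.17. "
    "Contact 617-555-0142 or jroe@example.org, ZIP 02139. Spouse is 93 years old. "
    "Portal: https://portal.example.org/visit/8812"
)

if __name__ == "__main__":
    for category, value in find_identifiers(SAMPLE_NOTE):
        print(f"{category:24s} {value}")
    print(redact(SAMPLE_NOTE))
```

A clean result from a tool like this is evidence, not proof, of de-identification: the Safe Harbor standard also requires that the covered entity has no actual knowledge that the remaining information could identify the individual, and free-text names or site-specific record numbers need their own detectors.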
HIPAA Training for HR Professionals
HR’s Role in HIPAA Compliance
When discussing HIPAA and HR, a common mistake is for HR departments to hand the obligations of HIPAA security compliance to the IT department, on the assumption that because the issue involves information technology, they are the wrong people for the job. That assumption is wrong.
Passing the buck to IT will not ensure compliance. It will more likely produce violations, because IT has little control over employee policies and procedures and no authority over questions such as:
- Which employees may be granted access to sensitive information?
- How will employees be trained in regard to HIPAA compliance?
- Who will outline the written HIPAA compliance policies?
- Who will dictate and enforce sanctions on employees who cause HIPAA breaches?
Questions such as these are best answered by HR working in conjunction with their IT department.
HR and the Security Rule
When it comes to HIPAA and HR, your team needs to pay special attention to the Security Rule. It requires every covered entity and business associate to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) it creates, receives, maintains, or transmits (45 CFR 164.306(a)). These terms can be defined as follows:
- Confidentiality – PHI is not being shared or disseminated to unauthorized individuals or entities.
- Integrity – PHI has not been edited, altered, or destroyed without authorization.
- Availability – PHI is accessible and usable when desired by the authorized individual.
In addition, your business needs a security management process to meet these objectives. It starts with a risk analysis, required by the Security Rule’s administrative safeguards, that identifies the threats to and vulnerabilities of the ePHI you hold and how likely and how damaging each would be. From there, your business and HR department must select and implement security measures that reduce the identified risks to a reasonable and appropriate level, and repeat the analysis whenever systems or operations change.
Again, although this may seem like more of an IT department concern, there are several roles that HR can and should play throughout the process. These include:
Updating Agreements and Documents
The Privacy Rule requires covered health plans to have written business associate agreements with third parties that use or disclose PHI on their behalf, and the Security Rule requires those agreements to contain satisfactory assurances that the business associate will appropriately safeguard ePHI. The Security Rule also requires group health plan documents to be amended so that the plan sponsor agrees to implement safeguards for any ePHI it receives from the plan.
If your documents do not already contain those provisions, HR will need to update and amend them. HR is also the department most often involved in negotiating or renegotiating business associate agreements, so the task of ensuring that those documents are current and compliant with HIPAA falls to HR.
Nominating a Security Official
The Security Rule requires every covered entity and business associate to designate one security official who is responsible for developing and implementing its security policies and procedures. This person does not have to differ from the Privacy Officer, but it is recommended that the two roles be held by different people. The Security Officer is responsible for ensuring that the organization follows the required security protocols and procedures.
HR tends to have the most visibility when it comes to employees and their roles. As a result, HR is ideally positioned to determine which candidate is the best fit for a role that requires both:
- Leadership skills.
- The ability to effectively communicate with various other members and departments within your company.
Security Awareness Training
HR and IT need to work together to create an employee training program that informs all employees broadly and then provides tailored training to the individuals who handle PHI regularly. In addition, HR will need to:
- Identify employees who need further or role-specific training.
- Decide whether new hires may access PHI before they complete training.
- Schedule training sessions.
- Document employee attendance and participation in training sessions.
HR also decides how often refresher training occurs. The Security Rule requires only periodic security reminders and sets no fixed interval, so annual PHI security training is a common baseline; more frequent, shorter refreshers are better still.
Gatekeeping ePHI Access
Your HR team is the gatekeeper for ePHI access. It is HR’s job to help IT determine which employees are authorized to use ePHI and the scope of that access, which means HR must:
- Catalog the categories of ePHI the company uses.
- Determine how each category is used and shared.
- Develop access control lists that map roles to systems and permissions.
- Define the types of access (read, write, export) each role is permitted.
- Work with IT to keep those lists current.
- Update access when employees change jobs, since role changes leave stale permissions behind.
- Notify IT promptly of every termination or departure so that access is removed on the employee’s last day.
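The list above is a joiner/mover/leaver procedure, and the failure mode HR most needs to catch is drift between its own roster and the access list IT actually enforces. The following added example (not part of the original article) reconciles a hypothetical HR roster with a hypothetical ePHI grant list against a role entitlement matrix and reports grants held by departed employees, grants for accounts HR does not know about, and grants that exceed what an employee’s current role allows. All employee IDs, systems, roles, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Added example (not from the original article). Reconciles an HR roster with
# the ePHI access list that IT maintains and reports every grant HR should
# have revoked or narrowed. Roster, systems, roles and the entitlement matrix
# are all hypothetical.


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    end_date: Optional[date] = None   # recorded by HR when a departure is known


@dataclass(frozen=True)
class Grant:
    emp_id: str
    system: str
    permission: str                   # "read" or "write"


@dataclass(frozen=True)
class Finding:
    kind: str                         # why the grant is wrong
    grant: Grant


# Maximum ePHI access each role may hold (least privilege). Anything outside
# this set is a finding, even for an active employee.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "benefits_admin": frozenset({
        ("benefits_portal", "read"), ("benefits_portal", "write"),
        ("claims_db", "read"),
    }),
    "payroll_clerk": frozenset({("benefits_portal", "read")}),
    "recruiter": frozenset(),         # recruiters never need ePHI
}


def reconcile(roster: List[Employee], grants: List[Grant], today: date) -> List[Finding]:
    """Compare every grant against the HR roster and the entitlement matrix."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for g in grants:
        emp = by_id.get(g.emp_id)
        if emp is None:
            # An account IT knows about but HR does not: nobody owns it.
            findings.append(Finding("orphaned_account", g))
        elif emp.end_date is not None and emp.end_date <= today:
            # Departure already took effect; access should have gone with it.
            findings.append(Finding("terminated_still_has_access", g))
        elif (g.system, g.permission) not in ROLE_ENTITLEMENTS.get(emp.role, frozenset()):
            # Active employee, but the grant exceeds what the current role
            # allows (typically left over from a previous job).
            findings.append(Finding("exceeds_role", g))
    return findings


def revocations(findings: List[Finding]) -> List[Grant]:
    """The grants IT should remove; every finding kind here is a removal."""
    return [f.grant for f in findings]


# Constructed sample data.
ROSTER = [
    Employee("e100", "benefits_admin"),
    Employee("e101", "payroll_clerk"),
    Employee("e102", "recruiter"),
    Employee("e103", "benefits_admin", end_date=date(2024, 1, 31)),  # already left
    Employee("e104", "benefits_admin", end_date=date(2024, 6, 30)),  # leaving later
]
GRANTS = [
    Grant("e100", "benefits_portal", "write"),   # allowed
    Grant("e100", "claims_db", "read"),          # allowed
    Grant("e101", "benefits_portal", "write"),   # clerk may only read
    Grant("e102", "claims_db", "read"),          # recruiter who moved from billing
    Grant("e103", "claims_db", "read"),          # terminated, never revoked
    Grant("e104", "claims_db", "read"),          # still active until June
    Grant("svc-legacy", "claims_db", "read"),    # not on the HR roster
]
AS_OF = date(2024, 3, 1)        # review date: e103 has left, e104 has not
AS_OF_LATER = date(2024, 7, 1)  # a later review, after e104's end date

if __name__ == "__main__":
    for f in reconcile(ROSTER, GRANTS, AS_OF):
        print(f"{f.kind:28s} {f.grant.emp_id:10s} {f.grant.system}:{f.grant.permission}")
```

Run as a scheduled job or as part of a periodic access review, the findings list is the revocation ticket HR hands to IT. An employee whose end date is still in the future (e104 in the sample) produces no finding yet, which is why HR must record the departure date as soon as it is known rather than on the last day.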
Creating Written Policies
As mentioned, HR plays a major role in drafting the written policies and procedures the Security Rule requires. These include policies on:
- Authorizing and granting appropriate access to ePHI.
- Investigating and resolving complaints.
- Terminating access when employees leave.
- Training employees on protocols and procedures.
- Identifying, reporting, and investigating security incidents and breaches.
- Sanctioning employees who violate HIPAA policies.
- Proper handling and disposal of data and the media that hold it.
HIPAA HR compliance is not just a matter of writing such policies. HR also plays an administrative role in obtaining approvals and communicating the policies to employees, especially new hires. Together, HR and IT chart the proper response to security incidents and discovered vulnerabilities, which can range from employee discipline to the company’s breach notifications and its response to the media.
Employees and HR
Although it was touched on above, it cannot be stressed enough how crucial it is for HR to educate employees about common HIPAA violations. Security points that HR should emphasize include:
- Employee training – Every employee must know what constitutes a HIPAA breach and the possible consequences, including the penalties for noncompliance. HR should hold regular in-office training sessions to teach employees about HIPAA and to answer their questions.
- Maintain possession of mobile devices – Mobile devices are highly exposed to theft and loss as well as to cyber intrusion. HR should regularly remind employees to keep devices with them at all times and to lock them away when not in use.
- Use encryption – HR should require that every device that holds ePHI uses full-disk encryption, multi-factor authentication, strong unique passwords, and a VPN for remote access. Encryption matters doubly: a lost or stolen device whose ePHI is encrypted in line with HHS guidance is not a breach of unsecured PHI under the Breach Notification Rule, whereas loss of an unencrypted one is presumed to be a reportable breach unless a risk assessment shows otherwise.
- Properly dispose of files – HR should stress that paper must be shredded before it is thrown away; even seemingly innocuous documents may contain PHI.
HIPAA Training for HR Professionals
Your HR staff plays an instrumental role in the safety and security of your business, ensuring that you maintain compliance with HIPAA. Seeing as this is such an important task, it’s wise to require that your HR team receive HIPAA training themselves so that they can be more thorough and knowledgeable about the company’s duties.
RSI Security can help you accomplish this. We have created a rigorous security awareness training program that extensively covers the various facets of HIPAA as well as other aspects of business security. Together, we can ensure that your HR professionals are equipped to go about their vital task of safeguarding your business.
NCBI. Beyond the HIPAA Privacy Rule. https://www.ncbi.nlm.nih.gov/books/NBK9573/
HHS. To Whom Does the Privacy Rule Apply and Whom Will it Affect? https://privacyruleandresearch.nih.gov/pr_06.asp
Cornell Law School. 45 CFR § 160.103 – Definitions. https://www.law.cornell.edu/cfr/text/45/160.103
HHS. Summary of the HIPAA Privacy Rule. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html