The U.S. Department of Health and Human Services (HHS) has recently released two reports to Congress regarding HIPAA compliance and breaches of unsecured protected health information (PHI). The compliance report notes that hundreds of cases during 2018 resulted in corrective actions, and that 11 investigations ended in either corrective action plans or civil monetary penalties, totaling more than $28 million.
These reports serve as both a reminder and a warning to covered entities and business associates to comply with the HIPAA Privacy and Security Rules.
As a covered entity (health plans are considered covered entities), an employer is significantly exposed to fines and penalties for HIPAA violations and breaches through HHS enforcement. At a high level, here is a list of requirements for covered entities:
- Required business associate agreements (BAAs) with all outside entities handling protected health information (PHI) need to be in place and up to date.
- Notice of privacy practices needs to be distributed to plan participants.
- Plan must be compliant with EDI and security requirements governing electronic information.
- Plan must also be compliant with other applicable laws regarding release of personal financial or medical records or PHI (e.g., Gramm-Leach-Bliley Act).
- Risk assessment must be conducted.
- Employees must be trained at least once per year.
- HIPAA Privacy and Security Officers must be appointed.
- Policies and Procedures must be in place.
Employers who sponsor a health plan, especially a self-funded plan, are required to comply with the HIPAA Privacy and Security Rules. Thus, let these reports serve as an encouragement to comply with HIPAA and to ensure that PHI is handled properly.