HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for HR Departments

Businesses not directly involved in the healthcare or healthcare insurance industries should none-the-less pay close attention to HIPAA compliance for HR departments. It has been estimated a third of all workers and their dependents who receive occupation healthcare benefits do so through a self-insured group health plan.

Although this does not mean a self-insuring business automatically becomes a HIPAA-Covered Entity – and thereby subject to HIPAA regulations – the likelihood is the HR department will have some involvement with insurance-related tasks. During the execution of the insurance-related tasks, HR personnel will undoubtedly come into contact with Protected Health Information.

Why HIPAA Compliance for HR Departments is Important

The original purpose of the Healthcare Insurance Portability and Accountability Act (HIPAA) was to improve the portability and continuity of health insurance coverage. As the Act progressed through Congress, amendments were added with the intention of combating waste, fraud and abuse in the health insurance and healthcare industries.

As a result of these amendments, the HIPAA Privacy and Security Rules were introduced. The Rules restrict access to and use of Protected Health Information (PHI), primarily to give patients and members of group healthcare plans control over how their personal information is used. For example, healthcare organizations can no longer use a patient´s PHI for marketing activities without the patient´s consent.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

A further purpose of restricting access to PHI is to prevent one person using somebody else´s PHI to obtain free healthcare – effectively identity theft. As the costs of medical treatment have increased, so has the value of healthcare data. A 2014 report calculated a full dossier of healthcare data on the black market is worth upwards of $1,200. By comparison, a stolen Visa card is worth $4.

Major Areas of HIPAA Compliance for HR Departments

There are four major areas of HIPAA compliance in which HR personnel should be well-versed. These relate to understanding the key components of the Privacy and Security Rules, helping employees understand their rights under HIPAA legislation, safeguarding the PHI of employees, and working with Covered Entities and Business Associates with whom PHI is shared.

These areas of HIPAA compliance for HR departments are comprehensively covered in our “HIPAA Compliance Guide” – a free booklet summarizing the law and its implications. However, there are some areas of HIPAA compliance which – although not unique to HR – sometimes get overlooked in the effort to achieve HIPAA compliance:

Don´t Assume the IT Department is Responsible for Security Rule Compliance

An IT manager is usually delegated as the HIPAA Security Officer, and it is their responsibility to ensure every department within the company is compliant with the Security Rule. But this is not always the case, and HR personnel should not assume the responsibility for security is not theirs.

Remember to Send Updates and Reminders of Privacy Practice Notices

Employees enrolled in a self-insured group health plan must be given a Privacy Practice Notice informing them of their HIPAA-related rights. Most HR departments remember to do this, but some forget to send updates when privacy practices are revised, and a reminder at least once every three years.

Maintain a Written Policy for Investigating and Resolving Complaints

Although not required by HIPAA, a policy should be in place to record privacy complaints, investigations and resolutions. This will be of significant benefit to the company – and the HR department in particular- if an employee pursues their complaint to the Department of Health & Human Services.

Don´t Overlook State Privacy Law Compliance

The relationship between HIPAA and state privacy laws is a source of confusion for some people. HIPAA pre-empts any state privacy laws with weaker privacy protection, but not those that provide stronger privacy protection. In the quest for HIPAA compliance, HR departments should not overlook state requirements.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.