The Health Insurance Portability and Accountability Act of 1996, also known as HIPAA, was passed to safeguard individuals’ protected health information (PHI) and prevents fraud, waste, abuse and even identity theft.
Training in HIPAA requirements is already considered a necessity for those working in the health and wellness industries. But what about companies, regardless of industry, that offer employee-sponsored health plans? Human resources departments that handle benefits will often deal with PHI by default, but if your HR team has not had HIPAA training, employee privacy and security could be compromised.
Under HIPAA, healthcare providers are required to prevent unauthorized access to patients’ PHI, which means implementing secure document management and digital security systems.
PHI includes information such as patient diagnoses and treatment, prescriptions, billing information and address. HIPAA violations can lead to large fines and lawsuits, and can also prompt employees and clients to lose trust in your organization. More often than not, these violations are a result of carelessness and improper procedure – which is why it is so important to implement regular training for those who need it.
If your company performs benefits services, workers’ compensation or medical billing, then your human resources team needs to understand the ins and outs of HIPAA. While compliance with privacy and security laws like HIPAA is often left to IT departments alone to manage, HR personnel should take the lead in creating a culture of compliance, perhaps even designating a compliance officer within the team. Your HR department should regularly inform employees about privacy policies and best practices, record and resolve complaints and maintain and update procedures related to HIPAA.
Medical HR professionals will regularly come into contact with sensitive health information and will also be responsible for reinforcing the importance of staff-wide compliance.
So for HR teams working in healthcare settings like hospitals, private practices, treatment facilities and wellness centers, regular HIPAA trainings should be the norm and fully address HIPAA’s two distinct sets of regulations: HIPAA Privacy and HIPAA Security. The former specifically deals with protecting PHI in terms of people and administration, while the latter is focused on protecting information in electronic format from theft, hacking or disaster.
Training for HR teams in healthcare should include general information on HIPAA, patients’ rights, disclosure of PHI, breach notification protocol and employee sanctions as well as detailed discussion on how to safeguard ePHI and what constitutes a violation under HIPAA Security.
Training for HR personnel in other industries does not need to be as detailed as training for medical HR professionals, and should focus mostly on HIPAA Privacy with a basic outline of HIPAA Security.
For these trainings, it is best to include an overview of HIPAA, an explanation of PHI and when to disclose, a guide to maintaining HIPAA compliance in the office, breach protocol, how breaches occur and employee sanctions. Training leaders in all industries should not waste too much time speaking in generalities, but should emphasize specific HR department expectations, responsibilities and procedures.
According to the U.S. Department of Health and Human Services, “HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.” HHS itself offers an official free video training module, and the government website HealthIT.gov also provides ample training materials for employers to use.
While HHS advises creating your own training to address the needs of your company, many employers simply purchase an online HIPAA training course, which employees can complete in the span of an hour or two. Beware of this method. While the companies creating these materials provide the necessary information (and they do offer options tailored to HR professionals), employees who simply take an online training are less likely to absorb the information, take it seriously and understand their personal roles in HIPAA compliance.
In-person trainings—whether conducted by the company’s compliance officer or an outside consultant—are much more effective in clearly communicating HIPAA rules and their importance to HR personnel. The best approach is to keep trainings short, focused and frequent, so your staff is not overloaded with information and a culture of HIPAA compliance is regularly reinforced.
One way to improve HIPAA compliance in any office is to implement an up-to-date, secure and efficient document management system. There are companies who can assist in migrating patient or employee records and related PHI to electronic format, storing those in secure cloud software platforms and/or in secure offsite records centers, and ensuring efficient retention and recovery of documents. A document management and information governance company like Access does the heavy lifting of keeping up with new developments in HIPAA as well as state privacy laws and will help you implement policies and procedures accordingly.
For human resources departments, it is best to choose a document management system designed specifically for your needs. Access offers CartaHR, which enables secure storage, quick retrieval, and secure sharing of files, as well as a compliance dashboard for monitoring employee documents and certifications.
HR HIPAA violations can have dire consequences. At Access, we’re here to support your company’s compliance efforts with a secure, easy-to-use document management system that will protect employee and patient PHI.
Andrea Palumbo has over 20 years of experience in the HR and Payroll industry as both an HRIS client and vendor. Her teams are responsible for implementing and maintaining critical HR technology, data and timely processing of payroll for over 1300 employees globally. Andrea’s in-depth knowledge of HR Technology and sensitive employee data allow her to convey the benefits of having a robust HRIS and data management systems working together side by side.