HIPAA violations in the workplace are not a concern only for healthcare providers: covered entities and their business associates are subject to the law, and so, in certain circumstances, is any employer. Employers that provide healthcare to their employees or that require health information as part of disability benefits can violate HIPAA. Because a HIPAA workplace violation can arise from everyday human resources activities, all companies need to be aware of how to protect themselves and their employees.
What is a HIPAA Violation in the Workplace?
What is HIPAA?
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was intended to protect individuals’ health information when they moved from one job to another. The US Department of Health and Human Services (HHS) additionally passed the Privacy Rule in 2003, defining Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.” In 2005, the Security Rule update to HIPAA focused on electronically stored PHI (ePHI). Although the Security Rule is separate from the Privacy Rule, the increased use of digital platforms for sharing healthcare information means that more information systems fall within its scope than before.
What employee information qualifies as PHI or ePHI?
The HIPAA Privacy Rule incorporates any medical records or health plan records that you collect to administer your employee health care plans. It does not apply to employment records, even if they contain health-related information.
For example, if you ask an employee to provide health information to document sick leave or workers’ compensation, this information does not fall under the Privacy Rule. However, if you contact your employee’s healthcare provider, the information that the provider gives you falls under the Privacy Rule.
What does a Human Resources department need to know?
Many human resources departments incorporate medical benefits for the employees. If your company offers employees a covered health plan, then you need to determine whether you meet the threshold for complying with the Security Rule.
First, you need to look at the type of plan you administer and the number of people involved.
Does your plan cover 50 or more participants?
If the answer is yes, then the Security Rule applies.
If the answer is no:
Does a third party administer your health insurance plan?
If the answer to this question is yes, you need to worry about HIPAA Security Rule violations.
Do you function as the plan sponsor for a group health care plan (this includes using a vendor for your flexible spending accounts and employee assistance programs)?
Most likely, however, the answer to this last question is “yes.” The confusing part here is that even if you only sponsor the plan, you may still be functioning as a plan administrator or as someone who needs to review a third-party vendor. For example, if you offer your employees a flexible spending account or employee assistance program, then the Security Rule applies.
What is a security management process?
Your first step to protecting your company from a workplace HIPAA violation lies in creating a risk analysis. You need to determine all the information your organization houses, where the data resides, and potential risks and vulnerabilities that can impact the confidentiality, integrity, and availability of ePHI.
Once you complete the risk analysis, you need to put security measures in place that reduce the likelihood and impact of those risks and vulnerabilities. To diminish these risks, you need to establish policies, procedures, and processes that secure information. For example, you might create physical protections such as locks that mitigate the risk of document theft, or incorporate multi-factor authentication to protect devices from unauthorized use.
After establishing security measures, you need to ensure that they work. When you review your security measures, you want to look at them from both a technical and non-technical standpoint. During this evaluation, you may find that a security measure no longer protects your organization, and therefore, you need to adjust your controls to respond to employee, environmental, and technological changes.
What employee information needs to be protected to prevent a HIPAA workplace violation?
Even if you hire a third-party administrator to manage your health insurance program, your human resources department still has access to PHI and ePHI. If your HR department and benefits personnel coordinate the healthcare plan with your vendor, the information contained in those conversations may be subject to HIPAA.
How can an organization protect the PHI and ePHI that its HR department accesses?
First, your HR and benefits personnel should catalog the information transmitted, how they store it, and how they use it to perform their administrative functions.
Additionally, your HR department and benefits personnel need to understand that communications with the third-party service provider fall under the Security Rule, as does any information employees can submit through your intranet. Thus, you need to create policies and processes that protect information at rest and in transit. These protections need to incorporate your intranet, the internet, and emails with vendors.
Finally, your IT department needs to establish access controls. These should be defined at each layer: the types of administrative functions performed, the systems used, the applications within those systems, the functions within applications, the data files, and the fields within those files. Then, HR and IT should work together to determine which employee groups need access to each of those, and define who can read, create, modify, delete, search, and change security settings for files.
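The layered, deny-by-default access matrix described above can be made concrete in code. The following is an added example written for this article, not code from the original or from ZenGRC: the group names, resource paths and the sample access log are all constructed for illustration. Resources are addressed by a path of system / application / data file / field, the most specific matching policy entry wins (so a field can be locked down more tightly than the file that contains it), and anything not explicitly granted is denied. The review function returns the attempts the policy would refuse, which is the set of events worth alerting on in an audit review.

```python
"""Deny-by-default access matrix for HR/benefits data (constructed example)."""
from dataclasses import dataclass

# The operations the article lists; "admin" stands for changing security settings.
OPERATIONS = frozenset({"read", "create", "modify", "delete", "search", "admin"})

# Constructed policy: (group, resource-path prefix) -> allowed operations.
# Path layers follow the article: system / application / data file / field.
POLICY = {
    # Benefits staff may search the benefits system as a whole...
    ("benefits_admin", ("benefits_sys",)): {"search"},
    # ...and fully work the plan-elections file.
    ("benefits_admin", ("benefits_sys", "enrollment", "plan_elections")): {"read", "create", "modify", "search"},
    # Field-level tightening: the dependent SSN field is read-only even for benefits staff.
    ("benefits_admin", ("benefits_sys", "enrollment", "plan_elections", "dependent_ssn")): {"read"},
    # HR generalists handle employment records (not PHI) and get no rights on benefits_sys.
    ("hr_generalist", ("hris", "personnel", "employee_file")): {"read", "search", "modify"},
    # IT security manages permissions on the benefits system but never reads the data.
    ("it_security", ("benefits_sys",)): {"admin"},
}


def _matches(prefix, path):
    """True when `prefix` is a leading segment of `path`."""
    return len(prefix) <= len(path) and tuple(path[: len(prefix)]) == tuple(prefix)


def allowed_ops(group, path):
    """Return the operations `group` may perform on `path`.

    The longest matching prefix wins; no matching entry means no rights at all.
    """
    best = None
    for (g, prefix), ops in POLICY.items():
        if g == group and _matches(prefix, path):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ops)
    return frozenset() if best is None else frozenset(best[1])


def is_allowed(group, path, op):
    """Deny-by-default decision for a single access attempt."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation: {op}")
    return op in allowed_ops(group, path)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str
    path: tuple
    op: str


def review_requests(requests):
    """Return the requests the policy would deny; these are the audit lines to alert on."""
    return [r for r in requests if not is_allowed(r.group, r.path, r.op)]


# Constructed sample of access attempts, in the shape an audit log might record them.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "benefits_admin", ("benefits_sys", "enrollment", "plan_elections", "plan_code"), "modify"),
    AccessRequest("alice", "benefits_admin", ("benefits_sys", "enrollment", "plan_elections", "dependent_ssn"), "modify"),
    AccessRequest("bob", "hr_generalist", ("benefits_sys", "enrollment", "plan_elections", "plan_code"), "read"),
    AccessRequest("bob", "hr_generalist", ("hris", "personnel", "employee_file", "sick_leave_note"), "read"),
    AccessRequest("carol", "it_security", ("benefits_sys", "enrollment", "plan_elections"), "admin"),
    AccessRequest("carol", "it_security", ("benefits_sys", "enrollment", "plan_elections"), "read"),
]

if __name__ == "__main__":
    for r in review_requests(SAMPLE_REQUESTS):
        print(f"DENY {r.user} ({r.group}) {r.op} on {'/'.join(r.path)}")
```

Running the script flags three of the six sample attempts: the benefits administrator trying to modify the dependent SSN field (the field-level entry overrides the file-level grant), the HR generalist reading plan elections (no entry on benefits_sys at all), and the IT security user reading plan data (granted only "admin"). Keeping the policy as data rather than scattered conditionals is what makes the HR-and-IT review the article calls for practical: the table can be printed, diffed and signed off.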
How can I protect against perceived HIPAA violations?
The hardest part about determining whether a HIPAA violation occurred in your company is understanding who shared information and how they obtained the information.
HIPAA does not consider personnel files and records to be PHI. Thus, even if the records contain information about your employee’s health, HIPAA does not apply. However, employees may not understand this. Confused employees may file complaints with the Office for Civil Rights (OCR), and the resulting investigation costs time and money to defend.
Your HR department should develop policies and procedures that secure records employees perceive as protected. For example, you may want to train management on inappropriate questions that appear to ask for PHI. Although HIPAA does not regulate these, employees may not realize that and may try to establish a claim.
How ZenGRC Enables HIPAA Compliance
ZenGRC eases the compliance burden by providing organizations seed content for mapping their controls across a variety of standards and frameworks. This speeds the onboarding process and also enables gap analysis.
Healthcare providers can choose from HITRUST, COBIT, COSO, ISO, PCI DSS, and NIST frameworks to ensure proper IT HIPAA compliance. Moreover, business partners seeking to become HIPAA compliant as they scale can quickly view their current compliance using our gap analysis tool and determine how much additional work they need to do.
For more information about using ZenGRC to ease the HIPAA compliance burden and to speed the process of scalability, schedule a demo.