HIPAA Compliance for Human Resources

Human resource managers of companies that are covered entities or business associates under the Health Insurance Portability and Accountability Act of 1996 face a wide variety of responsibilities, varying greatly from company to company. 

Those responsibilities can be very complicated and require a massive focus from the human resources department and from those charged with looking after privacy and security within a company. A lot of the work that needs to be carried out within a business will depend on whether it is classified as a HIPAA covered entity or not. If it is, then the requirements of the HIPAA Privacy and Security Rules must be in place along with a range of other legal obligations.

Create a Process

A policy and process should be in place to deal with and record privacy complaints, investigations and resolutions.

Once it has been established that a company falls under the governance of HIPAA, policies and procedures should be created and implemented. This is a complicated process and the person or team carrying it out should have a thorough understanding of HIPAA and how to achieve full compliance within the organization.

There is no such thing as a uniform HIPAA process or policy. Every company is different and operates in a different way, so the HR process must reflect this, and there should be no shortcuts taken in order to tick a box and claim you are compliant. Policies and procedures should vary based upon the size of the entity, the functions of and services provided by the entity, and other characteristics unique to that entity.

Assign the Role of Security Officer

An IT manager is usually delegated the role of HIPAA Security Officer for an organization. They will be charged with seeing to it that every department within the company is compliant with the HIPAA Security Rule. 

The human resources department should assign the role of security official to one individual who is responsible for ensuring employee protected health information (PHI) is always secured. The individual assigned to this task will have to work closely with the IT department to formulate a plan and process to create a secure system of who may and who may not access certain records. They will also need to have a clear comprehension of how to interact with employees.

The person given this role within the HR department should not assume that the IT department or Security Officer will handle the bulk of the workload in relation to HIPAA compliance. They must always remain focused to see to it that nothing is overlooked.

Constantly Issue Updates and Reminders

Employees enrolled in a self-insured group health plan must be issued with a Notice of Privacy Practices that will advise them of their HIPAA-related rights. The HR Department should see to it that employees understand their rights under the Privacy Rule so that accidental violations of HIPAA privacy do not happen.

Take State Privacy Law Compliance into Account

State law can be neglected when there is a strong focus on HIPAA compliance. HIPAA preempts state privacy laws that provide weaker privacy protection, but not those that provide stronger privacy protection, so consideration must be given to the local state legislation to avoid any possible penalties in that jurisdiction.

HR Departments should be one of the main driving forces, within a HIPAA-covered entity, to see to it that employees' rights to privacy are enshrined in everything that the company carries out. HIPAA compliance is an ongoing duty and should never be neglected.