The complexity of the Health Insurance Portability and Accountability Act (HIPAA) makes it difficult for well-intentioned employers to ensure compliance with its provisions. We often field calls from New Mexico employers asking whether HIPAA applies in certain situations and what steps they need to take to make sure they do not violate it. In light of HIPAA's significant civil penalties (ranging from $100 to $50,000 per violation), it is important for employers to understand its provisions and applicability. HIPAA specifies how protected health information (PHI) may be used and disclosed and how it must be protected. This article explains some of the most common areas where employers with a health plan may run afoul of the law, along with best practices for avoiding violations.
If you are an employer with a self-insured health plan, including a Health Reimbursement Arrangement (HRA) or Health Flexible Spending Account (Health FSA), your health plan is considered a covered entity and you must comply with HIPAA. (Please note that an employer may have some medical information about employees in personnel files, such as doctors' notes or FMLA paperwork. Simply having medical information in an employee's personnel file does not make an employer a covered entity under HIPAA.)
First and foremost, health plan documents must specify that PHI will not be used for employment-related actions. In other words, an employer may not use an employee's PHI to make hiring, firing, promotion, or demotion decisions. Not only is this a HIPAA violation, it may also expose the employer to a wrongful termination suit. Employers should avoid even the appearance that PHI was used in making any employment-related decision. The easiest way to accomplish this is to set up a firewall (an organizational separation) between the health plan and the employer, and to ensure that the employees responsible for making employment-related decisions are not privy to any individual employee's PHI from the health plan. To the extent information about the health plan needs to be shared with the employer, such as financial information, it is best to remove any individually identifiable information and limit what is shared to the minimum necessary to meet the employer's need.
It is imperative that employers encrypt laptops and mobile devices that may store, access, or transmit PHI. While all computers should be encrypted, portable electronic devices are the priority because they are especially vulnerable to theft and loss. When an unencrypted device that contains PHI is lost or stolen, it is almost always a HIPAA breach. By contrast, PHI that is encrypted in accordance with HHS guidance (NIST SP 800-111 for data at rest) is not "unsecured PHI," so the loss of a properly encrypted device is generally not a reportable breach. Depending on the size and circumstances of the breach, fines can be in the millions of dollars (and criminal penalties can apply). When the Office for Civil Rights (OCR) assesses penalties, it does not matter that the theft occurred through no fault of the employer. What matters is that the employer could have encrypted the device and did not.
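"Encrypt the laptops" is only a policy until someone verifies it. The following is an added example, not part of the original article and not any vendor's tool: it parses the JSON device tree produced by the Linux `lsblk -J -o NAME,TYPE,MOUNTPOINT` command and reports every mounted filesystem that does not sit on top of a dm-crypt (LUKS) mapping. The embedded `SAMPLE_LSBLK_JSON` is constructed for illustration, not captured from a real machine, and the function and variable names are the example's own assumptions.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured from
# a real host): one laptop whose root and /home live on a LUKS/dm-crypt mapping,
# while /boot and a second data disk are plain, unencrypted partitions.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/srv/phi-exports"}
    ]}
  ]
}
"""


def _walk(nodes, under_crypt, out):
    """Depth-first walk of lsblk's device tree. For every mounted filesystem,
    record whether the node itself or any ancestor is a dm-crypt mapping."""
    for node in nodes:
        encrypted = under_crypt or node.get("type") == "crypt"
        # Older lsblk emits a single "mountpoint"; newer releases add a
        # "mountpoints" list. Handle both.
        mountpoints = node.get("mountpoints") or [node.get("mountpoint")]
        for mp in mountpoints:
            if mp:
                out[mp] = encrypted
        _walk(node.get("children", []), encrypted, out)


def classify_mountpoints(lsblk_json: str) -> dict:
    """Map each mountpoint to True (backed by an encrypted device) or False."""
    tree = json.loads(lsblk_json)
    out = {}
    _walk(tree.get("blockdevices", []), False, out)
    return out


def unencrypted_mountpoints(lsblk_json: str, ignore=("/boot",)) -> list:
    """Return mountpoints whose contents would be readable if the disk were lost.
    /boot is ignored by default because it normally must stay unencrypted to boot."""
    status = classify_mountpoints(lsblk_json)
    return sorted(mp for mp, enc in status.items() if not enc and mp not in ignore)


if __name__ == "__main__":
    import subprocess
    import sys

    # On a live Linux host read the real device tree; otherwise fall back to the sample.
    try:
        raw = subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        raw = SAMPLE_LSBLK_JSON

    exposed = unencrypted_mountpoints(raw)
    for mp in exposed:
        print(f"UNENCRYPTED: {mp}")
    sys.exit(1 if exposed else 0)
```

Run against the sample, the script flags `/srv/phi-exports` (a cleartext data partition) while accepting `/` and `/home`, which sit under the `cryptroot` mapping. A non-zero exit makes it usable as a fleet compliance check from a configuration-management run. Two caveats a practitioner should keep in mind: the check proves only that a dm-crypt layer exists, not that the passphrase or key management is adequate, and it is Linux-specific; on Windows the equivalent evidence comes from BitLocker's volume status, and on macOS from FileVault's, so each platform needs its own check.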
Employers with a self-insured health plan often fail to adequately train their workforce on how to handle and maintain PHI. Employees may not realize that PHI receives special protection and should not be discussed with coworkers or left lying about where it is visible to people passing by. Employers should have policies and procedures in place that explain what PHI is; how it is to be maintained, shared, and protected; and the protocols to follow in the event of a breach. Employees who may view PHI as part of their job should participate in training that explains the key aspects of the policies and procedures, and the employer should document that this training took place.
If an employer contracts with another entity, such as a copier repair company, an IT services provider, or an accounting or legal firm, and that entity may view or use PHI to carry out its job responsibilities, then the employer needs to have a signed business associate agreement in place with that entity. The business associate agreement sets forth how PHI must be used and protected. This has been a robust area of enforcement for OCR lately. One recent settlement resulted in a $1.5 million payment by a health system, partly for not having a business associate agreement in place with one of its contractors.
In case the huge penalties (including the possibility of jail time) under HIPAA are not enough of an incentive to comply with the law, OCR announced on March 16, 2016 that the second round of HIPAA audits is underway. OCR will audit at least 200 covered entities and business associates, including some onsite audits. While the audits are not intended to be punitive, information gleaned from them may be used in a compliance action against the audited entity.