Fundamentals of HIPAA Security Compliance
08/20/08
Ensuring the integrity and security of sensitive employee health information is an employer’s responsibility. A federal law, the Health Insurance Portability and Accountability Act (HIPAA), requires employers to take specific actions to safeguard this information. The law has been on the books for nearly a decade, but new technologies may require significant policy updates. Read on to find out how employers can stay in compliance with the federal requirements.
Ensuring that the privacy of employees’ personal health information is maintained isn’t just a job for insurance companies. In fact, HIPAA, enacted in 1996, requires all employers who keep electronic records of workers’ health-related events to abide by strict guidelines to ensure that the security of protected health information (PHI) is maintained.
Security standards apply to protected health information in any electronic-storage medium, including hard drives and removable media. They also apply to any PHI that is transmitted electronically, whether via the Internet or on company intranets. Small health plans with gross receipts of less than $5 million must comply by April 20, 2006. (Larger plans had to comply April 20, 2005.)
The security standards require employers to enact security measures on three levels: administrative safeguards, technical safeguards and physical security. Additionally, employers must meet certain documentation and organizational requirements. Here are the fundamentals of each:
Administrative safeguards
Employers must conduct a security risk assessment. This process forces management to track how health information flows throughout the organization. For example, managers should consider whether some workers use palmtop computers or PDAs. If so, an employer’s policy manual may need to address how palmtop computers are accounted for and stored, and what happens if one of these computers becomes lost or stolen along with the sensitive health information it may contain.
The policy manual also should clearly identify, by name and duty position, which employees have access to this information. Companies should limit possession of this information to a few trusted individuals with a legitimate need to know. Last, there must be a system in place for tracking and documenting “security incidents,” regardless of whether sensitive health information was released.
Technical safeguards
Every user on the network should have a unique identifier, either a user name or a numerical identifier. This allows IT workers to track each user’s activity in the system. An Internet Protocol (IP) address may be used as the identifier, provided workers do not routinely share or swap workstations. The policy manual must also provide procedures for accessing PHI in an emergency, including how that access will be monitored.
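The following audit trail is an added example, not code from the article or from any product it mentions. It shows the technical safeguards just described in working form: every PHI access is attributed to a unique user id, emergency access is allowed but must be justified and is flagged for review, and the trail can be checked both for routine accesses by users who are not on the policy manual’s access list and for workstations used by more than one person, which is the condition under which an IP address stops being a usable identifier. The access list, user ids, record ids and workstation addresses are all constructed sample data.

```python
"""PHI access audit trail keyed on unique user identifiers (added example).

Each access to a PHI record is attributed to a unique user id, emergency access
is permitted but flagged for review, and the trail can be checked for accesses
outside the policy manual's access list and for workstations shared by several
users. All user ids, record ids, addresses and events below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Hypothetical access list from the policy manual: unique user id -> duty position.
AUTHORIZED_USERS: Dict[str, str] = {
    "u1001": "benefits administrator",
    "u1002": "HR director",
}


@dataclass
class AccessEvent:
    user_id: str          # unique identifier, never a shared account
    workstation: str      # IP address of the workstation used
    record_id: str        # PHI record touched
    action: str           # "read", "update" or "export"
    timestamp: datetime
    emergency: bool = False
    justification: str = ""


@dataclass
class AuditTrail:
    events: List[AccessEvent] = field(default_factory=list)

    def record(self, user_id: str, workstation: str, record_id: str, action: str,
               emergency: bool = False, justification: str = "",
               when: Optional[datetime] = None) -> AccessEvent:
        """Append one access event. Emergency access must carry a justification."""
        if not user_id:
            raise ValueError("every access must carry a unique user identifier")
        if emergency and not justification:
            raise ValueError("emergency access requires a written justification")
        event = AccessEvent(user_id, workstation, record_id, action,
                            when or datetime.now(timezone.utc), emergency, justification)
        self.events.append(event)
        return event

    def unauthorized_accesses(self) -> List[AccessEvent]:
        """Routine (non-emergency) accesses by users not on the access list."""
        return [e for e in self.events
                if not e.emergency and e.user_id not in AUTHORIZED_USERS]

    def emergency_accesses(self) -> List[AccessEvent]:
        """Every emergency access; each one must be monitored and documented."""
        return [e for e in self.events if e.emergency]

    def activity_by_user(self) -> Dict[str, int]:
        """Per-identifier event counts, the basic per-user tracking described above."""
        counts: Dict[str, int] = {}
        for e in self.events:
            counts[e.user_id] = counts.get(e.user_id, 0) + 1
        return counts

    def shared_workstations(self) -> Dict[str, List[str]]:
        """Workstations used by more than one user id. If any appear, an IP
        address cannot stand in for a user identifier on that workstation."""
        users_by_ws: Dict[str, Set[str]] = {}
        for e in self.events:
            users_by_ws.setdefault(e.workstation, set()).add(e.user_id)
        return {ws: sorted(u) for ws, u in users_by_ws.items() if len(u) > 1}

    def events_for_review(self) -> List[AccessEvent]:
        """Events the policy manual requires to be documented and reviewed:
        unauthorized accesses and every use of the emergency procedure."""
        return self.unauthorized_accesses() + self.emergency_accesses()


def build_sample_trail() -> AuditTrail:
    """Constructed sample activity for one business day."""
    t0 = datetime(2008, 8, 20, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("u1001", "10.0.0.11", "phi-4471", "read", when=t0)
    trail.record("u1002", "10.0.0.12", "phi-4471", "update", when=t0)
    # A payroll clerk not on the access list opens a record from the director's PC.
    trail.record("u1003", "10.0.0.12", "phi-9002", "read", when=t0)
    # The company nurse uses the emergency procedure, with a written justification.
    trail.record("u2001", "10.0.0.40", "phi-4471", "read", emergency=True,
                 justification="employee collapsed on site; needed allergy list", when=t0)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("unauthorized:", [e.user_id for e in trail.unauthorized_accesses()])
    print("emergency:", [e.user_id for e in trail.emergency_accesses()])
    print("shared workstations:", trail.shared_workstations())
    print("activity:", trail.activity_by_user())
```

Running the sample flags the payroll clerk’s routine access, lists the nurse’s emergency access for review, and reports that workstation 10.0.0.12 was used by two different user ids, so its address alone could not identify who acted.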
Physical security
Company management, along with the IT team, should take a hard look at the ways unauthorized individuals might try to access the information. Specific servers and workstations that contain sensitive information should be identified and measures taken to ensure that these areas are observed by authorized employees or remain locked at all times.
Employers also must provide for the secure disposal of personal health information that’s no longer needed. For example, they could establish a procedure for thoroughly erasing or reformatting disks before disposal or reuse, and establish similar procedures for when a computer is transferred from one employee to another.
HIPAA does not specify that employers use any particular technology or security product. Company management should assess security procedures in light of local conditions and business needs.
Documentation requirements
Employers must maintain HIPAA policies and communications in writing. Most commonly, there will be a binder (or series of binders) devoted to compliance with HIPAA regulations. This binder must be continually updated to include changes in organizational structure and turnover.
Organizational requirements
Employers’ responsibilities do not end at the office door. The law also holds companies accountable for their business partners and vendors. If an employer has a business relationship in which PHI must be released, and associates in the other business are not implementing reasonable HIPAA security procedures, that employer is obligated to terminate the contract or arrangement. If that is not feasible, a report must be submitted to the Department of Health and Human Services.
Conclusion
Employers should keep in mind that compliance with HIPAA standards does not, in and of itself, protect a company from liability should PHI become compromised. But a reasonable and good faith effort to comply with HIPAA requirements could go a long way toward limiting any monetary damages as a result of a security breach.
This article is in no way intended to be a comprehensive guide to HIPAA requirements. G.Neil has published a useful guide for PHI custodians, the HIPAA Comprehensive Answer Kit.