One of the essential considerations for the modern human resources department is adherence to HIPAA laws, which guide security procedures for employee health records. HIPAA is the federal government’s Health Insurance Portability and Accountability Act of 1996.
The law’s rules require that businesses take appropriate safeguards to maintain the confidentiality of electronic health records. The Privacy Rule refers to those records as “protected health information” or PHIs. The goal of the law is to ensure employees can switch health insurance providers and their health records without losing coverage.
What the Privacy Rule Protects & What it Doesn’t
When designing a secure system for protected health information, human resources managers must understand what the rule is designed to protect and what isn’t covered under its guidelines. According to the U.S. Department of Health & Human Services, the Privacy Rule protects medical and health plan records generated as part of an employee-sponsored health plan.
However, the rule does not protect general employment records, even if those records include some information about an employee’s health. The rule also doesn’t impact the privacy of what an employer might put in an employee’s file.
Creating Knowledgeable Employees
It’s the human resources department’s role to make sure that employees understand their rights under the Privacy Rule so that accidental violations of HIPAA privacy don’t occur. For example, an employee’s supervisor may request a doctor’s note from the employee.
However, the supervisor cannot go directly to the employee’s health care provider for that information unless the employee has given explicit authorization to make health information available.
Creating a Security Management Process
There are three objectives that the HR department and those in charge of the company’s information technology resources must confront when designing the company’s HIPAA safeguards.
Those objectives include keeping records confidential, maintaining integrity of the records, and ensuring authorized individuals may access the records when needed. An important part of ensuring records are secure is creating a set of standard security rules. In addition, the plan must feature logs that create an electronic paper trail for future auditing purposes.
Designating a Responsible Person
It’s important for the human resources department to designate a security official who will be responsible for employee protected health information. The role requires some technical expertise, but the main responsibility of the official is to ensure the company adheres to current HIPAA laws.
In most cases, the best person for this role will be someone working in the HR department who understands how to interact with employees because of specialized human resources training. The HR department’s security official must also know how to speak with the IT department so as to create a secure system of who may and who may not access certain records.
Further, the HR department must also create a written version of the policies used by the company to remain HIPAA compliant. The written plan must also feature a contingency plan just in case an emergency like a fire or flood occurs which could destroy records.
Remaining HIPAA compliant is a task that requires a dedicated official from the HR department, and it’s important to make sure that all plans are reviewed routinely to make sure everything remains compliant with current rules. HIPAA laws do change on occasion, so it’s essential to remain up-to-date with the current rules.
Related Resources: