Now that the one-year anniversary is here for all employers with less than $5 million in health care expenses, you should remember what it takes to continue to be in compliance. If you are your company's privacy officer, this responsibility sits squarely on your shoulders.
For those ostriches with your heads in the sand, let me remind you that the penalties are stiff -- including jail time -- for individuals who intentionally violate HIPAA. Getting into HIPAA compliance is not hard, but it does require properly executed documents and procedures. Maintaining compliance is even easier.
* Retrain your entire HIPAA work force annually.
Every year, you must retrain your HIPAA work force. This can be accomplished in about an hour if your training materials are complete. Many times, employers are more puzzled with who is considered a member of the work force than in the training that must occur.
Your HIPAA work force generally includes several departments. Human resources is the primary group and includes anyone who touches an enrollment form or is the primary source for employees to seek assistance with benefit problems.. Certain members of the finance department can be included because finance handles payroll, and payroll deductions are related to plan selection.
The last department that most people forget is members of the IT group. When HR or finance needs assistance with their systems, IT members have access to that information.
* Train your new members of your HIPAA work force within 30 days.
Thirty days is not much time to get a new employee trained on HIPAA, let alone all the other aspects of a new job, but it must be done. Training a new employee doesn't have to be any more time-consuming than retraining.
* Maintain your training log.
HIPAA states that the employer must maintain a log. This log should include:
* The name of the employee and his or her department
* Date the member was initially notified that he or she was a member of the HIPAA work force
* Date the member was initially trained (required within 30 days of notification date)
* Date member was retrained (at least once a year)
* Date member was terminated as a member of HIPAA work force
Your log must be stored for six years, along with all of your other HIPAA-required documents.
* Audit your business associates for HIPAA compliance.
Most employers believe that having a business associate agreement with your agent or vendors provides protection from liability. The law is very clear that the employer should audit its business associates for compliance. Although the audit does not eliminate liability, it does comply with the requirements, which may result in penalties being less severe.
Many times, your benefits agent is your primary business associate. How do you audit your agent? The recommended format is to pay a visit to its office and review each HIPAA process to see if it is in compliance. Use your business associate agreement as your roadmap to your audit. A properly written agreement will list all those processes.
Most canned agreements include a right to correct. Employers who find a violation may be bound to allow 30 days to 90 days for the associate to correct the violation.
Violations on behalf of your agent may be your greatest exposure. As the privacy officer, your selection of your benefits agent goes beyond getting quotes from the same old carriers and HMOs. Your agent should be an extension of your HR department and, in turn, should be managed as a member of your team.
Bruce Bishop (firstname.lastname@example.org) is director of marketing and managing partner of KYBA Benefits. KYBA Benefits provides consulting and administrative services to more than 400 corporate accounts, ranging in size from 20 employees to more than 7,000. Reach Bishop at (770) 425-6700 or (800) 874-2244, ext. 205.