HIPAA's core objective is to standardize and streamline electronic data transfer in the nation's health care system. However, more efficient access to patient information also raises privacy concerns. HIPAA privacy rules are a response to those concerns.
For most employers, the HR department will be the focus of operational impact from these regulations. An employer's sponsored health plan is considered a "covered entity," required to follow HIPAA transaction standards, security and privacy rules, while an employer sponsored cafeteria plan may require legal review to amend the plan if there are more than 50 participants.
In states where privacy laws have more stringent requirements, the organization must also comply with those laws,following dual privacy practices.
Employers without self-insured plans that offer health benefits are meeting additional requirements when interacting with health care providers. Employers are asked to provide assurances via business associate agreements that personal health data is protected and that the employer cooperates with other covered entities striving to meet HIPAA requirements.
Employers must secure and keep confidential employees' personal health data. While there may be access to employee personal medical information to pay health claims, it must be protected from access by individuals responsible for making employment and retention decisions.
A delicate balance must be maintained between HIPAA's privacy rules and the need for health information to comply with health status employment laws such as COBRA, FMLA, ADA, workers' compensation and OSHA that require employers to take affirmative steps in response to an employee's medical condition. However, an employer is prohibited from using that information for employment related determinations without the consent of the employee. SOURCE: Ivan J. Barrick, Ph.D., CHE, CPHIMS is director of the Healthcare Operations Improvement Practice of Parente Randolph, a leading mid-Atlantic independent accounting and consulting firm. Reach him at firstname.lastname@example.org or (866) PRHIPAA.