
New HIPAA Regs –

How they impact your HR department

Last year, HHS Secretary Tommy G. Thompson issued comprehensive final regulations that give patients sweeping protections over the privacy of their medical records. Issued as a set of improved regulations with stronger marketing language under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the modified Standards for Privacy of Individually Identifiable Health Information – better known as the Privacy Rule – is part of a larger effort to address “administrative simplification” provisions.

Specifically, the privacy rule is designed to protect consumers' private health information. The federal regulation empowers patients by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed and providing an enforcement mechanism if their medical privacy is compromised.

The rule will protect medical records and other personal health information maintained primarily by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.

Under the modified Privacy Rule:

  • Patients must give specific authorization before entities covered by this regulation can use or disclose protected information in most non-routine circumstances – such as releasing information to an employer for use in marketing activities.
  • Covered entities will need to provide patients with written notice of their privacy practices and patients' privacy rights. Patients will be asked to sign or otherwise acknowledge receipt of the privacy notice from direct treatment providers.
  • Pharmacies, health plans and other covered entities must first obtain an individual's specific authorization before using their information for marketing materials.
  • Covered entities cannot use business associate agreements to circumvent the rule's marketing prohibition. The improvement explicitly prohibits pharmacies or other covered entities from selling personal medical information to a business that wants to market its products or services under a business associate agreement.
  • Patients generally will be able to access their personal medical records and request changes to correct any errors. In addition, patients generally can request an accounting of non-routine uses and disclosures of their health information.

Relating to HR
While the privacy rule more directly concerns those in the medical professions, business as a whole will also witness some changes.

Charles O'Hara, Health Care Law Practitioner at Thorp Reed & Armstrong, LLP, and authority on HIPAA standards and compliance, notes that the Privacy Rule can also impact companies from a general administrative perspective. In particular, proactive steps to ensure compliance should be undertaken by corporate HR departments that perform traditional HR functions, as well as help administer group health plans, mediate sponsored group health plans or host onsite medical activities (such as medical screening tests).

O'Hara notes that plan administration functions often result in HR executives handling private health information and employer-related information. Consider the following scenario as a likely example of how the new regulations can impact HR:

An employee submits an insurance claim on the group plan but experiences difficulty in getting the claim processed. He or she goes to the HR department to request help. As a result of the request, the HR department is now in possession of some private health information of the employee. When the HR executive contacts the plan representative, in general that representative will not be able to discuss any details of the claim unless the employee explicitly authorizes disclosure to the HR executive.

Such a scenario is highly probable and can be anticipated with special regard to coverage issues, claims processing and payment concerns. HR departments should be conscious of the employee's privacy rights and prepared to address the issue of disclosure authorization.

If any employee chooses to authorize the use of his or her private medical records, consent must be made explicit and should be in writing. O'Hara emphasizes, “Disclosure authorization needs to be specific. The Plan rep should only disclose to the HR representative the specific information authorized by the employee to be disclosed. As a result, disclosure authorization should be done individually on a case-by-case basis.”

O'Hara says, “Generally, HR needs to be sensitive to the issues involved in obtaining, possessing, storing and disposing of private medical and health information. HR should be well aware and respectful whenever information that would otherwise need to be protected is provided to it.”

HR departments should be mindful of the fact that improper disclosure can take many possible forms. Common sense will likely prevail where the HR official is dealing directly with health insurance matters or on-site medical events. But according to O'Hara, improper disclosure may also occur in areas where concern with protection is less obvious.

For example, if an employee undergoing treatment for cancer is up for promotion, no information regarding his or her medical history or illness should be passed along in the decision-making processes concerning professional advancement.

In instances where a group health plan sponsorship is in effect, all medical information of an employee that an employer obtains as the plan sponsor must be segregated from all other general employment information. Medical information may be used for the purposes of administering the plan, but should not be used for any other employment purposes.

Privacy provisions do not apply to general employment records. HR can continue to administer these employment records as always.

Final Points
Also, be mindful of the fact that confidentiality restrictions do not go away when an employee leaves the company. Severance constitutes a gray area requiring conscious attention. If HR has any protected information, extra precaution should be exercised in the disposal of such records. Use a paper shredder to avoid all danger of improper disclosure charges.

The HIPAA privacy regulations went into full effect April 14, 2003. Small health plans (defined as those plans with less than $5,000,000 in annual receipts) are allotted a legal extension for compliance until April 14, 2004.

The privacy regulation enhances the protections afforded by many existing state laws. Stronger state laws and other federal laws continue to apply, so the federal regulation provides a national base of privacy protections. The standards for covered entities apply whether their patients are privately insured, uninsured or covered under public programs such as Medicare or Medicaid.

To help people prepare for and meet the rule's requirements, HHS' Office for Civil Rights (OCR) will conduct outreach and education targeted to health plans, health care providers, consumers and others affected by the privacy regulation.

HHS will also hold national educational conferences in the fall to address issues related to key parts of the privacy regulation.

O'Hara also suggests that the federal government has a number of good guides to the new regulations in Q&A format on-line. Visit www.CMS.gov for more information.