Stuart Gentle, Publisher at Onrec

What HR Needs To Know About HIPAA

One question that organizations looking to become HIPAA compliant often ask is which department ought to be in charge of HIPAA compliance.

In most cases, business leaders point to the IT team. Compliance would certainly be difficult without the technical controls that the IT department puts in place, but it is impossible to ignore the role that employees play in achieving and maintaining HIPAA compliance.

Since HR managers are at the center of employee management, they can improve a business’s compliance efforts. Simply put, they bridge the gap between the workforce and IT functions. Furthermore, they are often exposed to ePHI as part of their job. With enough visibility into that ePHI, they can control who has access to the data, define the consequences of an employee violating HIPAA, and outline the compliance policies.

Here is what HR should know about HIPAA compliance:

What the Privacy Rule Protects

When working on HIPAA compliance policies and procedures, HR departments need to understand what is protected under the HIPAA Privacy Rule and what is not. With that understanding, your business can avoid the penalties and fines that arise from violating the regulation. In essence, the Privacy Rule protects the medical and health plan records that the business handles in order to run its employer-sponsored health plan.

However, you should note that the rule does not protect general employment records, regardless of whether they include an employee’s health data. It does not address the privacy that needs to be maintained for what employers put in their employees’ files.

They Should Prepare Policies and Procedures

It is the role of HR managers to prepare the policies and procedures that employees must follow for compliance purposes. While this task might seem straightforward, it can be daunting. Your HR department needs to understand not only the intricate details of HIPAA compliance but also how the business functions.

The trick is to ensure that the policies they implement close every loophole that could lead to your business violating the Privacy Rule. However, HIPAA policies and procedures are never a one-size-fits-all implementation. A set of policies that works for one entity might leave compliance loopholes for another. HR managers need to focus on every aspect of how the data is protected, especially those aspects unique to your business.

Creating a Security Management Process

When designing HIPAA security safeguards, the HR department and IT teams have three main objectives: maintaining the integrity of the records, keeping health records confidential, and ensuring that only authorized individuals can access the records, and that they can do so when needed. Since HR managers understand the role that every individual in your business plays, they can quickly provide this information to the IT teams for implementation. This makes it easier to control data access and to create security rules that improve the compliance posture of the business without complicating employee roles.

Creating Knowledge among Employees

HR teams need to ensure that employees understand how the HIPAA rules work, both to protect their own rights and to improve the compliance status of the business. Employees who understand their rights under HIPAA are far better placed to recognize and avoid a breach.

For instance, an employee can offer their supervisor a doctor’s note upon request, but the supervisor should never get the information directly from the health provider without the explicit authorization of the employee involved.

The onus is also on your HR department to train employees on best practices for upholding HIPAA compliance, including how employees can keep the organization compliant while carrying out their daily operations. There are many ways to train employees on compliance requirements. You should, however, have them sign a written agreement or issue a certificate of training once the training program is complete.

Designating Compliance Responsibilities

Your HR department should designate a security official whose responsibility is to oversee the security of PHI. The role also requires some level of technical expertise. Ideally, this responsibility is given to someone within the HR department who is comfortable interacting with employees for human resources training.

They should also know how to collaborate with the IT department in implementing security controls that improve HIPAA compliance. Lastly, they should oversee the creation of HIPAA policies such as contingency plans for cases where health data is destroyed or breached.

Controlling Employee Onboarding and Termination

While employees are usually the greatest asset your organization has, they can also be a security liability, especially given the challenge that insider threats pose today. As a result, HR departments have a crucial role to play in controlling which employees have access to health data. For instance, your HR team should have an employee onboarding checklist that records the types of data each new employee is allowed to access.

Besides collaborating with the IT department to enforce access control measures, HR managers should also include security training in the onboarding process. When an employee leaves the business, their accounts and every channel through which they could reach data should be terminated. This reduces the chance of a former employee using the organization’s data for their own gain.
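The two practices described above, role-based access agreed between HR and IT and prompt termination of access when someone leaves, are easy to state and easy to let drift. The following script is an added example, not code from the article or from Onrec: it reconciles a constructed HR roster (role, start and end dates) against a constructed list of system accounts and reports three kinds of drift, namely accounts still active after the termination date, accounts with no matching HR record, and accounts holding data categories their role does not entitle them to. The role-to-data mapping, user names and systems are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    """One row of the HR roster (constructed for this example)."""
    user: str
    role: str
    start: date
    end: Optional[date]  # None while the person is still employed


@dataclass(frozen=True)
class Account:
    """One account as exported from a system (constructed for this example)."""
    user: str
    system: str
    active: bool
    granted: FrozenSet[str]  # data categories the account can reach


# Assumed role -> data categories that role legitimately needs.
# In practice this table is what HR hands to IT, as the article describes.
ROLE_ENTITLEMENTS = {
    "benefits_admin": frozenset({"health_plan_records"}),
    "payroll": frozenset({"employment_records"}),
    "it_admin": frozenset({"system_logs"}),
}

Finding = Tuple[str, str, str]  # (user, system, description)


def audit(employees: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Compare accounts against the HR roster and return every discrepancy."""
    roster = {e.user: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        emp = roster.get(acct.user)
        if emp is None:
            # Nobody in HR owns this account: it should not exist.
            findings.append((acct.user, acct.system, "orphan: no matching HR record"))
            continue
        if emp.end is not None and emp.end < today and acct.active:
            # Offboarding did not reach this system.
            findings.append((acct.user, acct.system,
                             f"active after termination on {emp.end.isoformat()}"))
        excess = acct.granted - ROLE_ENTITLEMENTS.get(emp.role, frozenset())
        if excess:
            # Least privilege: access that the HR-defined role does not justify.
            findings.append((acct.user, acct.system,
                             "access beyond role: " + ", ".join(sorted(excess))))
    return findings


# Constructed sample data: one clean account, one missed offboarding,
# one over-privileged admin and one account nobody in HR recognises.
SAMPLE_EMPLOYEES = [
    Employee("alice", "benefits_admin", date(2021, 3, 1), None),
    Employee("bob", "payroll", date(2019, 6, 15), date(2024, 1, 31)),
    Employee("carol", "it_admin", date(2022, 9, 1), None),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "hris", True, frozenset({"health_plan_records"})),
    Account("bob", "hris", True, frozenset({"employment_records"})),
    Account("carol", "hris", True, frozenset({"system_logs", "health_plan_records"})),
    Account("dave", "vpn", True, frozenset()),
]
AS_OF = date(2024, 3, 1)


def run_sample() -> List[Finding]:
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_EMPLOYEES, SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for user, system, what in run_sample():
        print(f"{user:6} {system:5} {what}")
```

Feeding the script a real HR export and real account exports is a matter of replacing the two sample lists; the useful habit is running it on a schedule, so that a termination date entered in HR surfaces within days if the corresponding account was never disabled.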

HIPAA Compliance Is an Ongoing Process

HIPAA compliance is never achieved once and for all. The initial stages are the most challenging part, but the work does not end there. HR managers need to work in tandem with the IT team to keep the business compliant year after year. This includes improving your business’s security policies and procedures, taking the workforce through yearly training, setting security reminders, and onboarding new employees properly.

At the very core of HIPAA compliance, HR managers have to ensure that there is a compliance culture throughout the organization. This includes fostering open lines of communication between the different departments and ensuring that high levels of accountability are upheld throughout the organization.

Compliance is a team effort, and HR sits right at the core of it. HR can influence security policies, employee training, employee onboarding and termination, and the culture of the organization. Empower your HR department so that it can improve your business’s compliance status.