HR Support on HIPAA Compliance

Editor's Note: Know the differences between HIPAA's privacy and security rules!

Overview: The Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, and the enforcement provisions surrounding them, are of paramount importance to HR.

HIPAA's Privacy Rule sets standards for the protection of individually identifiable health information, more commonly known as protected health information or PHI, and governs how covered entities may use and disclose it. The objective of the Privacy Rule is to protect the privacy of medical information while, at the same time, allowing the flow of information necessary to provide high-quality health care.

While the Privacy Rule deals with the use and disclosure of PHI in any form, HIPAA's Security Rule establishes standards to protect the confidentiality, integrity and availability of an individual's electronic protected health information, or ePHI. The Security Rule requires administrative, physical and technical safeguards for ePHI and applies only to PHI that is created, received, stored or transmitted electronically, not to oral or paper PHI.

The Health Information Technology for Economic and Clinical Health Act, or HITECH Act, made significant changes to HIPAA's Privacy and Security Rules in the areas of enforcement, breach notification requirements, individuals' access to electronic health records and the definition of business associate.

Trends: A major provision of the HITECH Act is to strengthen enforcement of HIPAA violations. The Department of Health and Human Services Office for Civil Rights (OCR) has accordingly stepped up its enforcement of the Privacy, Security and Breach Notification Rules.

Author: Tracy Morley, SPHR, Legal Editor

Latest items in HIPAA Privacy and Security

  • Health Plan Identifier Required in HIPAA Transactions: Employment Law Manual Updated

    Date:
    20 October 2014
    Type:
    Editor's Choice

A health plan identifier (HPID) must be used in Health Insurance Portability and Accountability Act (HIPAA) standard transactions starting November 7, 2016. However, HPIDs must be obtained earlier: by November 5, 2014 for large health plans, or by November 5, 2015 for small health plans.

  • Handling Protected Health Information Handbook Statement: Texas

    Type:
    Employee Handbooks

Texas employers that assemble, collect, analyze, use, evaluate, store, transmit, come into possession of or otherwise obtain protected health information should consider including this model policy statement in their handbook.

  • HHS Releases HIPAA and Same-Sex Marriage Guidance in Light of Windsor

    Date:
    24 September 2014
    Type:
    News

    The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance addressing the effect of United States v. Windsor on the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Covered entities (and business associates, as applicable) must understand how the Privacy Rule applies to lawfully married same-sex spouses in light of Windsor.

  • Health Information and Privacy Content Enhanced

    Date:
    24 June 2014
    Type:
    Editor's Choice

    Multiple areas of the Health Information and Privacy section of the Employment Law Manual have been significantly expanded to provide more in-depth information on excepted benefits and HIPAA's privacy, security and breach notification rules. This content was also updated due to the elimination of pre-existing condition exclusions, as required by the Affordable Care Act.

  • New York-Presbyterian Hospital Pays $3.3 Million in Largest HIPAA Data Breach Settlement to Date

    Date:
    09 May 2014
    Type:
    News

New York-Presbyterian Hospital agreed to pay $3.3 million in a data breach settlement under HIPAA, the largest settlement of its kind to date.

  • Employers Pay $1.9 Million in HIPAA Settlements After Theft of Unencrypted Laptops

    Date:
    07 May 2014
    Type:
    News

The US Department of Health and Human Services Office for Civil Rights announced settlements totaling almost $1.98 million against two employers that had unencrypted laptops containing electronic PHI (ePHI) stolen. Encryption is an "addressable" specification under the Security Rule, but ePHI encrypted in accordance with HHS guidance is not "unsecured," so its loss does not trigger breach notification; the loss or theft of an unencrypted device holding ePHI does.

  • ACA Final Rule Limiting Waiting Periods Released

    Date:
    25 February 2014
    Type:
    News

    The US Departments of Labor, Treasury and Health and Human Services issued a final rule implementing the 90-day waiting period limitation under the Affordable Care Act.

  • Dermatology Practice Fails to Adopt HIPAA Breach Notification Policies and Procedures, Agrees to Pay $150,000 Fine

    Date:
    27 January 2014
    Type:
    News

    Adult & Pediatric Dermatology, P.C. agreed to pay $150,000 to settle potential violations of the Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996. This is the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provision of the Health Information Technology for Economic and Clinical Health Act.

  • HIPAA Excepted Benefits Broadened Under Proposed Rules

    Date:
    24 December 2013
    Type:
    News

    The federal Departments of Labor, Treasury and Health and Human Services have jointly published proposed regulations regarding amendments to HIPAA excepted benefits. Employers are invited to comment on the proposed rules and on the government's approach.

  • New Quick Reference Chart on HIPAA Violation Categories and Penalty Amounts Added

    Date:
    25 September 2013
    Type:
    Editor's Choice

A quick reference chart has been added to help employers assess penalties for noncompliance with the Health Insurance Portability and Accountability Act (HIPAA). The chart summarizes each HIPAA violation category, the penalty range for each category and the maximum penalty amounts for HIPAA violations.