The Effects of HIPAA on Organizations
-
Patient Information Security and Access
-
HIPAA requires role-based access to protected patient information. Hospitals and other health-care providers must protect the privacy of "individually identifiable health information," whether on paper, communicated verbally or in electronic form. Organizations must have policies in place to define role-based access to personal health information for the purposes of treatment, payment or operations. Only staff members with a need to know specific information can gain access to electronic patient records.
Public Interest and Benefit Activities
-
HIPAA allows the disclosure of protected health information for recalled medical devices. Organizations must familiarize themselves with designated national priorities that permit the release of protected health information without the consent of the patient or his representative. HIPAA identifies 12 "public interest purposes," each of which has limitations and conditions intended to balance public interest with personal privacy. Some of the allowable disclosures enumerated as public interest purposes include recalls of FDA-approved medical devices, protecting victims of domestic violence, abuse and neglect, cases involving suspected criminal activity and responses to court orders.
Employers
-
Employers with an on-site nurse must comply with HIPAA requirements. Employers may receive protected health information about an employee's on-the-job injury. If an employer provides an on-site employee health nurse, offers an employee wellness program or has a self-insured insurance plan, the employer must provide the same protections of privacy and security for personal health records as for records in hospitals and physician offices.
Ongoing Training
-
Organizations must provide HIPAA training for appropriate employees. Employers subject to HIPAA must train new hires and provide training on HIPAA updates when implemented. Employers must also provide training in the aftermath of any HIPAA violations.
Organizations Offering Flexible Spending Accounts
-
Employers offering Flexible Spending Accounts must have HIPAA-compliant plan administrators. If an employer offers a Flexible Spending Account (FSA), which allows employees to set aside pre-tax dollars for out-of-pocket medical expenses, the employer must ensure that the administrator of the FSA meets HIPAA compliance guidelines. Employers may also need a HIPAA-compliant "business associate" agreement with the FSA administrator.
Written Procedure for Complaint Investigation
-
A written procedure facilitates a thorough review of a HIPAA complaint. Organizations should have a written plan for investigating HIPAA complaints. HIPAA rules do not mandate a written procedure; however, organizations can use their written plans as part of their documentation on actions taken to investigate, remediate and resolve complaints. The investigative documentation can also prevent recurrence of problematic processes. HIPAA may grant 30 days for organizations to correct an unintentional HIPAA infraction.
Fines
-
An intentional HIPAA violation may result in a fine. Organizations that fail to comply with HIPAA mandates to protect the privacy and security of protected health information may face fines from $100 to $50,000 or more per violation. The Office for Civil Rights must notify the organization of failure to comply with HIPAA requirements, and the organization will receive opportunities to provide evidence that might reduce the penalty.
-