In a recent article in the Sioux Falls Business Journal, Davenport Evans attorney Monte Walz reminded companies that a basic understanding of how HIPAA impacts employers can help avoid costly violations and cure “HIPAA-chondria.” Employers who provide health benefits directly to employees or have access to protected health information (PHI) must be careful to separate this information from other employment files and may not use PHI for job-related purposes. For example, denying a promotion to an employee because of information contained in the employee’s health records would violate HIPAA.
Employers who are covered by HIPAA essentially must do four things:
• Establish written HIPAA policies and procedures.
• Provide a written notice of privacy rights to persons whose PHI is being used or disclosed.
• Implement security measures and train employees regarding PHI confidentiality and related procedures.
• Appoint a privacy officer to monitor compliance with HIPAA rules, handle complaints and report to management.
Employer responsibilities include implementing appropriate workplace practices and security measures to limit use and disclosure of PHI. Generally, employees should be able to access PHI only on a need-to-know basis. Under new rules, even unintentional unauthorized disclosure of PHI, such as in the case of a lost laptop, can trigger reporting requirements not only to the affected person but also, in some cases, to the federal government and the media. Given recent enforcement actions by the U.S. Department of Health and Human Services, now is the time to schedule a HIPAA checkup for your business.