HIPAA Compliance - Eight Steps Employers Should Take
What should an employer do to ensure it is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)? Here are eight steps every employer should consider taking.
- Determine first whether the organization, or any employee benefit plan it sponsors, is a covered entity under HIPAA.
- Analyze the flow of health information and how that information is used and disclosed within the organization. An employer should ask itself these questions: How and why does the organization obtain protected health information (PHI) from employees and its benefit plans? How does the organization use PHI in administering the employment and plan relationship? Which employees have access to PHI?
- Analyze the flow of health information to, from, and within the employer's group health plan.
- Examine whether information flow and documentation are consistent with HIPAA requirements.
- Develop a plan to bring both the plan and the plan sponsor into HIPAA compliance.
- Ascertain the HIPAA compliance status of business associates who deal with the plans or with insurance issuers or HMOs. Examine existing contracts with business associates and determine which need to be modified to bring the agreements into compliance with HIPAA.
- Amend health plan documents to permit disclosure of PHI consistent with HIPAA's requirements.
- Create privacy policies and procedures consistent with HIPAA requirements.
What is the penalty for non-compliance?
Neither HIPAA nor HIPAA's privacy regulations give an individual employee a private right to sue for violations of the privacy standards. However, HIPAA does provide both civil and criminal penalties for noncompliance. Failure to comply with HIPAA's privacy regulations can result in civil penalties of up to $100 per violation, capped at $25,000 per calendar year for violations of an identical requirement. Criminal penalties for knowing violations include fines of up to $250,000 and imprisonment for up to 10 years. These figures are the amounts as originally enacted; the civil penalty tiers were later increased by the HITECH Act of 2009.