Unless a person’s job depends on knowing Health Insurance Portability and Accountability (HIPAA) privacy and security rules, the topic is what my family calls a MEGO (“my eyes glaze over”).
So I was surprised when I attended “HIPAA Tune-Up for Your Health Plans,” a presentation by attorney Petula Workman, CEBS, at the 34th Annual ISCEBS Employee Benefit Symposium. Many dozens of hands shot up after Workman asked her large audience how many had attended her HIPAA presentation the previous year. “And yet you came back!” she quipped. I quickly realized why she had such a large fan base.
Workman, a division vice president and compliance counsel for Arthur J. Gallagher & Co., packed more information into the next hour than would possibly fit into the short article I later wrote for the ISCEBS NewsBriefs. I had no room for the stories that illustrate her points and—along with her valuable advice—keep benefits professionals coming back for more on HIPAA compliance. Here are a few that I found educational and entertaining.
Say What You Mean; Mean What You Say
Workman focused on specific Department of Health and Human Services (HHS) concerns in an upcoming round of benefit plan audits on HIPAA compliance. For example, plans need to have a Notice of Privacy Practices that tells participants how their protected health information (PHI) will be used and protected. Plan sponsors need to (1) have a notice in the first place, (2) distribute it to the right people at the right times and (3) post it online where participants can find it.
“Make sure it says what you actually do . . . try to use simple words in the notice. Define unfamiliar terms. I can tell you stories about folks who don’t understand. For instance, there was a lady who passed out in the bathroom one time in the office and her co-workers were really concerned about telling anybody that she had passed out because of HIPAA. . . . She needs medical attention, guys. Call 911. It’s OK.”
[Related: HIPAA Privacy E-learning Course]
Actually Read Those Policies and Procedures
And participants have a right to see their own PHI. “Make sure your policies and procedures cover the time in which you’re supposed to respond,” she said. “I talked to an employer lately who said, ‘We just got this request, and I was trying to figure out what I’m supposed to do.’”
“Did you read your policies and procedures?”
“Yeah, it’s not in there.”
“Give me your policies and procedures . . . It does say you’re supposed to respond in 30 days but you could get a 30-day extension. How long has it been?”
“69 days.”
Anyone with access to PHI—including IT staff who’d rather be anywhere but in HIPAA training—needs to be trained on the policies and procedures.
“How many have a CFO who wants to see large-claims data that includes names?” Workman asked. A number of hands went up. “Does that bother you? Tell them they can’t have it unless they go through HIPAA training, and that HIPAA training is three hours long on a Friday afternoon at 2:00.”
[Related: Mobile Device Security for Protected Health Information | Benefit Bits Video]
Know Your Weak Spots
Workman provided a graphic detailing nine steps for conducting a risk assessment under HIPAA Security Rules (which, in all seriousness, was something she stressed every benefit plan should do to protect electronic PHI). One step is determining the likelihood of a threat.
“You could be hacked by North Korea. Did you produce a movie that made fun of their beloved dictator? If you didn’t, then the likelihood of that threat is substantially reduced . . . to nil.” A more likely threat is from inside an organization—a disgruntled employee.
Benefit plan offices need to have physical controls over places where both paper and electronic PHI can be accessed. “One of our employers got chosen during the first round of (HHS) audits,” Workman said. “I asked, ‘So, who makes sure that people don’t get into Benefits, to all of the computers?’
“ ‘No one. Employees wander in and out of Benefits all the time.’
“You need to stop that before the on-site audit. If the auditor can walk in, past your receptionist and straight back to your offices, you are probably going to get a substantial failure during this audit.”
[Related: HIPAA Privacy for Health Plans After HITECH]
If the Unthinkable Happens
Breach notifications—likely needed only if a plan sponsor has already messed up in the areas of privacy and security—have somewhat different rules depending on the number of participants a breach impacts. “If you have fewer than 500 people impacted by a breach, you get to keep a log and then you have to tell (HHS) the year following when the breach was discovered. So in 2015, if we discovered a breach, I’d be reporting that in early 2016. This rule is kind of nice because if you happen to be related to the breach, you’ll have time to try to find a new job before HHS has to find out about it.”
Also—seriously—HHS has a great website with tools and information about complying with HIPAA privacy and security rules and breach notification requirements.
I hope I get to hear Workman talk about HIPAA compliance at the 35th Annual ISCEBS Symposium September 18-21 in Baltimore, Maryland.
Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation