Unless a person’s job depends on knowing the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules, the topic is what my family calls a MEGO (“my eyes glaze over”).

So I was surprised when I attended “HIPAA Tune-Up for Your Health Plans,” a presentation by attorney Petula Workman, CEBS, at the 34th Annual ISCEBS Employee Benefit Symposium. Many dozens of hands shot up after Workman asked her large audience how many had attended her HIPAA presentation the previous year. “And yet you came back!” she quipped. I quickly realized why she had such a large fan base.

Workman, a division vice president and compliance counsel for Arthur J. Gallagher & Co., packed more information into the next hour than would possibly fit into the short article I later wrote for the ISCEBS NewsBriefs. I had no room for the stories that illustrate her points and—along with her valuable advice—keep benefits professionals coming back for more on HIPAA compliance. Here are a few that I found educational and entertaining.

Say What You Mean; Mean What You Say

Workman focused on specific Department of Health and Human Services (HHS) concerns in an upcoming round of benefit plan audits on HIPAA compliance. For example, plans need to have a Notice of Privacy Practices that tells participants how their protected health information (PHI) will be used and protected. Plan sponsors need to (1) have a notice in the first place, (2) distribute it to the right people at the right times and (3) post it online where participants can find it.

“Make sure it says what you actually do . . . try to use simple words in the notice. Define unfamiliar terms. I can tell you stories about folks who don’t understand. For instance, there was a lady who passed out in the bathroom one time in the office and her co-workers were really concerned about telling anybody that she had passed out because of HIPAA. . . . She needs medical attention, guys. Call 911. It’s OK.”


Actually Read Those Policies and Procedures

And participants have a right to see their own PHI. “Make sure your policies and procedures cover the time in which you’re supposed to respond,” she said. “I talked to an employer lately who said, ‘We just got this request, and I was trying to figure out what I’m supposed to do.’”

“Did you read your policies and procedures?”

“Yeah, it’s not in there.”

“Give me your policies and procedures . . . It does say you’re supposed to respond in 30 days but you could get a 30-day extension. How long has it been?”

“69 days.”

Anyone with access to PHI—including IT staff who’d rather be anywhere but in HIPAA training—needs to be trained on the policies and procedures.

“How many have a CFO who wants to see large-claims data that includes names?” Workman asked. A number of hands went up. “Does that bother you? Tell them they can’t have it unless they go through HIPAA training, and that HIPAA training is three hours long on a Friday afternoon at 2:00.”


Know Your Weak Spots

Workman provided a graphic detailing nine steps for conducting a risk assessment under the HIPAA Security Rule (which, in all seriousness, she stressed every benefit plan should do to protect electronic PHI). One step is determining the likelihood of a threat.

“You could be hacked by North Korea. Did you produce a movie that made fun of their beloved dictator? If you didn’t, then the likelihood of that threat is substantially reduced . . . to nil.” A more likely threat is from inside an organization—a disgruntled employee.

Benefit plan offices need to have physical controls over places where both paper and electronic PHI can be accessed. “One of our employers got chosen during the first round of (HHS) audits,” Workman said. “I asked, ‘So, who makes sure that people don’t get into Benefits, to all of the computers?’

“ ‘No one. Employees wander in and out of Benefits all the time.’

“You need to stop that before the on-site audit. If the auditor can walk in, past your receptionist and straight back to your offices, you are probably going to get a substantial failure during this audit.”


If the Unthinkable Happens

Breach notifications—likely needed only if a plan sponsor has already messed up in the areas of privacy and security—have somewhat different rules depending on the number of participants a breach impacts. “If you have fewer than 500 people impacted by a breach, you get to keep a log and then you have to tell (HHS) the year following when the breach was discovered. So in 2015, if we discovered a breach, I’d be reporting that in early 2016. This rule is kind of nice because if you happen to be related to the breach, you’ll have time to try to find a new job before HHS has to find out about it.”

Also—seriously—HHS has a great website with tools and information about complying with HIPAA privacy and security rules and breach notification requirements.

I hope I get to hear Workman talk about HIPAA compliance at the 35th Annual ISCEBS Symposium September 18-21 in Baltimore, Maryland.

Chris Vogel, CEBS
Senior Editor—Publications at the International Foundation

Favorite Foundation service/product: Benefits Magazine, of course—especially “What’s Working” articles

Benefits-related topics she loves to cover: Behavioral science behind steering employees to the best retirement and health care options; innovative health care and wellness plan designs

Favorite Foundation conference/event moment: Every minute of the Employee Benefits Symposium

Personal Insight: “Leisure time” for Chris is far from inactive. You might find her gardening, cooking up a storm of healthy foods, traveling to historic places, biking with her husband, reading 24/7 or knitting sweaters for her grandson. Whatever the activity, she’ll be doing it with an inspiring enthusiasm.
