
Although in some cases employers may be able
to minimize how much work they may have to do to comply with
HIPAA, employers will probably find it necessary to make some,
if not all, of the following operational changes:
- review current policies and procedures to determine exactly what changes are needed to comply with HIPAA and to ensure continued compliance
- have separate human resources employees to handle benefits and employment information
- modify information systems to prevent the mingling of benefits and employment data, possibly to the extent of erecting a “firewall” between the databases
- revise policies and procedures concerning the use of PHI
- document in detail all changes and activities to comply with HIPAA or to decrease the plan’s need to comply
- work with “business associates” with whom the company exchanges PHI or benefits information generally to ensure these entities are also in compliance with HIPAA. Such entities may include technology vendors who work on information systems; healthcare plan administrators; employee benefits consultants, and so on.
- name a Privacy Officer—not necessarily a new employee—with HIPAA privacy regulations as his or her major responsibility
- train responsible employees on how PHI can be used
- revise plan documents to indicate the company’s limited and/or specific uses and disclosures of PHI
- develop sanctions for non-compliance with HIPAA