Health Insurance Portability and Accountability Act (HIPAA) compliance may be more important than ever, given the dramatic rise in telecommuting during the coronavirus pandemic. More electronic protected health information (ePHI) is being transferred, but HIPAA compliance too often is an afterthought.
"Some employers have become more lax in their compliance obligations," said Frank Palmieri, an attorney with Palmieri & Eisenberg in Princeton, N.J. "The bottom line is there are typically more urgent—but not more important—responsibilities to address on a daily basis. Therefore, HIPAA compliance obligations are now at the bottom of the pile, except where employers are astute to minimizing liabilities through good compliance efforts."
HIPAA Privacy Rule
The HIPAA privacy rules require paper health care PHI to be restricted to individuals who need to see the information for valid employer purposes, Palmieri noted.
For example, a benefits manager may review a self-insured health plan to ensure that the checking account is properly funded to pay benefits and to reconcile the accounting for a health plan. In reconciling the account, the benefits manager may observe PHI on reimbursements to individual employees. All PHI is confidential, and disclosure should be limited, he said.
The benefits manager should not disclose information that might adversely affect an employee's promotion, bonus or other employment rights. Employers should create physical and procedural safeguards to limit the disclosure of PHI, Palmieri noted.
HIPAA Security Rule
The HIPAA security rule piggybacks onto the HIPAA privacy rule but applies to ePHI, Palmieri said. "In many cases, it is harder to restrict ePHI, since HR professionals regularly include potential PHI in e-mails," he stated.
When PHI is in an e-mail, it should be blacked out or "deidentified" so the employee's identity is protected, he recommended.
Who Needs to Learn About HIPAA?
Training on HIPAA often is provided for employees in the HR and benefits departments, said Laurie DuChateau, J.D., U.S. compliance consulting practice leader with Buck in Pittsburgh. She emphasized that training is just as important for those in finance, payroll, legal, risk management and information technology departments, plus any temporary employees and contractors who have access to PHI.
According to a Buck survey last year, 35 percent of respondents offered HIPAA training between one and five years ago, 13 percent provided training only during onboarding and 10 percent did not know when HIPAA training was last provided.
Most HR professionals should receive HIPAA training, according to Palmieri, to clear up misunderstandings about when HIPAA applies. The source of the information, not necessarily the information itself, is what makes it protected or not.
When employees tell their HR professional that they have cancer, they are "essentially discussing their life with the HR professional, while secondarily identifying that they may need regular or intermittent leave to obtain medical treatment," he said.
Employees are providing the information voluntarily for employment reasons. "Therefore, the information is part of the employment records to address leave of absence and/or other employer policies," he said. "The information being conveyed is not PHI coming from a health plan or health care provider. It is important for all HR professionals to understand the distinction between actual PHI health care records and employment records."
The Americans with Disabilities Act, not HIPAA, likely would impose confidentiality obligations in such circumstances.
HIPAA Challenges Arising from Remote Work
With the rise in remote work, there are new challenges for keeping PHI and ePHI secure, DuChateau said.
She noted that these challenges include:
- Timely installation of important workstation patches and antivirus updates, as users may not regularly log into their virtual private network.
- Potential for unsecure and unencrypted access points to confidential PHI.
- Personal devices used without appropriate safeguards (e.g., encryption, passwords, remote wipe, antivirus updates, web content filtering) and other security controls for accessing PHI.
- Family members using company-issued devices with potential access to PHI.
- Insufficient backup of PHI due to storage on local drives instead of network or cloud locations.
- Inappropriate disposal (e.g., not being shredded) of hard copy and media containing PHI.
Action Items
Palmieri said that HR professionals can facilitate HIPAA compliance by:
- Making sure business associate agreements are up-to-date. There should be a vendor matrix identifying all such agreements from insurance brokers and consultants, flex plan administrators, and counsel. "In many cases, it is also important to identify where ePHI does not exist, such as for the administrator of health savings accounts, which are not health plans," he said.
- Paying attention to business associate agreements for disposal vendors that may be removing trash containing PHI and for cloud storage providers that maintain the offsite or cloud database for an employer or health plan.
- Encrypting all machines where any data may be stored. "Although encryption is not legally mandated, it significantly reduces the actual disclosure of PHI and minimizes the need to issue breach notifications," he said. "Another common cause of ePHI disclosures is when copy machines, which contain a memory card of all copies, are not disposed of in a proper manner."