HIPAA PRIVACY BEST PRACTICES
FOR EMPLOYERS SPONSORING GROUP HEALTH
Appoint compliance officer. This person would perform similar functions as the “Privacy Official” for a covered entity and would be responsible for ensuring implementation of the items discussed below. You may have more than one officer, for example the employer and the office manager or human resources manager, etc.
Draft Standard HIPAA Privacy Compliance Documents and Forms. This will include development of a model business associate agreement. Because PHI (protected health information) will be shared with your insurance broker, a business associate agreement will be required. There may be other business entities with which you share PHI; therefore an electronic agreement will be included with your HIPAA documents for possible amending. Should the firm need to disclose PHI for purposes other than treatment, payment or healthcare operations, authorization forms will be available from the insurance company.
Assess how PHI is used and disclosed by the firm and other covered entities. Determine whether any of these activities would violate the business associate agreement or could result in inappropriate uses or disclosures, and modify business operations as
Establish policies and procedures to safeguard PHI. Examples:
Take steps to ensure facsimile transmittals and email communications do not reach unintended recipients (e.g. verify contact information prior to sending, call the intended party to confirm receipt, have all PHI sent to a designated FAX machine that is secured in a locked office, and include a statement on your FAX cover sheet to discourage unintended recipients from retrieving facsimiles that may contain PHI).
Set up a separate file for PHI. Copies of health insurance applications will contain PHI. This file should be kept in a locked cabinet or locked office so that no one other than the privacy official can access it.
Password-protect computers and electronic data.
Develop a procedure for collecting new business enrollment applications for group health products. Consents are not required; however, some employers are opting to include in their enrollment forms some sort of acknowledgement by a participant that he or she is consenting to the use or disclosure of his or her information for plan administration purposes. Request that applicants place the completed application in the envelope provided, which may even be marked “PHI, Only Privacy Officer May Open!” Be sure to give them specific procedures as to how they are to deliver the envelope to the Privacy Officer.
De-identify the PHI if the information is required to be disclosed to someone who is not a covered entity.
Create “firewalls.” Identify those components of the firm’s business, such as life and disability insurance, which are outside the scope of HIPAA privacy business associate agreements because they are not covered entities (called non-covered entity components). The firm should establish policies to address how health information received in conjunction with these non-covered entity components should be handled, if different from the policies established to handle PHI received from covered entity business components, such as health, dental and group long term care insurance; again, this may call for separate filing systems.
Train the employees that are privacy officials. Initially train employees regarding the HIPAA Privacy Rules. Follow up with more detailed training regarding the firm’s specific safeguards. Develop a strategy for ongoing training and the training of new
Communicate the firm’s policies regarding the privacy of PHI in the employee handbook and establish sanctions for employees who violate the firm’s policies. If you do not have an employee handbook, I would recommend giving the employees the HIPAA policies and procedures for PHI in writing. You may even have the employee confirm on a sign-up sheet that they received the information, or develop a procedure for confirmation of receipt. The information would be good to hand out with the Privacy Notice.
The following documents must be prepared (sample electronic forms will be
Prepare Privacy Notice for each employee. Post Privacy Notice on website. A sample of this form will be electronically sent to you so you may prepare to give to the
Prepare Plan Document for the company to adopt HIPAA Privacy Compliance.
Prepare Verification of Adoption of Plan Document. (File in case Insurance Company
Prepare and sign a Business Associate Agreement with your insurance broker and any other covered entities.