Author: Dan Brady, Regulatory and Legislative Specialist, Hays Companies

Many employers that sponsor self-insured health plans are under the assumption that their Notice of Privacy Practices covers their responsibilities under HIPAA. While the Notice of Privacy Practices is an excellent starting point, there is more to HIPAA Privacy and Security that you need to know.

The HIPAA Privacy Rule requires covered entities (health plans) to develop safeguards ensuring the privacy of protected health information (PHI). While outside HIPAA’s definition of a covered entity, employers and plan sponsors are indirectly subject to the Privacy Rule to the extent that they have access to PHI for plan administration purposes.

Below, you will find several requirements beyond the Notice of Privacy Practices that employers should consider in order to maintain compliance with the HIPAA Privacy Rule.

1. Administrative Requirements

Personnel designation: a covered entity must designate a privacy official responsible for developing and implementing the entity’s policies and procedures, as well as a contact person responsible for receiving complaints and providing further information.

Employee training: a covered entity must train all employees with access to protected health information (PHI) on the covered entity’s privacy and security policies and procedures.

2. Security Safeguards

A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

3. Develop Policies and Procedures

Providers and health plans must provide individuals with detailed written information that explains their privacy rights and how their information will be used.

  • Individual rights: covered individuals have the right to access their own health records and request corrections, to obtain an accounting of certain disclosures, to appoint a personal representative, and to request restrictions on the use and disclosure of their PHI. These rights are spelled out in the Notice of Privacy Practices.
  • Use and disclosure rules: unless expressly authorized in writing by the individual, covered entities may not use or disclose PHI for purposes other than treatment, payment, or health care operations. When covered entities use, disclose, or request PHI, they are subject to the minimum necessary standard.

4. Breach Notification Policy

The HIPAA Breach Notification Rule requires covered entities to provide timely notification to affected individuals following a breach of unsecured PHI. If a covered entity or a business associate knows of an impermissible use or disclosure of unsecured PHI, it should maintain documentation that all required notifications were made. Alternatively, if the covered entity concludes that notification is not required (e.g., based on its risk assessment or application of an exception), it should document how it determined that notification was not required.

5. Business Associate Agreement

The Privacy Rule requires that covered entities include certain protections for PHI provided to business associates. The Business Associate Agreement provides the covered entity satisfactory assurances that the business associate will use and disclose PHI in an appropriate manner. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.

This document is provided for general information purposes only and should not be considered legal or tax advice or legal or tax opinion on any specific facts or circumstances. Readers are urged to consult their legal counsel and tax advisor concerning any legal or tax questions that may arise.
