What is HR’s Role in HIPAA Compliance?
Posted on: March 22nd, 2017 09:26 pm
Updated on: February 4th, 2022 04:59 pm
In recent years, many healthcare organizations have faced the same question: Which department should be tasked with Health Insurance Portability and Accountability Act (HIPAA) compliance? More times than not, the finger points to IT. However, in doing so, organizations are overlooking the key component Human Resources (HR) should play in any compliance program.
With HIPAA audits and fines on the rise, looming cybersecurity threats, changes in healthcare technology and organizations implementing health and wellness programs, it is important that HR departments are engaged as active participants in creating a strong “culture of compliance” at each organization. Additionally, it is not uncommon for HR professionals to handle protected health information (PHI) in their daily tasks. Exposure to PHI can put HR teams at risk of violating the HIPAA Privacy Rule.
Even with the best IT infrastructure and safeguards in place, organizations cannot rely solely on IT to manage their HIPAA compliance without taking into account how their employees can impact information security. HR bridges the gap between IT functions and an organization’s workforce. With the help of HR, decisions can be made about WHO has access to sensitive information, WHAT will be done when an employee violates a policy and WHERE the policies and procedures will be kept and updated appropriately.
Below is a list of tasks that HR should have a role in implementing:
Designate a HIPAA Compliance Officer/Privacy Officer
The HIPAA Privacy Rule and Security Rule require that each organization designate someone to oversee HIPAA in the workplace. If the organization is large enough and can afford it, the best course is to hire someone for the privacy officer role. For smaller practices or clinics, the privacy officer role usually falls to the physician or office manager. Regardless of who is given the job, it is important to be sure they are qualified, organized and responsible.
Maintain Policies and Procedures
It is no secret that a comprehensive set of policies and procedures (PnPs) is not just a good business practice but also an explicit requirement of the HIPAA Security Rule. Many organizations make the mistake of drafting PnPs only to have them collect dust in a filing cabinet. PnPs should be revisited often and updated as needed. Our HIPAA Security software reviews whether the appropriate actions have been taken to ensure each organization’s PnPs comply with the HIPAA rule.
- HIPAA Sanction Policy – Citation 164.308(a)(1)(ii)(C)
The worker sanction check reviews whether the organization has a PnP in place for worker-related incidents, including termination, leave of absence, withholding pay raises for non-completion of HIPAA training, etc.
- Criminal Background Checks – Citation 164.308(a)(3)(ii)(B)
The workforce clearance procedure check reviews whether criminal background checks are performed on potential job candidates.
Onboarding Process that Includes Authorization to Access PHI
Employees can be an organization’s greatest asset, yet also pose a significant threat to PHI. For this reason, organizations must limit access to PHI to only those employees who require access to perform their role.
Security and Privacy Workforce Training
Workforce training is crucial to ensure employees understand how to respond to security threats or address HIPAA requirements. Staff members need to be trained on how to fulfill their roles while not breaching HIPAA policies. Workforce training can be conducted in a variety of ways and should include a written agreement or certificate upon the conclusion of the training.
New Hire/Termination Checklists
As part of a robust onboarding and termination process, HR should coordinate distributing and collecting each employee’s hardware and logins. This is best achieved by creating new hire and termination checklists. This practice ensures terminated employees cannot access sensitive data or cause unnecessary harm.
A few items to include on these checklists:
- Computer Equipment
- Enable/Disable Login Accounts
- Office Keys
- Safe Combinations
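The two HR-driven controls above, limiting PHI access to roles that need it and disabling logins when someone leaves, are only effective if somebody checks that they actually happened. The script below is an added example, not code from the original post or from any vendor's product, that reconciles an HR roster against an export of login accounts and reports three kinds of gaps: accounts still enabled after an employee's termination date, accounts with PHI access whose owner's role does not require it, and accounts with no matching employee at all. The roster and account exports, the role names and the role-to-PHI mapping are constructed for illustration.

```python
"""Reconcile an HR roster against a login-account export (added example).

Assumptions (not from the original post): HR can export a roster with employee
id, role and termination date, and IT can export the list of login accounts with
the owning employee id, an enabled flag and whether the account can reach PHI.
Both exports are constructed inline below.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical role-to-PHI mapping: only these roles need PHI to do their job.
# Any role not listed here should have no PHI access ("minimum necessary").
ROLES_NEEDING_PHI = {"nurse", "physician", "billing"}


@dataclass
class Employee:
    emp_id: str
    role: str
    terminated_on: Optional[date] = None  # None means still employed


@dataclass
class Account:
    login: str
    emp_id: str
    enabled: bool
    phi_access: bool


# Constructed sample roster (no real people).
ROSTER = [
    Employee("E100", "nurse"),
    Employee("E101", "receptionist"),
    Employee("E102", "physician", terminated_on=date(2022, 1, 15)),
    Employee("E103", "billing"),
]

# Constructed sample account export, seeded with the gaps the check should catch.
ACCOUNTS = [
    Account("nurse.a", "E100", enabled=True, phi_access=True),
    Account("front.desk", "E101", enabled=True, phi_access=True),  # over-provisioned
    Account("dr.b", "E102", enabled=True, phi_access=True),        # terminated, still enabled
    Account("billing.c", "E103", enabled=True, phi_access=True),
    Account("orphan", "E999", enabled=True, phi_access=False),     # nobody in HR owns it
]


def find_findings(roster: List[Employee], accounts: List[Account],
                  as_of: date) -> List[Tuple[str, str]]:
    """Return (login, issue) pairs for offboarding and least-privilege gaps."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_id.get(acct.emp_id)
        if emp is None:
            # An account with no owner on the roster is unaccountable; flag it.
            findings.append((acct.login, "no matching employee in HR roster"))
            continue
        if emp.terminated_on and emp.terminated_on <= as_of and acct.enabled:
            # The termination checklist should have disabled this login.
            findings.append(
                (acct.login, f"enabled after termination on {emp.terminated_on}"))
        if acct.phi_access and emp.role not in ROLES_NEEDING_PHI:
            # PHI access granted beyond what the role requires.
            findings.append(
                (acct.login, f"PHI access but role '{emp.role}' does not require it"))
    return findings


if __name__ == "__main__":
    for login, issue in find_findings(ROSTER, ACCOUNTS, date(2022, 2, 1)):
        print(f"{login}: {issue}")
```

Running it on the constructed data reports front.desk (PHI access without a qualifying role), dr.b (still enabled after termination) and orphan (no roster entry); nurse.a and billing.c pass. In practice the roster and account lists would be read from the HR system and directory exports, and the check would run on a schedule so that a missed checklist item surfaces quickly rather than at the next audit.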