Employer Privacy and Security Related to Employee Benefits
Written by Victor A. Deksnys, Alliance Partner, Aligned Growth Partners, LLC
Almost everyone is familiar with news reports of identity theft, hacked databases, and compromised personal information, and with the problems and liabilities that fall on the organization where the breach occurred.
Let's consider the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as amended. This act protects individuals' Protected Health Information (PHI) in two ways: through the Privacy Rule and through the Security Rule. The rules are most often associated with hospitals, insurance companies, medical facilities and doctors' offices. However, an employer-sponsored group health plan is itself a covered entity, and an employer that receives PHI from that plan as plan sponsor takes on HIPAA obligations of its own.
You may ask, which employers are affected? If you have two or more employees and offer medical, dental, or vision benefits, the HIPAA Privacy Rule and Security Rule apply to your plan. Step one in the compliance process is to determine whether you, as an employer, receive or have access to any PHI through that plan. It's important to note that the Security Rule requires a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)); an employer that handles electronic PHI on the plan's behalf and has never performed one is already out of compliance.
From a practical vantage point, most small employers provide group insurance coverage to employees and never receive or request any PHI from the insurance carrier about an employee's medical information or family claim history. But that's not the end of the story. What happens if an employee sends an email to human resources (HR) asking about a maternity claim for the employee's spouse? Now the employer knows of an individual, possibly by name, whose medical condition involves the delivery of a baby.
The top five issues for the employer to consider in this situation are:
- Unless there is a release from the spouse, the employer cannot update or inform the employee about any claims information regarding the employee's spouse. The employer should tell the employee only that it is addressing the issue and will be in touch with the claimant (the spouse) directly.
- Since HR received the email, internal security protocols should limit who can read it. For example, not everyone in information technology or HR should have access; only designated job positions should.
- If HR does send emails or resolutions about the claim issue, any message that identifies the claimant should be sent encrypted. A password-protected attachment with the password sent in the same email provides little real protection.
- Along these lines, where is the fax machine? If an employee sends a fax, could a receptionist see the transmittal? Employers need to establish appropriate handling protocols based on the risk analysis.
- Penalties range from hundreds to tens of thousands of dollars per violation, tiered by level of culpability, with an inflation-adjusted annual cap of roughly $1.7 million for violations of the same provision.
Caution and discretion are key employer responsibilities with regard to HIPAA Privacy and Security compliance. The last thing an employer wants to do is inform an employee about someone else's medical condition, for example, "We are working on your wife's pregnancy claim," when the employee was unaware of the pregnancy. Similarly, employers must not disclose medical information about employees, spouses, or children to other co-workers.
In the final analysis, successful employers are partnered with competent professional advisors. We encourage employers to start there. Ask yourself, "Is my broker/consultant helping to make my company more successful?"