HIPAA’s Privacy and Security

Action Plan for Compliance – September 2013

While HIPAA’s Privacy and Security Rules have been effective for several years, many health plans did not fully complete their action plans. In January 2013, final HIPAA Privacy and Security regulations were released. The final regulations adopted and modified the changes made by HITECH and maintained the increased fines and potential liability for plan sponsors. If your plan already made the modifications proposed by HITECH, all changes required by January 2013 are shown in red. If you are comfortable with the HIPAA compliance steps you took after HITECH, addressing the items in red will bring you into compliance with the 2013 final regulations.

This Action Plan has been designed to make sure your organization addresses the key action steps for complying with these rules. It also includes steps to make sure your organization complies with the new breach notification rules.

Compliance with the Privacy Rule has traditionally been housed in Human Resources, while compliance with the Security Rule significantly involves your IT Department. To clarify which areas of your organization should address each key action step, the action plan is color-coded. Tasks shaded in yellow will be primarily handled by HR, and steps shaded in green will be IT’s responsibility.

Both Rules require group health plans to document the action steps taken to comply with these Rules. Please use this action plan to document all key action steps taken, as well as the key discussions explaining why a specific action step was chosen. If a complaint is ever filed against your plan, this documentation will be key to explaining why specific steps were taken.

Please note, some state laws are more restrictive than federal privacy and security rules. If your state has more restrictive rules than the federal laws, you will need to incorporate state law requirements into your compliance plan.

Copyright© Marsh & McLennan Agency LLC. Our publications are written and produced by Marsh & McLennan Agency staff and are intended to inform our clients and friends of general information relating to employee benefit plans and related topics. They are based on general information at the time they are prepared. They should not be relied upon to provide either legal or tax advice. Before making a decision on whether or not to implement or participate in implementing any welfare, pension benefit, or other program, employers and others must consult with their benefits, tax and/or legal advisor for advice that is appropriate to their specific circumstances. This information cannot be used by any taxpayer to avoid tax penalties.

Action Plan
Action Steps / Target Date / Responsible Party / Comments
1. / Identify the areas of your organization that handle PHI (Protected Health Information) and EPHI; remember it is individually identifiable information that is maintained or transmitted by a group health plan. Note the areas in the comments section.
Areas to consider:
  • Human Resources
  • Accounting/Finance
  • Executive Team
  • Legal
  • Information Technology
As part of privacy compliance, you are going to need to create formal policies and procedures for how certain departments handle PHI in your organization. Since these are the areas that use PHI, they should be represented in your compliance team to make sure the policies and procedures you implement are practical for every part of your organization.
Some organizations will have limited exposure to PHI. For example, some organizations fully insure all their benefits and do not have access to specific claim information. If your organization has limited involvement with PHI, your compliance team may be a few people or maybe just one person.
2. / Form a committee to work through Privacy and Security compliance with members from the areas of your organization that work with PHI.
Schedule the first meeting to make sure everyone on the committee is familiar with the Privacy and Security Rule and start discussing how this affects your organization given that PHI/EPHI is used by employees in your organization.
3. / Form a Privacy Subcommittee – let’s face it, a handful of employees will end up putting together policies and procedures or amending what is in place. This subcommittee will meet more frequently as they will be the ones completing the majority of the required steps; subcommittee will likely be HR staff.
4. / Form a Security Subcommittee – the technical steps and discussion needed to complete Security compliance should be handled by IT and the IT subcommittee will be responsible for the technical aspects of compliance.
5. / Identify all of your plans associated with PHI and EPHI. The HIPAA Rules apply to group health plans, which include medical, dental, vision, medical spending accounts, prescription drug programs, and EAPs (if the plan provides for medical services).
It is important to record the following:
Coverage Type / Vendor / Insured or Self-funded
For fully insured plans, your carrier is also considered a covered entity and will handle many of the compliance steps. However, if you have any self-funded elements, your privacy plan should broadly address any group health plan you sponsor. Self-funded plans need to work through all the steps related to HIPAA compliance. For fully insured coverage, the carrier handles much of the compliance activities, and you will only be responsible for minimal compliance steps, covered at the end of this action plan.
IMPORTANT: If all of your plans are fully insured and you do not sponsor Flexible Spending Accounts, you only need to draft a Privacy Policy. Medical Flexible Spending Accounts are considered self-funded group health plans and will require all the compliance steps to be taken.
The Security Rule provisions apply to PHI in the electronic form. Remember, PHI is individually identifiable information relating to a past, present or future medical condition or payment for care for that condition that is stored, used or transmitted by a group health plan. EPHI is PHI in an electronic format.
The information your plan stores, uses or transmits electronically related to the above plans is where you should focus your Security compliance efforts.
Remember, your organization will have health information you may keep electronically that is not PHI – it is not your responsibility to apply Security Rule protections to this information, but it might be a good idea to review any risks to this information as well.
6. / Identify non-health plans that involve access to individual health information. Such programs include workers compensation, salary continuation plans, short term disability, long term disability, executive physicals, drug screens, fitness for duty exams, etc.
The health information obtained in managing these programs is not PHI and is not subject to the Rule. However, consider the following:
  • If the same employees who administer the group health plans also administer these programs, it is important they understand that information from the group health plan cannot be used to manage any of these programs without individual authorization.
  • Even though medical information affiliated with these programs is not PHI, consider making an effort to safeguard this information in a manner similar to the Privacy Rule requirements.

7a. / Appoint a Privacy Officer. The Rule does not provide guidance on who should be appointed the Privacy Officer. The Privacy Officer will be responsible for implementing any necessary action steps to comply with the Privacy Rules. The Privacy Officer should understand the rules and have the authority to implement policies and procedures to comply with the rules.
The appointment must be made in writing and the process should follow similar appointments in your organization. For example, if you are a corporation you may need board approval to finalize the designation of a Privacy Officer.
It is a good practice to include responsibilities relating to Privacy Rule compliance in the job description of the Privacy Officer.
7b. / Appoint a Security Officer. The Rule does not provide guidance on who should be appointed the health plan Security Officer. The Security Officer will be responsible for implementing any necessary action steps to comply with the Security Rule. It makes sense that the Security Officer should have an understanding of the Security Rule and the authority to implement policies and procedures to comply with the Rule.
The Security Officer can be the same person as the Privacy Officer. The appointment must be made in writing and a similar process needs to be followed as the appointment of the Privacy Officer. For example, if you’re a corporation and you needed board approval to appoint the Privacy Officer, you would need to follow that same process for appointing the Security Officer.
In addition, Security responsibilities should be included in the individual’s job description. Important: The Security Rule makes clear the Officer must be an individual, not a committee.
8. / Identify which areas of your organization have access to PHI. Think in terms of the following (record answers and requested details in the next section):
  • If your plans are self-funded, how do you receive your funding reports? How are they distributed and maintained throughout your organization?

  • Who authorizes the funding of the bank account and what information do they handle?

  • Does your organization receive any monthly claim reports? Who receives these reports?

  • Who receives notifications on possible high amount claimants and the notifications that someone has hit 50% of the specific deductible under your stop-loss contract?

  • Who assists employees with claim problems?

  • Who are the claims fiduciaries for your group health plan (if your third party administrator has not assumed the responsibility)? Do you have a benefits committee that makes final determinations on appealed claims?

  • Do you have union involvement and does the union have access to PHI? Do any union employees help with claims issues, such as a union steward? What information do you provide the union during negotiations? Does it contain any PHI?

  • Do you provide PHI to the CFO, controller, and executive committee as part of the annual review of the benefit plans?

  • Who in your IT department has access to PHI? Even if they do not work with it directly, if they can reach it while troubleshooting your system, they have access to PHI.

  • Does your accounting department have access to PHI by virtue of funding checking accounts or auditing the plan’s financials?

These questions are designed to help you determine where PHI is located in your organization. It is important to know where it is, who has access, what it is used for and how/where it is stored. Complete the chart below with the name and department of individuals who have access, what they use PHI for and how it is stored. You will use this information to create your policies and procedures to comply with the HIPAA rules.
9. / Name / Dept/Title / Where is PHI Stored? / How is PHI Stored? / List of uses for PHI
This is the tentative list of your “workforce members”. Remember, your health plan can use PHI for plan administrative functions; however, you need to name the employees who work with the health plan in your firewall document. This document formally creates your “health plan workforce.” We will address this document in a future step.
In addition, the uses of PHI need to be included in your policies and procedures which we will address later in the Action Plan.
10. / Map your EPHI. It is important to map all areas of your organization where EPHI is used and stored. When addressing all the standards and implementation specifications for Security compliance, it can be overwhelming. It is important to understand, these Security Rules only apply to EPHI. To work through your action items you will need to understand where EPHI is stored and how it is used.
  • To meet certain standards, you will need to address the workstation security; it will be important to understand which workstations have access to EPHI.
  • Look at the networks EPHI is stored on; for example, is information stored in your HRIS? How is that stored on your servers? How do these answers change as you evaluate the different areas of your organization that use and have access to EPHI?
  • How is information transmitted out of your organization? When it is transmitted out, does it create a duplicate record that is stored in another area of your system, for example in your e-mail “sent” folder?
Include all hardware and software that is used to collect, store, process or transmit EPHI.
11. / Identify individuals outside of your organization that need access to PHI to perform a function on behalf of your group health plan. These organizations are considered business associates of your group health plan if they use or disclose PHI performing an activity for your group health plan.
  • If you have a TPA processing claims, they are a business associate of your plan.

  • Identify all the PPO networks your plan uses (it is key to determine if your PPO network has a contract directly with your organization or with your TPA). If the contract is with your organization, the PPO is a business associate of your group health plan. If the contract is between the PPO and your TPA, the PPO is a business associate/subcontractor of your TPA and not a business associate of your group health plan.

  • Do you use a separate Pharmacy Benefit Manager?

  • Does your plan use a separate Utilization Review vendor (the same contract issue as PPO applies)? If you have a direct contract with your UR vendor, they are a business associate of the plan. If your TPA contracts with the UR vendor, they are a subcontractor of the TPA.

  • Do you use a separate actuarial firm to calculate the FAS 106 valuations for your retiree health plan? If so, review the data you provide; if there is detailed claims information, they are a business associate of your plan.

  • Do you use a separate COBRA vendor?

  • Do you contract with a patient advocacy firm who provides claims assistance to your employees?

  • Do you contract with a telemedicine provider who provides access to telephonic medical services for your employees?

  • Do you work with a designated legal counsel to provide assistance in claim appeals from your plan participants?

  • Does your plan use a separate firm to outsource eligibility management or handle any part of plan administration?

  • McGraw Wentworth is considered a business associate of your group health plan. Any other broker/consultant that you work with in relation to your health plan is considered a business associate.

Remember, these entities are not business associates:
  • Insurance carrier on a fully insured benefit plan
  • Any employees that are part of your workforce
  • Any conduit (they transport PHI but do not access it)

Record all the business associates you have identified above in the rows below. Also, summarize the key functions the business associate performs for your plan. This is important because your business associate contract language should reflect broadly the tasks your business associate performs on behalf of the plan.
If you secured your business associate agreements when the rules were initially effective, you should revisit these agreements in light of the breach reporting requirements and the final HIPAA rules issued in January 2013. Your business associate contract needs to reflect breach reporting procedures and timing.
Name of Business Associate / Summary of Functions / Date of Agreement or Revised Agreement
Review the business associate language carefully. The sample contract language contains all the provisions that the Rule requires in a business associate contract. As with any contract language, you should have your legal counsel review it. Sample contract language can be found at
New updated business associate contract language is included in the toolkit.
Make sure your business associate contract indicates what your business associate is doing on behalf of your plan. If they have agreed to administer any portion of HIPAA’s individual rights, this should be spelled out in the contract.
The business associate agreement should specify that a business associate must notify you of any breach or potential breach of EPHI or PHI. Breaches must be communicated in a timely manner, because employers have tight timelines for investigating breaches to determine whether they must be reported to individuals, DHHS or the media.