HIPAA training should be tailored to the employer’s involvement with the group health plan – and, specifically, PHI – as well as the dynamics of the employer’s workforce.
It is important to keep in mind that a self-funded plan is a covered entity in its own right and must comply with all of the HIPAA privacy and security requirements. Typically, the employer as plan sponsor is the fiduciary responsible for the plan's compliance. The employer may choose to be hands-on with respect to PHI and handle the plan administrative functions itself, and therefore have regular and direct access to PHI. By contrast, the employer may delegate the plan administrative functions and the tasks necessary to comply with HIPAA to third-party administrators (TPAs) or other service providers, which act on behalf of the plan as business associates; the plan and its sponsor nevertheless remain ultimately responsible for compliance with the regulations.
However, even if a TPA or other service provider performs most of the administrative functions for a self-funded plan, the employer will retain some functions requiring access to PHI. For example, many TPA arrangements require that the plan sponsor serve as the named fiduciary for appeals of denied claims. Deciding appeals almost always requires access to PHI.
Accordingly, the employer must protect the PHI it receives in accordance with the privacy and security requirements. The necessary measures include, but are not limited to, establishing a "firewall" between the plan and the employer's other operations (the adequate separation the Privacy Rule requires, so that PHI is used only for plan administration and never for employment-related decisions), ensuring staff are aware of and adhere to the limitations on the use of the information, and providing covered individuals with a notice of privacy practices describing their rights with respect to their own PHI. Additionally, if PHI is received or maintained in electronic form, the Security Rule's administrative, physical and technical safeguards (e.g., access controls and encryption) must also be observed.
Employees will not necessarily be aware of the HIPAA privacy and security requirements absent training. The general rule is to train all members of the workforce, including new employees within a reasonable period after hire and all affected employees whenever the plan's policies and procedures materially change. A broad training regime demonstrates the employer's commitment to HIPAA compliance and raises awareness throughout the organization. Most importantly, the training should focus on the employees who will administer or otherwise be involved with the health plan (i.e., those who will actually have access to PHI). Instruction on an annual basis (if not more frequently) is generally recommended. The employer must also document each employee's completion of the program (for example, by collecting a signed certification statement) and retain that documentation.
The current global viral outbreak highlights the importance of a well-trained workforce. Even under these circumstances, the HIPAA Privacy Rule still applies. Therefore, a group health plan must continue to apply administrative and technical safeguards to protect the confidentiality of PHI. Disclosures that the Privacy Rule permits (for example, to a health care provider for the treatment of an employee or dependent, or to a public health authority) remain subject to the rule's conditions, including the minimum necessary standard where it applies, and should be made in accordance with applicable guidance.
In addition to educating the staff and protecting the privacy of employees, an ongoing HIPAA training regime may be advantageous to the employer in the event of a security incident or breach. Should there be a complaint to, or an investigation by, a regulator, the employer can demonstrate that it took its compliance obligations seriously, which may be considered a mitigating factor when penalties are assessed.
With respect to the training format, the employer has flexibility to design a program appropriate for its employee population and logistics. Accordingly, the employer can use videos, webinars, live meetings, newsletters/bulletins, a review of written compliance guidelines, etc. Whatever approach is selected should clearly explain the employer's formal policies and procedures on HIPAA privacy and security, including how to report a suspected violation or breach.
If the employer is interested in a suggestion for a vendor to assist with HIPAA training, Total HIPAA can provide a comprehensive training program with formal record keeping at a reasonable price. Contact your adviser for more information about Total HIPAA.