Heard about the new rules on employee medical records privacy? In case you missed it or couldn’t face the mountain of paperwork, it’s time to comply.
In January of this year, the US Department of Health and Human Services (HHS) issued its final omnibus rule implementing the HIPAA privacy and security changes required by the HITECH Act and GINA. (We’ve discussed our friend GINA several times in this column. The HITECH Act updated HIPAA’s privacy and security requirements to reflect the myriad new forms of electronic medical records transmittal.)
If you sponsor a healthcare plan for employees, or even just maintain medical-related records such as FMLA medical certifications, these rules apply to you. The final HHS rules took effect September 23.
Here are the steps you need to take:
• Review existing vendor relationships with respect to group health plans to be sure there are formal business associate agreements in place acknowledging each party’s responsibilities under the new rule.
• Amend (or, if necessary, adopt) written breach notification procedures.
• Update and redistribute the Notice of Privacy Practices regarding new or revised individual rights and changes in policies and procedures.
• Train workers with access to Protected Health Information (PHI) on all applicable changes.
Bottom line: Avoiding the Paperwork Isn’t Worth the Risk
Surely you’ve got lots of higher priorities on your plate than jumping through more hoops for Uncle Sam. Think you can hide and hope for the best? Think again. Expect a big increase in enforcement activity to go along with the new rules. The omnibus rule made numerous enforcement changes that increase both the authority of HHS and the risks for employers. HIPAA enforcement previously was complaint-driven, but going forward HHS will actively conduct HIPAA privacy and security audits, and the agency is now required to investigate complaints that on preliminary review point to possible willful neglect.
HIPAA penalties also were increased and now can be as high as $50,000 per violation, capped at $1.5 million per calendar year for identical violations. However, the cap applies per type of violation, so penalties for different types of violations can be “stacked” within the same year, meaning the actual maximum annual exposure can be a multiple of the $1.5 million cap, depending on how many different types of violations occur in that period. So if you or any of your health plan vendors commit privacy violations with respect to your employees, it can cost you big. Better get at that paperwork.