HIPAA: Privacy and Security Policies and Procedures
July 6, 2017
The Health Insurance Portability and Accountability Act (HIPAA) was adopted by Congress to ensure that group health plans keep participant information private and secure. The HIPAA Privacy Rule establishes standards for keeping that information private. The HIPAA Security Rule establishes safeguards for keeping it private when it is held or transferred in electronic form. In both cases, the intent is to protect protected health information (PHI).
HIPAA requires most employers, both self-funded and fully insured, to have comprehensive written privacy and security policies and procedures. One common mistake occurs when an employer sponsors a fully insured group health plan and believes it is therefore not subject to most of the HIPAA rules, while also sponsoring a health reimbursement account (HRA) or a health flexible spending account (HFSA); both of these are considered self-funded plans and are subject to HIPAA. Another common mistake is that many employers have drafted HIPAA privacy policies but have never formally addressed the separate HIPAA security rules.