The Health Insurance Portability and Accountability Act of 1996 is designed to protect an individual’s health information from inappropriate disclosure. Even though HIPAA has been in effect for a number of years, HIPAA violations still occur. Following are some of the common mistakes made by entities covered by HIPAA.
Covered entities are required to implement security measures for protecting electronic health information. Although the rules have existed since 2005, many companies have not yet put into practice policies and procedures designed to safeguard this information. In addition, many other companies have not amended plan documents and business agreements that went into effect prior to 2005 to make sure they comply with HIPAA electronic health security measures.
Often, entities affected by HIPAA do not provide proper training regarding the protection of health information. HIPAA requires that new staff members who have access to medical information be trained within a reasonable time after being hired and undergo retraining any time an entity’s privacy policy is significantly updated.
HIPAA does not always affect employers who offer fully insured health plans. If the employer also offers medical reimbursement programs such as flexible spending accounts or wellness programs, however, HIPAA may apply to those programs. Under HIPAA, the employer is then required to provide training to the work force and maintain a privacy policy to protect employees.
When an entity makes a significant change in its privacy policy, it is required to send a notice to participants within 60 days. Entities are also required to remind participants about the privacy policy every three years.