To the HR Department – Exactly When is HIPAA Compliance your Concern?
_{May 2, 2018}

I was browsing over some HR related vacancies from various recruitment professionals working in healthcare organizations and noted that none of the posts missed mentioning about the HR candidate having some basic knowledge on the principles and practices of HIPAA.  Some even mentioned about providing regular follow up training relative to HIPAA compliance in the workplace.

Human Resource personnel working for an organization that is a Covered Entity (CE), then all requirements of the Privacy and Security Rule, found at 45 CFR Parts 160 and 164, in addition to the updated requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act, must be met. Not only CE Human Resources but also companies regarded as Business Associate (BA) must comply with certain provisions under HIPAA law, all of which have been extended to business associates through the HITECH Act.

Creation and implementation of policies and procedures that will address the requirements of HIPAA Privacy and Security rules is the responsibility of Privacy and Security Officers.  In most cases, these positions are filled by people other than the HR Manager. Nonetheless, HR Management still plays a crucial role in HIPAA compliance.  How exactly HR influences and drives the organization’s HIPAA compliance?

1. HR team should be the foremost advocates of HIPAA compliance. It is important that HR departments are engaged as active participants in creating a strong “culture of compliance” within the organization. HR bridges the gap between IT and the employees. IT will set the stage i.e. putting together IT system and network infrastructures and safeguards in place while employees utilize these safeguards in their everyday tasks with commitment and whole honesty.
2. Then the very people who are most needed in the creation and implementation of the policies and procedures for HIPAA compliance i.e. Privacy and Security Officers will still go through the hands of the HR team. It is the role of the HR Manager and staff to look for the most qualified PO and SO for the organization.
3. HR department is responsible for creating policies and procedures that integrates well with HIPAA compliance policies and procedures. Just like for example, the HR policies relevant to employees’ access to company systems. HIPAA law mandates under Workforce Security 164.308(a)(3) that CE must “Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.” Or compliance relating to background checks as detailed under Workforce Security 164.308(a)(3)(ii)(B). The workforce clearance procedure reviews whether criminal background checks are performed on potential job candidates.
4. HR department is also responsible to on-boarding process which includes authorization access to PHI. The department must note that employees’ needs to be given access to ePHI shall be based on his or her job description. In collaboration with the IT department, HRD will help by providing the employee list, their respective roles and coordinating with the department managers, the level of access each of those roles must have. IT department after having all these information will then try to put together RBAC (Role Based Access Control) access control scheme.
5. Newly hired and existing workforce must be given Security and Privacy training to be able to respond to security threats or address HIPAA requirements. Each member of the organization must learn how they can work on their daily routines without violating any of the HIPAA rules. These trainings maybe conducted in various ways and HR department must ensure that a written agreement (i.e. Employment Contracts) includes these trainings as a required training at least annually.
6. It is also the responsibility of HR department to ensure that a new hire and termination checklist is created and implemented accordingly considering the HIPAA security rules. Such practice make certain that terminated employees cannot access sensitive data or cause unnecessary harm. Here are some questions HRD might need to ensure are addressed in their termination checklist:

• Do you immediately deactivate a workforce member’s access upon termination (or, as appropriate, upon change of job description)?
• Do you notify your IS vendor of an employee’s termination within a specific time?
• Is there a standard checklist of action items when an employee leaves? (Return keys, close and payment of credit cards, return software and hardware)
• Does your organization consistently enforce checklists and policies with respect to all employees who are terminated or whose duties have changed, whether the termination or change was voluntary or for cause?

To our HR professionals out there working in covered entities or BA, which part of your day-to-day duties and responsibilities directly affect your organization’s HIPAA compliance? We’d love to hear your thoughts, join our forum.