Blog

Mind your compliance gaps to make sure you don’t take unnecessary risks

2022-09-15 / 2022-09-16

NACo Partner Resource

This blog post is sponsored by NACo partner, Buck.

Buck is supporting HIPAA compliance, which may be even more critical for county governments given their standing in the communities they serve and the sensitivity of the information being stored.

We take chances every day, in the firm hope of a payoff, no matter how small.

But a breach of protected health information (PHI) or electronic protected health information (ePHI) could place your county at risk for fines for failing to comply with the Health Insurance Portability and Accountability Act (HIPAA).

Unlike some compliance requirements that only apply to the private sector, all public sector organizations are required to comply with HIPAA’s rules. In fact, HIPAA compliance may be even more critical for county governments given your standing in the communities you serve and the sensitivity of the information you store. With the increase in the number of remote workers, the ever-present threat of cybersecurity breaches, and, more recently, the privacy concerns around reproductive health, there are multiple reasons that reinforce the need for strong HIPAA compliance.

Three steps to creating a comprehensive HIPAA compliance program

1) Document your HIPAA policies and procedures

Your HIPAA policies and procedures act as the playbook for how your group health plan will comply with HIPAA’s requirements and, as such, will be one of the first things checked if audited by the Health and Human Services Office of Civil Rights.

These documents are highly customized to the way your county operates. Privacy policies and procedures address when, how, and to whom disclosures of PHI are permitted and how to obtain authorizations to release PHI. They also identify your team members with access to PHI and prescribe who should be trained.

The security policies and procedures describe how your county will protect PHI and ePHI from a workplace and system security perspective. They incorporate physical, technical, and administrative safeguards accounting for the measures your employees will take to secure the HIPAA data you collect, store, and disseminate while administering the group health plan.

Individual rights, business associate agreements, forms, and templates (such as the Notice of Privacy Practices, Uses and Disclosures Tracking Form, and Breach Incident Reporting Forms) are all typical components of a thoroughly documented privacy policy and procedure.

2) Assess your risks – HIPAA’s required risk/threat analysis

A risk analysis considers a range of threats but also provides a range of possible solutions.

It’s important to note that health plans and their business associate vendors with access to protected health information have a responsibility to conduct a thorough risk assessment.

To conduct a risk analysis, your county must identify and inventory the locations where PHI and ePHI are stored. For example, there may be PHI in HRIS systems, email, various benefits administration systems, applications, physical storage locations, cloud servers, networks, and websites, to name a few.

Once inventoried, your team must weigh the likelihood/frequency, cost/impact, vulnerability, and mitigating controls of various types of natural, human, and environmental threats that may apply. High-risk threats should be mitigated through safeguards until the risk is lowered to an acceptable level. The risk analysis itself must be well documented and shared with all involved parties responsible for protecting PHI/ePHI.
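The inventory-score-mitigate-document loop described in this step can be kept as a small risk register. The following Python is an added illustration, not code from this post, from Buck, or from NACo. The 1-5 scales for likelihood, impact and vulnerability, the 0-1 control effectiveness, the residual-risk formula and the "high"/"acceptable" thresholds are all my own assumptions; HIPAA's risk analysis requirement does not prescribe any particular scoring formula. Every asset, threat and control name is constructed sample data.

```python
"""Constructed HIPAA-style risk register: inventory PHI locations, score
threats, mitigate until residual risk is acceptable, and produce the
documented record that must be shared with responsible parties.

Assumed scoring model (not from HIPAA, HHS, or the blog post):
  residual_risk = likelihood * impact * vulnerability * (1 - control_effectiveness)
with likelihood, impact, vulnerability on a 1..5 scale (max score 125).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HIGH_THRESHOLD = 40          # assumed: residual score at or above this is "high"
ACCEPTABLE_THRESHOLD = 20    # assumed: residual score at or below this needs no further action


@dataclass
class Threat:
    name: str
    category: str            # "natural", "human" or "environmental"
    likelihood: int          # 1 (rare) .. 5 (frequent)
    impact: int              # 1 (minor) .. 5 (severe cost / breach impact)
    vulnerability: int       # 1 (well hardened) .. 5 (wide open)
    controls: Dict[str, float] = field(default_factory=dict)  # control name -> effectiveness 0..1

    def control_effectiveness(self) -> float:
        # Controls combine on the residual fraction: two 50% controls
        # leave 25% of the risk, not 0%.
        residual = 1.0
        for eff in self.controls.values():
            residual *= 1.0 - eff
        return 1.0 - residual

    def residual_risk(self) -> float:
        return self.likelihood * self.impact * self.vulnerability * (1.0 - self.control_effectiveness())

    def rating(self) -> str:
        score = self.residual_risk()
        if score >= HIGH_THRESHOLD:
            return "high"
        if score > ACCEPTABLE_THRESHOLD:
            return "medium"
        return "low"


@dataclass
class PhiAsset:
    location: str            # where PHI/ePHI lives: HRIS, email, file room, cloud server...
    owner: str               # team responsible for protecting it
    threats: List[Threat] = field(default_factory=list)


def build_sample_inventory() -> List[PhiAsset]:
    """Constructed inventory of PHI locations, each with a few applicable threats."""
    return [
        PhiAsset("Benefits administration system (cloud)", "HR Benefits", [
            Threat("Phishing of HR staff credentials", "human", 4, 5, 4),
            Threat("Regional flood at hosting site", "natural", 1, 4, 2, {"offsite backups": 0.7}),
        ]),
        PhiAsset("Paper enrollment forms (file room)", "HR Benefits", [
            Threat("Unlocked file room after hours", "human", 3, 3, 5, {"badge-controlled door": 0.5}),
            Threat("Fire in records storage", "environmental", 1, 4, 3, {"sprinklers": 0.6}),
        ]),
    ]


def needs_mitigation(inventory: List[PhiAsset]) -> List[str]:
    """Threats whose residual risk is still above the acceptable level, highest first."""
    open_items = [(t.residual_risk(), a.location, t.name)
                  for a in inventory for t in a.threats
                  if t.residual_risk() > ACCEPTABLE_THRESHOLD]
    open_items.sort(reverse=True)
    return [f"{loc}: {name}" for _, loc, name in open_items]


def mitigate(threat: Threat, control: str, effectiveness: float,
             vulnerability_after: Optional[int] = None) -> float:
    """Record a safeguard (and, if it hardens the asset, the reduced vulnerability);
    return the new residual risk so the caller can loop until it is acceptable."""
    threat.controls[control] = effectiveness
    if vulnerability_after is not None:
        threat.vulnerability = vulnerability_after
    return threat.residual_risk()


def risk_report(inventory: List[PhiAsset]) -> List[dict]:
    """Flat, shareable record of every scored threat: the documented artefact of the analysis."""
    rows = []
    for asset in inventory:
        for t in asset.threats:
            rows.append({"location": asset.location, "owner": asset.owner,
                         "threat": t.name, "category": t.category,
                         "likelihood": t.likelihood, "impact": t.impact,
                         "vulnerability": t.vulnerability,
                         "controls": sorted(t.controls),
                         "residual_risk": round(t.residual_risk(), 1),
                         "rating": t.rating()})
    return rows


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("Open items before mitigation:", needs_mitigation(inv))
    mitigate(inv[0].threats[0], "phishing-resistant MFA", 0.8, vulnerability_after=2)
    mitigate(inv[1].threats[0], "after-hours sweep", 0.5)
    print("Open items after mitigation:", needs_mitigation(inv))
    for row in risk_report(inv):
        print(row)
```

The point of the multiplicative control model is that stacking partial safeguards never reaches zero, which matches the post's framing of lowering risk to an acceptable level rather than eliminating it; the `risk_report` rows are what you would file and share with the plan's responsible parties.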

3) Train your workforce – HIPAA’s training requirement

For sponsors of group health plans, HIPAA training is a requirement. Lack of training for employees exposed to PHI was identified as a primary area of concern in audit reviews conducted by the Office of Civil Rights. It’s critical to include HIPAA training during the onboarding of new employees with access to PHI. Attendance at all HIPAA training sessions should be documented, as these records can be requested during audits and investigations.

Training content must include “HIPAA basics” for those unfamiliar with the law, an overview of the privacy and security rules, including leading practices, and what steps to take in the event of a breach (including identification, notification, and additional tasks that may be necessary after a confirmed breach).

Of equal importance is to emphasize specific areas of concern within an organization and to update the content regularly to address new issues and threats along with leading practices to mitigate risk. Training should also capture when HHS issues new guidelines or rules and when there are changes in policies and procedures.

Keep diligent

In today’s environment, it’s crucial to develop sound policies and procedures, perform systems assessments, document the necessary risk/threat analysis, and train your workforce to fulfill the responsibilities associated with handling PHI.

Diligence is defined as a steady, earnest, and energetic effort, which is precisely what is called for when it comes to HIPAA compliance. Although not a small undertaking, following these steps will result in your county being better prepared to address any of the challenges to the privacy and security of group health plan data that may lie ahead.

To learn more about the compliance challenges facing county governments, register HERE for Buck’s September 28th webinar “Compliance challenges and best practices for public sector health and retirement plans.”
