Privacy Issues in the Workplace

• Second, if the public agency has a self-administered health plan with 50 or more participants, it is subject to HIPAA. Self-insured plans, cafeteria plans or flexible spending accounts with more than 50 participants (if administered by a public agency rather than a third-party administrator) are all covered by HIPAA.

If a public agency has an outside administrator for its health plans, cafeteria plans or flexible spending accounts, then it is not covered by the full range of HIPAA’s Privacy Rule. However, even if it is not a covered entity, a public agency still has to meet certain lesser requirements such as:

• Ensuring that the third party administrator is complying with the Privacy Rule;
• Obtaining authorizations from employees to access information about their health claims;
• Ensuring that the health plan provides that employees can access their own health information.

HIPAA’s Privacy Rule imposes a number of administrative requirements on covered entities. If your agency is a covered or hybrid entity, the Rule requires it to do the following:

• Notify individuals regarding their privacy rights and how their private health information can be used or disclosed.
• Adopt and implement internal privacy policies and procedures.
• Train employees to understand these policies and procedures as appropriate for their functions in carrying out duties related to the employer’s capacity as a health plan or health provider.
• Designate individuals who are responsible for implementing these policies and procedures, and who will receive privacy-related complaints.
• Establish privacy requirements in contracts with business associates that perform functions related to the employer’s capacity as covered entity.
• Implement appropriate administrative, technical, and physical safeguards to protect the privacy of health information, so that it is not readily available to those who do not need it.
• Meet obligations concerning the exercise by individuals of their rights under the Privacy Rule. 244

An agency must designate an employee to serve as the privacy officer. HIPAA does not specify any particular qualifications, but an employer should consider selecting someone with knowledge of the agency as a whole from a management perspective and a familiarity with benefits administration.

Privacy Issues in the Workplace ©2019 (s) Liebert Cassidy Whitmore 74
