Posted

HIPAA requires segregation between an employer's business functions and administration of its self-funded group medical plan.

In the real world, human resources personnel at such businesses perform some HR tasks such as hiring, firing, and discipline, and also help administer claims and perform other health plan functions. HIPAA requires that employers strictly segregate these functions. HIPAA also requires appointment of a privacy officer. Also in the real world, HR directors are the likely candidate to serve as HIPAA privacy officers because they are usually much more familiar with the group health plan than are folks like the CEO or CFO (of course this can vary greatly).

Many employers out there are just not able to create a salaried position of privacy officer, and many also don't want to hire the number of people it would take to totally segregate HR functions and group health plan functions. I am curious as to what practitioners are advising clients in this regard, and whether TPAs are stepping in to help bridge the gap.

Posted

HIPAA requires segregation of information, not individuals. There is nothing preventing a person from performing tasks both inside and outside the "HIPAA firewall", so long as PHI received in the course of covered duties is not used for non-covered functions.

Such individuals will have to be trained that they "wear multiple hats" in their employment roles, and that they must keep their duties separated.

Similarly, a HIPAA privacy officer may, and usually does, serve other functions for the employer.

Posted

Steve72, thanks for the quick reply.

Realistically, how can an individual who processes claims at a self-funded plan not be influenced by claim information, however subconsciously or subtly, when he or she is wearing an "HR" hat?

For just one example, presume a HR employee spends the morning processing group health plan claims submitted by Employee X and notes the employee has multiple prescriptions for drugs that are widely known to be for depression and anxiety.

In the afternoon, the same HR employee is asked to sit in on a meeting in which other HR personnel discuss a pending proposal to assign Employee X to a new project for a major client that is high-pressure and high profile, with a very tight completion schedule.

How could the HR person not "give pause" about recommending the assignment, given his or her knowledge about Employee X's prescription use?

Sorry to play devil's advocate....

Posted

The short, semi-cynical answer is, he can't because HIPAA says he can't.

It's the same type of analysis used when an officer acts on behalf of both the plan and the plan sponsor. As you point out, this will be a difficult process, as knowledge can't be "unlearned" for non-HIPAA related functions. I don't know that there is a perfect answer for the situation you outline. If the individual believes PHI has made its way out of the plan function and into the employer function, there is a HIPAA issue. It would probably be up to a court to decide whether the HR director adequately firewalled the information from use in employment decisions.

Posted

So an analogous situation would be a board of directors where a director who has a personal interest in a matter (say, whether her retirement benefit is doubled) would recuse herself from a vote on that issue but would otherwise partake in board votes?

I.e., the HR person who processed a claim on someone would simply refrain from contributing to a company decision on the person if the PHI the HR person processed would possibly affect his or her impartiality on the HR issue?

Thanks again for contributing to this discussion.

Posted

That's certainly the safest solution. The problem, as you pointed out earlier, is in a small company where, for example, the HR Director is also the Privacy Officer. (Four commas in one sentence. I'm definitely going to grammar purgatory for that one.)

If the individual's input is necessary in his/her role in both areas (HR and Privacy), then the solution you propose may not be possible. In this case, I think it becomes more analogous to a discrimination-in-hiring issue. The HR Director should document as clearly as possible the non-PHI related reasoning for his/her decision. That way, the company will have a record to fall back on if HHS comes knocking.

  • 2 weeks later...
Posted

To me it seems that many questions like this were left ambiguous by the final privacy rule. As a result, it is up to the employer to determine what is a "reasonable" policy and procedure in meeting the requirements of HIPAA.

Posted

Yes, fortunately or unfortunately employers that are covered entities must use their discretion in this area.

One thing that becomes important if any human resources personnel are doing double duty in the HIPAA context is that they aggressively document the performance-based reasons for any adverse employment action that they take against employees who participate in a self-funded health arrangement, whose PHI could have been available to the human resources personnel.

If HR people who view PHI simply vote "yea" or "nay" on adverse employment decisions, they are automatically open to charges that the PHI they viewed prejudiced them against the employee.

HR people who view PHI must also be counseled to abstain from participating in any vote or decision affecting an employee, if the HR person feels that he or she could not be impartial due to PHI that they have seen on that employee.

I am counseling clients to avoid any staff overlaps between HR functions and group plan administration, if at all possible. But I am aware that for many smaller employers, duplicating staff in these areas is simply not going to happen.
