The level and responsibility for compliance depends on whether PHI is provided by the group health plan to the employer or not.
Business associates are required to protect any PHI received from the covered entity in the same manner as required by a covered entity.
Prior to disclosing any PHI, covered entities must obtain assurance by written agreement that the business associate will properly safeguard the information.
When a benefits broker handles a group health plan’s PHI, it is required to protect it in the same manner as a covered entity.
As a business associate of the insurance carriers and some self-insured client plans, Keller Benefit Services is fully compliant with HIPAA.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains Privacy and Security Rules.
The Privacy Rule is intended to provide individual rights regarding protected health information (PHI).

Breach Notification Rule

The HITECH Act includes the Breach Notification Rule, which outlines notification procedures for covered entities that experience a breach of PHI that is in violation of the Privacy Rule. A breach is defined as the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the information.

All plan sponsors need to take at least the first step of the Security Rule. Self-insured health plans, including health care FSAs, and larger fully-insured plans are more likely to have ePHI and therefore must take all of the following steps to comply with the Security Rule:

The Security Rule is designed to be technology neutral and flexible so that covered entities will be able to devise safeguards that can work within their existing system capabilities.

Standard: Training

"A covered entity (§164.530(b)(1)) must train all members of its workforce on the policies and procedures with respect to PHI required by this…[Rule]…as necessary and appropriate for the members of the workforce to carry out their function within the covered entity."

Specifications: Training

To meet this requirement, training must:

Standard: Safeguards

"A covered entity (§164.530(c)(1)) must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI."

Specification: Safeguards

As such, the entity "must reasonably safeguard PHI from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications, or other requirements of this" [Rule].