The Health Insurance Portability and Accountability Act (HIPAA) is a law that includes privacy and security rules to protect certain personal health information. Employer-sponsored benefit plans need to stay HIPAA compliant to avoid penalties, such as fines.
The HIPAA regulations can be complicated. It’s important to keep your goals in mind and organize your strategies when following each rule. That’s why many group health plans use a HIPAA compliance checklist to structure their approach.
You can build a compliance checklist that fits your plan’s unique needs. However, it’s important to start by understanding each HIPAA rule, how it applies to you, and which tasks will keep you compliant.
HIPAA compliance basics
HIPAA was introduced in 1996 and first enforced in 2003. Its main goals are to protect the privacy and security of individuals’ health information and to ensure the portability and accountability of health insurance coverage.
HIPAA does this in part by setting standards for how individually identifiable health information that is maintained or transmitted, known as Protected Health Information (PHI), is used and disclosed. PHI can include:
- Names
- Addresses
- Contact information
- IP addresses
- Fingerprints
- Health plan ID numbers
- Other unique identifiers relating to the health or provision of healthcare services to an individual
Many organizations that handle participant or patient data are subject to the HIPAA regulations. Examples include:
- Healthcare clearinghouses: Entities that process certain health information
- Healthcare providers: Doctors, dentists, nursing homes, pharmacies
- Health plans: Health insurance programs, company group health plans, and some government programs
These are called covered entities, and they must comply with the HIPAA regulations. Third-party organizations that perform PHI-related activities for covered entities are called business associates and must also comply with some parts of the regulations.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA. This can include investigating complaints, conducting compliance reviews, and educating covered entities. In the case of a criminal HIPAA violation, the OCR may work with the Department of Justice.
Different compliance obligations apply depending on your unique situation. For example, self-insured health plans are generally subject to all HIPAA privacy and security rules. Requirements for fully insured plans depend on how the plan sponsor and insurance carrier interact.
These different levels of compliance are all determined by the three main rules of HIPAA. Here’s what to know about each one:
HIPAA Privacy Rule
The Privacy Rule creates a standard for protecting PHI like medical records. It establishes what a covered entity can do with PHI and determines when it’s necessary to get authorization to disclose PHI. It also creates rights for individuals, including getting copies of health records and requesting corrections.
This rule was first proposed in 1999 and has been updated many times since then. The most recent update was the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy” in 2024. It’s important to understand how often these changes occur and what they look like because this could impact your compliance strategy.
For group health plans, the Privacy Rule means you need to provide participants with a Notice of Privacy Practices at enrollment and within 60 days of any material change, and remind them how to obtain a copy at least every three years. This explains what rights they have regarding their PHI. It should also outline how you use and disclose this information and when you’ll request authorization.
How do you know when you need authorization? The Privacy Rule explains that HIPAA-covered entities can only use PHI without specific authorization for the following purposes:
- Healthcare operations: Underwriting, legal services, business planning, general administration activities
- Payment operations: Providing benefits, offering premiums or reimbursements, determining health plan eligibility
- Treatment: Providing healthcare services or consulting with another healthcare provider
Conversely, authorization is required for other uses and disclosures. For example, you must obtain authorization prior to marketing any additional products or services to the plan participants.
When you use or disclose PHI in any circumstances, the Privacy Rule requires you to use or disclose only what’s necessary to complete the task. This is part of the minimum necessary standard.
The Privacy Rule also creates expectations for policies, procedures, and HIPAA training. This includes clarifying what happens if someone administering your group health plan (rather than in your health plan) breaches a HIPAA standard. You may need to designate someone to oversee implementing privacy rules.
HIPAA Security Rule
The Security Rule requires HIPAA-covered entities to implement a safeguard strategy to protect PHI. This applies to all kinds of electronic PHI, whether you create, receive, store, or share it.
The types of safeguards are administrative, physical, technical, organizational, and documentation. Covered entities must implement controls to comply with each type of safeguard and satisfy the policies, procedures, and documentation requirements.
It’s important to know that the Security Rule designates safeguards as either required or addressable. If a safeguard is in the addressable category, you need to assess if it’s appropriate for your health plan and implement it if reasonable. If an addressable safeguard is not reasonable and appropriate, you’ll need to document your explanation and choose a different security measure if necessary.
The idea behind the Security Rule is to create guidelines instead of strict rules. This helps you create a framework that adapts to and scales with your group health plan. Just remember that you must have reasonable and appropriate security controls to protect electronic PHI, a regular risk assessment process, and documentation using formal HIPAA procedures.
HIPAA Breach Notification Rule
The Breach Notification Rule is a HIPAA requirement that creates rules for assessing and reporting breaches of PHI. Breaches are defined as impermissible access, use or disclosure of PHI that compromises the security or privacy of the PHI. There are certain exceptions to this definition based on who is involved and what the results might be.
While all breaches must be assessed, only breaches of unsecured PHI are reportable. This refers to PHI that hasn’t been encrypted or properly destroyed.
Any impermissible access, use or disclosure of unsecured PHI is presumed to be a breach unless you can prove otherwise. This requires a risk assessment that considers factors such as the type of PHI involved, the recipient, whether the data was viewed, and any mitigating factors.
If a business associate has a breach, it must provide this information to the covered entity it works with. If the covered entity is the one with the breach, it may need to notify three groups:
- Impacted individuals: You need to notify participants no later than 60 days after discovering a breach. This notification should include a description of the breach, types of PHI involved, next steps, and contact information for further questions.
- Media: For breaches affecting more than 500 residents of a state or jurisdiction, you also need to notify relevant media outlets within 60 days. This notice should include all the same details as the individual communications.
- HHS Secretary: You must use the HHS website to fill out a breach report form to notify the Secretary of HHS of an applicable breach. This should be done within 60 days if the breach impacts 500+ people, or within the calendar year if it impacts fewer.
Your responsibilities as a group health plan may differ depending on your situation. For example, fully insured plans may not have additional obligations because the insurance carrier does not share PHI with the plan sponsor and assumes responsibility for the fully insured plans. Self-insured plan sponsors must take additional steps to comply with the HIPAA Privacy and Security Rules.
The value of a HIPAA compliance checklist for group health plans
There are multiple ways to ensure you stay compliant with all three rules and their requirements. A HIPAA checklist is one of the most customizable tools at your fingertips. You can build this checklist around your health plan’s needs and scale it as you learn what works.
A HIPAA checklist comes with plenty of benefits. Examples include:
Staying compliant
HIPAA violations can create a lot more work than staying compliant in the first place. If the OCR catches an issue early, it may provide technical assistance without investigations or penalties. However, it may require you to follow corrective measures and change your privacy practices.
The OCR has imposed civil money penalties in 147 cases at a total of $143,728,972. Violations can cost up to $50,000 each if not corrected. Individuals and the plan itself could face criminal penalties, including up to $250,000 in fines and up to 10 years in prison.
According to the OCR, group health plans are the fourth most common type of covered entity with alleged violations. It reports that the most common issues include impermissible uses of PHI, lack of safeguards, and using more than the minimum necessary information.
A HIPAA checklist can help you avoid many of these problems by organizing your approach and keeping track of your efforts.
Preventing damage
Participants rely on their health plan to protect sensitive information. Breaches can result in anything from inconvenience to identity theft. You have a responsibility to limit those risks with effective and efficient solutions.
A well-designed checklist gives you visibility into everything you’re doing to help protect PHI. This also makes it easier to communicate your efforts to participants, as required.
Addressing unique challenges
HIPAA compliance requirements can be complicated for group health plans. You have different responsibilities depending on the PHI you have access to, the type of funding structure your plan uses, how many other stakeholders are involved, and more.
A checklist helps clarify exactly what you’re doing and why, so your efforts are always focused. This also helps organize compliance tasks across multiple departments.
Documenting your efforts
Documentation is crucial in many aspects of compliance. It doesn’t just prove your efforts to the OCR during a HIPAA audit but also helps you communicate with participants and identify opportunities for process improvements. This way, you’re prepared to track down the source of a problem like a data breach and come up with an appropriate solution.
Your HIPAA compliance checklist
You should build your own HIPAA checklist based on what works for your group health plan. Here are a few items to include:
#1: Understand HIPAA basics
Remember that HIPAA requirements are different for health plans than for other covered entities. It’s important to understand these variations so you don’t rely on incorrect or incomplete information.
It’s just as crucial to break down each individual HIPAA regulation. For example, the Security Rule requires that you know the difference between technical, physical, and administrative safeguards. The Breach Notification Rule has similarly detailed requirements when it comes to sharing the right details about breaches.
Tip: Not all HIPAA requirements have to complicate your compliance. Rules like the minimum necessary standard can help prevent unnecessary work and keep your efforts focused, streamlined, and efficient.
#2: Identifying, understanding, and using your PHI
One of your most important responsibilities is understanding PHI. This part of your checklist should cover:
- Identification: You should have a process for identifying PHI because employers hold certain information that isn’t subject to some HIPAA rules.
- Permission: You can only disclose PHI if required or permitted by regulations or if authorized by the individual.
- Authorization: Where an authorization is necessary for disclosure, you must get signed authorization that includes details like revocation procedures, expiration dates, rights information, and more.
For example, disclosing information within the covered entity for treatment purposes or to the individual is allowed. So is sharing PHI in some cases involving law enforcement, organ donation, safety threats, and Workers’ Compensation compliance. Meanwhile, something as simple as leaving a document unattended in a public-facing area could be considered an impermissible disclosure and breach.
#3: Creating policies and procedures
Many elements of the HIPAA rules require you to create specific plans and policies to stay compliant. You have some flexibility because HIPAA doesn’t lay out every rule and expectation. However, this also means that you’ll need to do your own research and design a framework that will keep the entire health plan compliant.
This part of your checklist should focus on the steps you take to build policies and procedures. It might be helpful to break this down into separate lists for each of the three main rules. You should also designate privacy and security officers to keep track of your efforts and ensure compliance with different regulations.
Make sure your new approach keeps you compliant. To do this, you should include steps for reviewing your efforts. You can conduct your own HIPAA compliance audit to see where you may have overlooked an important consideration or requirement.
Tip: Remember to add a step for updating your policies and procedures. You should do this regularly to make sure you’re keeping up with the latest HIPAA updates and OCR enforcement priorities.
#4: Including other compliance requirements
There’s a lot to consider when it comes to benefits compliance. You can’t afford to get stuck focusing solely on HIPAA.
That’s because HIPAA interacts with your other compliance obligations. Following a rule from one might fulfill a requirement from another. On the other hand, some requirements can cause complications because they seem to pull in opposite directions or stretch your resources too thin.
This means your HIPAA compliance checklist should consider other compliance efforts and how they interact with each step. Even if HIPAA doesn’t apply in a particular situation, other laws might be relevant. Examples include:
- Americans with Disabilities Act
- Genetic Information Nondiscrimination Act
- Gramm-Leach-Bliley Act
One of the best ways to tie all of these considerations together is through a broad risk assessment. This helps you understand all of your compliance obligations across the entire group health plan. You’ll have the insights you need to combine efforts, restructure strategies, create new checklist steps, and address gaps.
#5: Building a compliant culture
Your checklist should lay the groundwork for compliance across every component of the group health plan. That means establishing shared expectations and backing them up with the appropriate internal education.
This isn’t just to comply with specific requirements like the Privacy Rule’s expectations for regular HIPAA training. A culture of constant learning helps encourage individuals to ask for support instead of making assumptions, which can help prevent breaches and other issues.
Your checklist should start by establishing who needs to be trained. This generally includes any employee with access to PHI as a regular part of their job function. However, it may also be equally helpful to train others so they understand why they can’t or shouldn’t access certain information.
You should also consider what each type of training needs to cover. Security and compliance employees will require more thorough education than other employees.
#6: Getting support
Staying compliant with HIPAA regulations requires ongoing training, audits, and security measures that can be complex to manage alone. Support from experts ensures the necessary safeguards are in place, minimizing risks and ensuring that you’re following the right protocols. That’s why your checklist should always include a step for getting compliance support.
Questions about HIPAA compliance? Start with Marsh McLennan Agency.
HIPAA doesn’t just protect your participants; it keeps group health plans like yours from making mistakes that could put you at risk. Every HIPAA safeguard exists to ensure that PHI stays in the right hands.
However, every plan is different, and there’s no single framework for following all the HIPAA rules.
Our compliance consultants can help. They’ll take the time to learn about your needs and support you in your efforts to stay on the right track.
We’re here to help partner with you to achieve HIPAA compliance. Contact us today for HIPAA solution recommendations from the Marsh McLennan Agency team.