Think back for a moment about what made you want to work in Human Resources. Was it the idea of helping people grow and forge their own career paths? Your desire to drive mass-scale diversity and inclusion efforts? Or maybe you wanted to play a key role in elevating a company to the top of Fortune’s “Best Companies” list.
Whatever led you to this people-focused profession, “becoming a legal expert without the benefit of a law degree” was probably not part of your thought process. Yet, in this increasingly global economy, that’s a pretty accurate description of what a career in Human Resources looks like.
It’s on HR to understand the employment laws for every state in which your company has an office. If the company wants to hire people from outside the US, who has to know how to obtain immigrant work visas? And who is the CEO going to turn to right after announcing that the company is about to break ground on its first European office?
With health insurance in the US tied to employment, it has naturally fallen on the shoulders of HR to master the complexities of HIPAA (the Health Insurance Portability and Accountability Act of 1996) and the Privacy Rule issued under it.
Employers and HIPAA-HITECH
As sponsors and administrators of the group health plans for their employees, most companies fall under the same HIPAA-HITECH requirements as covered entities* (HITECH is the Health Information Technology for Economic and Clinical Health Act of 2009, which extended and strengthened HIPAA’s privacy and security requirements). According to the US Department of Health & Human Services, a covered entity is a health care provider, health plan or health care clearinghouse, including any institution or organization that “electronically transmit(s) any health information in connection with transactions for which HHS has adopted standards.”†
Because your company is subject to HIPAA-HITECH regulations, it likely conducted, at some point after 2003, a thorough risk analysis of how it gathers, stores and shares health data (if you were working there at the time, you were involved), and worked with IT to bring everything into compliance. Not exactly an easy or fun process, but it makes sense that an organization that falls under a set of rules would be responsible for setting up the processes needed to comply with those rules.
However, managing the adjacent responsibility for the compliance of a covered entity’s business associates is another matter.
HIPAA’s Privacy Rule stipulates that any business associate of a covered entity must also comply. “Business associate” has a broad legal definition, but we’ll simplify it here to a company doing business with a covered entity that has access to, and handles, protected health information (PHI) on that entity’s behalf.
Corporate wellness programs and HIPAA-HITECH
The legal responsibility here extends not only to medical coverage, but to corporate wellness programs as well, at least when the wellness program is offered as part of the group health plan. HIPAA’s Security Rule states that covered entities and business associates must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”‡ Once that assessment is completed, the business associate must implement security measures that reduce every risk it uncovered to a reasonable and appropriate level.
Whether you’re searching for someone to manage your company’s wellness program from end to end, or you’re simply looking for some fresh thinking regarding your program’s incentives strategy, you’re considering onboarding a new business associate. If that vendor supplies your employees with prepaid cards they’ve earned by meeting a health goal, it necessarily learns which employees met that goal, and that company is, in the eyes of the US Department of Health & Human Services, handling your employees’ PHI.
That means the long process of risk assessment you went through to make sure your company was HIPAA-HITECH compliant is about to begin all over again, this time for your new vendor.
Or . . . maybe not.