You have some new steps to take should employees’ health info be seen by prying eyes.
New Health Insurance Portability and Accountability Act (HIPAA) security breach rules mean you’ll be responsible for notifying each affected employee and the Department of Health and Human Services (HHS).
The rules technically kicked in Sept. 23, but the feds say they won’t enforce them until Feb. 22.
What counts, what doesn’t
Not all the data your Benefits and HR folks collect is impacted:
- What counts: Individual info from group health, dental or vision plans; healthcare reimbursement flexible spending accounts; pharmacy benefits plans; employee assistance programs; and long-term care plans.
- What doesn’t: Info related to leave requests, accommodation requests, and workers’ comp.
And while you must inform individual employees immediately whenever their health info falls into the wrong hands, you only have to report to HHS right away if more than 500 records are affected.
If fewer are affected, you’ll need to keep a log of what happened and report to HHS by the following March 1.