According to the Journal of Occupational and Environmental Medicine, “Under HIPAA, ‘a group health plan, and a health insurance issuer offering group health insurance coverage in connection with a group health plan may not establish rules for eligibility (including continued eligibility) of any individual to enroll under the terms of the plan based on any of the following health status-related factors about the individual or a dependent of the individual: a) health status, b) medical condition (including both physical and mental illnesses), c) claims experience, d) receipt of health care, e) medical history, f) genetic information, g) evidence of insurability (including conditions arising out of acts of domestic violence), and h) disability.’”
HIPAA classifies these group health plans, whether fully insured or self-insured, as covered entities. This classification requires them to meet the requirements set by the HIPAA Security Rule’s safeguards, which include the following:
Health plans must comply with the documentation implementations required by HIPAA. These requirements include establishing policies and procedures outlining how ePHI is handled, accessed, and disclosed.
These plans are to maintain records of security incidents, documenting any breaches or unauthorized access to ePHI and the actions taken in response. The documentation aids in compliance and improves the organization's ability to respond effectively to potential threats. The specific provisions related to documentation for group health plans are discussed in Section 164.314 of the Security Rule and include:
“(i) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the group health plan;
(ii) Ensure that the adequate separation required by § 164.504(f)(2)(iii) [of the Privacy Rule] is supported by reasonable and appropriate security measures;
(iii) Ensure that any agent, including a subcontractor, to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and
(iv) Report to the group health plan any security incident of which it becomes aware.”
Group health plans, as covered entities, have to take measures to protect ePHI during transmission and storage. Email remains one of the most effective and commonly applied methods of sharing PHI, but it presents compliance challenges when popular platforms like Gmail are used without considering HIPAA’s requirements.
HIPAA-compliant email platforms were developed with compliance in mind, creating an effective way for organizations to ensure compliance without sacrificing convenience. Platforms like Paubox API integrate seamlessly with both Outlook and Gmail, allowing organizations to keep using familiar tools. Platforms like Paubox also present users with a verifiable audit trail of all communications involving PHI, a useful resource when being audited or investigated by the Department of Health and Human Services.
Covered entities and business associates are required to retain documentation related to the protection of ePHI for a minimum of six years from the date of creation or the date it was last in effect.
Accessibility to PHI is necessary for making informed medical decisions and coordinating treatment among different providers.
HIPAA's documentation requirements include maintaining comprehensive records that demonstrate compliance with the Privacy and Security Rules.