One of the most common mistakes that employers make is failing to update the notice of privacy practices and/or send the three-year reminder. As per HIPAA, the notice must be amended when a material revision is made to its privacy practices and this updated notice must be sent to participants within 60 days. Health and Human Services has advised that a covered entity must revise and reissue its privacy notice when there has been a material change to an applicable state privacy law.
In addition, employers are required to remind participants about the privacy notice, and how to obtain it, at least once every three years. The first reminder was required to be sent to participants by April 14, 2006, for large health plans or by April 14, 2007, for small health plans. For large health plans, the next reminder must be provided by April 14, 2009. Health and Human Services has clarified that this requirement may be met by providing the full privacy notice once every three years, issuing a brief reminder notice or even by providing the reminder in a newsletter.
Covered entities should be aware that HIPAA’s rules regarding distribution of privacy notices are typically more stringent than requirements for other types of plan notices. Therefore, such notifications may not have been made in accordance with HIPAA requirements.
Again, covered entities are frequently unsure of the appropriate corrective measures necessary to resolve HIPAA complaints. Although not technically required by HIPAA, maintaining a written procedure for investigating and resolving privacy complaints may go a long way toward avoiding the assessment of penalties if a complaint is filed with Health and Human Services. The department will not assess a penalty if a privacy rule violation was due to reasonable cause and not willful neglect, and is corrected within 30 days of when the covered entity knew (or should have known) of the violation.
When a potential violation has occurred, an employer should take corrective action as soon as possible by following a written procedure for investigating the complaint. The results of the investigation should be in writing, and might include the nature of the complaint or potential violation, the steps taken to investigate the complaint, the facts revealed by the investigation, the internal HIPAA policies or procedures related to the facts and the appropriate remedial action to resolve the issue.
In this regard, the report might include sanctions against employees who violated the policies, in addition to any actions required to mitigate the harmful effects of the violation. The report might also include steps that should be followed in the future to minimize the possibility of recurrence.