Health Information Compliance Alert

Published on Wed Jun 08, 2022 PDF

Answer: No matter the status of the staff for a covered entity (CE), if the employees are interacting with patients and disclosing or using protected health information (PHI), they are akin to the HIPAA Rules.

“For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce,” the HHS Office for Civil Rights (OCR) reminds in online Privacy Rule guidance. “These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs,” OCR adds.

Tip: Compliance officers should adapt HIPAA training based on an employee’s role and how much PHI that they’ll be handling daily. That being said, they should also ensure that staff are fully trained on the Rules — and know the consequences for unauthorized access and disclosure. You may also want to have staff sign a HIPAA acknowledgement form as part of your procedures and store the data in personnel files.