This blog follows last week’s post about the Complexities of HIPAA and what a company should do about privacy, a HIPAA Compliance Officer, and a human resources outsourcing firm. To catch up, check out last week’s blog here.

HIPAA specifically defines covered entities as a healthcare provider that conducts certain transactions in electronic form (called here a “covered health care provider”), a healthcare clearinghouse, or a health plan. While a much stickier situation arises for businesses engaged in self-insured health plans or those that provide onsite clinics, this particular business is not a covered entity; however, the health plan is.

There is no rule or law stating that an executive with the authority to hire and fire cannot become a “HIPAA Compliance Officer,” and it is not unusual for a small business owner to self-perform all of the functions in question, but why would senior management risk an issue down the road?  Whether you win or lose in court, it is costly, and an ounce of prevention is worth a pound of cure in risk management. This is a legal arrangement, but with 200 employees, why take a chance here? Appoint an office manager or another individual on the administrative team to become the HIPAA Compliance Officer, and train that individual on all aspects of relevant law as well as the collection of sensitive employee data when it is necessary, or outsource this function to a firm that specializes in human resources administration. It only makes sense, and often can save hard dollars.

As for the arrangement with the safety manager, this company is relatively safer. HIPAA contains exclusions in its Privacy Rule when as it pertains to workers’ compensation and the transmission of data associated with work related injury.  HIPAA, in its current form, allows unabated leeway to employers in administering work related claims.  Is this legal?  Yes, and the safety director in this company has little authority for the hiring and firing of staff which is another layer of protection, but again, why risk it? What is the cost of separating claims administration from the director of safety? What is the cost of outsourcing this piece of the human resource program to a firm that specialized in maintain human resource compliance?