I was recently approached with a question regarding the application of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in structuring management and job descriptions within a privately held company. Specifically, the question presented was directly related to the Privacy Rule regulating the use and disclosure of certain information held by “covered entities.” Often when presented with a question related to the administration of human resource functions, I can easily identify the legal answer; however, it is not uncommon that a little foresight and common sense takes me a step beyond the legislation.
The company in question here has just under 200 employees, a fully insured medical plan and a fairly simple management structure. As usual, there is a CEO at the top of the management team under which there is a small cadre of vice presidents. The issue at hand involves the vice president of operations, who has worn many hats for the company over its 20-year life. These duties include the responsibility for shopping and securing the company’s group health coverage on an annual basis, hiring and firing as well as basic operational oversight. The company has grown significantly over the past several years, and recently, the VP of operations hired an HR manager to perform some of his expanding duties.
Included in the job description of the new HR manager is the recruitment of qualified candidates and the termination of problematic employees; however, he reports directly to the VP of operations, who holds ultimate authority and the final say. The HR manager also handles drug testing and assists the safety director when needs arise. The safety director administers the manufacturing plant’s safety programs as well as the return-to-work program for workers’ compensation claimants.
A prudent recommendation was made by an insurance broker that the company appoint a HIPAA compliance officer due to the company’s growth and the increased liability associated with running a health plan. The VP of operations has been named the HIPAA compliance officer and, as has always been the case, deals with employee data and annual renewal negotiation. Does this arrangement pose an issue with HIPAA’s privacy rule, or are there possible conflicts of interest here? The answer is yes and no. See next week’s post to find out exactly what I mean.