HIPAA, or the Health Insurance Portability and Accountability Act, doesn’t just apply to medical professionals, it also applies to businesses outside the healthcare sector. Since small business owners offer healthcare and store information regarding employee health, they must comply with HIPAA guidelines. Non-compliance may result in fines or closures, depending on the severity of the violation.

Employee Training and Awareness

Employers are not the only ones responsible for HIPAA compliance; employees are, too. All staff members in the organization who handle health-related, personal information, such as medical insurance information, must receive HIPAA compliance training. When a business fails to properly train staff members, thus leading to an accidental disclosure, the business may be held liable and be sued in court by the employee whose information was violated.

Record Storage and Security

Businesses must take extra precautions when storing employee files pertaining to health information. These files must be secured from outside individuals and unauthorized staff members. Employees authorized to deal with health-related information should only gain access through a secured filing cabinet or password-protected computer system. If record transfers are required, an employee must be designated to follow all company policies and HIPAA regulations to ensure the sensitive information is not lost, stolen or exposed to unauthorized individuals. Business owners are required to keep detailed logs regarding any health-related information that is transferred, released or viewed to stay in compliance with HIPAA regulations.

Employee Illness and Absences

Business owners and privileged individuals cannot disclose an employee’s condition or health status unless the employee gives prior authorization. Therefore, when an employee is ill, supervisory staff and other company employees can be notified of his absence, but the reason for the absence cannot be disclosed.

Staffing In-House Privacy Officers

Business owners must have a designated privacy officer on staff. This role is often accepted by an office manager for smaller business operations. Though a privacy officer is selected and trained, the business owner is still liable for non-compliance. Therefore, business owners should make sure their privacy officers understand all HIPAA regulations and how they apply directly to their industry.

Company-wide Policies

Small businesses must not only comply with HIPAA regulations, but written company-wide policies must be documented as well. These policies limit the disclosure of protected personal health information to the minimum required to accomplish a specific disclosure. Businesses that comply with HIPAA, but fail to document may still be fined for non-compliance. This is because compliance inspectors will assume that a lack of documentation practices equals non-compliance.