From the Compliance Manager: HIPAA Best Practices

February 27, 2020

In light of the security and privacy incidents we hear about in the news on a daily basis, it seems to be a good time to highlight HIPAA in this issue of Compliance Watch. It is more critical than ever to take protection of data seriously, going beyond awareness to taking active measures.

Chard Snyder annually reviews our HIPAA procedures and has an established protocol for reporting HIPAA incidents. A standard business associate agreement (BAA) is in place with any client or vendor with which sensitive data is shared, transmitted or exchanged for the function of services (treatment, diagnosis, prognosis, charges, medicines, or coverage/insurance billing). Chard Snyder also takes comprehensive measures to train our associates, protect the data, and report any incidents to the plan sponsor in a timely manner.

It is the obligation of the plan sponsor, as the covered entity identified by regulatory authorities, to determine whether a breach has occurred and to provide subsequent reporting to the Department of Health and Human Services. As your TPA, Chard Snyder has an obligation to collect facts and notify our clients of any incidents. We follow a strict four-step protocol to identify what type of data was involved, to whom it was disclosed, how it was handled, and when the incident was mitigated. Our procedures are annually audited and tested by a qualified third party.

In partnering with our clients, we advise reinforcement of the following operations best practices:

  • Be alert to phishing emails asking for personal data
  • Refresh internal procedures and training to stay updated on recent considerations and trends in technological capabilities
  • Clearly explain to all employees and partners any compliance program expectations as detailed in a document such as a BAA
  • Implement security tools such as multi-factor authentication and encrypted email to safeguard HIPAA-protected data

As partners in the Health and Welfare benefits space, we strive to work with all of our clients and advisors to enforce the highest standards and provide timely resolution to HIPAA concerns. Compliance is a key focus of our service model. Please do not hesitate to reach out with any questions to health.compliance@ascensus.com.