Insight to Action

Wearing Two Hats: Maintaining Privacy When the Employer is the Provider

10 November 2016

In an effort to contain costs, a growing number of self-insured healthcare employers are implementing medical management programs to target outreach to high-risk members. Some have decided to manage their program internally, posing a critical question: when the employer and the provider are one and the same, what is the best way to assure employees that their protected health information (PHI) is protected and kept private?

HIPAA draws a clear distinction between health plan and employer when it comes to PHI: the plan may have access to PHI, the employer may not. Yet in many healthcare organizations, the HR staff wear two hats: the “plan” hat for when they’re performing medical management and health plan functions, and the “employer” hat for the rest of employer HR functions. Without proper safeguards, having the same people performing these two tasks can be a HIPAA violation waiting to happen. The peril is especially acute when the employer has an in-house medical management program. How can organizations insourcing their medical management program avoid this pitfall?

Consider the following best practices for protecting employee privacy:

  • Establish a “firewall” between the plan individuals who have rightful access to PHI and all others acting on behalf of the employer. In smaller organizations where overlap may be unavoidable, strive to minimize the number of “dual role” staff members.
  • Make sure you have strong policies restricting access to and use of PHI—and monitor and enforce these policies vigorously—to ensure that protected information is never used to make employment-related decisions.
  • Establish controls to ensure insurers, claims administrators, third-party administrators, pharmacy benefit managers, and other third-party vendors who have legitimate access to PHI do not pass it to employer personnel who should not have access.
  • Put in place effective data security safeguards to prevent employees from accessing a fellow employee’s PHI unless they are directly involved with that person’s care.
  • Carefully consider privacy issues when deciding what to insource and what to outsource.
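The first, second and fourth practices above amount to one access-control rule: PHI may be read only by someone entitled to the "plan" hat, who is acting in that capacity at the moment of access, and who is on that member's care team, with every attempt recorded for the monitoring the second bullet calls for. The following is an added illustration of that rule, not code from the original post or from any vendor; the staff members, member IDs and records are constructed, and the `Hat`, `Staff` and `decide_phi_access` names are hypothetical.

```python
"""Context-aware PHI access check for staff who may wear either the "plan" hat
or the "employer" hat.  Added example with constructed data; not code from the
original post."""
from dataclasses import dataclass
from enum import Enum


class Hat(Enum):
    PLAN = "plan"          # health plan / medical management function
    EMPLOYER = "employer"  # HR / employment function


@dataclass
class Staff:
    user_id: str
    hats: frozenset                          # hats this person may wear
    care_team_for: frozenset = frozenset()   # member ids they actively manage


@dataclass
class PHIRecord:
    member_id: str
    content: str


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


# Every decision, allowed or denied, is appended here so the policy can be
# monitored and enforced; a real deployment would write to a tamper-evident log.
AUDIT_LOG: list = []


def decide_phi_access(staff: Staff, active_hat: Hat, record: PHIRecord) -> AccessDecision:
    """Allow only when the requester (1) is entitled to the requested hat,
    (2) is acting as the plan, never the employer, and (3) is on the member's
    care team (minimum-necessary access)."""
    if active_hat not in staff.hats:
        decision = AccessDecision(False, f"{staff.user_id} may not act as {active_hat.value}")
    elif active_hat is not Hat.PLAN:
        decision = AccessDecision(False, "PHI is never released to the employer function")
    elif record.member_id not in staff.care_team_for:
        decision = AccessDecision(False, f"{staff.user_id} is not on the care team for {record.member_id}")
    else:
        decision = AccessDecision(True, "plan function, care-team member")
    AUDIT_LOG.append({
        "user": staff.user_id,
        "hat": active_hat.value,
        "member": record.member_id,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def read_phi(staff: Staff, active_hat: Hat, record: PHIRecord) -> str:
    """Enforce the decision: raise rather than return PHI on a denial."""
    decision = decide_phi_access(staff, active_hat, record)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return record.content


def denied_attempts(audit_log=AUDIT_LOG) -> list:
    """Denied entries are the ones a privacy officer reviews first."""
    return [entry for entry in audit_log if not entry["allowed"]]


# Constructed sample data: a dual-role nurse in HR and an HR-only colleague.
NURSE_DUAL = Staff("j.doe", frozenset({Hat.PLAN, Hat.EMPLOYER}), frozenset({"M-1001"}))
HR_ONLY = Staff("a.smith", frozenset({Hat.EMPLOYER}))
RECORD = PHIRecord("M-1001", "diabetes care plan (constructed)")
OTHER = PHIRecord("M-2002", "cardiac rehab notes (constructed)")


def run_demo() -> dict:
    """Return the outcome of each scenario; only the first one should be allowed."""
    AUDIT_LOG.clear()
    return {
        "dual_as_plan_on_team": decide_phi_access(NURSE_DUAL, Hat.PLAN, RECORD).allowed,
        "dual_as_employer": decide_phi_access(NURSE_DUAL, Hat.EMPLOYER, RECORD).allowed,
        "dual_as_plan_not_on_team": decide_phi_access(NURSE_DUAL, Hat.PLAN, OTHER).allowed,
        "hr_only_claims_plan": decide_phi_access(HR_ONLY, Hat.PLAN, RECORD).allowed,
        "denied_count": len(denied_attempts()),
    }


if __name__ == "__main__":
    for scenario, allowed in run_demo().items():
        print(f"{scenario}: {allowed}")
```

The point of the `active_hat` argument is that entitlement alone is not enough: the same person who is allowed PHI while doing medical management is refused it the moment they act in an HR capacity, which is the "firewall" the first bullet asks for even when dual-role staff cannot be avoided.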

Taking thoughtful steps like these to ensure only appropriate personnel have access to PHI not only supports HIPAA compliance but also helps earn employees’ trust—a key success factor for a medical management program. Failing to do so can lead to employee complaints or, worse yet, costly lawsuits and regulatory penalties. Think of robust privacy controls as mandatory insurance.

To explore this topic in more depth, read our white paper, “Avoiding Pitfalls in Medical Management: When the Employer is the Provider.”