One of the critical requirements of HIPAA is having effective policies and procedures that reflect how an organization uses, controls, and manages the protected health information of individuals. Employees must not only be aware of these policies and procedures but also attest that they will abide by them.
Many companies include their HIPAA policies in Employee Handbooks, but is that the best way?
HIPAA in Employee Handbooks – What is the Purpose?
Handbooks serve as a centralized place for employees to look for answers to common questions and can also assist in an employer’s legal defense. In many cases, an employee handbook is not required by law.
It is still a good idea to have one, whether required or not. A handbook offers you a consistent method to welcome new employees, introduce the organization and its culture, and explain expectations.
It also makes it easier for an employer to ensure that each employee receives copies of all relevant policies. If an organization creates, uses, analyzes, processes, stores, or destroys protected health information (PHI) as defined by the HIPAA Privacy Rule, there must be policies in place to govern how that information is controlled, accessed, and secured.
HIPAA in Employee Handbooks – What Kinds of Things Should be Included?
The information and policies contained within an employee handbook are very important. They should provide an overall operational framework for your business and directly address the relationship between the employee and the employer. Whether you are starting from scratch or revising an existing handbook, there are a few things to think about as you go through the process.
Aim for clarity and understanding – Wherever possible, the handbook should be written in clear, concise language. Avoid overly complex terms or legalese when explaining policies and procedures. Use examples that are familiar to employees.
Avoid detail overload – Include enough information so that policies can be understood but avoid overwhelming employees with too many details. It may be better to list highly detailed workplace procedures in a separate manual or within individual job descriptions.
Don’t create a contract when there isn’t one – Avoid rigid disciplinary rules and other language that could be interpreted as creating a contractual obligation requiring just cause for termination. The employer should maintain discretion to discipline and terminate employees.
Be consistent and follow the law – A handbook should read as if it were written by one person, not a multitude of different writers. Policies should not contradict each other. They should all reflect the company’s business practices and values, and they must follow all applicable federal, state, and local laws.
Speak the right language – If your workforce speaks more than one language, provide the handbook in all languages spoken by your team members.
*Don’t forget to include contact information for an employer representative who can answer employee questions about policies.
HIPAA in Employee Handbooks – What is the Best Way to Distribute?
When a handbook is first created, amended, or substantially revised, employers should make it available to employees electronically or by providing hard copies. Employers may hold a meeting to introduce the handbook to all employees when it is first introduced or upon a significant addition or revision. It’s a great idea to designate someone to distribute it or coordinate access to it, such as a representative from Human Resources who can answer any questions about the employer’s policies.
All new employees should receive a copy during orientation, and employees should be notified each time it is updated. If the update is minor, employees have already received copies of the handbook, and the remainder of the handbook has not been revised, an employer may choose to distribute or electronically circulate only the updated policy.
Most importantly, employers should collect signed acknowledgments of receipt, review, and understanding of the handbook. This reduces the risk of an employee claiming ignorance of a policy as an excuse for non-compliance.
Furthermore, this attestation is considered a requirement for a company to achieve HIPAA compliance. Compliancy Group offers the ability for clients to add employee handbooks into our industry-leading compliance automation software called “The Guard.”
Employees can review handbooks at any time and attest to receiving and understanding the information. The Guard maintains a record of these attestations should a need arise requiring proof of attestation.