What is PEO HIPAA?

A professional employer organization, or PEO, is a company that provides a variety of services to small and medium-sized businesses. These services include human resource consulting, safety and risk mitigation services, payroll processing, employer payroll tax filing, and health benefits administration. When a PEO operates an employer’s self-insured plan, the PEO is in effect acting as the plan, and must follow HIPAA regulations. The subject of PEO HIPAA is discussed below. 

What is PEO HIPAA? PEO Compliance with the HIPAA Privacy Rule


If the PEO is acting as the sponsor of a company’s group healthcare plan, the PEO is fully bound by the HIPAA Privacy Rule. PEO HIPAA Privacy Rule compliance has a number of components. The PEO must know how to identify protected health information (PHI), and must prevent its unauthorized use and disclosure. The PEO must ensure that any business associates with whom it enters into a relationship involving PHI are familiar with the HIPAA Privacy and Security Rules.

The PEO must enter into written business associate agreements with these business associates, under which the business associate agrees to implement measures to safeguard the ePHI it creates, maintains, receives, or transmits.

In some instances, written patient authorization is required before a PEO may share information with a provider, another health plan, or a business associate. PEO HIPAA compliance requires the PEO to know when authorization is required, and when a patient can request restriction of PHI uses and disclosures.

What is PEO HIPAA? When is Written Patient Authorization Not Required?

PEO HIPAA compliance requires knowledge of when the PEO is not required to obtain patient consent to, or authorization for, the release of PHI. If a PEO is using PHI for the purposes of payment, treatment, or healthcare operations, patient authorization is not required. A patient does, however, have the right to request that the PEO restrict uses or disclosures of PHI about the patient to carry out treatment, payment, or healthcare operations. A patient also has the right to request that the PEO restrict uses or disclosures of PHI pertaining to certain public health activities.


Under PEO HIPAA rules, the PEO is not required to agree to a requested restriction. If, however, the PEO does agree to the restriction, the PEO may not turn around and use or disclose PHI in violation of the restriction. There is an “emergency treatment” exception to this prohibition. If the patient who requested the restriction requires emergency treatment, and the PHI that the PEO agreed to restrict is needed to provide that treatment, the PEO may use the restricted PHI, or disclose it to a provider so the provider can provide treatment.

What is PEO HIPAA? Must a PEO Comply with the HIPAA Security Rule?

PEO HIPAA compliance requires a PEO to be fully compliant with the HIPAA Security Rule. The Security Rule requires covered entities and business associates to implement measures to safeguard the confidentiality, integrity, and availability of electronic protected health information.


The specific safeguards consist of administrative safeguards, physical safeguards, and technical safeguards. Administrative safeguards require the PEO to develop Security Rule policies and procedures, and to train the workforce on these policies and procedures. Physical safeguards require the PEO to ensure the physical security of worksites in which ePHI is stored. 

Physical safeguard measures require the PEO to implement policies and procedures to limit physical access to its electronic information systems, and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Technical safeguards require the PEO to implement technical policies and procedures for electronic information systems that maintain electronic protected health information. These policies and procedures must restrict access to those members of the workforce who have been granted access rights.   

PEO HIPAA compliance also requires the PEO to follow the HIPAA Breach Notification Rule. Under this rule, a PEO must notify affected individuals, HHS, and, in some cases, the media, of a breach of unsecured PHI. A failure to guard against data breaches can be very costly to a PEO or other health plan. For example, in late September of 2020, the failure of the health plan Premera Blue Cross (PBC) to comply with the HIPAA Security Rule, by failing to conduct a security risk analysis and risk management and to institute audit controls, led to a data breach. This breach exposed the ePHI of over 10.4 million people. Hackers were able to use a phishing email to install malware that gave them access to PBC’s IT system for a full nine months without detection. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), after investigating the breach, entered into a settlement agreement with PBC, requiring PBC to pay $6.85 million and to develop a corrective action plan (CAP).