Know Your Legal Duties During Open Enrollment

The health insurance open enrollment period is happening right now. Open Enrollment means that pretty much everyone’s personal information is in circulation within your business. You and your employees are legally responsible for keeping that information confidential.

Privacy isn’t the only thing at stake—so is your bottom line.

All the best practices in the world can be no match for what we’ll call the “snoop factor”: looking at someone’s medical records without authorization. This can happen—even in the most innocent way—if an employee were to leave their open enrollment papers out on their desk, on top of the printer, or in the break room. Then there’s gossip, or just plain loose lips: Someone in your office might share someone else’s personal information without authorization. The penalties can add up. Under HIPAA jurisdiction, the maximum fine for a data breach is $50,000 per violation (with a $1.5 million maximum). Just one violation can set back your business plan—not to mention your company’s reputation. And if that’s not enough to wake up your employees to the problem, they, too, can be subject to investigation and fines as individuals.

What does HIPAA mean for you, specifically?

HIPAA rules govern information security in any business of 50+ employees that offers group health insurance. If your company fits that description, then your top-line responsibilities fall into three categories:
  • Administration: Designating an in-house privacy official
  • Education: Adopting policies and procedures around information privacy
  • Notification: Advising employees of their privacy rights
The good news is, if you’ve been acting HIPAA compliant thus far, you’re not going to need to change any time soon. As of 2018, there haven’t been any big updates to the law since this original post. However, the Office for Civil Rights is increasing enforcement of current regulations, so it’s important to remain vigilant. For businesses that have clients or employees in Europe, being HIPAA compliant puts you in good stead regarding the new GDPR requirements; the same goes for companies doing business in California with the California Consumer Privacy Act, as these consumer privacy laws also dictate records management protocol and consumer access to their data.

Active online record storage: The best of both worlds.

Active records storage—where files are stored off-site, yet readily accessible—is the “go-to” solution for many businesses. Confidential employee and business information is secure and out-of-sight. And when documents are needed back in the office, they can be in-hand quickly. For added security, an online HIPAA compliant records storage center, allows you to keep your confidential documents online and have immediate access via desktops, laptops and mobile devices. Talk about “active!”

How do you protect information privacy during Open Enrollment?

Education is especially important during the health insurance Open Enrollment period. Remind (or re-train) your employees about compliant handling of personal information. That applies to office conversations as well as documents and files. To “make it real” for them, share some of our HIPAA violation horrors.

Keep it going all year round.

Make it an ongoing priority to make your office more “shred-aware.” In many businesses, most employees have no idea about the security risks inherent just in their day-to-day tasks. You can boost data security in your office with our five-step shredding crash course. Beyond shredding, HIPAA compliance means:
  • You always know precisely where relevant documents are stored.
  • You always know who is authorized to access them.
  • Your records are always stored in a secure place.
During Open Enrollment period and throughout the year, effective online records storage can reduce your HIPAA liability risk—and let you keep your focus on your business.