Why do you need this tool?
The Health Insurance Portability and Accountability Act (HIPAA) security rules require group health plans to safeguard electronic Protected Health Information (e-PHI). Employers who sponsor group plans may have to undertake certain compliance activities on behalf of their plans, and some may even have to bring their own electronic systems into compliance with the regulations. Large group health plans ($5 million or more in receipts) should have complied by April 20, 2005, while small plans had until 2006. In addition, the HIPAA rules require group health plans to conduct ongoing evaluations to determine if security policies and procedures need updating. Employer plan sponsors may want to:
• Consider changes made to systems containing e-PHI;
• Examine practices for portable data;
• Assess adequacy of training;
• Review reported violations or issues; and
• Reevaluate documentation.
Given these ongoing obligations, the resources and tools on HIPAA Self-Assess are a convenient way to help you reach compliance.
HIPAA Self-Assess includes...
Security Manual: User-friendly and comprehensive, the HIPAA Self-Assess Security Manual provides explanations of each requirement under the security rules and sample policies and procedures you can use as a basis for creating your own.
Sample Business Associate Agreements and Contract Tracker: Business associates who electronically store or transmit e-PHI on behalf of a group health plan must contractually commit to secure the e-PHI, and our sample contains all the elements required under the security rule; the contract tracker helps you monitor and document your vendors’ compliance with their contractual obligation. These documents are included in the Security Manual and are also included separately.
Sample Plan Amendments: We provide you with a sample amendment for incorporation into your plan document that can serve as your contractual commitment to securing e-PHI. Plan sponsors who utilize this plan amendment may share e-PHI with their group health plan, even if the e-PHI is more than summary health or enrollment/disenrollment information.
Risk Analysis Workbook: HIPAA requires every group health plan to conduct a thorough review of the potential risks to the confidentiality, integrity, and availability of e-PHI. HIPAA Self-Assess provides you with this detailed, step-by-step risk analysis workbook (consistent with the security industry’s risk analysis methodology), to help you conduct and document a security analysis of your organization.
Purchasing HIPAA Self-Assess also gives you access to these great resources:
• Mercer Select: Access to the HIPAA Administrative Simplification pages on the popular mercerselect.com site. Mercer Select is the premier membership service for Mercer clients and other contacts interested in news and analysis on a broad spectrum of human resource (HR) issues in the United States.
• Educational materials and GRIST legal analysis: Articles from Mercer’s legal and regulatory experts give you a thorough understanding of the final HIPAA regulations, the HIPAA security rules, and employer obligations.
• HIPAA Security Regulations: When in doubt, go to the source! We provide the full text of the security regulations for your reference.
• Plus additional resources for you to get information on securing your IT systems and other security practices.
*****
HIPAA Self-Assess includes generic policy, procedures, and legal documents required by the Security Standards for the Protection of Electronic Protected Health Information under Title II of the Health Insurance Portability and Accountability Act of 1996. Mercer is not responsible for any changes that may be necessary to customize the materials for your organization's use or as a result of any regulatory developments or changes in law.