Small businesses that provide health insurance must now make extra efforts to protect their employees' personal information, under a new federal regulation.

The goal of the Health Insurance Portability and Accountability Act's new security rule, which went into effect on Friday, is to adopt national standards to protect the confidentiality and availability of electronic protected health information.

Companies with health plans that have annual receipts of $5 million or less must comply with the new rules.

Small businesses should examine their electronic systems and see what can be done to avoid vulnerability, according to Stanley Nachimson, a senior technical adviser at the Department of Health and Human Services (HHS).

A password strategy is one of the most common solutions small businesses can use to restrict access to designated individuals, Nachimson said. Keeping track of who accesses and edits the information is another way to comply with the rule.

Other technical suggestions from HHS include having an automatic logoff, encryption, and decryption. Physical safeguards, such as locking filing cabinets and keeping records of visitors, should not be overlooked, Nachimson added.
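To make the three technical safeguards named above concrete (restricting access to designated individuals, tracking who reads and edits the information, and automatic logoff after inactivity), here is an added illustration in Python. It is not code from the article or from HHS; the record IDs, user names, and the 300-second idle timeout are constructed values chosen for the demonstration, and an injectable clock is used so the timeout can be exercised without waiting.

```python
"""Added example: access control, audit trail and automatic logoff for a
small store of electronic health records. All names and values here are
constructed for illustration; the idle timeout is a hypothetical policy."""

import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 300  # hypothetical policy value, not from the article


@dataclass
class AuditEvent:
    """One line of the access log: who did what to which record, and when."""
    user: str
    action: str
    record_id: str
    timestamp: float


class FakeClock:
    """Controllable clock so the idle-timeout path can be demonstrated."""

    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class PHIStore:
    """In-memory record store with a designated-user list, an audit log and
    automatic logoff of sessions idle longer than the timeout."""

    def __init__(self, authorized, clock=time.time, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._authorized = set(authorized)   # only these users may log in
        self._clock = clock
        self._idle_timeout = idle_timeout
        self._records = {}
        self._sessions = {}                  # user -> time of last activity
        self.audit_log = []

    def _log(self, user, action, record_id="-"):
        self.audit_log.append(AuditEvent(user, action, record_id, self._clock()))

    def login(self, user) -> bool:
        if user not in self._authorized:
            self._log(user, "LOGIN_DENIED")  # failed attempts are recorded too
            return False
        self._sessions[user] = self._clock()
        self._log(user, "LOGIN")
        return True

    def _require_active_session(self, user):
        """Enforce automatic logoff: an idle session is closed, not reused."""
        last = self._sessions.get(user)
        if last is None:
            raise PermissionError(f"{user} is not logged in")
        if self._clock() - last > self._idle_timeout:
            del self._sessions[user]
            self._log(user, "AUTO_LOGOFF")
            raise PermissionError(f"{user} was logged off after inactivity")
        self._sessions[user] = self._clock()  # activity resets the idle timer

    def read(self, user, record_id):
        self._require_active_session(user)
        self._log(user, "READ", record_id)
        return self._records[record_id]

    def write(self, user, record_id, value):
        self._require_active_session(user)
        self._log(user, "WRITE", record_id)
        self._records[record_id] = value


def run_demo():
    """Exercise denied login, tracked read/write and automatic logoff.
    Returns the sequence of audit actions so it can be checked."""
    clock = FakeClock(1_000.0)
    store = PHIStore(authorized={"alice"}, clock=clock, idle_timeout=300)
    store.login("mallory")                       # not a designated user
    store.login("alice")
    store.write("alice", "emp-42", "plan=PPO")   # constructed sample record
    clock.advance(100)
    store.read("alice", "emp-42")                # within timeout, allowed
    clock.advance(400)
    try:
        store.read("alice", "emp-42")            # idle too long: auto logoff
    except PermissionError:
        pass
    return [event.action for event in store.audit_log]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

The audit log records failed logins as well as successful reads and writes, which is what makes it useful for the "who accessed and edited" question the article raises; encryption of the stored records at rest is a separate safeguard and is deliberately left out of this example.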

Two basics of the security rule are as follows:

  • The integrity, confidentiality, and availability of electronic health information must be protected whether the covered entity creates, receives, stores, or transmits the information.
  • The information must be protected against any reasonably anticipated threat or hazard to the security or integrity of such information.

The International Foundation of Employee Benefit Plans, a Brookfield, Wis.-based trade group, recently surveyed 188 small businesses with health-plan receipts under $5 million, and found that 56% have established a HIPAA privacy and/or security committee. Sixty-seven percent of respondents said they provided HIPAA training to their employees in-house.