Paubox blog: HIPAA compliant email made easy

Employers and HIPAA: What you need to know

Written by Farah Amod | February 21, 2024

HIPAA sets national standards for safeguarding patients' health information, primarily targeting healthcare organizations. However, employers often wonder about HIPAA's impact on their operations. Although HIPAA generally doesn't apply to employers directly, certain situations may require compliance with its privacy and security rules. 

Does HIPAA law apply to all employers?

HIPAA regulations can be complex, and employers should assume that they need to ensure compliance if they possess health information about employees. While the HIPAA privacy rule does not directly apply to employers, employers may still have obligations under HIPAA if they are considered a covered entity or business associate or administer a group health plan. By understanding applicable HIPAA rules, employers can identify potential risks and take necessary measures to mitigate exposure.

Misconceptions about HIPAA laws and rules

There are several misconceptions about HIPAA laws and rules for employers:

  • HIPAA does not prevent employers from asking for a doctor's note for an absence.
  • HIPAA does not affect the administration of employee benefits programs. Employers can request information necessary to administer benefits programs, such as healthcare coverage, workers' compensation claims, or sick leave. 
  • Not all employee benefit information is covered by HIPAA. While HIPAA protects medical or health plan records of employees participating in the company's healthcare plan, it does not cover employee life insurance, disability and workers' compensation, and wellness programs.
  • HIPAA does not cover the protection of data maintained in employment records. HIPAA rules for employers specifically apply to medical or health plan records of employees participating in the company's healthcare plan, not to employment records in general.

Common employer HIPAA violations

Employers may inadvertently violate HIPAA rules if they fail to implement proper safeguards to protect employees' health information. Common employer HIPAA violations include:

  • Hacking/IT incidents: Improper data access from outside intrusion, such as malware or system break-ins.
  • Theft/loss: Instances where devices containing protected health information are lost or stolen.
  • Unauthorized access/disclosure: Disclosing an individual's private information to an entity without proper approval.
  • Improper disposal: When protected health information is not disposed of properly, such as failing to shred paper documents containing sensitive information.

Important HIPAA rules for employers

To maintain HIPAA compliance, employers should pay close attention to the following rules:

Privacy and personal health information rule (45 CFR §164.530)

HIPAA broadly defines protected health information (PHI) and specifies with whom PHI can be shared. Covered entities and business associates can share PHI with the individual in question, and can use or disclose it for treatment, billing, and healthcare operations.
Electronic security rule (45 CFR §164.308)

This rule requires covered entities and their business associates to implement physical, technical, and administrative safeguards to protect individuals' health information in electronic form. 

Breach notification rule (45 CFR §§ 164.400-414)

Under this rule, covered entities and business associates are required to report any breach that compromises an individual's protected health information. 

Administrative simplification regulation (45 CFR 160, 162, and 164)

The administrative simplification provisions of HIPAA standardize the electronic exchange of healthcare information. National standards are set for electronic transactions, code sets, and unique identifiers. 

Omnibus rule (45 CFR § 164.308, 164.312, and 164.316)

The Omnibus rule expanded liability for business associates and increased penalties for noncompliance. It also introduced additional rules to protect certain information related to an employee's health plan when they pay for medical services out of pocket. 

Protecting employee health information in the workplace

To ensure the privacy and security of employee health information, employers should:

  • Implement a clear privacy policy: Develop a comprehensive policy outlining how the company handles health information and train employees on these guidelines.
  • Limit access to health information: Restrict access to employee health records to those who need it for specific job-related purposes, such as human resources personnel, managers, or supervisors dealing with accommodations.
  • Secure storage of records: Store health records securely, both physically and electronically, to prevent unauthorized access. Implement access controls, encryption, and regular audits to ensure data security.
  • Use secure email when transmitting private employee information: Use secure, HIPAA-compliant email whenever sending employee data, particularly if health information is included in the communication.
FAQs

What types of health information are covered by HIPAA in the context of employer-sponsored health plans?

HIPAA protects individually identifiable health information held or transmitted by covered entities, including health plans, healthcare clearinghouses, and certain healthcare providers. Employers that sponsor or administer group health plans may be subject to HIPAA's privacy and security requirements concerning employee health information contained in these plans.

Can employers access their employees' medical records under HIPAA?

Employers generally cannot access their employees' medical records under HIPAA without the employee's authorization or unless permitted by law. However, employers may have access to certain employee health information as plan sponsors or administrators of group health plans for purposes of plan administration and healthcare operations.

See also: Top 10 HIPAA compliant email services