How Does HIPAA Protect Employees?

What is HIPPA??

How Does HIPAA Protect Employees?

HIPAA is a complicated health and privacy act that intertwines significantly with legal compliance in the workplace. Human resource professionals are often left to wonder: what is HIPAA, exactly? Where does the act come into play within the employer-employee relationship?

Read on to learn the fundamentals about HIPAA in the workplace, including how HIPAA works to protect employees.

The Basics: What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the United States Department of Health and Human Services in order to protect the privacy of a patient’s sensitive health information.

You’ll notice the full name of the act includes both “portability” and “accountability,” which alludes to the dichotomy of access and privacy. That’s because the goal of HIPAA is to strike the perfect balance between protecting individuals’ health information while still allowing for the flow of health information as needed to promote high quality health care.

What Information is Private Under HIPAA?

HIPAA uses the abbreviation “PHI” for private health information. Private health information means any data associated with a patient’s physical or mental health treatment and status. PHI also includes information about related payments. PHI might also include information that could identify a specific patient outside of an aggregate. This information is called “PII) (short for personally identifiable information) and includes names, social security numbers, addresses, medical record numbers, insurance plan member IDs, and medical device identifiers and serial numbers.

How Does HIPAA Affect the Employer-Employee Relationship?

The privacy rules implemented by HIPAA ensure patient health information can be disclosed when it benefits a patient’s treatment (such as for inter-hospital purposes). At the same time, the privacy rules also dictate how and when health plans release certain information to third parties, including employers.

HIPAA prevents the sharing of employee health information, both past and present, to anyone who doesn’t legally need it, including employers, without the patient’s direct consent. This means businesses will not be able to see their employees’ medical records, or billing information related to an employee’s health, unless the employee gives the “ok” for the information to be shared.

Under HIPAA, employers can still ask employees for a doctor’s note if they need the information for sick leave, workers’ compensation, wellness programs, or health insurance. An employee can also be asked for supporting documentation if they are taking sick leave. Most questions that a human resources professional will need to ask will not amount to a HIPAA violation.

However, if a human resources professional requests employee health information directly from their healthcare provider, the healthcare provider will not be able to disclose the information without the employee’s consent—to do so would be a HIPAA violation. 

Who Does HIPAA apply to?

In general, the HIPAA Rules do not apply to employers or employment records. HIPAA does control how an employer health plan shares an employee’s private health information with an employer, however. While HIPAA only applies to “covered entities,” such as health care providers and health plans, employers should still be aware of how HIPAA affects them.

The group health plans selected by your benefits team that pay the cost of medical care are the “covered entities” under HIPAA. The HIPAA privacy rules regulate covered entities. Covered entities can include health plans as well as health, dental, vision, and prescription drug insurers, health maintenance organizations (“HMOs”), Medicare, Medicaid, and Medicare supplement insurers, and long-term care insurers. Health plans also include employer-sponsored group health plans and multi-employer health plans.

In essence, these entities cannot bypass an employee to share the employee’s health information with the employer.

One specific scenario is unique from the above rules: If your business offers a self-insured health plan to employees, you may be exposed to greater HIPAA liability. Businesses that are self-insuring, collect their own premiums from their enrolled employees, and bear their own responsibility for the payout of medical claims for their employees and dependents are covered entities. If this is your organization’s situation, it is very likely that your human resources department will deal directly with your employee’s private health information. Your organization will therefore be subject to more stringent HIPAA compliance requirements. 

How Might an Employer Accidentally Violate HIPAA?

Some of the most common accidental HIPAA violations committed by an employer include occurring when an employer is the victim of a data hack. Employers should also be aware of the potential for the theft or loss of confidential employee records. Disposing of records carefully and properly is crucial, as is ensuring that only authorized parties have access to employee data.

If an employer asks an employee to provide proof that they have been vaccinated, that is not a HIPAA violation according to the United States Department of Health and Human Services.

Penalties associated with HIPAA law breaches (both purposeful and inadvertent) can include steep fines payable to the government, as well as compensation for the affected employee.

What Can Employers do to Stay HIPAA Compliant?

There are a few items that human resource teams should pay particular attention to in regard to HIPAA:

First, take care in safeguarding your employees’ private health information. According to the Department of Health and Human Services, “As business practices and technology change, situations may arise where [electronic private health information] being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. As previously mentioned, making sure our data system is protected from access by unauthorized third parties is one of the most important steps an organization can take toward protecting their employees’ private health information.

Second, have your human resource department brief employees on their rights under HIPAA. Depending on the strengths and weaknesses of your particular organization, a human resources compliance expert may be necessary.

Compliance with all federal, state, and local laws is critical to any successful organization. Making sense of HIPAA, however, can be complicated. If your organization would benefit from access to certified HR experts, it’s time to contact Benely.