HIPAA Law and Employers: What is Required?
Health care is one of the most highly regulated industries when it comes to the protection of private information. Patients and employees have come to expect that medical practitioners and other healthcare companies have adequate measures in place to protect their personal data. Employers may also be subject to privacy regulations that fall under the Health Insurance Portability and Accountability Act (HIPAA) if they are considered a covered entity or business associate, or through the administration of a group health plan. Employers need to understand any applicable HIPAA rules – particularly during public health emergencies such as the COVID-19 (coronavirus) pandemic – and put the correct tools and protocols in place to protect their employees' health information.
What does HIPAA stand for?
HIPAA stands for the regulations established by the Health Insurance Portability and Accountability Act of 1996. According to the U.S. Department of Health and Human Services (HHS), HIPAA allows for the necessary sharing of information to ensure individuals receive access to high-quality health care while protecting their right to privacy. Any provider or company with access to protected health information must put measures in place to comply with HIPAA.
What are some misconceptions about HIPAA?
There are some myths about HIPAA rules for employers. The HHS sets the record straight on its site that HIPAA doesn't:
- Prevent an employer from asking for a doctor's note for an absence, although this practice may create other exposures for employers.
- Affect your ability to request information needed to administer benefits programs, such as healthcare coverage, workers' compensation claims, or sick leave, although employers should consider other risk factors around these types of requests.
- Cover all employee benefit information. For example, employee life insurance, disability and workers' compensation, and wellness programs are generally not covered under this legislation.
- Cover data maintained in employment records. It covers only the medical or health plan records of employees participating as members of the company's healthcare plan.
The purpose of HIPAA in the workplace
HIPAA regulations are used in the workplace to protect the health and medical records of employees participating in an employer-sponsored healthcare plan. The laws regulate how individuals' protected healthcare information maintained by a healthcare plan can be shared with employers.
Which organizations are impacted by HIPAA?
There are two types of organizations that are subject to HIPAA: covered entities and business associates. Employer-sponsored health plans are considered covered entities. Thus, the exchange of information between employers and health plans may be subject to additional safeguards compared to other benefit plans.
Covered entities
This refers to healthcare organizations, including but not limited to healthcare providers, hospitals, employer-sponsored health plans, and pharmacies.
Business associates
This is a category that refers to any person or business that provides services to or works with covered entities or other business associates. If you perform services on behalf of a covered entity or business associate that involve the use or disclosure of protected health information (PHI), and you fall into categories such as service providers (for example, accountants), consultants, or technical support (like cloud storage), your business associate contract likely contains provisions that relate to HIPAA.
Does HIPAA apply to all employers?
Due to the complexities of HIPAA regulations, employers are wise to assume that if they possess health information about employees, they will need to spend time ensuring compliance. HIPAA imposes a range of requirements, but the provisions that are relevant to all subject entities pertain to the security and privacy of health-related information. By understanding applicable HIPAA rules for employers, it's possible to identify your potential risks and put a plan into place to help mitigate your exposure.
Becoming HIPAA compliant
Although HIPAA's primary intent is to improve the portability and continuity of healthcare insurance plans, employers should still gain a familiarity with the law and potential areas that may affect them. HIPAA compliance for employers can often result in stronger data security and standardized processes that benefit an employer's benefits administration procedures.
What are some common HIPAA violations?
Reported incidents are generally categorized by the following types:
- Hacking/IT incidents: Improper data access resulting from an outside intrusion in the form of malware or other system break-ins.
- Theft/loss: For example, when devices storing protected health information are lost accidentally or stolen.
- Unauthorized access/disclosure: The disclosure of an individual's private information to an entity without proper approval to receive such information.
- Improper disposal: When protected health information is disposed of without the implementation of reasonable safeguards, such as shredding paper documents.
HIPAA rules for employers
There are five rules to pay close attention to in the HIPAA law, and employers should consider them carefully when it comes to compliance.
Privacy and personal health information rule
HIPAA defines PHI broadly. However, it typically includes demographic and contact information, such as name, address, and Social Security number, that relates to an individual's past, present, or future health status. It also covers payments made for the provision of health care. Further, HIPAA specifically defines with whom protected health information can be shared. Primarily, covered entities and business associates can share PHI only with the person in question; for treatment, billing, and healthcare operations; to decedents in the case of death; to a designated personal representative; or in response to a court order. HIPAA rules require that covered entities provide notice regarding privacy practices and how PHI may be used or shared. The law is very specific regarding patient rights, what must be included in the notice, and when the information must be presented.
Electronic security rule
This rule requires physical, technical, and administrative safeguards to be put in place to protect individuals' health information. The responsibility is placed on covered entities and their business associates to secure protected health information in electronic form. Organizations are expected to take the necessary steps to ensure privacy, protect against threats, ensure employee compliance, and protect against prohibited electronic uses or disclosures. Compliance is taken very seriously by the regulators, with penalties ranging up to $50,000 per violation and the potential of enforcement action in egregious cases.
Breach notification rule
Under this rule, covered entities and business associates are required to report any breach that compromises an individual's protected health information. In the event of a breach, proper notification must be made to affected individuals, and copies of the notifications must be submitted by the covered entity to the Secretary of HHS.
Administrative simplification regulation
The Administrative Simplification provisions standardize the electronic exchange of healthcare information. National standards were set for electronic transactions, code sets, and unique identifiers. Employers must use the Employer Identification Number they use for tax reporting as their identifier in all HIPAA transactions.
Omnibus rule
This ruling expanded liability for business associates and instituted greater penalties for noncompliance. Additional rules prevent certain information from being shared with an employee's health plan when the employee pays for medical services out of pocket. Companies that may be defined as a business associate will need to understand how their responsibilities have changed and make appropriate adjustments to their HIPAA policies or procedures.
Does HIPAA apply to employers during the COVID-19 pandemic?
While HIPAA requirements still apply even during a public health emergency, employers may be permitted to disclose PHI to certain individuals without an employee’s or patient’s permission. In light of the current COVID-19 pandemic, the HHS outlined these entities in a February 2020 bulletin, and they include:
- Foreign government agencies, at the direction of public health authorities;
- People at risk of contracting or spreading the disease; and
- A patient’s family members, relatives, friends, or others involved in the patient’s care.
Employers should note that other state or federal rules may apply.
HIPAA considerations for employees
Employees with access to protected health information should be educated on their responsibilities and be given information on how to report a suspected breach. To reduce the risk of a HIPAA violation, training for employees should include the following:
- Never share your password.
- Never transmit sensitive information via text message.
- Check ID badges or other information for those requesting private health information.
- Never leave your work area without locking your screen or securing data.
HIPAA compliance for your business
HIPAA compliance for employers is critical, whether they are a covered entity or business associate, offer a group health plan, or are operating during a public health emergency. Proactively addressing HIPAA includes benefits such as enhanced data security and a more efficient flow of information stemming from the use of standardized procedures and data identifiers.
If your business operates in the healthcare space or contractually works with a company that does, it's important that you determine your HIPAA obligations and risk exposure. An experienced HR professional or business attorney can help you map the risks as well as develop and implement a plan to stay compliant.