HIPAA Law and Employers: Understanding Your Responsibilities

Does your organization have obligations under HIPAA? If so, you'll need to fully understand the current HIPAA law and employers must know what steps to take to protect employees' personal health information.

What Does HIPAA Stand For?

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.

What Is HIPAA Law and What Does HIPAA Protect?

According to the U.S. Department of Health and Human Services (HHS), HIPAA allows for necessary information sharing to ensure individuals receive access to high-quality health care, while also protecting their right to privacy. Any provider or company with access to protected health information must put measures in place to comply with HIPAA.

Who Does HIPAA Apply To?

Health care is one of the most highly regulated industries when it comes to the protection of private information. Patients and employees have come to expect that medical practitioners and other healthcare companies have adequate measures in place to protect their personal data. Employers may also be subject to privacy regulations that fall under HIPAA if they are considered a covered entity or business associate, or through the administration of a group health plan. Employers need to understand any applicable HIPAA rules — particularly during public health emergencies such as the COVID-19 pandemic — and put the correct tools and protocols in place to protect their employees' health information.

What Are Some Misconceptions About HIPAA Laws and Rules?

There are some myths about HIPAA laws and rules for employers. The HHS sets the record straight on its site that HIPAA doesn't:

• Prevent an employer from asking for a doctor's note for an absence, although this practice may create other exposures for employers.
• Affect your ability to request information needed to administer benefits programs, such as healthcare coverage, workers' compensation claims, or sick leave, although employers should consider other risk factors around these types of requests.
• Cover all employee benefit information. For example, employee life insurance, disability and workers' compensation, and wellness programs are generally not covered under this legislation.
• Cover protection of data maintained in employment records. HIPAA rules for employers only apply to medical or health plan records of employees participating as a member of the company's healthcare plan.

What Is the Purpose of HIPAA Laws and Rules in the Workplace?

HIPAA laws and regulations are used in the workplace to protect the health and medical records of employees participating in an employer-sponsored healthcare plan. The laws regulate how individuals' protected healthcare information maintained by a healthcare plan can be shared with employers.

Which Organizations Are Impacted by HIPAA Law?

There are two types of organizations that are subject to HIPAA: covered entities and business associates. Employer-sponsored health plans are considered covered entities. This means that the exchange of information between employers and health plans may be subject to additional safeguards compared to other benefit plans.

What Is a Covered Entity Under HIPAA?

This refers to healthcare organizations, including but not limited to healthcare providers, hospitals, employer-sponsored health plans, and pharmacies.

What Are Business Associates Under HIPAA?

This is a category that refers to any person or business that provides services to or works with covered entities or other business associates. If you perform services on behalf of a covered entity or business associate that involves the use or disclosure of protected health information (PHI), and fall into categories such as service providers (e.g., accountants), consultants, or technical support (like cloud storage), your business associate contract likely contains provisions that relate to HIPAA.

Does HIPAA Law Apply to All Employers?

Due to the complexities of HIPAA regulations, employers are wise to assume that if they possess health information about employees, they will need to spend time ensuring compliance. HIPAA imposes a range of requirements, but the provisions that are relevant to all subject entities pertain to the security and privacy of health-related information. By understanding applicable HIPAA rules for employers, it's possible to identify your potential risks and put a plan into place to help mitigate your exposure.

Becoming HIPAA-Compliant

Although HIPAA's primary intent is to improve the portability and continuity of healthcare insurance plans, employers should still be familiar with the law and potential areas that may affect them. HIPAA compliance for employers can often result in stronger data security and standardized processes that benefit an employer's benefits administration procedures.

What Are Some Common Employer HIPAA Violations?

Reported incidents are generally categorized by the following types:

• Hacking/IT incidents: Improper data access resulting from an outside intrusion in the form of malware or other system break-ins.
• Theft/loss: For example, when devices storing protected health information are lost or stolen.
• Unauthorized access/disclosure: The disclosure of an individual's private information to an entity without proper approval to receive such information.
• Improper disposal: When protected health information is disposed of without the implementation of reasonable safeguards, such as shredding paper documents.

Five Important HIPAA Rules for Employers

There are five rules to pay close attention to in regard to HIPAA law. Employers should consider each of these rules carefully when it comes to compliance.

Privacy and Personal Health Information Rule (45 CFR §164.530)

HIPAA defines PHI broadly. However, some examples of PHI under HIPAA include demographic and contact information, such as a name, address, and a Social Security number that relates to an individual's past, present, or future health status. The definition of PHI also encompasses information related to payments made for the provision of health care.

HIPAA also specifically defines with whom protected health information can be shared. Primarily, covered entities and business associates can share PHI only in the following situations:

• With the person in question for treatment, billing, and healthcare operations;
• With descendants in the case of death;
• To a designated personal representative; or
• In response to a court order.

HIPAA rules require that covered entities provide notice regarding privacy practices and how PHI may be used or shared. The law is very specific regarding patient rights, what must be included, and when information must be presented.

Electronic Security Rule (45 CFR §164.308)

This rule requires physical, technical, and administrative safeguards be put into place to protect individuals' health information. The responsibility is placed on covered entities and their business associates to secure protected health information in electronic form. Organizations are expected to take the necessary steps to ensure privacy, protect against threats, ensure employee compliance, and protect against prohibited electronic uses or disclosures. Compliance is taken very seriously by regulators, with enforcement and penalties ranging up to $50,000 per violation and the potential of enforcement action in egregious cases.

Breach Notification Rule (45 CFR §§ 164.400-414)

Under this rule, covered entities and business associates are required to report any breach that compromises an individual's protected health information. In the event of a breach, proper notification must be made to affected individuals, and copies of the notifications must be submitted by the covered entity to the secretary of the HHS.

Administrative Simplification Regulation (45 CFR 160, 45 CFR 162, and 45 CFR 164)

The Administrative Simplification provisions standardize the electronic exchange of healthcare information. National standards were set for electronic transactions, code sets, and unique identifiers. Employers must use their Employer Identification Number used for tax reporting as their identifier for all HIPAA transactions.

Omnibus Rule (45 CFR § 164.308, 164.312 and 164.316)

This rule expanded liability for business associates and instituted greater penalties for noncompliance. Additional rules prevent certain information from being shared about an employee's health plan when they pay for medical services out of pocket. Companies that may be defined as a business associate will need to understand how their responsibilities have changed and make appropriate adjustments to their HIPAA policies or procedures.

How Does HIPAA Apply to Employers During Events Causing Public Health Concerns?

While HIPAA requirements still apply during public health emergencies, employers may be permitted to disclose PHI to certain individuals or organizations without an employee's or patient's permission. Such examples include:

• At the direction of public health authorities, information may be disclosed to foreign government agencies;
• Individuals at risk of spreading the disease; and
• A patient's family members, relatives, friends, or others involved in the patient's care.

Although HIPAA restricts the sharing and use of personal health information by covered entities and business associates, the law doesn't apply to employment records. Using COVID-19 as an example, the current HIPAA regulation does not prohibit employers from requesting vaccine information from employees. Also, HIPAA doesn't prevent individuals from voluntarily sharing vaccination status in the workplace, as individuals are not considered covered entities.

Employers should note that other state or federal rules may apply. For more information on HIPAA and COVID-19 vaccine employer guidelines, please visit our COVID-19 Vaccine: Frequently Asked Questions.

HIPAA Compliance in the Workplace

HIPAA compliance for employers is critical, whether they are a covered entity or business associate, offer a group health plan, or are operating during a public health emergency. Proactively addressing HIPAA may yield additional benefits for your organization, such as enhanced data security and a more efficient flow of information stemming from the use of standardized procedures and data identifiers.

If your business operates in the healthcare space or contractually works with a company that does, it's important that you determine your HIPAA obligations and risk exposure. An experienced HR professional or business attorney can help you map the risks, as well as develop and implement a plan to stay HIPAA-compliant.