HIPPA Law Basics for Employers & HR
Jessica Miller-Merrell | HR| By
The Role of HIPAA Laws in Human Resources
When it comes to topics of privacy especially concerning employee healthcare benefits, HIPAA is one of the most misunderstood and miscommunicated for employers and employees. HIPAA is nebulous and in combination with any employer healthcare plan it creates a great deal of confusion and frustration for managers, HR and employees.
What is HIPAA?
The HIPAA Privacy Rule as outlined by the U.S. Department of Health and Human Services establishes national standards to protect individuals’ medical records and other personal health information. The HIPAA Privacy Rules applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The types of patient healthcare information that must be disclosed to be considered protected by HIPAA includes all or the majority of the following:
- Patient date of birth
- Patient full name
- Patient diagnosis
- Patient medical record number (MRN)
How HIPAA Impacts Employee Healthcare Benefits & HR
HIPAA as stated above typically impacts health plans, healthcare clearinghouses and health care providers. An employer is considered a health plan if they pay for a portion of the cost of the medical care. If, as an employer, you pay for a portion of an employee’s health plan, you fall under HIPAA privacy guidelines.
HIPAA controls how a health plan or covered health care providers disclose protected health information to an employer, including a manager or supervisor of a company.
As an employe if you pay for a portion of the total cost of an employee healthcare plan, you are required to follow HIPAA. Employers have access to healthcare information including benefit enrollment, any benefit changes, FMLA and wellness program information that falls under HIPAA privacy.
Employees must authorize health care providers first before they are able to to disclose any healthcare related information to their employer, unless other laws require them to disclose it. This is one reason why employees must complete Family Medical Leave Paperwork authorizing a medical professional to share an employee’s healthcare information before typically granting them FMLA leave. It asks for information including date of birth, diagnosis, social security number
Under the HIPAA law, employers must protect your health information the following ways:
Protection of sensitive healthcare information and changes.
- For example, benefit paperwork falls under the privacy law and any plan changes associated with them if this information includes any data that comes from the electronic health record.
Provide HIPAA training for employees who have access to sensitive employee health information.
Protection of FSA or Wellness Program Information.
- These fall under HIPAA’s privacy guidelines, meaning program administrators and employees affiliated with these programs are provided with specific HIPAA training and must ensure the employee healthcare information is protected.
Protection of Occupational Health Records.
- Also known as OHR or Employee Health Records, these are a result of a post-offer employee physical, workers compensation or other workplace injury under OSHA. HIPAA requires the health facilities and agencies to keep this information secure. Employers are obligated the same way.
Additionally, employers must have HIPAA privacy laws displayed as well as state specific ones and must notify employees of their specific privacy policies for the company. Employers must also have a defined policy and process related to the notification and investigation that takes place if an employee notifies the organization of a potential privacy violation. HIPAA’s privacy protection is key.
What HIPAA Doesn’t Protect
Your employment records.
- Employee medical and health care benefit information should always be filed separate for the individual employee file. Employee new hire paperwork, performance review and documentation are generally not protected under HIPAA.
- Employment decisions based on health information including absences and time off work unless they include the all the information disclosed by a medical professional bulleted above.
Managers or HR from sharing healthcare information with co-workers or the boss.
- For example, if an employee was sick because they were pregnant and emailed that to the team. This is not a violation of HIPAA privacy.
Workplace or office gossip.
- While the workplace grapevine is never fun, the sharing of personal information like a cancer diagnosis isn’t typically HIPAA protected.
Recommended HIPAA Resources
HIPAA Privacy Laws are extremely complex, and this article in no way fully articulates the complexity of the law. HIPAA was put in place to protect a patient’s healthcare record while also providing patients and a patient authorized person or organization access to those records.
I recommend checking out the following resources to learn more about HIPAA Privacy Laws, starting with the Department of Health Services Health Privacy Information Page. The site has a variety of resources, however, for healthcare consumers, I recommend visiting their Consumer HIPAA Resources for more in depth information on HIPAA Privacy guidelines and other frequently asked questions. I also suggest you contact your employment attorney to answer specific questions and or help you establish an employee investigation and communication process at your company.
Micole Kaye says
HIPPA is definitely extremely complicated. Thanks for the mini breakdown and info! Happy New Year, Jessica. (:
Jessica Miller-Merrell says
Of course Micole. Thank you! HIPAA is a moving target.
A question… I had a work related injury, I followed up with the doctor that the company have and the day of my follow up appointment the lady from HR showed up with out me knowing that she was going there, the doctor told me that the lady was there to deliver papers? I said ok she gave me the list that the doctor had to fill out and gave him the same papers, she told me that the law change and she had to deliver the papers to me and doctor the same day ? Ok same day doesn’t mean same place and moment because I don’t live with the doctor, after she delivered the papers, she decided to stay en the room with me and my doctor arguin with me about what I was doing at work and discussin my medical condition with the doctor asking me and the doctor I was still swallowing, she said that she had the legal right to be there because their attorneys said that… I never asked to stay at home and get paid I did missed lots of hours because of the injury but never ask for money, the first 2 restrictions my employer didn’t follow and they got a privet investigator that took me to the place and he dictated that I did get hurt at work, HR threatened me with putting me in a different department just because they have cameras so they can check on me because she doesn’t trusted me anymore.
Is there any legal action that I can take against them for violating my medical privacy and her actions?
Gina vitiello says
A supervisor asking medical info to other staff about another staff medical condition and texting the sick employee during her recovery about the reason why she has not told him abput the reason for surgery ..is that a violation of Hippa in the work place ?
What if hr is aware of a medication you take because at my job we must tell hr. Then I tell my supervisor several months later of said medication and that my dr and I agreed to go off of it, as the cons outweighed the pros. (the supervisor did not need to know. Was told in confidence) Afterwards, he told everyone at work what I was prescribed. Very embarrassing. Illegal? Violation of my rights?
I had employee who was out of office for 2weeks. I called to find out if he was okay and when was he returning to work. He stated he was sick. He said he would return in two weeks after I spoke with him. I explained that the work policy is that he provide medical documentation as to his absence. The same day of the call he faxed a note just stating that he was out of work from the two week prior and would not be returning to the week after the date of the note. I found that sketchy as it was a quick turn around from the time I called and the note was provided. I contacted the doctors office to confirm exact date the patient was seen. Did not ask about condition of patient. I was checking the validity of the note. Was I wrong as an employer? I need to protect the rest of my staff as it is a food and beverage company. Not sure his reason for being out but we have FMLA in place and work rules around time off and notice of consent.
Jenny Brandle says
I was wondering if you could point me in the direction of HIPAA laws pertaining to the dismissal or exit of an employee at a healthcare facility. I need to add it to our Human Resources exit interview, but I want to source the information correctly.
I had an interesting conversation as my employer basically said Drs excuses aren’t really necessary and or valid?
So I have been diagnosed with the FLU-Upper Resp Infection & Bronchitis and have been out for this week I only work part time 4 hrs per evening total of (16hrs) missed but they have said I still need to call in and speak to a member of leadership every day and basically call out sick.
They have email scanned copies of my physician notes with work absentee dates and say due to HIPPA notes really don’t matter is that legal?
Daniel Parker says
My job I have to travel to a few different states, so I have to get a physical and DOT card I was placed on state probation in reference to my underage child My company knew this had court order allowing me to leave the state of my probation. They didn’t know I had a GPS attached to me. When I had physical at the doctor’s office The nurse called my company up was gossiping about GPS legally did the nurse cross the line? GPS has nothing to do with my physical condition I have been off work for a month now