The Role of HIPAA Laws in Human Resources
When it comes to topics of privacy especially concerning employee healthcare benefits, HIPAA is one of the most misunderstood and miscommunicated for employers and employees. HIPAA is nebulous and in combination with any employer healthcare plan it creates a great deal of confusion and frustration for managers, HR and employees.
What is HIPAA?
The HIPAA Privacy Rule as outlined by the U.S. Department of Health and Human Services establishes national standards to protect individuals’ medical records and other personal health information. The HIPAA Privacy Rules applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.
The rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The types of patient healthcare information that must be disclosed to be considered protected by HIPAA includes all or the majority of the following:
Join us on 3/22 at 9:00 AM EST as we dive into GDPR basics for the recruiter and what they need to know. Register here.
- Patient date of birth
- Patient full name
- Patient diagnosis
- Patient medical record number (MRN)
How HIPAA Impacts Employee Healthcare Benefits & HR
HIPAA as stated above typically impacts health plans, healthcare clearinghouses and health care providers. An employer is considered a health plan if they pay for a portion of the cost of the medical care. If, as an employer, you pay for a portion of an employee’s health plan, you fall under HIPAA privacy guidelines.
HIPAA controls how a health plan or covered health care providers disclose protected health information to an employer, including a manager or supervisor of a company.
As an employe if you pay for a portion of the total cost of an employee healthcare plan, you are required to follow HIPAA. Employers have access to healthcare information including benefit enrollment, any benefit changes, FMLA and wellness program information that falls under HIPAA privacy.
Employees must authorize health care providers first before they are able to to disclose any healthcare related information to their employer, unless other laws require them to disclose it. This is one reason why employees must complete Family Medical Leave Paperwork authorizing a medical professional to share an employee’s healthcare information before typically granting them FMLA leave. It asks for information including date of birth, diagnosis, social security number
Under the HIPAA law, employers must protect your health information the following ways:
- Protection of sensitive healthcare information and changes. For example, benefit paperwork falls under the privacy law and any plan changes associated with them if this information includes any data that comes from the electronic health record.
- Provide HIPAA training for employees who have access to sensitive employee health information.
- Protection of FSA or Wellness Program Information. These fall under HIPAA’s privacy guidelines, meaning program administrators and employees affiliated with these programs are provided with specific HIPAA training and must ensure the employee healthcare information is protected.
- Protection of Occupational Health Records. Also known as OHR or Employee Health Records, these are a result of a post-offer employee physical, workers compensation or other workplace injury under OSHA. HIPAA requires the health facilities and agencies to keep this information secure. Employers are obligated the same way.
Additionally, employers must have HIPAA privacy laws displayed as well as state specific ones and must notify employees of their specific privacy policies for the company. Employers must also have a defined policy and process related to the notification and investigation that takes place if an employee notifies the organization of a potential privacy violation. HIPAA’s privacy protection is key.
What HIPAA Doesn’t Protect
- Your employment records. Employee medical and health care benefit information should always be filed separate for the individual employee file. Employee new hire paperwork, performance review and documentation are generally not protected under HIPAA.
- Employment decisions based on health information including absences and time off work unless they include the all the information disclosed by a medical professional bulleted above.
- Managers or HR from sharing healthcare information with co-workers or the boss. For example, if an employee was sick because they were pregnant and emailed that to the team. This is not a violation of HIPAA privacy.
- Workplace or office gossip. While the workplace grapevine is never fun, the sharing of personal information like a cancer diagnosis isn’t typically HIPAA protected.
Recommended HIPAA Resources
HIPAA Privacy Laws are extremely complex, and this article in no way fully articulates the complexity of the law. HIPAA was put in place to protect a patient’s healthcare record while also providing patients and a patient authorized person or organization access to those records.
I recommend checking out the following resources to learn more about HIPAA Privacy Laws, starting with the Department of Health Services Health Privacy Information Page. The site has a variety of resources, however, for healthcare consumers, I recommend visiting their Consumer HIPAA Resources for more in depth information on HIPAA Privacy guidelines and other frequently asked questions. I also suggest you contact your employment attorney to answer specific questions and or help you establish an employee investigation and communication process at your company.