The Health Insurance Portability and Accountability Act (HIPAA) was created by the U.S. Congress in 1996 to modernize healthcare information systems and prevent fraud and theft of protected health information (PHI). While it’s a given that healthcare providers, plans, and clearinghouses must all comply with HIPAA, you aren’t alone in wondering which HIPAA requirements apply to employers, especially HR departments.
It is a common misconception that HIPAA applies to employee health information. In many cases, HIPAA—and the Privacy Rule specifically—does not apply to employers, but instead controls how a health plan or a covered health care provider shares an employee’s PHI with an employer.
To better understand the HIPAA requirements that apply to your department, let’s start with a few key terms you should know:
PHI: Any data associated with a patient’s physical or mental health status, along with any related treatments or payments. In practice, PHI includes personally identifiable information (PII) such as names, social security numbers, and addresses, plus healthcare-centric information such as medical record numbers, insurance plan member IDs, and medical device identifiers and serial numbers
Covered Entity: Organizations that deal with health-related data, such as healthcare provider organizations, health plans, and even state governments and educational institutions.
Business Associate Agreement: When covered entities engage third parties, or “Business Associates” in HIPAA parlance, to store, process, and interact with PHI, a Business Associate Agreement (BAA) must be in place to impose safeguards on how the Business Associate uses and discloses PHI. Examples of Business Associates include data protection software vendors, cloud infrastructure providers, and cloud-based file collaboration platform vendors.
HIPAA Privacy Rule: This rule focuses on the rights of the individual (employee or patient) and their ability to control their PHI by setting the standard for, among other things, who may have access to PHI. The Privacy Rule covers the physical security and confidentiality of PHI in all formats including electronic, paper, and oral.
HIPAA Security Rule: Only deals with the protection of electronic PHI (ePHI) that is created, received, maintained or transmitted. Covered entities are required to implement adequate physical, technical and administrative safeguards to protect patient ePHI, for example when sharing via email or storing on the cloud.
HIPAA’s rules require that organizations take appropriate safeguards (more on this below) to maintain the confidentiality of PHI, the goal being to ensure employees can switch health insurance providers and their health records without losing coverage. As the Act progressed through Congress, amendments were added to address concerns over fraud and abuse in the health insurance and healthcare industries. This is where the Security and Privacy Rules came from.
According to the HIPAA Journal, there are four major areas of HIPAA compliance to which HR teams should pay close attention:
HIPAA does not protect employment records, even if the information in those records is health-related. What it does protect, according to the U.S. Department of Health & Human Services (HHS), are medical and health plan records generated as part of an employee-sponsored health plan.
Generally, HIPAA applies to the disclosures made by a healthcare provider, not the questions an HR team may ask. Therefore, if an HR team member asks an employee for supporting documentation for sick leave, wellness programs, health insurance, or workers’ compensation, he/she may ask without being subject to HIPAA requirements. However, if the HR team member asks a healthcare provider directly, the provider cannot release an employee’s health records to an employer without prior authorization from the individual (this would be a HIPAA violation), unless other laws require them to do so.
As you can see, HR departments aren’t automatically responsible to comply with HIPAA, even if they share health-related information. However, if your organization offers a self-insured health plan to employees then your HR team is likely on the hook. Self-insuring organizations collect premiums from enrolled employees and take on the responsibility of paying employees’ and dependents’ medical claims. In this case, it is likely that your HR department will come into contact with PHI and therefore be subject to HIPAA compliance requirements.
For HR teams, sharing medical and health plan records via email and files is often the path of least resistance. When sharing HIPAA-protected PHI, HR teams must be aware of how the HIPAA Security Rule applies. The rule outlines several technical safeguards, three of which apply most directly to email and files:
The language in HIPAA encourages covered entities to evaluate their unique risks, and discuss reasonable and appropriate security measures for these technical safeguards. However, HIPAA offers some prescriptive recommendations that are especially relevant in today’s digital-first world:
“As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions.”
The relationship between HIPAA compliance and HR departments can be confusing. As such, HR teams should not assume that the responsibility for securing employees’ PHI is not theirs. To learn more about protecting your employees, and your organization, download a free copy of “HIPAA Guide for Email and File Protection” for HIPAA considerations in the cloud, best practices, and recommended safeguards.
Understanding HIPAA’s key technical safeguards in relation to common PHI sharing workflows is the first step to overcoming compliance challenges. Download this free guide and learn how data-centric security approaches can help you ensure the privacy of employees' PHI where required by HIPAA.Download Now
Contact us to learn more about our partnership opportunities.