HIPAA and Employers
HIPAA compliance is confusing for many employers who are not in the medical industry. It is the most complex health care industry regulation ever put into place. It has many facets and details that regulate the privacy of individually identifiable medical information.
HIPAA stands for Health Insurance Portability Accountability Act. It was enacted in 1996 by the federal government for the purpose of creating standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. There are two main standards: privacy of individually identifiable health information and portability of the patient’s health information between providers and insurers. These two facets are intertwined in the regulation.
The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health and Human Services (HHS) has adopted standards under HIPAA which are considered to be the “covered entities”.
Note that the HIPAA privacy rule is still being modified, with the most recent changes in March 2021. The main objective is to support and remove barriers to coordinated care and individual engagement.
Covered Entity or Business Associate
One way to find out if and how HIPAA applies to your business, or that it is defined as a “covered entity” is to use a compliance checklist. A HIPAA compliance checklist is necessary for businesses to learn if they are subject to the Administrative Simplification provisions. This ensures they are aware of the requirements to stay HIPAA compliant. Being aware of your compliance obligations and those of your business associates can be vital, in the event of a HIPAA violation, ignorance of the HIPAA requirements is not an acceptable defense against enforcement action.
Not all HIPAA provisions apply to every business. Organizations subject to all Administrative Simplification provisions are health plans, health care clearing houses, and healthcare providers that transmit health information in electronic form. Depending on whether or not your business is considered a Covered Entity or Business Associate differing provisions apply.
CHECKLIST
The HIPAA checklist is given below. If the answer is yes for any of the following questions, then the organization is considered to be a Covered Entity:
- Is your organization the provider of an individual or group health plan, a health maintenance organization (HMO), an issuer of a Medicare supplemental policy, a federal or state-funded health program, a multi-employer welfare program, or a self-administered, employer-sponsored health plan with fifty or more plan members that pays the cost of medical care or medical items through insurance, reimbursement, or otherwise?
- Is your organization a health care clearinghouse, a billing service, repricing company, community health management information system, or community health information system that processes – or facilitates the processing of – health information received from an entity in a nonstandard format into a standard transaction (or vice versa)?
- Are you, or is your organization a healthcare provider or pharmacy who furnishes, bills, or is paid for health care in the normal course of business – even if it is not the primary purpose of the organization – and who transmits health information in electronic form in connection with a transaction for which a HIPAA standard exists?
As a covered entity, you are subject to Privacy Rule as are your business partners that you may be sharing employees’ individually identifiable health information, such as your health insurance provider, worker’s compensation insurance provider, etc.
These HIPAA requirements go beyond an employee’s choice of medical insurance. If you are identified as a Covered Entity, the regulation includes privacy of an individual’s current health status such as why someone is out sick. Also, you may not ask for a diagnosis from the employee or their health care provider, unless the employee signs a release giving permission. Keep in mind that there are other governmental regulations that affect the privacy of employee information.
The Fair Credit Reporting Act and Fair and Accurate Credit Transaction Act govern what employers can do with certain types of employee data. Additionally, state laws such as the California Privacy Rights Act grants employees’ rights over what data is maintained about them similar to the patients’ rights provision of the HIPAA Privacy Rule. The failure to comply with the Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS Office for violation of Civil Rights.
COVERED ENTITY REQUIREMENTS
If an organization is considered to be a Covered Entity then they are required to comply with the applicable Administrative Simplification provisions of the Privacy, Security, and Breach Notification Rules. Whereas if the organization is considered a Business Associate the Administrative Simplification provisions of the Security and Breach Notification Rules apply. If the answer is yes for any of the following questions the organization is considered a Business Associate:
- Do you, or does your organization, create, receive, maintain, or transmit Protected Health Information – in any medium – in the fulfilment of a function, activity, or service for, or on behalf of a Covered Entity?
- Is your organization a health information organization, an e-prescribing gateway, or other organization that provides data transmission or data storage services with respect to Protected Health Information?
- Do you, or does your organization, provide subcontractor services for an organization of the types mentioned above that involve creating, receiving, maintaining, transmitting, using, or disclosing Protected Health Information?
If you have answered yes to any of those questions, then the HIPAA privacy rules apply to your company.
What Information is Protected
If you are an employer that has employees’ Protected Health Information then the Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual, individually identifiable health information includes many common identifiers, e.g., name, address, birth date, social security number.
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information, collectively defined as protected health information (PHI), in whatever format it is created, received, maintained, or transmitted, e.g., oral, written, or electronic. The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits on the uses and disclosures that may be made of such information without an individual’s authorization.
HIPAA Risk Assessment
A HIPAA risk assessment is important for an organization to understand where improvements can be made to help protect PHI. This allows an employer to be able to be aware of how PHI is collected and handled within the business and be aware of how protected this information is.
HIPAA requirements are very complicated as you can see. If your business has 50 or more employees, a good rule of thumb is to be certain to keep your employees’ health information documents in a folder that is separate from their personnel folder. That would include insurance forms and doctor’s notes. Also, do not ask an employee for details about their health. It would be worthwhile to be sure that you are acquainted with your state’s privacy laws since they directly intersect with HIPAA.
Because HIPAA has so many nuances, and other intersecting state laws that govern employee privacy, to make sure that you are compliant, it is best to check with your legal counsel. If you’d like a referral to a competent employment attorney or just want to talk through your individual situation, please reach out to me at 408-834-9069 or go to www.smallbizhrservices.com/contact. We are here to make HR easy for busy employers.