written by
Melanie Evans

Does HIPAA Apply to the Average HR Department?

Management

It’s a question that many employees ask and one that employers are not always sure how to answer themselves. Most employers know that they almost always possess some health-related information on their employees. This type of information can be found in the context of things like workers’ compensation claims, fringe benefit administration, and administration of leave and absenteeism. So it is only natural that both employees and employers would wonder: just how does HIPAA apply to the average HR department?

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was enacted to ensure protection of individuals’ protected health information (PHI). The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), issued by the U.S. Department of Health and Human Services, established detailed national standards for the protection of PHI. In general, HIPAA protects individuals from the unauthorized use or disclosure of any PHI.

However, the HIPAA Privacy Rule only applies to “Covered Entities,” which are defined by the regulations as: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

The rules also apply to “Business Associates,” which are vendors that provide services involving PHI for or on behalf of Covered Entities. Under this definition, Covered Entities include health plans, health care clearinghouses, and health care providers. Thus, the Privacy Rule WILL apply to employers if they somehow operate as a health plan, a health care clearinghouse, or a health care provider, or if they are providing certain services on behalf of one. Most other employers will not be “Covered Entities.”

As a result, employers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance, because the insurance company is the Covered Entity (it is considered the health plan) and will be required to comply with HIPAA. In these cases, the employer may subject itself to HIPAA if it chooses to receive PHI from the insurer, but this is rare.

But What About Personnel Files?

Most of the information contained in an employer’s personnel files and records is not PHI. The regulations state that “Protected health information excludes individually identifiable health information … in employment records held by a covered entity in its role as an employer.” Thus, even the information held in employment records by health care institutions is generally not governed by HIPAA.

If you have read this far you may be thinking, “OK, but what about workers’ compensation claims? I get a lot of detailed medical information on my claimant employees. That has to be protected.” Here too, though, the Privacy Rule gives employers a break.

The rule recognizes that employers, along with their workers’ compensation insurers and claims administrators, have a legitimate need to access detailed medical records in order to efficiently administer the workers’ compensation system. In many cases, the Privacy Rule allows Covered Entities, those actually providing the medical treatment to your injured employees, to disclose treatment information without violating HIPAA.

The fact that the information you maintain in employment records about your employees is not necessarily regulated by HIPAA should not mean ignoring employees’ legitimate privacy concerns. Employers may be subject to various state privacy laws, which afford employees protections that are different from, and in addition to, those of HIPAA.

Additionally, employers may have to deal with a knowledge gap in that many employees firmly, but wrongly, believe they are entitled to HIPAA protection over their workplace medical records. This is a complicated and constantly evolving area of the law, so employers should consider taking the following steps:

  • Understand whether the employer has heightened HIPAA obligations, for example, if the employer maintains a self-insured group health plan, and confirm that appropriate policies, procedures, and training programs are in place.
  • Get smart and stay smart as to all other applicable laws. Don’t forget the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act. These laws have plenty to say about employee medical records.
  • Develop policies and procedures to secure what employees believe are their confidential medical records. Train your management as to what they can ask and what they would be better off not asking. It may not be PHI, but that doesn’t mean you want TMI (Too Much Information). TMI is information you don’t really need to make appropriate management decisions. The fact you have TMI can be used by an employee to make out the elements of a discrimination claim.
  • Even though not necessarily PHI, it’s a best practice when asking your employees to provide any medical information — be it to administer leave, fringe benefits, or workers’ compensation — to get a properly drafted release and consent from the employee.