Are Employer’s Subject to HIPPA?

The Health Insurance Portability and Accountability Act (“HIPAA”) is landmark legislation designed to safeguard individuals’ protected health information (“PHI”). HIPPA’s primary goal is to ensure the privacy and security of sensitive medical data while also facilitating the smooth flow of healthcare information.

Key aspects of HIPPA:

Privacy Rule: The Privacy Rule establishes national standards for the protection of PHI, including individual rights to access their health information, control its disclosure, and request corrections. Covered entities must implement policies and procedures to ensure the privacy of PHI and provide patients with notice of their privacy practices.

Security Rule: The Security Rule outlines requirements for safeguarding electronic PHI (ePHI) through administrative, physical, and technical safeguards. Covered entities must conduct risk assessments, implement security measures to protect against unauthorized access, and have contingency plans in place to respond to emergencies.

Breach Notification Rule: The Breach Notification Rule requires covered entities to notify affected individuals, the Secretary of Health and Human Services, and, in some cases, the media, following a breach of unsecured PHI. Notification must occur without unreasonable delay and no later than 60 days following discovery of the breach.

Enforcement Rule: The Enforcement Rule outlines procedures for investigating complaints of HIPAA violations and imposing penalties for non-compliance. Penalties can range from fines to criminal charges, depending on the severity and intent of the violation.

Business Associate Agreements: Covered entities must enter into contracts, known as business associate agreements, with vendors and other entities that handle PHI on their behalf. These agreements outline the responsibilities of the business associate in protecting PHI and establish liability for breaches.

Who is Subject to HIPAA?

HIPAA applies to “covered entities” and “business associates.” Covered entities include healthcare providers, health plans, and healthcare clearinghouses. Business associates are entities that handle PHI on behalf of covered entities, such as third-party administrators and billing companies.

Examples of Violations:

HIPAA violations of the Privacy Rule can occur in various ways, often involving unauthorized access, use, or disclosure of protected health information (PHI). Here are some examples:

Unauthorized Access: An employee at a healthcare facility accesses a patient’s medical records without a legitimate reason or authorization, simply out of curiosity or personal interest.

Improper Disclosure: A healthcare provider discusses a patient’s diagnosis or treatment plan in a public area where others can overhear, violating the patient’s right to privacy.

Lost or Stolen Devices: A laptop or mobile device containing unencrypted PHI is lost or stolen, potentially exposing sensitive patient information to unauthorized individuals.

Emailing PHI: Sending unencrypted emails containing PHI to individuals who are not authorized to receive such information, thereby risking interception or unauthorized access.

Inadequate Safeguards: Failing to implement appropriate security measures to protect PHI, such as leaving paper records containing patient information in an unsecured location accessible to unauthorized individuals.

Improper Disposal: Discarding paper records or electronic devices containing PHI without properly shredding or securely wiping the data, leaving sensitive information vulnerable to unauthorized access.

Access by Unauthorized Individuals: Allowing individuals who are not involved in the patient’s care, such as friends or family members, to access their medical records without proper authorization.

Does HIPAA Apply to Employers?

In most cases, employers are not considered covered entities under HIPAA unless they also operate as healthcare providers or health plans. However, there are exceptions. For instance, if an employer sponsors a group health plan, it becomes subject to HIPAA’s privacy and security rules regarding the health information it collects and maintains.

Notwithstanding, employers may find themselves handling PHI when they offer health plans to their employees or when they engage in functions such as the administration of workers’ compensation claims, sick leave, or wellness programs. In these instances, while HIPAA itself may not apply, employers still should adhere to stringent standards to protect the confidentiality, integrity, and security of the health information in their care. While HIPAA may not directly apply to employers, other federal and state laws govern the handling of employee health information, such as the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).

Policies to Protect Employee Health Records

Despite not being directly subject to HIPAA, employers still should implement robust policies and procedures to safeguard employee health records. Here are some key steps to consider:

Limit Access: Only designated individuals with a legitimate need should have access to employee health records. Implement strict controls to prevent unauthorized viewing or disclosure.
Employee Training: Educate employees about the importance of confidentiality and their responsibilities in handling sensitive health information. Regular training sessions can reinforce compliance with privacy policies.
Data Encryption and Security: Utilize encryption and other security measures to protect electronic health records from unauthorized access or cyber threats.
Written Policies: Develop clear and comprehensive policies outlining how employee health information will be collected, stored, and accessed. Include procedures for handling requests for information and responding to breaches.

Written Policies: Develop clear and comprehensive policies outlining how employee health information will be collected, stored, and accessed. Include procedures for handling requests for information and responding to breaches.

While HIPAA may not directly apply to employers in most cases, Employers still have a legal and ethical responsibility to protect employee health information under other regulations. By implementing robust policies and procedures, employers can uphold the privacy rights of their employees while mitigating legal risks and maintaining trust in the workplace.

Comments are closed.