It’s been 20 years since the Health Insurance Portability and Accountability Act (HIPAA) was enacted to ensure the privacy of a person’s medical information (the “privacy rule”). Since then, there have been changes from time to time to straighten this protection.
These rules, which are designed to keep third parties from learning about this information without a person’s permission, do not apply only to doctors and other medical professionals; employers are also subject to them in some instances. If you violate HIPAA, you can face civil penalties and even criminal sanctions.
Which records need to be protected, and which do not?
Employment records
HIPAA specifically exempts employment records from the privacy and security requirements (unless the circumstances described below apply). This is so even if they contain information about sick days, drug screening, or disability insurance. You are permitted to ask for a doctor’s note or medical records for purposes of sick leave, disability insurance coverage, and workers’ compensation claims.
However, this does not mean you’re free from privacy and security requirements. The Equal Employment Opportunity Commission (EEOC) has said that Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) have such requirements. More specifically, the EEOC suggests that personal health information protected under the ADA and GINA should be appropriately “walled off” from view in an Electronic Medical Record (EMR). In other words, you aren’t required to have two files for each employee but you need to segregate protected information.
State law may also impose privacy/confidentiality requirements. In some states, such as California, employers are required to establish procedures to ensure the confidentiality of employee medical records; employers must disclose any security breaches.
Payroll deductions
If a company health plan withholds money for an employee’s premiums, then HIPAA applies to payroll records. There is no minimum number of employees needed to trigger this rule. The reason: The payroll deduction relates to the payment of health coverage and identifies the individual being covered, so it is protected health information.
Health activities in the workplace
If you conduct a blood drive on your premises, then employee information needs to be protected. You can obtain a list of the employees who donated blood, but you can’t share this information; it’s confidential. Thus, it’s important to use screens or booths to ensure employees’ privacy.
The same goes for other health-related activities that you do on premises, such as flu shots and wellness programs.
Resource
If you need more guidance on how HIPAA applies to your company, view the National Association of Health Underwriter’s HIPAA Privacy Requirements Compliance Guide.