The Health Insurance Portability and Accountability Act (HIPAA) was created by the U.S. Congress in 1996 to modernize healthcare information systems and prevent fraud and theft of protected health information (PHI). While it’s a given that healthcare providers, plans, and clearinghouses must all comply with HIPAA, you aren’t alone in wondering which HIPAA requirements apply to employers, especially HR departments.
It is a common misconception that HIPAA applies to employee health information. In many cases, HIPAA—and the Privacy Rule specifically—does not apply to employers, but instead controls how a health plan or a covered health care provider shares an employee’s PHI with an employer.
To better understand the HIPAA requirements that apply to your department, let’s start with a few key terms you should know:
Protected health information (PHI): any data associated with a patient’s physical or mental health status, along with any related treatments or payments. In practice, PHI includes personally identifiable information (PII) such as names, Social Security numbers, and addresses, plus healthcare-centric information such as medical record numbers, insurance plan member IDs, and medical device identifiers and serial numbers.
Covered entities: organizations that deal with health-related data, such as healthcare provider organizations, health plans, and even state governments and educational institutions.
When covered entities engage third parties, or “Business Associates” in HIPAA parlance, to store, process, and interact with PHI, a Business Associate Agreement (BAA) must be in place to impose safeguards on how the Business Associate uses and discloses PHI. Examples of Business Associates include data protection software vendors, cloud infrastructure providers, and cloud-based file collaboration platform vendors.
Privacy Rule: this rule focuses on the rights of the individual (employee or patient) and their ability to control their PHI by setting the standard for, among other things, who may have access to PHI. The Privacy Rule covers the physical security and confidentiality of PHI in all formats, including electronic, paper, and oral.
Security Rule: this rule deals only with the protection of electronic PHI (ePHI) that is created, received, maintained, or transmitted. Covered entities are required to implement adequate physical, technical, and administrative safeguards to protect patient ePHI, for example when sharing it via email or storing it in the cloud.
HIPAA’s rules require that organizations implement appropriate safeguards (more on this below) to maintain the confidentiality of PHI; the original goal was to ensure employees could switch health insurance providers, taking their health records with them, without losing coverage. As the Act progressed through Congress, amendments were added to address concerns over fraud and abuse in the health insurance and healthcare industries. This is where the Security and Privacy Rules came from.
According to the HIPAA Journal, there are four major areas of HIPAA compliance to which HR teams should pay close attention:
HIPAA does not protect employment records, even if the information in those records is health-related. What it does protect, according to the U.S. Department of Health & Human Services (HHS), are medical and health plan records generated as part of an employer-sponsored health plan.
Generally, HIPAA applies to the disclosures made by a healthcare provider, not the questions an HR team may ask. Therefore, if an HR team member asks an employee for supporting documentation for sick leave, wellness programs, health insurance, or workers’ compensation, he/she may ask without being subject to HIPAA requirements. However, if the HR team member asks a healthcare provider directly, the provider cannot release an employee’s health records to an employer without prior authorization from the individual (this would be a HIPAA violation), unless other laws require them to do so.
As you can see, HR departments aren’t automatically required to comply with HIPAA, even if they handle health-related information. However, if your organization offers a self-insured health plan to employees, then your HR team is likely on the hook. Self-insuring organizations collect premiums from enrolled employees and take on the responsibility of paying employees’ and dependents’ medical claims. In this case, it is likely that your HR department will come into contact with PHI and therefore be subject to HIPAA compliance requirements.
For HR teams, sharing medical and health plan records via email and files is often the path of least resistance. When sharing HIPAA-protected PHI, HR teams must be aware of how the HIPAA Security Rule applies. The rule outlines several technical safeguards, three of which apply most directly to email and files:
The language in HIPAA encourages covered entities to evaluate their unique risks and adopt reasonable and appropriate security measures for these technical safeguards. However, HIPAA also offers some prescriptive guidance that is especially relevant in today’s digital-first world:
“As business practices and technology change, situations may arise where ePHI being transmitted from a covered entity would be at significant risk of being accessed by unauthorized entities. Where risk analysis shows such risk to be significant, a covered entity must encrypt those transmissions.”
The relationship between HIPAA compliance and HR departments can be confusing. As such, HR teams should not assume that the responsibility for securing employees’ PHI is not theirs. To learn more about protecting your employees, and your organization, download a free copy of “HIPAA Guide for Email and File Protection” for HIPAA considerations in the cloud, best practices, and recommended safeguards.
Understanding HIPAA’s key technical safeguards in relation to common PHI sharing workflows is the first step to overcoming compliance challenges. Download this free HIPAA Guide for Email and File Protection and learn how data-centric security approaches can help you ensure the privacy of employees' PHI where required by HIPAA.
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.