The Health Insurance Portability and Accountability Act (HIPAA) is a federal law in the United States that protects sensitive patient information within the healthcare industry. It outlines the guidelines by which personally identifiable information maintained by healthcare and health insurance industries should be protected from fraud and theft. While HIPAA does not apply to all employers, it does apply to those who fall under the categories of healthcare clearinghouses, healthcare providers, and health plans. This means that any company handling protected health information (PHI) is obligated to follow HIPAA laws, even if they are not directly working in the healthcare industry.
In the context of employers, HIPAA applies in certain circumstances, such as when they are involved in HIPAA-covered transactions or when they have access to employee PHI.
| Characteristics | Values |
|---|---|
| Does HIPAA apply to employers? | It depends on the situation. If an employer falls under the categories of healthcare clearinghouses or healthcare providers, then HIPAA laws apply. |
| Does HIPAA apply to workers' compensation cases? | No, HIPAA specifically exempts workers' compensation from its regulations. |
| Does HIPAA apply to an employer's request for health information from a covered entity for an employee? | Yes, with employee authorization. If not authorized by the employee, information may not be shared with human resources or employers. |
HIPAA and workers' compensation
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to ensure that everyone's medical information and privacy are protected. HIPAA allows for necessary information sharing to ensure individuals receive access to high-quality health care, while also protecting their right to privacy. Any provider or company with access to protected health information must put measures in place to comply with HIPAA.
The HIPAA Privacy Rule does not apply to workers' compensation insurers, workers' compensation administrative agencies, or employers. However, these entities need access to the health information of individuals injured on the job or with a work-related illness to process or adjudicate claims, or to coordinate care under workers' compensation systems. This health information is generally obtained from healthcare providers who treat these individuals and who may be covered by the Privacy Rule. The Privacy Rule permits covered entities to disclose protected health information to workers' compensation insurers, state administrators, employers, and other persons or entities involved in workers' compensation systems, without the individual's authorization.
In the case of workers' compensation, employees are required to provide their medical information to file their claims. This means that their privacy rights under HIPAA are waived to a certain extent. Their doctor is required to share their medical records with their workers' compensation insurance company and their employer when requested. Their doctor may also need to compile reports of conversations during appointments and submit them to the employer and their insurer. These reports can also be used before a judge during a workers' compensation hearing.
The Privacy Rule does not protect employment records, even if the information in those records is health-related. However, it does protect medical or health plan records if the individual is a patient of the provider or a member of the health plan. If an employer asks an employee's healthcare provider directly for information, the provider cannot give the employer the information without the employee's authorization unless other laws require them to do so.
When does an employer become a covered entity?
An employer becomes a covered entity under HIPAA if they provide group health insurance for their employees. The Department of Health and Human Services (HHS) states that a "group health plan" is a type of health plan and that this plan is a covered entity under HIPAA. The only exception is for plans with fewer than 50 participants.
Under the ERISA regulatory schema, the idea of the health plan being separate from the employer is a critical element. However, the courts have largely ignored this distinction since there is rarely a different level of control from the employer to the health plan.
HIPAA-covered transactions include:
- A request to obtain payment from a healthcare provider to a health plan, accompanied by supporting documentation.
- An inquiry from a healthcare provider to a health plan about an individual's eligibility to receive treatment.
- A request to a health plan to refer an individual to another healthcare provider.
- The transmission of an explanation of benefits or remittance advice from a health plan to a healthcare provider.
In most cases, employers do not have to implement measures to protect the privacy of individually identifiable health information. However, employers are subject to HIPAA in certain circumstances, such as when they create, maintain, or transmit Protected Health Information in connection with a HIPAA-covered transaction. This usually only happens when the employer administers a self-insured health plan.
What is PHI?
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. This information is known as Protected Health Information (PHI).
PHI is any individually identifiable health information used for treatment or payment purposes, as well as any individually identifiable non-health information maintained in the same designated record set as Protected Health Information. This includes any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.
PHI is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. It is important to note that HIPAA only applies to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services (HHS) has published standards. Therefore, not all healthcare providers are subject to HIPAA – although state privacy regulations may still apply.
PHI is used in studies involving the review of existing medical records for research information, such as retrospective chart reviews. PHI is also created in studies that produce new medical information in the course of the research, such as diagnosing a health condition or evaluating a new drug or health device. This information will be entered into the medical record. For example, sponsored clinical trials that submit data to the U.S. Food and Drug Administration involve PHI and are therefore subject to HIPAA regulations.
HIPAA and employee authorization
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies to an employer's group health plan, except for self-administered plans with fewer than 50 participants. In general, the Privacy Rule requires employers to obtain authorization from an employee when protected health information (PHI) received through the group health plan is used for purposes other than treatment, payment, or health plan operations. According to the U.S. Department of Health & Human Services, an authorization must specify several elements, including a description of the PHI to be used and disclosed, the person authorized to make the disclosure, the person to whom the disclosure may be made, an expiration date, and, in some cases, the purpose for the disclosure.
There are several circumstances where HIPAA does not apply in the workplace. Fully-insured group health plans that do not create or receive PHI other than summary health information have limited requirements under the Privacy Rule. Workers' compensation claims do not require authorization as transactions necessary to comply with state workers' compensation laws are specifically exempted from HIPAA. Other records are considered employment records rather than health care records and are not protected by HIPAA. These include Family and Medical Leave Act (FMLA) medical certifications, requests for accommodation under the Americans with Disabilities Act (ADA), and doctor's notes provided under an employer's absence policy.
While employers are not covered entities under HIPAA, they may still be involved in HIPAA-covered transactions under certain circumstances. These include providing onsite clinics as an employee health benefit, providing a self-insured health plan for employees, or acting as an intermediary between employees, healthcare providers, and health plans. In such cases, employers are subject to "partial compliance" and must provide a certification that PHI will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.
The HIPAA Privacy Rule defines what constitutes individually identifiable health information and how it should be protected from unauthorized uses and disclosures. It is important to note that PHI is only covered by HIPAA when it is used to communicate information about an individual's past, present, or future medical condition, the provision of healthcare to an individual, or the payment for healthcare. Therefore, if a worker provides their PHI to an employer's HR department, but it is never used for any of these purposes, HIPAA no longer applies.
HIPAA training for employers
HIPAA training is an important aspect of HIPAA compliance. Employees need to be aware of the HIPAA regulations to be able to follow them. Training provides employees with an introduction to HIPAA, including how to recognize protected health information (PHI), proper uses and disclosures of PHI, how to keep PHI secure, and how to report a breach of PHI.
The HIPAA regulations relating to employee training are flexible because of the different functions Covered Entities perform, the various roles of employees, and the different levels of access to PHI. Both the HIPAA Privacy Rule and the HIPAA Security Rule stipulate that training should be provided to members of the workforce, but the Security Rule is clearer that all members of the workforce should participate. The Privacy Rule is more flexible, stating that:
> "A Covered Entity must train all members of its workforce on the policies and procedures with respect to Protected Health Information required by this subpart [the Privacy Rule] and subpart D of this part [the Breach Notification Rule], as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity."
This has been interpreted to mean that HIPAA employee training only needs to be provided "by function". However, all members of the workforce need to be aware that individuals have rights regarding their PHI and what those rights are, even if they are not involved in responding to individuals exercising those rights. Therefore, HIPAA employee training needs to be comprehensive.
HIPAA staff training for Business Associates is sometimes limited to security awareness training, but this is a mistake. For example, HIPAA staff training for Business Associates should include how to report any security incident and the procedures for reporting security incidents and data breaches to Covered Entities.
HIPAA compliance training for employees can be provided in a classroom, via video, or online. Historically, it was classroom-based and instructor-led, but this can be ineffective because there is a lot of material to cover in HIPAA. Videos enable instructors to break down and explain HIPAA visually, which can lead to more engagement and better retention. Online training made up of mix-and-match modules is a more effective way to comply with the training requirements, as the modules can be assembled into groups relevant to each employee's role, and each employee can complete the training individually at a time that minimizes disruption.
Covered Entities are required to provide training on HIPAA policies and procedures "within a reasonable period of time" after a person joins their workforce and whenever there are material changes to policies and procedures that affect an employee's role. There is no time period stipulated for when a security awareness and training program has to be provided.
In addition, Covered Entities and Business Associates should incorporate HIPAA employee training into risk analyses to identify when further training is needed to prevent unauthorized uses or disclosures of PHI. If a need for training is identified, it must be provided "within a reasonable period".
Other occasions when HIPAA employee training should be provided include when a member of the workforce has violated HIPAA and additional training is a penalty, and when the Office for Civil Rights imposes a Corrective Action Plan following a compliance investigation.
So, what should employers know about HIPAA training for their employees?
- HIPAA training is important because members of a Covered Entity's workforce need to understand how to protect PHI from unauthorized uses and disclosures.
- The failure to provide training is a violation of HIPAA in itself.
- Training should be provided to all members of the workforce, regardless of their level of interaction with PHI.
- Training will depend on what policies and procedures the Covered Entity has developed and what is relevant for each employee to carry out their functions in compliance with HIPAA.
- Training can be provided in a classroom, via video, or online, with online training being the most effective way to comply with the training requirements.
- Training should be provided when a person joins a Covered Entity's workforce and whenever there are material changes to policies and procedures that affect an employee's role.
- Training should also be provided when a risk analysis identifies a need for further training.
Frequently asked questions
HIPAA laws apply to employers who fall under the three categories of covered entities: healthcare clearinghouses, healthcare providers, and health plans. If an employer does not fall under any of these categories, HIPAA does not apply.
Yes, an employer can request an employee's health information without their consent in certain situations. For example, if an employee suffers a work-related injury or illness, the employer can access the employee's health information to process claims, coordinate healthcare, and arrange compensation. However, employers must adhere to HIPAA's principle of minimum necessary disclosure and only disclose information essential for the specific purpose.
PHI includes any information in an individual's medical record that can be used to personally identify them, such as telephone numbers, fax numbers, medical record numbers, and Social Security numbers. PHI also includes demographic information such as name, address, birth date, and other common identifiers.