By Ken Lynch, founder and CEO, Reciprocity Labs.
The Health Insurance Portability and Accountability Act (HIPAA) applies to all companies in the United States. Healthcare providers, covered entities and their business associates should understand HIPAA and take compliance steps to avoid monetary fines and even prison time. HIPAA violations in the workplace can occur in any organization, but especially in those that provide healthcare benefits to their employees or require health information to process disability benefits or workplace compensation.
Understanding HIPAA violations in the workplace
HIPAA was enacted in 1996 and aimed to protect the health information of individuals as they moved from one job to another. Since then, the Act has been refined to include more coverage and protections.
In 2003, the Privacy Rule, which defines Protected Health Information (PHI), was passed by the US Department of Health and Human Services. In 2005, HIPAA was updated with the Security Rule, which focuses on electronically stored PHI (ePHI). Today, employers must adhere to HIPAA and related regulations, including the Security Rule and the Privacy Rule, as required by industry regulators and the federal government.
What information qualifies as PHI or ePHI
The Privacy Rule defines PHI as any health information that concerns the payment of healthcare, provision of healthcare or health status of an individual, which is held by a covered entity.
In the workplace, any employee health plans or medical records that are collected by the employer for the purposes of administering healthcare plans are PHI or ePHI. Health information that is gathered but not intended for use in administering healthcare plans is not considered PHI or ePHI.
When an employee provides health information to document workers’ compensation or sick leave, the information is not considered PHI or ePHI. On the other hand, if you contact an employee’s healthcare provider, the information that the provider gives you falls under the Privacy Rule. Employment records do not fall under PHI or ePHI even though they may include health-related information.
What HR should know about HIPAA
If your organization offers employees a covered health plan, it’s critical to determine whether you need to be HIPAA compliant.