Understanding HIPAA is an essential part of being compliant in the workplace. As an HR professional, you will come across sensitive information, including medical information. Read below to learn more about the industry standards relating to HIPAA so you can continue with confidence that you are doing things right.
HIPAA is an acronym for the Health Insurance Portability and Accountability Act. The act addresses the portability of health coverage, insurance eligibility and standards for handling health information. It applies to health care providers, health plans, health care clearinghouses and the business associates that work for them. HIPAA's portability provisions give workers certain rights regarding health coverage. First, a group health plan may not base eligibility on an individual's health status. Second, plans must offer special enrollment periods, and individuals must be given the opportunity to continue their coverage, for example when they change jobs. Most relevant to human resource professionals is the part of HIPAA that protects the privacy of medical information. In simple terms, HIPAA establishes that only the people with a role in an individual's care, payment or plan administration get access to that individual's health records, unless the individual authorizes wider sharing. For example, an HR professional who receives an employee's medical information while handling a benefits or workers' compensation claim may not share it with managers or coworkers who have no role in that process. The information must be stored securely and shared only with those who need it to do their part (treating providers, the insurer, etc.).
History of HIPAA
The law was passed in 1996 and signed by President Bill Clinton. At the time there was widespread concern about people losing, or being unable to obtain, health coverage when they changed or lost jobs, and HIPAA gave Americans a way to keep their coverage more easily. The act's Administrative Simplification provisions also directed the Department of Health and Human Services to issue privacy and security standards, and the rules that followed define the identifiers (names, email addresses, medical record numbers, etc.) that, attached to health information, make that information protected. Most relevant here is the principle that an employee's health information is private and must not be shared through inappropriate channels.
The Privacy Rule and Security Rule
In the years after HIPAA was signed, the US Department of Health and Human Services (HHS) issued the Privacy Rule and the Security Rule under the act's Administrative Simplification provisions. The Privacy Rule, which defines protected health information (PHI), became effective on April 14, 2001, with a compliance date of April 14, 2003. The Security Rule, which lays down safeguards for electronic protected health information, was published in February 2003 with a compliance date of April 21, 2005. Let's take a closer look at what each of these rules does.
Privacy Rule
The Privacy Rule of HIPAA gives individuals more privacy and control over their health information and defines what counts as protected health information. Protected health information (PHI) is individually identifiable health information: information about a person's health condition, the care they received or payment for that care, from which the person can be identified, held or transmitted by a covered entity or its business associate. PHI does not include education records, nor the employment records a covered entity holds in its role as an employer; information that cannot be tied to an individual is not PHI either. The Privacy Rule sets standards for individuals' rights to see, obtain copies of and control their health information. It aims to protect the individual's privacy while still allowing the flow of information needed for treatment, payment and health care operations.
Security Rule
The Security Rule of HIPAA requires administrative, physical and technical safeguards for electronic protected health information, or ePHI. Covered entities and business associates must conduct a risk analysis of the systems that hold ePHI and implement measures that reasonably and appropriately reduce the risks they find, such as limiting who can access ePHI, logging that access, and encrypting the data where it is stored and transmitted. The Security Rule protects the confidentiality, integrity and availability of ePHI.
Why Is HIPAA Important?
It's the law. Following HIPAA regulations is not a matter of deciding whether it is right for you; it is a matter of deciding whether to be compliant or noncompliant.
Companies could be exposed to penalties and lawsuits if not HIPAA compliant. Information is one of the most important tools for business professionals, and its misuse can be one of their biggest downfalls. If an HR employee were to leak, lose or mishandle medical information, it would expose the company to government investigations, civil money penalties or lawsuits.
Individuals deserve to have their information kept private. As an HR professional, you are a representative of the company. Conveying respect for individuals' personal information reassures employees that the company respects them.
Who Is Covered by HIPAA?
Those required to abide by HIPAA are called covered entities. There are three types of covered entity, and the rules also bind their business associates. All four are listed below:
Health care providers. This includes doctors, dentists, psychologists, nursing homes, pharmacies, etc.
Health plans. This includes health maintenance organizations, health insurance companies, government health programs (such as Medicare and Medicaid) and employer-sponsored group health plans.
Health care clearinghouses. These are entities that convert health information between nonstandard and standard formats, such as billing services and repricing companies that process claims between providers and payers.
Business associates. This is perhaps the most abstract of the four. A business associate is a person or organization that performs a function or service for a covered entity that involves protected health information, such as claims processing, billing, data analysis, utilization review, or hosting or supporting the IT systems in which PHI is stored. A business associate is not itself a covered entity, but since 2013 it is directly liable for complying with the Security Rule and with the Privacy Rule obligations in its business associate agreement. An employer is not a covered entity merely because it offers a health plan, but its group health plan is, and HR staff who administer that plan handle PHI on its behalf. It is therefore prudent to treat the medical information HR handles as if HIPAA applied to it.
What Information Is Protected Under HIPAA?
HIPAA protects health information only when it can be linked to an individual. The Privacy Rule lists 18 types of identifier that, combined with health information, make it PHI; removing all of them is one way to de-identify data. Below are some examples of the health information and identifiers that together make up PHI (the full list of identifiers is longer than this article can include).
Diagnoses
Medical treatments
Prescriptions
Names
Email Addresses
Physical Addresses
Social Security Numbers
Photographic images
Medical record numbers
How Do I Ensure My Organization is HIPAA Compliant?
Making sure your organization is HIPAA compliant is a major responsibility that falls directly on HR. While it is true that individual choices by employees ultimately affect the company's compliance, the company should provide training and implement preventive procedures to reduce the chance of mishaps.
Understand Local and Federal Laws
Companies and HR professionals should start by learning and understanding the laws. Many companies have built-in training programs that cover HIPAA. HIPAA sets a floor, not a ceiling: states such as California (through its Confidentiality of Medical Information Act) have medical-privacy laws that are stricter than the federal rules and are not preempted by them, so it is important to understand the state laws as well.
Store Medical Information in a Safe Place
In previous years, many companies kept medical information under lock and key in a file separate from the personnel file. With electronic records the equivalent is a storage location that is encrypted at rest, accessible only to the few HR staff who need it, and kept apart from general employment records. Password-protected shared folders and encrypted thumb drives are common choices, but a thumb drive that can be lost is the weaker one: a restricted, access-logged folder on a managed system is preferable, and any removable media that does hold medical files must be encrypted.
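As an added illustration of "encrypted at rest and readable only by those who need it" (example code, not part of the original article or the author's practice), the script below uses the standard openssl command-line tool to encrypt an HR medical file with a passphrase, restrict the file to its owner, and decrypt it again. The file names, directory and passphrase are placeholders; in practice the passphrase would come from a password manager or secrets store rather than being typed into a script.

```shell
#!/bin/sh
# Added example (not the article author's code): keep an HR medical file
# encrypted at rest and readable only by its owner, using the openssl CLI.
# Paths, file names and the passphrase below are placeholders.
set -eu

# Encrypt plaintext $1 to $2 using passphrase $3 (AES-256-CBC, key derived
# with PBKDF2). The passphrase is passed to openssl through an environment
# variable rather than an argument so it does not appear in the process list.
# The plaintext is removed once the ciphertext exists (rm does not wipe the
# disk blocks; use full-disk encryption underneath for that).
encrypt_file() {
  HR_FILE_KEY="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt \
    -in "$1" -out "$2" -pass env:HR_FILE_KEY
  chmod 600 "$2"   # owner read/write only; no group or world access
  rm -f "$1"
}

# Decrypt ciphertext $1 to $2 with passphrase $3. Returns non-zero and leaves
# no output file if the passphrase is wrong. Note that CBC mode provides
# confidentiality only; it does not detect tampering with the ciphertext.
decrypt_file() {
  if ! HR_FILE_KEY="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
      -in "$1" -out "$2" -pass env:HR_FILE_KEY; then
    rm -f "$2"
    return 1
  fi
  chmod 600 "$2"
}

# Print the octal permission bits of a file (600 is what we expect).
# GNU stat and BSD/macOS stat take different flags, so try both.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Walk-through with a constructed sample note (not real PHI).
demo() {
  dir=$(mktemp -d)
  printf 'Employee: J. Doe (constructed sample)\nNote: cleared to return to work\n' \
    > "$dir/medical-note.txt"
  encrypt_file "$dir/medical-note.txt" "$dir/medical-note.txt.enc" 'example-passphrase'
  echo "ciphertext permissions: $(file_mode "$dir/medical-note.txt.enc")"
  decrypt_file "$dir/medical-note.txt.enc" "$dir/medical-note.dec" 'example-passphrase'
  cat "$dir/medical-note.dec"
  rm -rf "$dir"
}

demo
```

The `chmod 600` is the file-level version of "only those who need it"; on a shared system the folder itself should also be owned by the HR group and closed to everyone else, and access to it logged, which no script alone provides.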
Train Staff Properly
HIPAA violations often arise from ignorance. Employees may simply not know the rules and need proper training, and time spent on training can prevent future violations. The government will not accept ignorance as an excuse for violating HIPAA rules and may still impose penalties in such cases.
Chase Cragun, VP of Recruiting USU MHR
Chase carries HR experience in training, recruiting, labor and employee relations, team leadership, and as a generalist. He is always building and expanding on his skills as well as looking for ways to augment his network. When he can, he looks for ways to give back by mentoring new/upcoming HR professionals.
What Happens If HIPAA Is Violated?
It is important that employees report suspected violations to their organization's designated privacy officer. The organization must then assess the risk that the information was compromised (what information was involved, who received it, whether it was actually viewed, and how far the exposure was mitigated) to decide whether the incident is a reportable breach. Breaches must be reported to the affected individuals and to HHS (through HHS.gov), and HHS's Office for Civil Rights may open an investigation.
Can an Employer Ask for a Doctor's Note?
Generally, an employer may ask for a doctor's note when it is necessary for sick leave, workers' compensation, insurance or other health and wellness programs. An employer may also request a doctor's note to evaluate an impairment for which an employee has requested an accommodation. A note the employer obtains in this way is an employment record rather than PHI, but it should still be kept confidential and separate from the general personnel file.