Understanding HIPAA is an essential part of being compliant in the workplace. As an HR professional, you will come across sensitive information, including medical information. Read below to learn more about the industry standards relating to HIPAA so you can continue with confidence that you are doing things right.

What Is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act. This act has to do with health information, insurance eligibility and other industry standards for health care. HIPAA applies to health care providers, business associates, health plan providers and health care clearinghouses.

HIPAA guarantees certain rights for workers to receive health care plans. First, there can be no discrimination factored into plan eligibility. Second, health care plans must establish enrollment periods, and workers must be guaranteed the opportunity to extend health care coverage (for example, if they change jobs).

Probably most relevant to human resource professionals is the aspect of HIPAA that ensures the privacy of medical information. In a simple sense, HIPAA establishes that only the people involved in an individual's current care have access to that individual's health records, unless permission is given to share the information elsewhere.

For example, in cases of workers' compensation, HR professionals may not share an employee's health records with others in the company. All information must be kept in a safe location and only shared with those who are critical to the process (doctors, insurance providers, etc.).

History of HIPAA

The law was passed in 1996 under President Bill Clinton. At this time, there was much sentiment around the country about inequities in the health care registration process. HIPAA provided a way to help Americans secure their health care coverage more easily.

Since then, HIPAA has branched out and required confidentiality of other personal information, such as email addresses, names and medical ID numbers. Most relevant here is the idea that an employee's personal information is private and should not be shared through inappropriate channels.

Why Is HIPAA Important?

  • It's the law. Aside from the obvious nature of this point, it's the truth. Following HIPAA regulations is not a matter of deciding whether it's right for you; it's a matter of deciding whether you want to be compliant or noncompliant.
  • Companies could be exposed to lawsuits if not HIPAA compliant. Information is one of the most important tools for business professionals, and its misuse can be one of their biggest downfalls. If an HR employee were to leak, lose or mishandle medical information, it would expose the company to potential lawsuits, governmental investigations or fees.
  • Individuals deserve to have their information kept private. As an HR professional, you are a representative of the company. Conveying respect for individuals' personal information will reassure employees that the company respects them.

Who Is Covered by HIPAA?

All those who are required to abide by HIPAA laws are called covered entities. All four covered entities are listed below:

  • Health care providers. This includes doctors, dentists, psychologists, nursing homes, pharmacies, etc.
  • Health plan providers. This includes health maintenance organizations, health insurance companies, government health institutions (such as Medicare, Medicaid, etc.) or employer-sponsored health plans.
  • Health care clearinghouses. These include billing service companies, IT companies, software companies or any other companies that deal with health-sensitive information.
  • Business associates. This is perhaps the most abstract of the covered entities. A business associate is a person or organization that provides services to one of the other covered entities that involve protected health information. This could involve a billing service, claims processing, utilization review or more. Most companies are included in this entity, since they work in conjunction with health plan providers. As a general rule, it's safe to assume that your company needs to be HIPAA compliant.

What Information Is Protected Under HIPAA?

Originally, HIPAA only covered medical health information. In recent years, additional information has been added as protected under HIPAA. Below is a list of some examples of this information (the full list is too large to add to this article).

  • Diagnoses
  • Medical treatments
  • Prescriptions
  • Names
  • Email addresses
  • Physical addresses
  • Social Security numbers
  • Photographic images
  • Medical record numbers

How Do I Ensure My Organization Is HIPAA Compliant?

Making sure your organization is HIPAA compliant is a major responsibility that falls directly on HR. While it's true that individual choices by employees ultimately affect the company's compliance, the company should incorporate training and implement preventative procedures to reduce the chance of mishaps.

Understand Local and Federal Laws

Companies and HR professionals should start by learning and understanding the laws. Many companies have built-in training programs that cover HIPAA laws. States, such as California, may have additional HIPAA-related laws that aren't explicitly listed in the federal law, so it's important to understand the local laws as well.

Store Medical Information in a Safe Place

In previous years, many companies would place medical information under lock and key, but with computers this is sometimes not possible. It's recommended that these files are kept in password-protected online folders or on encrypted thumb drives.

Train Staff Properly

HIPAA violations often arise from ignorance. Employees may simply not know about the laws and regulations and need proper training. Taking time for training could prevent future violations. The government will not accept ignorance as an excuse for violating HIPAA rules and may still impose strict punishments in such cases.

Questions You’ve Asked Us About HIPAA

It's important that employees or companies report these violations to their designated privacy officer. The privacy officer will then report the cases to the government as needed at HHS.gov. An investigation will likely ensue, including a risk assessment about the type of information breached.

Generally, an employer may ask for a doctor’s note if it is necessary for cases that involve sick leave, workers’ compensation, insurance or other health and wellness programs. An employer may also request a doctor’s note to determine handling of an impairment for a requested accommodation.

Chase carries HR experience in training, recruiting, labor and employee relations, team leadership, and as a generalist. He is always building and expanding on his skills as well as looking for ways to augment his network. When he can, he looks for ways to give back by mentoring new/upcoming HR professionals.
