The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires employers to keep employee medical records confidential. HIPAA includes regulations that cover how employers must protect employees’ medical privacy rights and the privacy of their health information.
Overall, according to the US Department of Labor, HIPAA "provides rights and protections for participants and beneficiaries in group health plans. HIPAA includes protections for coverage under group health plans that limit exclusions for preexisting conditions; prohibit discrimination against employees and dependents based on their health status; and allow a special opportunity to enroll in a new plan to individuals in certain circumstances. HIPAA may also give you a right to purchase individual coverage if you have no group health plan coverage available, and have exhausted COBRA or other continuation coverage."
In general, the HIPAA Privacy Rule provides federal protection for personal health information that is held by covered entities. HIPAA gives patients rights with respect to their personal health-related information. But the HIPAA Privacy Rule also permits the disclosure of personal health information that is needed for patient care and other important purposes.
HIPAA additionally requires that employer-sponsored health plans be portable and non-discriminatory, but HIPAA does not require an employer to offer an employee health care plan. HIPAA covers the electronic disclosure of employees’ medical information. HIPAA also requires employers to cover employees’ and their dependents’ pre-existing health conditions under certain circumstances.
HIPAA is a hodge-podge of laws that are difficult to interpret and understand. Employers need to be aware of the medical privacy requirements. Employers also need to inquire and make certain that their employee health plan is compliant with HIPAA regulations.
Additional Employer Responsibilities Under HIPAA
- Employers must put in place security rule compliance policies and procedures.
- Medical records should be stored separately and apart from other business and personnel records, to ensure their confidentiality and limited access.
- Employers (or their providers) must update plan documents and business associate agreements to comply with the security rules. All programs that deal with employee health information such as flexible spending plans, wellness programs, or employer self-insured options must be HIPAA compliant.
- Employers must comply with state privacy laws, which may be even stricter.
- Employees must be notified every time there is a substantive change in their plan that may affect medical privacy. Additionally, if the employer's state makes substantive changes, new privacy amendments may be necessary.
- Employers must notify employees of their privacy rights with a notice, and then, every three years, update the notice, redistribute it, or point employees to it, starting by April 14, 2006 for large plans and April 14, 2007 for small plans.
- Employers must train any employee who has contact with medical records in appropriate HIPAA compliance.
- Employers are required to investigate any privacy complaint that they receive. Consequently, employers may want to have a written policy for responding to and investigating such complaints. Employers should put the results of their investigation in writing.
- Employers need to discipline any employee who disregards or disobeys HIPAA privacy requirements.
Components of HIPAA and changes to the original HIPAA legislation have gone into effect several times since 1996, including in 2003, 2005, 2006, and 2007. Consequently, I have provided an overview of employer responsibilities. But I strongly recommend consultation with an attorney because of the changing HIPAA landscape, including changes signed into law by President Barack Obama on February 17, 2009 in the American Recovery and Reinvestment Act of 2009 (ARRA). That Act significantly expanded HIPAA’s privacy and security regulations.
Consult with an attorney to make certain that your workplace medical privacy practices, all health-related activities that you sponsor, your health-care plans, your employee notification requirements, your employee training, and your complaint investigation procedures are HIPAA compliant and current.
Additional HIPAA compliance information: Employers and Health Information in the Workplace - U.S. Department of Health & Human Services
Disclaimer – Please Note:
Susan Heathfield makes every effort to offer accurate, common-sense, ethical Human Resources management, employer, and workplace advice both on this website, and linked to from this website, but she is not an attorney, and the content on the site, while authoritative, is not guaranteed for accuracy and legality, and is not to be construed as legal advice.
The site has a world-wide audience and employment laws and regulations vary from state to state and country to country, so the site cannot be definitive on all of them for your workplace. When in doubt, always seek legal counsel or assistance from State, Federal, or International governmental resources, to make certain your legal interpretation and decisions are correct. The information on this site is for guidance, ideas, and assistance only.