HIPAA laws aren’t for the weak and the meek. When you start handling sensitive patient data, it’s time to take heed of government regulations.
HIPAA laws mostly come into play when it comes to healthcare providers. But the relationship between HIPAA law and employers has become more and more important as organizations go digital.
Take a look at how HIPAA laws might impact your operations strategy.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 is all about keeping information safe. When you visit the doctor, you want to be sure there are protections in place to hide private information about your health.
To help you stay protected, the government audits healthcare providers to examine how they’re storing patient records and who gets access. Patients can’t change health information like they can a credit card.
Once a hacker finds sensitive details, that’s the end of the story. HIPAA ensures organizations are always putting patient privacy first.
So, what does this have to do with employers? HIPAA law and employers have a very unusual relationship.
Unlike healthcare providers, employers don’t have clear-cut HIPAA instructions, which can make handling sensitive patient information somewhat tricky.
HIPAA Law and Employers
Most people will tell you that you don’t have to follow HIPAA regulations as an employer. This is a gross overstatement of the facts.
While you’re not obligated to follow certain HIPAA compliance rules, that doesn’t completely let you off the hook. There are still many privacy regulations in place to protect the information of your employees.
But you won’t be penalized for things like how you store employee health information. This means being able to save on heavy IT costs and the potential for major fines.
Poor file management is one of the top considerations in HIPAA compliance. Employers can decide how to maintain records, whether digitally or on paper.
Employers can also decide who gets to see the information. This is a major step away from how healthcare providers manage patient data.
They’ve got to keep your information under lock and key while an employer can simply share information without consent. There are a few exceptions to this rule, however.
Employer Requested Health Information
One thing that can impact an employer’s HIPAA compliance is requesting health records from a third party. If you ask for an employee’s health data from, say, an emergency room visit, that information is protected.
You can’t simply share those records with third parties, and the people with access should be limited. You’ll find it’s probably best to keep the information contained to those who need to know for legal reasons, like your workers’ compensation department.
Ask your insurance agents how best to circulate the employee’s information to avoid any trouble. The hospital where you got the records is considered a ‘covered entity,’ which means they are subject to HIPAA laws.
If they’re fined for your breach in using their patient’s data, they might in turn sue you for negligence, and you’ll be at risk of penalty for breaking compliance. Know your HIPAA facts so you don’t fall short when it comes to health communication under stress.
If at all possible, try not to handle employee data yourself so you’re not at risk of any violation.
Do Employers Have Any Responsibility?
Employers don’t get off easy without any responsibility under HIPAA laws. Most regulations around privacy assume employers already have protections in place to limit the risk of lawsuits.
For example, employees are protected by regulations like the Americans with Disabilities Act. Employers can’t take any disability-related medical info and just file it anywhere.
It needs to be placed separately from the employee’s personnel file as a matter of confidentiality. The only people who can access the file would be supervisors or other people who need to know about the employee’s work limitations.
The file can also be accessed in the event the employee needs first aid or some other form of emergency treatment. Government officials audit organizations to make sure these rules are being met so that employee information is protected.
This isn’t HIPAA, but it’s another way to keep employee health information private. Employees won’t have to fear discrimination based on work limitations when their health data isn’t a part of their personnel file.
There are other regulations in place, like GINA, the Genetic Information Nondiscrimination Act, which means genetic information shouldn’t be shared in a personnel file either. These documents are supposed to be treated like confidential information that needs protection unless there’s a ‘need to know.’
There is a wide range of myths about HIPAA law and employers. For example, contrary to a common one, employers can require a doctor’s note for an absence.
But that request does make the employer responsible for protecting the information they receive in the note. This makes many employers think twice about putting that kind of information in their hands.
It opens them up to a potential lawsuit if the information ever gets leaked. It may not be worth the effort to request official medical information on employees who miss work due to illness.
How to Remain Compliant as an Employer
HIPAA law and employers have a unique relationship. Most of the compliance rules aren’t direct, but they still prevent you from being too fast and loose with sensitive information.
It’s a good idea to simply follow the same guidelines as healthcare providers to make sure you aren’t risking a data leak. For more information and tips, visit our blog for updates.