In the healthcare industry, patient data is considered sensitive and, as such, is subject to certain privacy and security requirements to ensure it remains confidential. Some employers may find themselves handling this protected health information (PHI) and could be required under federal law to manage that data in a specific way. All employers need to understand the federal law known as HIPAA and how it applies (or doesn’t apply) to them.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy standards by which healthcare organizations are required to protect sensitive patient information. Since its signing in 1996, HIPAA has been updated periodically to evolve alongside technology and has adapted to include cybersecurity standards required of all “covered entities” and their business associates.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule is the section of the law that specifically relates to the confidential handling and transmission of patient healthcare data. Measures in the Privacy Rule include an enumeration of individuals’ rights under the law, such as how they can control and access their own healthcare information.
Moreover, the Privacy Rule prescribes how healthcare organizations and other covered entities and business associates must handle protected health information. This includes requirements that govern both process and technology; not only must protected health information be handled properly, but it must also be stored securely.
“It requires you to protect and maintain the security of PHI, which is a defined term that deals generally with health information that can be identified and tied to a specific individual,” Paul Starkman, an employment attorney for Clark Hill, told us. “It deals with how the information must be protected in terms of encryption, password protection and things like that. It also deals with transmission … and it has some other requirements too in terms of disposing [of] PHI once it is no longer needed.”
Starkman said this includes information from paper files, digital files, machines and pieces of equipment that become outdated or are no longer in service.
“Those need to be disposed of in accordance with HIPAA guidelines,” he said.
Which types of employers does HIPAA apply to?
The stringent requirements set forth in HIPAA don’t apply to all employers — just those that fall into a particular category.
The term “covered entities” refers to organizations that must comply with the rules set out under HIPAA. Covered entities include doctors’ offices, hospitals, insurance companies, insurance plans and clearinghouses. The U.S. Department of Health and Human Services maintains a complete list of covered entities on its website.
“HIPAA is primarily going to apply to covered entities,” said Jarryd Rutter, an HR coach at Paychex. “That is where HIPAA is most impactful: for those industries and obligations, not only to customers but their employees.”
Rutter noted that Paychex does not give its clients legal advice and recommended that businesses consult with legal counsel if they are concerned about their HIPAA obligations.
HIPAA also applies to organizations that do business with covered entities and handle or process patients’ protected health information in some way. These organizations are known as “business associates” under the law and are also required to abide by HIPAA regulations.
“Sometimes we get pushback from a client we are helping because they are hesitant to send documents out of concern they are violating HIPAA when, in fact, they are not,” Rutter said. “A non-covered entity doesn’t have to be concerned with HIPAA; it’s really limited to if they offer health insurance plans and the handling of that health insurance info.”
Other employers are generally not covered by HIPAA and, therefore, are not required to abide by the strict privacy and security regulations included in the law. However, Rutter said, non-covered entities likely have some privacy and security obligations under other federal laws, such as the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA).
Whether you’re legally obligated to or not, it’s always wise to implement several levels of protection to safeguard sensitive employee information.
When does HIPAA apply to non-covered entities?
Although HIPAA doesn’t apply to most businesses, there is one unique circumstance under which employers should be aware of the law’s requirements. Employers that provide a self-funded health insurance plan are technically operating a covered entity: the health plan itself. This means the health insurance plan is subject to all of the requirements in HIPAA, while the primary business is not.
“Because that self-funded plan … is viewed as a covered entity, the health plan falls under HIPAA,” said Matt Fisher, partner at Mirick O’Connell and chair of the firm’s Health Law Group. “You end up having to wall off the information used for maintenance and operation of that plan. But, on the whole, HIPAA will really not apply to the general employer and employee relationship.”
Another common way employers come into contact with an employee’s PHI is through workers’ compensation claims, Fisher said. In these instances, clinical documentation from medical appointments might be required to support the workers’ compensation claim, and employers would need access to that information.
However, just because an employer can access this data does not necessarily mean HIPAA applies.
“Generally, the health information employers get through the employment relationship is not going to be covered by HIPAA,” Starkman said. “It may be covered by other state privacy laws.”
In the example of a workers’ compensation claim, HIPAA would govern the healthcare provider’s handling of protected health information and its release to the employer; the employee would be required to consent to this transmission of their healthcare data. Once that consent is given and the employer receives the information, HIPAA no longer applies.
What are examples of HIPAA violations?
HIPAA violations can be costly, so it is essential to avoid even unintentional violations. Civil penalties for HIPAA violations can exceed $50,000 per violation. Violations committed with malicious intent could result in criminal charges — in the most egregious cases, up to 10 years in prison and $250,000 in fines.
The first step in avoiding HIPAA violations is knowing some of the most common ones.
Unreported data breaches
Healthcare organizations are a major target for cybercriminals attempting to breach their networks and steal sensitive healthcare data. Covered entities must report data breaches to the individuals affected, to the secretary of the Department of Health and Human Services and, in some cases, to the media.
To avoid data breaches, ensure that you’re using highly rated antivirus software that is up-to-date and that all data is encrypted in storage and transmission. Update your software on all connected devices regularly to patch vulnerabilities hackers exploit. Decommission outdated devices and remove them from your network; dispose of them per HIPAA regulations.
If you are unsure whether your sensitive network information is protected, conduct a cybersecurity risk assessment on your company to see where potential weak points may occur.
Loss of devices
Any given hospital houses thousands of connected medical devices, all of which contain protected health information. The loss or theft of these devices could lead to the loss of sensitive data unless they are properly password-protected and encrypted in accordance with HIPAA. A failure to do so that results in a data breach is a HIPAA violation that could easily be avoided.
Unauthorized access to data
Employees accessing data they do not need or are not authorized to access usually constitutes a HIPAA violation. To avoid this problem, implement authorization systems that require employees to confirm their identities before accessing restricted information, and grant each role only the fields it needs. Establish clear policies and procedures around authorizations, and define consequences for accessing information fraudulently.
Failure to encrypt data
Under HIPAA, all data must be encrypted. The law does not specify a precise standard, but the National Institute of Standards and Technology recommends Advanced Encryption Standard (AES) 128 at a minimum. Failure to encrypt devices, data in storage and data in transit likely constitutes a HIPAA violation. Avoid this by ensuring that all data in your network is encrypted to the highest possible standard.
Various laws govern how and for how long you must store employee data, including healthcare information. Check out our article on employee personnel files if you are interested in learning more about document storage and retention.
HIPAA compliance checklist
If you are a covered entity or a business associate of a covered entity, HIPAA regulations apply to you. To ensure you remain compliant, follow this helpful HIPAA compliance checklist from HIPAA Journal:
- Identify which audits apply to your organization.
- Conduct those audits internally, then analyze the results and determine corrective measures.
- Implement the corrective measures and document them. Review compliance annually.
- Appoint a HIPAA compliance officer. Alternatively, appoint dedicated privacy and security officers.
- Task the HIPAA compliance officer(s) with training all employees on HIPAA obligations.
- Document HIPAA training and staff member completion of the training program.
- Perform annual due diligence assessments on any business associates to ensure HIPAA compliance.
- Establish processes for reporting breaches and notifying the Department of Health and Human Services Office for Civil Rights.
Following this checklist and establishing a clear set of policies and procedures regarding HIPAA compliance can put your organization in a better position to meet the strict privacy and security requirements included in the law.
Skye Schooley contributed to this article. Source interviews were conducted for a previous version of this article.