When does HIPAA apply to employers, and how should they ensure compliance? This guide answers common employer questions about HIPAA obligations.
In the healthcare industry, patient data is considered sensitive and, as such, is subject to certain privacy and security requirements to ensure it remains confidential. Some employers may find themselves handling this protected health information (PHI) and could be required under federal law to handle that data in a specific way. It is important for all employers to understand the federal law known as HIPAA and how it applies (or doesn't apply) to them.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy standards by which healthcare organizations are required to protect sensitive patient information. Since it was signed in 1996, HIPAA has been updated periodically to evolve alongside technology, adapting to include cybersecurity standards required of all "covered entities" and their business associates.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule is the section of the law that specifically relates to the confidential handling and transmission of patient healthcare data. Measures in the Privacy Rule include an enumeration of individuals' rights under the law, such as how they can control and access their own healthcare information.
Moreover, the Privacy Rule prescribes how healthcare organizations and other covered entities and business associates must handle protected health information. This includes requirements governing both process and technology; not only must protected health information be handled properly, but it must also be stored securely.
"It requires you to protect and maintain the security of PHI, which is a defined term that deals generally with health information that can be identified and tied to a specific individual," Paul Starkman, an employment attorney for Clark Hill, told business.com. "It deals with how the information must be protected in terms of encryption, password protection and things like that. It also deals with transmission … and it has some other requirements too in terms of disposing [of] PHI once it is no longer needed."
Starkman said this includes information from paper files, digital files and machines and equipment that become outdated or are no longer in service.
"Those need to be disposed of in accordance with HIPAA guidelines," he said.
Which types of businesses does HIPAA apply to?
The stringent requirements included in HIPAA don't apply to all employers – just those that fall into a certain category.
The term "covered entities" refers to organizations that are required to comply with the rules set out under HIPAA. Covered entities include doctors' offices, hospitals, insurance companies, insurance plans and clearinghouses. The U.S. Department of Health and Human Services maintains a full list of covered entities on its website.
"HIPAA is primarily going to apply to covered entities," said Jarryd Rutter, an HR coach at Paychex. "That is where HIPAA is most impactful: for those industries and obligations, not only to customers but their employees."
Rutter noted that Paychex does not give its clients legal advice and recommended that businesses consult with legal counsel if they are concerned about their HIPAA obligations.
HIPAA also applies to organizations that do business with covered entities and handle or process patients' protected health information in some way. These organizations are known as "business associates" under the law and are also required to abide by HIPAA regulations.
"Sometimes we get pushback from a client we are helping because they are hesitant to send documents out of concern they are violating HIPAA when, in fact, they are not," Rutter said. "A non-covered entity doesn't have to be concerned with HIPAA; it's really limited to if they offer health insurance plans and the handling of that health insurance info."
Other employers are generally not covered by HIPAA and, therefore, are not required to abide by the strict privacy and security regulations included in the law. However, Rutter said, non-covered entities likely have some privacy and security obligations under other federal laws, such as the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA). [Read related article: How the FMLA Applies to Your Small Business]
When does HIPAA apply to non-covered entities?
Although HIPAA doesn't apply to most businesses, there is one unique circumstance in which employers should be aware of the law's requirements. Employers that provide a self-funded health insurance plan are technically operating a covered entity: the health plan itself. This means the health insurance plan is subject to all of the requirements in HIPAA, while the primary business is not.
"Because that self-funded plan … is viewed as a covered entity, the health plan falls under HIPAA," said Matt Fisher, healthcare attorney at Mirick O'Connell. "You end up having to wall off the information used for maintenance and operation of that plan. But, on the whole, HIPAA will really not apply to the general employer and employee relationship."
Another common way employers come into contact with an employee's PHI is through workers' compensation claims, Fisher said. In these instances, clinical documentation from medical appointments might be required to support the workers' compensation claim, and employers would need access to that information.
However, just because an employer has access to this data, it does not necessarily mean HIPAA applies.
"Generally, the health information employers get through the employment relationship is not going to be covered by HIPAA," Starkman said. "It may be covered by other state privacy laws."
In the example of a workers' compensation claim, HIPAA would govern the healthcare provider's handling of protected health information and its release to the employer; the employee would be required to consent to this transmission of their healthcare data. Once that consent is given and the information is received by the employer, however, HIPAA no longer applies.
What are examples of HIPAA violations?
HIPAA violations can be costly, so it is important to avoid even unintentional violations. Civil penalties for HIPAA violations can exceed $50,000 per violation. Violations committed with malicious intent could result in criminal charges – in the most egregious cases, up to 10 years in prison and $250,000 in fines.
The first step in avoiding HIPAA violations is knowing some of the most common ones.
Unreported data breaches
Healthcare organizations are a major target for cybercriminals attempting to breach the networks and steal sensitive healthcare data. Covered entities must report data breaches to the individuals affected, the secretary of the Department of Health and Human Services and sometimes the media.
To avoid data breaches, ensure that your antivirus software is up-to-date and that all data is encrypted in storage and transmission. Update your software on all connected devices regularly to patch vulnerabilities exploited by hackers. Decommission outdated devices and remove them from your network; dispose of them per HIPAA regulations.
Loss of devices
There are thousands of connected medical devices in any given hospital, all of which contain protected health information. The loss or theft of these devices could lead to the loss of sensitive data unless they are properly password-protected and encrypted in accordance with HIPAA. A failure to do so that results in a data breach is a HIPAA violation that could be easily avoided.
Unauthorized access to data
Employees accessing data they do not need or are not authorized to access usually constitutes a HIPAA violation. To avoid this problem, implement authorization systems that require employees to confirm their identities before accessing restricted information. Establish clear policies and procedures around authorizations and consequences for accessing information fraudulently.
Failure to encrypt data
Under HIPAA, all data must be encrypted. The law does not specify a precise standard, but the National Institute of Standards and Technology recommends Advanced Encryption Standard (AES) 128 at a minimum. Failure to encrypt devices, data in storage and data in transit likely constitutes a HIPAA violation. Avoid this by ensuring that all data in your network is encrypted to the highest possible standard.
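The two controls described in the last two sections, role-based authorization before any read of PHI and AES-128 encryption of PHI at rest, are small enough to show together in working code. The following is an added example written for this guide, not code from the article, HIPAA Journal or NIST. It uses Go's standard crypto/aes and crypto/cipher packages (AES-128 in GCM mode, so tampering with a stored record is detected on decryption), a constructed 16-byte key, hypothetical role names and a hypothetical record-category policy, and it writes an audit entry for every access attempt, allowed or denied, since the audit trail is what lets you spot employees reading records they have no need for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Role is a hypothetical job role used for the access decision.
type Role string

const (
	RoleClinician Role = "clinician"
	RoleBilling   Role = "billing"
	RoleHR        Role = "hr" // employer-side staff, walled off from plan PHI
)

// policy maps a record category to the roles permitted to read it.
// This is an assumed, illustrative policy, not a HIPAA-defined one.
var policy = map[string][]Role{
	"clinical": {RoleClinician},
	"claims":   {RoleClinician, RoleBilling},
}

// AuditEntry records who tried to read what, and whether it was allowed.
type AuditEntry struct {
	When     time.Time
	User     string
	Role     Role
	RecordID string
	Allowed  bool
}

// PHIStore keeps each record as nonce||ciphertext under one AES-128 key.
type PHIStore struct {
	key   []byte
	data  map[string][]byte // recordID -> nonce || GCM ciphertext+tag
	kind  map[string]string // recordID -> category used by policy
	Audit []AuditEntry
}

// NewPHIStore rejects anything but a 16-byte (AES-128) key.
func NewPHIStore(key []byte) (*PHIStore, error) {
	if len(key) != 16 {
		return nil, errors.New("AES-128 requires a 16-byte key")
	}
	return &PHIStore{key: key, data: map[string][]byte{}, kind: map[string]string{}}, nil
}

func (s *PHIStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts plaintext with a fresh random nonce. The record ID is bound as
// additional authenticated data so a ciphertext cannot be swapped between records.
func (s *PHIStore) Put(recordID, category string, plaintext []byte) error {
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	s.data[recordID] = append(nonce, ct...)
	s.kind[recordID] = category
	return nil
}

// Get logs the attempt, enforces the role policy, and only then decrypts.
// A modified ciphertext or tag makes gcm.Open fail instead of returning garbage.
func (s *PHIStore) Get(user string, role Role, recordID string) ([]byte, error) {
	allowed := false
	for _, r := range policy[s.kind[recordID]] {
		if r == role {
			allowed = true
		}
	}
	s.Audit = append(s.Audit, AuditEntry{time.Now(), user, role, recordID, allowed})
	if !allowed {
		return nil, fmt.Errorf("role %q is not authorized for record %q", role, recordID)
	}
	blob, ok := s.data[recordID]
	if !ok {
		return nil, errors.New("no such record")
	}
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("stored record is truncated")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
}

// Tamper flips the last stored byte (part of the GCM tag) to simulate corruption.
func (s *PHIStore) Tamper(recordID string) {
	if blob, ok := s.data[recordID]; ok && len(blob) > 0 {
		blob[len(blob)-1] ^= 0x01
	}
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; use a KMS/HSM in practice
	store, _ := NewPHIStore(key)
	_ = store.Put("rec-1", "clinical", []byte("constructed PHI: dx example"))
	_, err := store.Get("bob", RoleHR, "rec-1")
	fmt.Println("HR read denied:", err != nil)
	pt, _ := store.Get("alice", RoleClinician, "rec-1")
	fmt.Println("clinician read:", string(pt))
	fmt.Println("audit entries:", len(store.Audit))
}
```

The key is passed in rather than generated so the store can be backed by whatever key management the organization already uses; the example only demonstrates that plaintext never sits on disk, that every read is attributable to a user and role, and that integrity failures surface as errors rather than as silently wrong data.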
HIPAA compliance for employers
If you are a covered entity or a business associate of a covered entity, HIPAA regulations apply to you. To ensure you remain compliant, follow this useful HIPAA compliance checklist from HIPAA Journal:
- Identify which audits apply to your organization.
- Conduct those audits internally; then analyze the results and determine corrective measures.
- Implement the corrective measures and document them. Review compliance annually.
- Appoint a HIPAA compliance officer. Alternatively, appoint dedicated privacy and security officers.
- Task the HIPAA compliance officer(s) with training all employees on HIPAA obligations.
- Document HIPAA training and staff member completion of the training program.
- Annually perform due diligence assessments on any business associates to ensure HIPAA compliance.
- Establish processes for reporting breaches and notifying the Department of Health and Human Services Office for Civil Rights.
Following this checklist and establishing a clear set of policies and procedures regarding HIPAA compliance can put your organization in a better position to meet the strict privacy and security requirements included in the law.
Employer HIPAA responsibilities and COVID-19
Although HIPAA applies only to covered entities and business associates, the law offers a good list of guidelines for other employers to follow as they implement employee COVID-19 testing and monitor employees for symptoms.
For example, many employers are requiring COVID-19 tests or on-site temperature checks for employees coming to work. Although HIPAA does not apply, handling or recording that type of health information is risky territory, so it behooves employers to adhere to HIPAA-like steps and to document their activities carefully.
"Most employers are really not specifically covered by HIPAA, but it provides best practices that employers generally tend to follow when keeping PHI about employees," Starkman said. "It should be kept under lock and key, in separate folders from personnel files.
"If you're [a non-covered entity] with employee health information, you're covered by different laws," Starkman added. "Primarily, the ADA has rules regarding how employers need to keep the medical information of employees. They tend to track the HIPAA requirements in terms of keeping files and computer documents under lock and key and in a secure manner."
Rutter said employers should turn to the ADA and the Equal Employment Opportunity Commission for guidance on handling employee information related to the COVID-19 pandemic. He said there are three steps every business should take when implementing COVID-19 testing and monitoring procedures:
- Document all policies and procedures.
- Restrict access to employee information to trained employees.
- Establish protocols in the event of a data breach or unauthorized access.
"Even non-covered entities should do this," Rutter said. "Taking proactive steps is key for any employer."