What Does HIPAA Compliance Mean?

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that sets national standards to protect the privacy and security of individuals’ health information.

HIPAA Regulations Apply To

  • Covered Entities: Healthcare providers, health plans (including employer-sponsored group health plans), and healthcare clearinghouses.
  • Business Associates: Organizations that create, receive, maintain, or transmit protected health information on behalf of a covered entity.
    • Within an employer, staff who administer benefits for the group health plan handle PHI on the plan's behalf and are bound by the plan's HIPAA obligations.

How Does HIPAA Impact Employers?

1. Understanding Protected Health Information (PHI)

Employers may encounter Protected Health Information (PHI) if they manage employee health benefits, wellness programs, or handle work-related injury claims.

PHI Includes:

  • Medical records, diagnoses, and treatments
  • Health insurance information, including enrollment and claims data
  • Social Security Numbers and other identifiers when tied to health benefits or claims
  • Information about an employee’s physical or mental health held by or for a health plan or provider

Note that records an employer keeps in its capacity as an employer (for example sick-leave notes or FMLA and ADA accommodation paperwork) are excluded from HIPAA’s definition of PHI, even though other laws protect them.

2. Employers as Covered Entities or Business Associates

If an employer sponsors a self-insured group health plan, the plan itself is a covered entity, and the employer, as plan sponsor, is responsible for maintaining HIPAA compliance on the plan’s behalf: PHI must be limited to the staff who administer the plan and kept separate from general HR records.

Additionally, an employer may be a business associate if it provides services to healthcare providers or insurers that involve creating, receiving, maintaining, or transmitting PHI on their behalf.

Key HIPAA Concerns for Employers

1. Employee Health Information Privacy

Access to any Protected Health Information (PHI) must be restricted to authorized personnel, and limited to the minimum necessary for the task at hand. Employers are required to protect the privacy of employee health information accessed through:

  • Self-insured group health plans
  • Workers’ compensation claims
  • Wellness programs
  • Health screenings

Using or disclosing PHI for employment-related decisions, such as hiring or promotions, is prohibited under HIPAA.

2. Security of Electronic Health Information

The HIPAA Security Rule requires covered entities and business associates to safeguard electronic PHI (ePHI) through administrative, physical, and technical safeguards, including:

  • Encrypting ePHI at rest and in transit so that a lost device or an intercepted message does not expose readable data
  • Implementing access controls
    • e.g. unique user IDs, authentication, role-based permissions limited to the minimum necessary, and audit logs of who accessed ePHI
  • Conducting regular security risk analyses and acting on the findings

3. Breach Notification Requirements

If there is a breach of unsecured PHI, employers who are covered entities or business associates must notify:

  • Affected individuals, without unreasonable delay and no later than 60 days after discovering the breach
  • The Secretary of Health and Human Services (HHS)
  • Prominent media outlets, when a breach affects more than 500 residents of a state or jurisdiction
  • A business associate must also notify the covered entity whose PHI was breached

Failure to comply with breach notification requirements can result in significant fines and legal consequences.

4. Wellness Programs and HIPAA

Many employers offer wellness programs to promote employee health and reduce healthcare costs.

However, if these programs are linked to a group health plan, they must comply with HIPAA’s privacy and security rules.

How Can Employers Ensure HIPAA Compliance?

Employers should ensure that

  • Any employee health data collected through wellness initiatives is kept confidential
  • All wellness program vendors comply with HIPAA if they access employee health information

The Best Way to Ensure HIPAA Compliance

  • Limit Access to PHI: Ensure only authorized personnel access health information, and never use it for HR or employment decisions.
  • Train Employees on HIPAA: Provide training on handling sensitive health information, especially for those managing health benefits or wellness programs.
  • Implement Security Measures: Protect electronic health information through encryption, access controls, audit logging, and secure storage.
  • Develop Breach Response Plans: Establish procedures for responding to data breaches, including notifying affected individuals and HHS within the required timeframes.
  • Partner with Compliant Vendors: If using third-party vendors (e.g., benefits administrators), ensure they comply with HIPAA and sign a Business Associate Agreement (BAA) before they receive any PHI.

Consequences of Non-Compliance for Employers

Non-compliance with HIPAA can lead to

  • Fines and Penalties: Civil penalties range from $100 to $50,000 per violation, with a maximum annual cap of $1.5 million for violations of the same provision (these are the statutory base amounts; HHS adjusts them annually for inflation). Willful neglect places a violation in the highest penalty tier.
  • Criminal Charges: Knowingly obtaining or disclosing PHI in violation of HIPAA can result in criminal prosecution, with harsher penalties when it is done under false pretenses or for commercial gain.
  • Legal Action: HIPAA itself gives individuals no private right of action, but employees whose PHI is compromised may sue employers under state negligence or privacy laws.
  • Reputational Damage: Breaches can harm employees’ trust in their employer, especially if health information is mishandled.
