In your role, you have access to plenty of sensitive information. Your colleagues are trusting you to keep it safe. But what does the law say about privacy rights?
One of the most highly protected types of information is health-related data. Some HR departments hold only scattered pieces of health information in employees' employment records, like sick notes and workers' compensation claims. Other small businesses that use a self-insured method to pay for employees' medical expenses hold much more.
How much of this information is protected by the Health Insurance Portability and Accountability Act (HIPAA)? The information below will help you abide by HIPAA compliance laws.
What information do you need to protect to comply with HIPAA? Here's what every small business needs to know.
As it applies to a typical company's HR practices, HIPAA does not cover general employment records. While employment records could contain some health information by happenstance, they don't qualify for HIPAA. The more crucial consideration, however, is how your employee health plans function.
At many companies, the HR department contracts a health insurance company to provide health benefits. In this case, the HIPAA liability falls to the insurance company.
On the other hand, let's say you pay employees' medical expenses as a "self-insured" plan. In this case, your company is functioning as an insurance company in a way. These records are protected by HIPAA, so HIPAA compliance needs to be a priority.
One situation in which you may receive medical information is when employees take sick days. Let's say your company has a policy that an employee needs a doctor's note for a paid sick day.
In this case, the employee needs to get the note from their physician. As the HR representative, you can't contact the physician to request the note directly.
Your request itself isn't a HIPAA violation. However, the doctor would violate HIPAA if they give you the information. While you aren't liable by law, you don't want to initiate a HIPAA violation and lose your colleagues' trust.
Many small businesses designate a HIPAA compliance officer, often the designated HR representative or admin. This person is thoroughly informed about HIPAA, and they're responsible for guiding the rest of the company's compliance.
While you can have a HIPAA compliance officer, you need to educate the rest of your leadership team thoroughly as well. No matter how rarely you think an employee would be in a position to compromise confidential information, it can happen.
Have a well-documented training course every organizational leader has to complete. You should also have some type of written documentation or certificate to place in an employee's file when he/she has completed the training.
On top of the law's basics, educate your employees about how to avoid the risks of social engineering. HIPAA-breaking social engineering involves manipulating people into giving out employees' medical information.
For instance, someone may call your office and say they're a new employee and they can't get into the health plan management software. Without thinking, your staff gives them the log-in information. Provide staff members with training about how to avoid these situations and detect fraud.
Employee onboarding shouldn't be the only time your HR administrator hears about HIPAA, though. Consider having refresher courses every once in a while to remind employees about the main points. You could also give employees a quiz from time to time to see if they still have all the knowledge they need.
One of the most common HIPAA violations is neglecting to protect against a data breach. Most people think of HIPAA violations as giving information to the wrong people. However, leaving the information vulnerable for the wrong people to take is just as bad.
When you're hiring for your IT team, look for candidates who understand the importance of security. Even if you aren't planning to add new personnel, make sure your IT team has safeguards in place for employees' health plan information.
If you're like many companies, you contract with a health insurance company for your employees' health plans. Most small businesses take it for granted that these insurance companies will protect their employees' health information. However, this isn't an assumption you should make.
Instead, review your health plan contracts and make sure you stipulate that the insurance company will follow HIPAA laws. Ensure that the language is all up-to-date.
As explained above, the information in your HR files is not always protected under HIPAA. Still, this doesn't mean you should be lax with your security. There are other legalities that you must take into consideration when maintaining your medical records, such as the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).
- Title I of the ADA states that information obtained by an employer about an employee's or applicant's medical condition or history must be collected on separate forms, kept in separate medical files, and treated as a "confidential medical record."
- Also, if an employer receives genetic information obtained under one of GINA's limited exceptions, they must keep this information separate from personnel files and treat it as a confidential medical record. This information may be maintained in the same file as all other medical information.
If you lose your colleagues' trust, you could open the door to a variety of other issues. It's a good idea to protect their health information even if it isn't protected by HIPAA.
HIPAA compliance can be a tricky law to understand. It's an obvious concern for medical offices and health insurance providers. However, it should also be a consideration for any company that handles employees' health information.
Protecting your colleagues' information is about more than doing the minimum required by law. It's also a way to maintain trust within your organization and to protect your company's integrity as a whole.
Privacy protection is just one of the major roles you play as a small business with professional employment practices. For more tips on how to keep your HR department running smoothly, check out our human resources blog.
Disclaimer: HR Branches provides general information about Human Resources. Please note that the information provided, while reliable, is not legal advice. Please seek legal assistance, or assistance from State, Federal, or International governmental resources, to make sure your legal interpretation and decisions are correct for your location and circumstances. The purpose of this information is for guidance, ideas, and assistance on general HR matters.