6 Things Small Businesses Need to Know About HIPAA Compliance

Aug 01, 2018

If your small business deals with sensitive patient/client information, then you're going to want your staff to be well versed in HIPAA laws and regulations. Here are 6 things you need to know about HIPAA compliance and your team.


In your role, you have access to plenty of sensitive information. Your colleagues are trusting you to keep it safe. But what does the law say about privacy rights?

One of the most highly protected types of information is health-related data. Some HR records contain only scattered pieces of health information in employees' employment records, such as sick notes and workers' compensation claims. Other small businesses, which use a self-insured method to pay for employees' medical expenses, hold much more.

How much of this information is protected by HIPAA, the Health Insurance Portability and Accountability Act? The information below will help you abide by HIPAA compliance laws.

What Small Businesses Need to Know About HIPAA Compliance

What information do you need to protect to comply with HIPAA? Here's what every small business needs to know.

1. What is Protected By HIPAA Laws

As it applies to a typical company's HR practices, HIPAA does not cover general employment records. While employment records could contain some health information by happenstance, they don't qualify for HIPAA. The more crucial consideration, however, is how your employee health plans function.

At many companies, the HR department contracts a health insurance company to provide health benefits. In this case, the HIPAA liability falls to the insurance company.

On the other hand, let's say you pay employees' medical expenses as a "self-insured" plan. In this case, your company is functioning as an insurance company in a way. These records are protected by HIPAA, so HIPAA compliance needs to be a priority.

2. Only Employees Can Provide Sick Notices

One situation in which you may receive medical information is when employees take sick days. Let's say your company has a policy that an employee needs a doctor's note for a paid sick day.

In this case, the employee needs to get the note from their physician. As the HR representative, you can't contact the physician to request the note directly.

Your request itself isn't a HIPAA violation. However, the doctor would violate HIPAA if they give you the information. While you aren't liable by law, you don't want to initiate a HIPAA violation and lose your colleagues' trust.

3. HIPAA Training is Necessary for Every HR Representative

Many small businesses designate a HIPAA compliance officer, often the HR representative or admin. This person is thoroughly informed about HIPAA, and they're responsible for guiding the rest of the company's compliance.

While you can have a HIPAA compliance officer, you need to educate the rest of your leadership team thoroughly as well. No matter how rarely you think an employee would be in a position to compromise confidential information, it can happen.

Have a well-documented training course every organizational leader has to complete. You should also have some type of written documentation or certificate to place in an employee's file when he/she has completed the training.

Social Engineering Training

On top of the law's basics, educate your employees about how to avoid the risks of social engineering. HIPAA-breaking social engineering involves manipulating people into giving out employees' medical information.

For instance, someone may call your office and say they're a new employee who can't get into the health plan management software. Without thinking, your staff gives them the login information. Provide staff members with training on how to avoid these situations and detect fraud.

Continued Training

Employee onboarding shouldn't be the only time your HR administrator hears about HIPAA, though. Consider having refresher courses every once in a while to remind employees about the main points. You could also give employees a quiz from time to time to see if they still have all the knowledge they need.

4. HIPAA Compliance Needs to Be a Focus for Your IT Department

One of the most common HIPAA violations is neglecting to protect against a data breach. Most people think of HIPAA violations as giving information to the wrong people. However, leaving the information vulnerable for the wrong people to take is just as bad.

When you're hiring for your IT team, look for candidates who understand the importance of security. Even if you aren't planning to add new personnel, make sure your IT team has safeguards in place for employees' health plan information.

5. You Should Review Your Health Plan Documents

If you're like many companies, you contract with a health insurance company for your employees' health plans. Most small businesses take it for granted that these insurance companies will protect their employees' health information. However, this isn't an assumption you should make.

Instead, review your health plan contracts and make sure you stipulate that the insurance company will follow HIPAA laws. Ensure that the language is all up-to-date.

6. Don't Take Security Lightly for Non-Protected Health Information

As explained above, the information in your HR files is not always protected under HIPAA. Still, this doesn't mean you should be lax with your security. There are other legal requirements that you must take into consideration when maintaining your medical records, such as the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA).

- Title I of the ADA states that information obtained by an employer about an employee's or applicant's medical condition or history must be collected on separate forms, kept in separate medical files, and treated as a "confidential medical record."

- Also, if an employer receives genetic information obtained under one of GINA's limited exceptions, it must keep this information separate from personnel files and treat it as a confidential medical record. This information may be maintained in the same file as all other medical information.

If you lose your colleagues' trust, you could open the door to a variety of other issues. It's a good idea to protect their health information even if it isn't protected by HIPAA.

Keeping Your HR Practices HIPAA-Compliant

HIPAA compliance can be a tricky law to understand. It's an obvious concern for medical offices and health insurance providers. However, it should also be a consideration for any company that handles employees' health information.

Protecting your colleagues' information is about more than doing the minimum required by law. It's also a way to maintain trust within your organization and to protect your company's integrity as a whole.

Privacy protection is just one of the major roles you play as a small business with professional employment practices. For more tips on how to keep your HR department running smoothly, check out our human resources blog.


Disclaimer: HR Branches provides general information about Human Resources. Please note that the information provided, while reliable, is not legal advice. Please seek legal assistance, or assistance from State, Federal, or International governmental resources, to make sure your legal interpretation and decisions are correct for your location and circumstances. The purpose of this information is for guidance, ideas, and assistance on general HR matters.
