Welfare capitalism has paved the way for comprehensive employee healthcare schemes, highlighting the growing responsibility of employers to safeguard sensitive health information.
As businesses increasingly offer health benefits like insurance plans, wellness programs, and flexible spending accounts, the need for strict privacy and security standards has never been more critical.
This is where the Health Insurance Portability and Accountability Act (HIPAA) plays a vital role.
This compliance isn’t just a legal requirement—it’s a commitment to respecting employee privacy and maintaining trust in workplace health programs.
This guide discusses various facets of HIPAA law and employers, including what is a HIPAA violation, what is HIPAA compliance, what is the purpose of HIPAA, which organization is a covered entity under HIPAA, and what best practices to adopt.
What is HIPAA?
The Health Insurance Portability and Accountability Act is a U.S. law passed in 1996 that requires you to protect sensitive employee health information.
As part of human resource management, you can access sensitive information about employee healthcare and insurance purposes, but you must ensure the privacy and security of personal medical data.
What is HIPAA in simple terms:
Making a company HIPAA-compliant means following two major rules:
- Privacy Rule: This rule gives patients rights regarding their Protected Health Information (PHI), such as the right to access their records and request restrictions on specific uses and disclosures.
- Security Rule: Implementing appropriate administrative, physical, and technical safeguards to secure ePHI.
What are the goals of HIPAA law?
The law mandates you to:
- Safeguard your employees' personal health information (PHI).
- Prevent unauthorized access or data breaches.
- Support employees in maintaining health insurance coverage during job changes.
- Standardize electronic healthcare transactions for compliance.
- Avoid penalties by adhering to regulations.
Who Does HIPAA Apply To?
HIPAA applies to groups of Covered Entities and Business Associates.
Covered entities handle data directly, while business associates assist with operations. Moreover, HIPAA security and privacy regulations apply to both—protecting PHI and reporting breaches or unauthorized access immediately.
Covered entities
Covered entities are organizations directly involved in healthcare services, billing, or insurance.
Examples of such covered entities:
- Healthcare Providers: Doctors, hospitals, clinics, dentists, pharmacies, and psychologists.
- Health Plans: Insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare and Medicaid.
- Healthcare Clearinghouses: Companies that process health information, such as billing services and data management firms.
If you sponsor a self-insured health plan, you are likely a covered entity. HIPAA applies to you then, and you may be responsible for the following:
- Provide patients access to their records and allow corrections.
- Limit sharing of information without patient consent.
- Safeguard patient health information and report data breaches to affected individuals and government authorities.
- Educate staff on handling PHI securely and responding to incidents.
Business associates
Business associates are third-party vendors or partners that handle or process PHI on behalf of covered entities.
Examples of Business Associates:
- IT Service Providers: Companies managing data storage, cloud computing, or cybersecurity.
- Billing and Coding Services: Firms processing payments or insurance claims.
- Legal and Accounting Firms: Professionals who access PHI for audits, compliance checks, or legal advice.
- Marketing Agencies: Teams working on campaigns that may involve patient information.
You may be considered a business associate if you handle PHI on behalf of a covered entity. In this case, you must comply with the act to protect PHI, and you are responsible for the following:
- Sign a Business Associate Agreement (BAA) to confirm compliance.
- Implement security measures like encryption and firewalls.
- Report breaches or unauthorized access immediately.
When Does HIPAA Apply to Employers?
The most direct answer to whether this act applies to employers is NO.
However, you must comply with the rules when handling PHI, especially when processing employee health plans and benefits administration.
HIPAA-covered transactions
The transactions covered by this act refer to electronic exchanges of healthcare information that follow administrative standards.
The first step toward security rule compliance is to safeguard and protect transactions covered by the act:
Self-Insured health plans
When managing a self-insured health plan, you must comply with the Act’s Privacy, Security, and Breach Notification Rules to protect employees' health information.
This includes:
Does HIPAA apply to employers offering fully insured health plans?
Your compliance requirements remain the same for self-insured and fully insured health plans:
When Does HIPAA Not Apply?
- General Employment Records—HIPAA does not cover records related to sick leave, disability forms, or workplace injury reports unless linked to a health plan.
- Drug Testing Results—Results collected directly for workplace safety programs are not protected under HIPAA.
What Does Partial Compliance Mean for Employers?
There is no defined concept of partial compliance within the HIPAA rules. The term describes an attempt to meet some, but not all, of the HIPAA compliance requirements. This usually happens when:
- You might be tempted to think that HIPAA doesn't fully apply to you because you only handle a small amount of employee health information. This is a dangerous assumption.
- Even limited exposure to PHI carries significant risks. You might implement some security measures, such as password protection, but neglect others, leaving critical vulnerabilities open or overlooking crucial safeguards.
Employer certification requirements
It is voluntary to obtain employer certification for HIPAA compliance. However, certification requirements for HIPAA for two major categories—covered entities and business associates—involve:
- Selecting a Security & Privacy Officer
- Establishing privacy policies
- Establishing security procedures to protect PHI
- Establishing Business Associate Agreements with vendors.
Common HIPAA Violations by Employers
You risk violating HIPAA rules if you fail to properly protect sensitive health data when offering self-insured health plans. Common violations you should be aware of include:
- Failing to store PHI securely or not encrypting electronic PHI (ePHI) could expose sensitive data.
- Sharing PHI without consent or discussing it publicly could lead to violations.
- Not having clear security policies or insufficient employee training on PHI protection puts you at risk.
- If you encounter a PHI breach, you must report it within the required time frame, or you could be penalized.
- Using third-party vendors without signed BAAs means they aren't bound to HIPAA, which can cause issues.
- Failing to keep proper records of your HIPAA compliance efforts can lead to trouble during audits.
- Sending PHI via unencrypted email or insecure methods is against HIPAA regulations.
- Retaining or disposing of PHI improperly, such as not securely destroying records, is a violation.
Top 3 examples of HIPAA violations
Here’s a table summarizing the top 3 examples of HIPAA violations by employers:
Common misconceptions about who must comply with HIPAA
Here’s a summary of the seven common HIPAA misconceptions by employers:
- HIPAA regulates employers: HIPAA does not regulate employers as a whole. It applies to covered entities. You’ll be affected by HIPAA only if you handle PHI when acting as a business associate for your group health plan or other relevant roles.
- HIPAA covers all health information you receive: Not all health information you receive is subject to HIPAA. Only health information related to your group health plan is considered PHI.
- Health information from an employee's healthcare provider is always PHI: If you receive health information from an employee’s healthcare provider for employment-related reasons (such as medical inquiries or ADA accommodations), that information is no longer considered PHI once it’s in your possession.
- You don’t have to comply with HIPAA if you have fully insured medical coverage: If you have a fully insured health plan, you need not comply with HIPAA's privacy rules unless you assist employees with claims or access individual health information. Self-funded plans, however, are always subject to HIPAA.
- Under HIPAA, you cannot provide employees’ health information about workers' compensation claims: However, you can disclose it to resolve compensation claims or comply with workplace safety laws.
- HIPAA preempts state privacy laws: While it is federal, it does not always override state laws.
- Employees can sue you for a HIPAA violation: Employees cannot sue you directly for HIPAA violations.
Preventing employer HIPAA violations
You can follow the below tips to stay HIPAA compliant and avoid common pitfalls:
- Create clear, comprehensive policies and procedures around HIPAA compliance.
- Implement role-based access controls to PHI.
- Regularly review and update access permissions to identify potential breaches or misuse of sensitive information.
- Protect PHI by using encryption both when it is stored and transmitted.
- Develop a response plan for data breaches or HIPAA violations.
- Ensure all third-party vendors or business associates that handle PHI follow HIPAA-compliant processes at the workplace.
- HIPAA and workplace regulations can evolve. Therefore, it is important to regularly check for updates from the Department of Health and Human Services (HHS).
How to Make a Company HIPAA Compliant
Here’s a step-by-step to help you achieve compliance:
Step 1: Conducting a compliance assessment
The first step is to assess whether you are a covered entity or a business associate, and therefore whether the HIPAA Security Rule applies to you. Further, you can consider taking the following actions:
- Review your role: Are you providing health care services, managing group health plans, or working with providers and insurers?
- Assess your obligations: If you handle PHI in any capacity, you are subject to HIPAA rules, even if you are not a direct health care provider. Determine your compliance obligations for remote employees as well.
- Scope of compliance: Understand the specific regulations that apply to your role, such as the Privacy, Security, or Breach Notification Rule.
Step 2: Training and awareness for employees
HIPAA compliance starts with your team. You can consider taking the following actions:
- Ensure all employees, particularly those handling PHI, undergo HIPAA training. The training should include an overview of HIPAA, an explanation of what constitutes PHI, the potential risks of non-compliance, and tips on preventing security breaches.
- Since regulations and technology evolve, provide continuous training and refreshers on privacy and security practices.
- Ensure employees understand their responsibilities when handling PHI, including who to contact if they suspect a violation or breach.
This covers the common question of what HIPAA requires of you with respect to employees.
Step 3: Implementing security measures
The security rule mandates that covered entities and business associates implement security measures to protect PHI from unauthorized access, alteration, or destruction. You can consider taking the following actions:
- Ensure the security of all physical or electronic systems used to store or transmit PHI. This may involve implementing encrypted databases, secure email systems, and strong password protocols.
- Encryption protects PHI at rest (stored data) and in transit (data sent over networks). This helps prevent unauthorized access and data breaches.
- Implement role-based access controls, ensuring only authorized personnel can access PHI. Regularly audit access logs to track who is accessing sensitive information and identify any potential risks.
- Ensure that paper records containing PHI are securely stored and that physical access to your organization’s computers and servers is restricted to authorized personnel.
Step 4: Establish policies and procedures
Develop clear, written policies and procedures that govern how your organization handles PHI, from collection to disposal. You can consider taking the following actions:
- Define how PHI will be collected, used, shared, and protected. Ensure that employees understand and consistently follow these policies.
- Create guidelines on maintaining PHI's confidentiality, integrity, and availability.
- Establish a plan for responding to potential HIPAA violations or data breaches. This should include reporting protocols, investigation procedures, and corrective actions.
Step 5: Monitor compliance and audit regularly
Regular monitoring and audits are essential for ensuring continued compliance with HIPAA regulations. You can consider taking the following actions:
- Conduct periodic audits of your organization’s PHI handling practices and security measures.
- Assess potential risks to PHI and implement strategies to mitigate those risks.
- Keep records of your compliance efforts, including training programs, security measures, and audits, to demonstrate your commitment to HIPAA.
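The role-based access controls and access-log audits described under Step 3, and the periodic audit of PHI handling under Step 5, can be combined into one small mechanism. The following Python example is added here for illustration; it is not code from the original page or from Skuad. The roles, the "minimum necessary" field sets per role, the user names, the business-hours window and the volume threshold are all constructed assumptions, as is the sample PHI record.

```python
"""Role-based access to PHI with an audit trail and a periodic audit review.

Added example, not code from the original page or from Skuad.
Roles, field names, users and the sample accesses are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Minimum-necessary view per role (constructed): each role sees only the
# PHI fields it needs for its job. Any role not listed gets nothing.
ROLE_FIELDS = {
    "benefits_admin": {"employee_id", "plan_id", "coverage_tier"},
    "claims_processor": {"employee_id", "plan_id", "claim_id", "diagnosis_code", "amount"},
    "payroll": {"employee_id", "plan_id", "premium_deduction"},
}

BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 (assumed); access outside is flagged


@dataclass
class PHIStore:
    records: dict                              # employee_id -> full PHI record
    audit_log: list = field(default_factory=list)

    def access(self, user, role, employee_id, purpose, when):
        """Return only the fields `role` may see; log every attempt, granted or not."""
        entry = {
            "ts": when.isoformat(), "user": user, "role": role,
            "employee_id": employee_id, "purpose": purpose,
        }
        allowed = ROLE_FIELDS.get(role, set())
        record = self.records.get(employee_id)
        if not allowed or record is None:
            entry["outcome"] = "denied"
            self.audit_log.append(entry)
            raise PermissionError(f"{user} ({role}) denied access to {employee_id}")
        entry["outcome"] = "granted"
        entry["fields"] = sorted(allowed & set(record))
        self.audit_log.append(entry)
        return {k: v for k, v in record.items() if k in allowed}


def audit_findings(log, max_per_user_per_day=20):
    """Periodic review of the audit log: denied attempts, after-hours access
    and unusually high per-user daily volume are returned as findings."""
    findings = []
    per_user_day = {}
    for entry in log:
        ts = datetime.fromisoformat(entry["ts"])
        key = (entry["user"], str(ts.date()))
        per_user_day[key] = per_user_day.get(key, 0) + 1
        if entry["outcome"] == "denied":
            findings.append(("denied_access", entry["user"], entry["employee_id"]))
        elif ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", entry["user"], entry["employee_id"]))
    for (user, day), n in per_user_day.items():
        if n > max_per_user_per_day:
            findings.append(("high_volume", user, day))
    return findings


def run_sample():
    """Constructed scenario exercising all three checks; returns the results."""
    store = PHIStore(records={
        "E100": {"employee_id": "E100", "plan_id": "PPO-1", "coverage_tier": "family",
                 "claim_id": "C-77", "diagnosis_code": "Z00.00", "amount": 120.0,
                 "premium_deduction": 210.5},
    })
    day = datetime(2024, 3, 4)
    # Normal in-role access: the benefits admin never sees the diagnosis code.
    alice_view = store.access("alice", "benefits_admin", "E100", "enrollment change",
                              day.replace(hour=10))
    # In-role but at 23:40: granted now, flagged as after-hours by the review.
    store.access("bob", "claims_processor", "E100", "claim review",
                 day.replace(hour=23, minute=40))
    # Out-of-role request: denied, and the attempt itself is logged.
    try:
        store.access("carol", "marketing", "E100", "campaign list", day.replace(hour=11))
    except PermissionError:
        pass
    # 25 lookups by one payroll user in a day exceeds the volume threshold.
    for _ in range(25):
        store.access("dave", "payroll", "E100", "deduction check", day.replace(hour=9))
    return {"alice_view": alice_view, "log": store.audit_log,
            "findings": audit_findings(store.audit_log)}


if __name__ == "__main__":
    for finding in run_sample()["findings"]:
        print(finding)
```

Two design points matter here. Denied attempts are written to the audit log before the exception is raised, so a review sees who tried to reach PHI outside their role, not just who succeeded. And the per-role field sets enforce the "minimum necessary" idea directly: a benefits administrator is never handed a diagnosis code, so there is nothing to leak from that role even if the view is mishandled later.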
Step 6: Maintain business associate agreements
If you work with third-party vendors or contractors who have access to PHI, you must have a Business Associate Agreement (BAA) in place. This legally binding contract ensures that your business associates comply with HIPAA regulations and protect PHI appropriately.
HIPAA and the Workplace
You need to understand the broader implications of HIPAA in your workplace, especially when it interacts with other regulations like OSHA, FMLA & ADA, and the Privacy Act:
- OSHA: While OSHA requires you to document workplace injuries, you must also set up systems to protect any health data you collect according to HIPAA's privacy rules.
- FMLA & ADA: These laws may require you to collect medical information to handle leave requests or accommodate employees. Even though such information is outside HIPAA compliance, you must protect such information.
- The Privacy Act: The Privacy Act governs personal data in federal records, adding an extra layer of compliance you must adhere to.
You must carefully navigate HIPAA and the workplace regulations to ensure compliance with each one while protecting employee health information.
HIPAA vs. other data privacy laws
Here’s a comparison of HIPAA and other data privacy laws, such as the California Privacy Rights Act (CPRA), to help clarify your responsibilities as an employer:
HIPAA and remote work
To ensure HIPAA compliance in remote work scenarios, you should implement the following measures:
- Use secure VPNs and encourage employees to connect to encrypted Wi-Fi networks.
- Encrypt company devices and ensure encrypted communication for sharing PHI.
- Provide employee training on security protocols, remote work policies, and recognizing phishing attempts.
- Track employee access to PHI and conduct regular audits to detect unauthorized access, with a clear response plan for any security incidents.
How Skuad Ensures Global Compliance
HIPAA applies to employers primarily when they manage group health plans or handle protected health information (PHI) related to employees.
If your organization is involved in self-insured health plans or acts as a business associate, you must comply with HIPAA's Privacy and Security Rules, which safeguard PHI. Even if your company has fully insured plans, compliance is still necessary if you access PHI for administrative purposes. This could create HR management challenges, leading to a compliance burden.
Fortunately, there are specialized HR solutions like Skuad. Our employer-of-record platform streamlines hiring, paying, and managing employees across multiple regions while helping companies comply with HIPAA’s privacy and security standards and other legal requirements.
With Skuad’s expertise, your organization can confidently navigate the complexities of global employment while safeguarding sensitive health information.
Book your demo today to match your use case.
FAQs
1) What is a HIPAA violation by an employer?
A HIPAA violation by an employer amounts to accessing, sharing, or deleting employees' Protected Health Information without authorization. Additionally, limiting employees' access to their PHI when offering self-insured health plans amounts to a HIPAA violation by an employer.
2) How does HIPAA apply to HR?
HIPAA applies to HR policies regarding the control and limitation of access to sensitive health-related information and the reporting of any breach to individuals and respective authorities.
3) Can my employer talk about my medical condition with other employees?
No, an employer cannot discuss a medical condition with another employee without explicit permission from the aggrieved employee. If found to have violated this policy, employees can sue for breach of privacy rules.
4) Who does HIPAA not apply to?
HIPAA does not apply to:
- Employers, unless they manage group health plans or act as business associates.
- Life insurers
- Workers' compensation carriers
- Schools and school districts
- Many personal health information holders, such as family members or friends
- Fitness centers or gyms
- Internet-based health information platforms that are not involved in electronic healthcare transactions
5) Are employers exempt from HIPAA?
Yes, employers are exempt from HIPAA unless they manage group health plans or act as business associates.
6) Is it a HIPAA violation for an employer to call your doctor?
Employers can generally call an employee's doctor in emergencies. However, HIPAA protects the security and privacy of employee health information, and violating it can result in hefty fines and penalties.