Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was enacted to ensure protection of individuals’ protected health information (PHI) and requires employers to protect employee medical records as confidential. HIPAA includes regulations that cover how employers must protect employees’ medical privacy rights and the privacy of their health information. In general, HIPAA protects individuals from the unauthorized use or disclosure of any protected health information.

Applicability of HIPAA

The HIPAA Privacy Rule only applies to Covered Entities, which are defined as:

  • A health plan

  • A health care clearinghouse

  • A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. Generally, these transactions concern billing and payment for services or insurance coverage.

For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities.

Covered entities can be institutions, organizations, or persons.

How HIPAA affects employers

Employers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance because the insurance company (the health plan) is the covered entity and will be required to comply with HIPAA.

Most of the information contained in personnel files and records is not classified as protected health information (PHI). The regulations state that PHI excludes individually identifiable health information in employment records held by a covered entity in its role as an employer. This means that even the information kept in employment records by health care institutions is generally not governed by HIPAA.

In terms of workers’ compensation claims the rule recognizes that employers, along with their workers’ compensation insurers and claims administrators, have a legitimate need to access detailed medical records in order to efficiently administer the workers’ compensation system. In many cases, the privacy rule allows covered entities to disclose treatment information without violating HIPAA.

Even when the information is not classified as PHI, it is best to obtain a properly drafted release and consent from the employee whenever you ask employees to provide medical information, whether to administer leave, fringe benefits, or workers’ compensation. This helps create and maintain employee trust, so they know their personal information is being handled with care.

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The most well-known provision of HIPAA is the portion that set national standards for health privacy. It gives patients more control over who is able to access and share their health information.

What rights do patients have?

Under HIPAA, patients have the right to:

  • Access their health information
  • Request a copy of their records, which should arrive within 30 days
  • Restrict who their health information is given to
  • Monitor or change how their information is used and shared
  • Be notified of a breach of their health information no later than 60 days after the discovery of the breach

Who are the health organizations or entities that must comply with HIPAA?

Health care providers that must comply with HIPAA privacy standards include, but are not limited to:

  • Doctors
  • Nurses
  • Insurers
  • Hospitals
  • Nursing homes
  • Clinics
  • Psychologists
  • Dentists
  • Pharmacies
  • Chiropractors

What information does HIPAA protect?

Any health information that explicitly identifies or could identify an individual, referred to as protected health information (PHI), should not be shared or transmitted. This covers health information transmitted electronically, on paper, orally, or recorded in any other form or medium.

When is health information allowed to be shared?

Health information can be shared in certain circumstances, such as when it is in the interest of your health (e.g. your doctor consulting with a specialist or another doctor to get an accurate diagnosis) or with your friends or family upon your consent. If you are incapacitated or in an emergency situation, health care providers can share relevant information with the appropriate people.
