When it comes to the issue of privacy concerning employees and their health care benefits, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the most misunderstood and miscommunicated laws for both employers and employees alike.
“HIPAA can seem unclear, and when coupled with an employer’s health care plan, it can further create confusion and frustration for employers, HR managers and employees,” says Keith Kartman, client advisor at JRG Advisors.
Smart Business spoke with Kartman about what employers need to understand regarding privacy laws and health benefits.
What is HIPAA?
The HIPAA Privacy Rule, as outlined by the U.S. Department of Health and Human Services, establishes national standards to protect medical records and personal health information. It applies to health plans, health care clearinghouses and health care providers that conduct certain health care transactions electronically. Specifically, the rule requires appropriate safeguards to protect personal health information privacy, and sites limits and conditions on the uses and disclosures that may be made with this information without patient authorization.
In addition, the rule provides for patients’ rights concerning their health information, including the right to examine and obtain a copy of their health records, and to request corrections. The types of patient health care information that must be disclosed to be considered ‘protected’ by HIPAA includes date of birth, full name, diagnosis and medical record number.
How does HIPAA affect employee benefits?
As an employer, you are considered a health plan if you pay for a portion of the cost of medical care. If you pay for a portion of an employee’s health plan or have a self-funded medical insurance plan, you fall under the HIPAA Privacy Rule and compliance.
HIPAA mandates how a health plan or covered health care providers disclose protected health information to an employer, including managers or supervisors. As an employer, you have access to health care information that falls under HIPAA, such as benefit enrollment, benefit changes, the Family and Medical Leave Act of 1993 (FMLA) and any wellness program information. Conversely, employees who pay for a portion of the total cost of an employee health insurance plan are also required to comply with HIPAA.
Under HIPAA, employees must first provide authorization to health care providers before they can disclose any health care related information to an employer. This is why employees must complete Family Medical Leave Forms authorizing the release of their health care information before granting them FMLA leave.
Under HIPAA, how are employers required to protect an employee’s health information?
Employers are required to protect sensitive health care information and changes to benefit paperwork and any associated plan changes that include any information that comes from an electronic health record.
Employers are also required to protect Flexible Spending Account (FSA) and wellness program information. This means program administrators and other involved employees are provided with HIPAA training to ensure employee health care information is protected.
Occupational Health Records concerning employee physicals, workers’ compensation or workplace injury under the Occupational Safety and Health Administration are also required to be protected under HIPAA. This information should be stored in a secure location. As an employer, you should provide on-going HIPAA training to any and all employees who may have access to sensitive employee health information.
Lastly, employers are required to display HIPAA privacy laws in the workplace and notify employees of any company-specific privacy policies. As an employer, you should have a clearly defined privacy violation policy that outlines the process for notification and investigation of any potential privacy violations.
HIPAA laws regulating the privacy of protected health information are complicated and ever-evolving, so employers need to stay up to date on the latest developments and seek the guidance of knowledgeable benefits professionals or their legal counsel to ensure compliance.