How HIPAA and Other Health Privacy Laws Work Together to Protect Employee Health Information
With technology always changing, it's important for employers to learn how to protect employee information.
- By Rupert Jones
- Nov 22, 2022
Protecting patient and employee health information has become more complex. Technology is, and likely always will be, a fundamental part of the healthcare system. While computers make it easier for teams to manage records, any online document could fall victim to a cyberattack.
In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) ensures patient confidentiality. For employers, it’s unclear whether HIPAA laws apply to their employee health records or what types of medical information are considered “confidential.”
To protect the health and safety of your employees, you must abide by American privacy laws, which may or may not include HIPAA, while also following a few security-based best practices.
What is HIPAA, and Does it Apply to Non-Healthcare Employers?
HIPAA is a set of national standards for the protection of health information. These standards apply to covered entities, which include health plans, healthcare clearinghouses and healthcare providers who electronically transmit medical information (unless it’s for employer use).
Non-healthcare employers do not have to abide by HIPAA law, but most states use HIPAA as a standard for identity theft protection laws or cybersecurity laws, so you aren’t out of the woods.
For example, the Oregon Consumer Identity Theft Protection Act sets standards for how employers should handle employee medical information. These include implementing server safeguards to protect the confidentiality of a person’s information and reporting data breaches.
What Health Document Privacy Laws do Apply to All Employers?
Even in instances where HIPAA doesn’t apply, employers still have a legal obligation to protect their employees’ health records. The Americans with Disabilities Act and the Genetic Information Nondiscrimination Act are two important laws that govern health information and data privacy.
Under both laws, employers are allowed to request information about a person's disability or genetics only if it directly impacts the employer or the employee's job duties. Employers aren’t allowed to ask for specifics regarding an employee’s medical treatment unless the condition may require prompt first aid.
How does Employee Health Information Privacy Benefit Workers?
It’s obvious why your employees wouldn’t want any of their private information leaked, but improved cybersecurity practices can actually benefit you and your workers in several ways.
HIPAA Compliance Directly Benefits All of Us. While HIPAA doesn’t always apply to employee health information maintained by an employer, it does apply to an employer’s request for health information from a covered entity (i.e., a doctor).
That means a covered entity cannot disclose protected health information unless the employee gives consent (or disclosure is otherwise allowed by law). This information cannot be shared with HR or an employee’s manager without the employee’s express consent, preferably given in writing.
With HIPAA laws in place, employers can’t look up health information they could possibly use against employees. This cuts down on discrimination, improving overall employee wellness.
Privacy Software Helps Automate Workflows. Digital privacy software that supports the safe storage of medical information reduces the risk of identity theft. Too many employers keep confidential records inside an unencrypted folder on their desktops. Not only is this unsafe, but it also affects the trust your employees have in you.
While the healthcare industry uses electronic health records (EHR) software, other industries typically rely on human resources or occupational health software. HR software can store all types of records safely and securely, so long as it’s updated frequently.
When you protect health records with automation software, you offer peace of mind. This is especially true if HR encrypts all files and locks out unauthorized users from the system.
Incident Response Processes are Commonplace. Healthcare or identity fraud can leave long-lasting impacts on your employees. They may be unable to receive low-cost medical attention, reducing their quality of life and ability to work.
When you stress the importance of data protection, you empower your workers to spot data breaches. But for them to do this, they need to know what security risks are out there. A study by Verizon found that human error causes 82 percent of all breaches, so a strong server isn’t enough.
Although employees are the most likely culprit for data leaks, employers still have to educate them on cybersecurity best practices. Your due diligence will improve your employees’ ability to prevent an attack before it occurs or to report it when it happens.
How Should Employers Protect Employee Health Information?
As stated, employers have to protect their employees’ medical information, so it isn’t a matter of “if.” Employers should adopt the following best practices to prevent or reduce data breaches.
Limit and Track Access to Electronically-Stored Information. Businesses should strictly limit access to medical information to the employees who need it. While you’re at it, develop a system that internally tracks when medical information stored by HR is accessed. You should also train and retrain HR employees regularly to ensure compliance.
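The two controls described above (restrict who can read HR-held medical records, and log every access so it can be reviewed) can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from any particular HR product; the role names, employee names and the sample record are all constructed for the example.

```python
"""Added example: a minimal least-privilege read check with an audit trail
for medical records kept by HR. Roles, actors and the record content are
constructed for illustration, not taken from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Roles permitted to read medical records. Kept deliberately short: a line
# manager is NOT on the list, mirroring the article's point that medical
# details should not reach managers without the employee's consent.
MEDICAL_READ_ROLES = frozenset({"hr_medical", "occupational_health"})


@dataclass
class AuditEvent:
    timestamp: str
    actor: str
    record_owner: str
    action: str
    allowed: bool
    reason: str


@dataclass
class MedicalRecordStore:
    records: Dict[str, str] = field(default_factory=dict)      # owner -> note
    roles: Dict[str, frozenset] = field(default_factory=dict)  # actor -> roles
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, actor: str, owner: str, action: str, allowed: bool, reason: str) -> None:
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), actor, owner, action, allowed, reason))

    def read(self, actor: str, owner: str) -> Optional[str]:
        """Return the record only if the actor holds a permitted role or is
        reading their own record. Every attempt is logged, allowed or not,
        so a later review can see who looked at what and who was refused."""
        actor_roles = self.roles.get(actor, frozenset())
        permitted = actor_roles & MEDICAL_READ_ROLES
        if actor == owner:
            reason = "self-access"
        elif permitted:
            reason = "role:" + ",".join(sorted(permitted))
        else:
            self._log(actor, owner, "read", False, "no permitted role")
            return None
        self._log(actor, owner, "read", True, reason)
        return self.records.get(owner)

    def denied_attempts(self) -> List[AuditEvent]:
        """The entries a periodic access review would look at first."""
        return [e for e in self.audit_log if not e.allowed]


def build_sample_store() -> MedicalRecordStore:
    """Constructed sample data: one record, one HR reader, one manager."""
    store = MedicalRecordStore()
    store.records["alice"] = "workplace accommodation: ergonomic chair (constructed)"
    store.roles["hr_bob"] = frozenset({"hr_medical"})
    store.roles["manager_carol"] = frozenset({"line_manager"})
    return store


def demo() -> dict:
    """Run three reads: HR (allowed), manager (denied), the employee (allowed)."""
    store = build_sample_store()
    result = {
        "hr": store.read("hr_bob", "alice"),
        "manager": store.read("manager_carol", "alice"),
        "self": store.read("alice", "alice"),
    }
    result["denied"] = len(store.denied_attempts())
    result["total"] = len(store.audit_log)
    return result


if __name__ == "__main__":
    for event in build_sample_store().audit_log:
        print(event)
    print(demo())
```

The point of logging the refused attempt as well as the successful ones is that the denied entries are exactly what an access review needs to see: a manager repeatedly trying to open a subordinate's medical record is a signal even though no data was disclosed.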
Restrict Employees From Sharing Information Over Email. Sharing medical information over email is a bad idea. Not only is email an unsecured channel, but it can also lead to incomplete reports. Be sure to prohibit both external and internal requests for medical information over email. You should only exchange such information in person or by phone.
Don’t Store Any Unnecessary Medical Information or Data. Medical data should not be stored for an indefinite period. Unless there’s a good reason why HR should retain certain medical information, it should be destroyed when it’s no longer needed. For this step, follow HIPAA or your state’s privacy law standards for the deletion of health records.
Encourage Employees to Report Suspected Breaches. Your employee may accidentally click on a link or provide information to someone they thought was a fellow coworker. This should be treated as a mistake, not a fireable offense. If your employees are afraid of getting in trouble, they won’t report a breach, or worse, cover it up.