How HIPAA and Other Health Privacy Laws Work Together to Protect Employee Health Information

With technology always changing, it's important for employers to learn how to protect employee information.

Protecting patient and employee health information has become more complex. Technology is, and likely always will be, a fundamental part of the healthcare system. While computers make it easier for teams to manage records, any online document could fall victim to a cyberattack.

In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) ensures patient confidentiality. For employers, it’s unclear whether HIPAA laws apply to their employee health records or what types of medical information are considered “confidential.”

To protect the health and safety of your employees, you must abide by American privacy laws, which may or may not include HIPAA, while also following a few security-based best practices.

What is HIPAA, and Does it Apply to Non-Healthcare Employers?

HIPAA is a set of national standards for the protection of health information. These standards apply to covered entities, which include health plans, healthcare clearinghouses and healthcare providers who electronically transmit medical information (unless it’s for employer use).

Non-healthcare employers do not have to abide by HIPAA law, but most states use HIPAA as a standard for identity theft protection laws or cybersecurity laws, so you aren’t out of the woods.

For example, the Oregon Consumer Identity Theft Protection Act sets standards for how employers should handle employee medical information. These include implementing safeguards on servers to protect the confidentiality of a person's information and reporting data breaches.

What Health Document Privacy Laws do Apply to All Employers?

Even in instances where HIPAA doesn't apply, employers still have a legal obligation to protect their employees' health records. The Americans with Disabilities Act and the Genetic Information Nondiscrimination Act are two important laws that govern health information and data privacy.

With both laws, employers are allowed to request information about a person's disability or genetics if it directly impacts the employer or the employee's job duties. Employers aren’t allowed to ask specifics regarding their medical treatment unless it may require prompt first aid.

How does Employee Health Information Privacy Benefit Workers?

It's easy to see why your employees wouldn't want any of their private information leaked, but improved cybersecurity practices can actually benefit you and your workers in several ways.

HIPAA Compliance Directly Benefits All of Us. While HIPAA doesn’t always apply to employee health information maintained by an employer, it does apply to an employer’s request for health information from a covered entity (i.e., a doctor). 

That means a covered entity cannot disclose protected health information unless an employee gives consent (or disclosure is otherwise allowed by law). This information cannot be shared with HR or an employee's manager without the employee's express consent, preferably given in writing.

With HIPAA laws in place, employers can’t look up health information they could possibly use against employees. This cuts down on discrimination, improving overall employee wellness.

Privacy Software Helps Automate Workflows. Digital privacy software that supports the safe storage of medical information reduces the risk of identity theft. Too many employers keep confidential records inside an unencrypted folder on their desktops. Not only is this unsafe, but it also affects the trust your employees have in you.

While the healthcare industry uses electronic health record (EHR) software, other industries would stick with human resource or occupational health software. HR software can store all types of records safely and securely, so long as it's updated frequently.

When you protect health records with automation software, you offer peace of mind. This is especially true if HR encrypts all files and locks out unauthorized users from the system.

Incident Response Processes are Commonplace. Healthcare or identity fraud can leave long-lasting impacts on your employees. They may be unable to receive low-cost medical attention, reducing their quality of life and ability to work.

When you stress the importance of data protection, you empower your workers to spot data breaches. But for them to do this, they need to know what security risks are out there. A study by Verizon found that human error causes 82 percent of all breaches, so a strong server isn’t enough. 

Although employees are the most likely culprit for data leaks, employers still have to educate employees on cybersecurity best practices. Your due diligence will improve your employees' ability to head off an attack before it occurs or to report one when it happens.

How Should Employers Protect Employee Health Information?

As stated, employers have to protect their employees' medical information, so it isn't a matter of "if." Employers should adopt the following best practices to prevent or reduce data breaches.

Limit and Track Access to Electronically-Stored Information. Businesses should strictly limit access to medical information to employees who need it. While you're at it, develop a system that internally logs each time medical information stored by HR is accessed. You should also train and retrain HR employees regularly to ensure compliance.

Restrict Employees From Sharing Information Over Email. Sharing medical information over email is a bad idea. Not only is email an unsecured channel, but it can also lead to incomplete reports. Be sure to prohibit external and internal requests for medical information over email. You should only exchange information in-person or by phone.

Don’t Store Any Unnecessary Medical Information or Data. Medical data should not be stored for an indefinite period. Unless there’s a good reason why HR should retain certain medical information, it should be destroyed when it’s no longer needed. For this step, follow HIPAA or your state’s privacy law standards for the deletion of health records.

Encourage Employees to Report Suspected Breaches. Your employee may accidentally click on a link or provide information to someone they thought was a fellow coworker. This should be treated as a mistake, not a fireable offense. If your employees are afraid of getting in trouble, they won’t report a breach, or worse, cover it up.

Use HIPAA as a Basis for Your Privacy Policy. Most employers don't have to follow HIPAA law, but you should use it as a basis for your privacy policy. HIPAA is one of the most sophisticated privacy laws in the United States, so you only benefit from using it. Remember to review it often, as HIPAA rules change every few years.
