How HIPAA and Other Health Privacy Laws Work Together to Protect Employee Health Information -- Occupational Health & Safety

How HIPAA and Other Health Privacy Laws Work Together to Protect Employee Health Information

With technology always changing, it's important for employers to learn how to protect employee information.

By Rupert Jones
Nov 22, 2022

Protecting patient and employee health information has become more complex. Technology is, and likely always will be, a fundamental part of the healthcare system. While computers make it easier for teams to manage records, any online document could fall victim to a cyberattack.

In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) ensures patient confidentiality. For employers, it’s unclear whether HIPAA laws apply to their employee health records or what types of medical information are considered “confidential.”

To protect the health and safety of your employees, you must abide by American privacy laws, which may or may not include HIPAA, while also following a few security-based best practices.

What is HIPAA, and Does it Apply to Non-Healthcare Employers?

HIPAA is a set of national standards for the protection of health information. These standards apply to covered entities, which include health plans, healthcare clearinghouses and healthcare providers who electronically transmit medical information (unless it’s for employer use).

Non-healthcare employers do not have to abide by HIPAA law, but most states use HIPAA as a standard for identity theft protection laws or cybersecurity laws, so you aren’t out of the woods.

For example, The Oregon Consumer Identity Theft Protection Act places standards for how employers should handle employee medical information. These include implementing server safeguards to protect the confidentiality of a person’s information and reporting data breaches.

What Health Document Privacy Laws do Apply to All Employers?

Even in instances where HIPAA doesn’t apply, employers still have a legal obligation to protect their employee’s health records. The Americans with Disabilities Act and Genetic Information Nondiscrimination Act are two important laws that govern health information and data privacy.

With both laws, employers are allowed to request information about a person's disability or genetics if it directly impacts the employer or the employee's job duties. Employers aren’t allowed to ask specifics regarding their medical treatment unless it may require prompt first aid.

How does Employee Health Information Privacy Benefit Workers?

It makes sense why your employees wouldn’t want any of their private information being leaked, but improved cybersecurity practices can actually benefit you and your workers in several ways.

HIPAA Compliance Directly Benefits All of Us. While HIPAA doesn’t always apply to employee health information maintained by an employer, it does apply to an employer’s request for health information from a covered entity (i.e., a doctor).

That means a covered entity cannot disclose protected health information unless an employee gives consent (or is otherwise allowed by the law). This information cannot be shared with HR or an employee manager without your expressed consent, preferably given in writing.

With HIPAA laws in place, employers can’t look up health information they could possibly use against employees. This cuts down on discrimination, improving overall employee wellness.

Privacy Software Helps Automate Workflows. Digital privacy software that supports the safe storage of medical information reduces the risk of identity theft. Too many employers keep confidential records inside an unencrypted folder on their desktops. Not only is this unsafe, but it also affects the trust your employees have in you.

While the healthcare industry would use electronic health records or EHR software for human services, other industries would stick with human resource or occupational health software. HR software can store all types of records safely and securely, so long as it’s updated frequently.

When you protect health records with automation software, you offer peace of mind. This is especially true if HR encrypts all files and locks out unauthorized users from the system.

Incident Response Processes are Commonplace. Healthcare or identity fraud can leave long-lasting impacts on your employees. They may be unable to receive low-cost medical attention, reading their quality of life and ability to work.

When you stress the importance of data protection, you empower your workers to spot data breaches. But for them to do this, they need to know what security risks are out there. A study by Verizon found that human error causes 82 percent of all breaches, so a strong server isn’t enough.

Although employees are the most likely culprit for data leaks, employers still have to educate employees when it comes to cybersecurity best practices. Your due diligence will improve your employee’s ability to respond to an attack before it occurs or to report it when it happens.

How Should Employers Protect Employee Health Information?

As stated, employers have to protect their employee’s medical information, so it isn’t a matter of “if.” Employers should adopt the following best practices to prevent or reduce data breaches.

Limit and Track Access to Electronically-Stored Information. Businesses should strictly limit access to medical information to employees that need it. While you’re at it, develop a system that internally tracks when medical information stored by HR is accessed. You should also train and retrain HR employees regularly to ensure compliance.

Restrict Employees From Sharing Information Over Email. Sharing medical information over email is a bad idea. Not only is email an unsecured channel, but it can also lead to incomplete reports. Be sure to prohibit external and internal requests for medical information over email. You should only exchange information in-person or by phone.

Don’t Store Any Unnecessary Medical Information or Data. Medical data should not be stored for an indefinite period. Unless there’s a good reason why HR should retain certain medical information, it should be destroyed when it’s no longer needed. For this step, follow HIPAA or your state’s privacy law standards for the deletion of health records.

Encourage Employees to Report Suspected Breaches. Your employee may accidentally click on a link or provide information to someone they thought was a fellow coworker. This should be treated as a mistake, not a fireable offense. If your employees are afraid of getting in trouble, they won’t report a breach, or worse, cover it up.

Use HIPAA as a Basis for Your Privacy Policy. Most employers don’t have to follow HIPAA law, but you should use it as a basis for your privacy policy. The HIPAA act is one of the most sophisticated privacy laws in the United States, so you only benefit from using it. Remember to review it often, as HIPAA laws change every few years.

Product Showcase

SlateSafety BAND V2

SlateSafety's BAND V2 is the most rugged, easy-to-use connected safety wearable to help keep your workforce safe and help prevent heat stress. Worn on the upper arm, this smart PPE device works in tandem with the SlateSafety V2 system and the optional BEACON V2 environmental monitor. It includes comprehensive, enterprise-grade software that provides configurable alert thresholds, real-time alerts, data, and insights into your safety program's performance all while ensuring your data is secure and protected. Try it free for 30 days. 3

Featured

Helping Lone Workers Shed the Invisibility Cloak

Satellite messaging and GPS technologies help lone workers overcome challenges of invisibility, providing transformative benefits for safety and coordination across industries. Read Now
Heat Exposure May Lead to Inflammation and Weaken Immunity, Preliminary Research Finds

Recent research links short-term heat exposure to increased inflammation and weakened immunity, particularly affecting outdoor workers. Read Now
- Heat Stress & Thirst Quenchers
DOL Grants Pennsylvania $2.9 Million to Combat Opioid Crisis

The latest National Health Emergency Dislocated Worker Grant has an approved funding threshold of over $8.7 million. Read Now
- Wellness
NIOSH, Partners Lead Fifth Annual National Stand-Down to Prevent Struck-By Incidents

The virtual event kicks off National Work Zone Awareness Week, which runs from April 15-19, 2024. Read Now
- Construction Safety
Safety Training: How to Prepare Workers for Confined Spaces While Working Alone

Effective safety training strategies are essential for prioritizing worker safety in confined spaces, particularly for those working alone. Read Now
- Confined Spaces

Webinars

Superior Glove

Rethinking Hand Safety Revised: Quick Tips and Nudge Theory Insights Apr 16, 2024
J. J. Keller & Associates Inc.

OSHA Training for General Industry: Reviewing the Elements for Select Topics Apr 17, 2024
BIS Safety Software Inc.

Boosting Efficiency While Cutting Costs: Learn to Leverage Online Worker Orientations May 01, 2024
Martor® USA, Bilco, Honeywell Safety Products, Lift-All®, Bradley Corp., SafetyIQ, Skillsoft, National Fire Protection Association, Vector Solutions, iLobby

Facility Safety - Elevating Safety in Warehouse, Distribution Center and High Injury-Rate Retail Establishments: A Risk-Based Prioritized Approach May 02, 2024
Superior Glove

How Nudge Theory Can Reduce Hand Injuries: A Nudge Led Approach to Hand Safety May 08, 2024
Camfil Air Pollution Control (APC), Donaldson, Nilfisk, EMSL Analytical, Inc.

Eliminating Electrostatic Hazards to prevent Dust Explosion: Case Studies and Strategies May 09, 2024

All Webinars

White Papers

All White Papers