[ANSWERED] Do HIPAA Laws Apply to Employers?

If you’re reading this blog, chances are that the company you work for deals with HIPAA in some way. If not, the content of this post might not apply to you, but it’s still good information to know!

HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. It’s a federal law that protects sensitive patient information within the healthcare industry. 

HIPAA’s requirements prevent the sharing or disclosing of protected health information, or PHI, without a patient’s consent. 

There are 3 main rules within HIPAA:

  • HIPAA Privacy Rule

  • HIPAA Security Rule

  • HIPAA Breach Notification Rule

Each rule has a different purpose and a different response plan when dealing with PHI.

These are important rules that companies working with PHI should follow to avoid costly fines, lawsuits, and jail time.

So on to the question that this blog is all about. Do HIPAA laws apply to employers? 

There isn’t a single answer to this question. It depends on the situation you’re in.

Covered Entities

To put it in simple terms, any company that handles protected health information in any way has an obligation to follow HIPAA laws, even if it isn’t in the healthcare industry.

There are 3 categories, or what HIPAA calls covered entities, that need to follow HIPAA laws. 

These 3 categories are: 

  1. Health plans

  2. Healthcare clearinghouses

  3. Healthcare providers

If an employer doesn’t fall under any of these categories then HIPAA does not apply.

If an employer does fall under one of these categories, HIPAA laws apply to the protected health information that the company acquires in its capacity as a covered entity, not to the PHI of its own employees.

So if an employer is a covered entity, they must follow HIPAA laws for the external PHI they receive.

Take Etactics for example. Part of our service offering is a clearinghouse service, which makes us a covered entity. Because we specialize in medical billing, we work with PHI for patients from our clients’ healthcare practices. For this reason, we take our online K2 Akademy training to ensure that we are compliant with HIPAA laws.

We are not doing this to protect our employees’ PHI but for the PHI of our clients’ patients. 

This doesn’t mean that when it comes to employees’ protected health information we throw all the safety precautions out the window. 

Even when HIPAA doesn’t apply, an employer still has an obligation to protect the confidentiality of any employee health information it is given access to.

It’s important to note that HIPAA laws do apply to an employer’s request for an employee’s health information from a covered entity. That information is shared only with the employee’s authorization, unless disclosure is required by law. Without the employee’s authorization, it may not be shared with human resources or the employer.

The term protected health information, or PHI, is being used quite a lot. Let’s make sure we understand exactly what it is and what qualifies as PHI.

Business Associates

Another classification of organizations that falls within the scope of HIPAA compliance is known as business associates.

Simply put, these are organizations that work with, have access to, or maintain PHI on behalf of a covered entity. In other words, they’re organizations that help covered entities with their operations.

Not all vendors of a covered entity fall under the classification of a business associate (luckily for your organization’s window-cleaning service).

But a vendor who designs, prints, and mails patient statements on behalf of a healthcare provider would definitely fall under this category. Since this is another service offering that we provide at Etactics, we technically land under the category of a business associate as well.

Protected Health Information

Protected health information is any information in medical records that can identify an individual receiving a healthcare offer or service, whether through treatment, payment, operations, medical records, or otherwise.

It’s sometimes referred to as personal health information. 

ePHI is the same as PHI except that it’s in an electronic format. Any encrypted information on an electronic device is ePHI.

3 HIPAA Safeguards

There are 3 big HIPAA safeguards. These rules are regularly changed or modified.

For employers and employees alike, it’s important to stay on top of HIPAA training in order to familiarize yourself with these laws. Let’s go into a little more detail on each one. 

  1. The Privacy Rule

  2. The Security Rule

  3. The Breach Notification Rule

HIPAA Privacy Rule

The HIPAA Privacy Rule provides a set of components for covered entities to follow so that PHI and ePHI for healthcare treatments, payments and other business operations can be safely used and disclosed. 

One component that applies is the minimum necessary standard. This means limiting access to PHI to the least amount necessary for an appropriate business or medical purpose.

Under the HIPAA Privacy Rule, patients and/or their representatives are able to access their medical records, and a covered entity must respond to a request for access and disclosure within 30 days.

HIPAA Security Rule

The HIPAA Security Rule sets the standards for protecting electronic health information. 

A covered entity must reasonably protect any identifiable health information it creates, receives, or sends for a patient from anticipated threats, hazards, and prohibited uses or disclosures.

HIPAA Breach Notification Rule

In the event that a breach of PHI occurs, the Breach Notification Rule sets out the steps that organizations must follow once they become aware of it.

The Breach Notification Rule only requires notification of breaches of PHI that isn’t secured; but any breach of PHI is only able to occur because it wasn’t secured.

Violations and Fines

HIPAA violations happen frequently. The U.S. Department of Health and Human Services reports that 342,032 Privacy Rule complaints have been filed in 2023.

In 2018, healthcare data breaches of 500 or more records were being reported once a day.

While violations occur both big and small, small issues account for the most common fines.

Examples of small violations could look like an employee losing or misusing an electronic device with unencrypted patient information or communicating with a patient through unencrypted means. 

A HIPAA violation in the workplace setting is any action that results in the improper disclosure of a patient’s protected health information. This can be carried out by an employer or employee. This includes accessing, using, disclosing, or selling PHI without authorization. 

Sometimes the employer or employee may not even be aware that they are violating HIPAA laws. This is yet another reason why company training is beneficial. 

HIPAA violations can get quite pricey and can also carry criminal charges resulting in jail time. Penalties depend on the degree of negligence in each case. Violations are classified as either reasonable cause or willful neglect.

Reasonable cause ranges from $100 to $50,000 depending on the incident at hand. These violations do not involve any jail time. 

Willful neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges. The highest penalty on record is $1.5 million per year for violations of identical provisions.

Real-World Example

We’ve talked a lot about HIPAA violations and the different fines that come along with them for both employers and employees. Here is a real-world example of a HIPAA violation that took place in 2019 with a small dental practice known as Elite Dental Associates. This is the Yelp scandal. 

The Office for Civil Rights, or OCR, received a complaint from an individual that Elite had responded to a social media review by disclosing a patient’s last name and details of their protected health information on the social networking site Yelp.

On Yelp, users rate and write reviews for establishments based on their experience and the service they received.

After further assessment of the complaint, the Office for Civil Rights found that Elite had disclosed the PHI of many patients in response to patient reviews on the Elite Yelp page. 

The Office for Civil Rights discovered that Elite did not have a policy and procedure for disclosure of protected health information. Nor did they have a Notice of Privacy Practices that complied with the HIPAA Privacy Rule. 

Due to Elite’s size and their willingness to comply, the settlement came out to be $10,000, which is still low for these circumstances.

Elite also put into place a 2-year corrective action plan monitored by the Office for Civil Rights for compliance with HIPAA rules.

This scenario is the perfect example of how an employer can break HIPAA laws. It did not involve the PHI of the practice’s own employees; rather, the PHI of its patients was broadcast and put out into the public eye without their consent.

Social media is widely used in this day and age, which means there are many newer outlets for people to connect and share information on. There are other stories similar to this Yelp scandal in which patient PHI spread like wildfire.

Making sure both employees and employers are HIPAA compliant in social media use is something to take into consideration as well. 

Conclusion

While an employer working for a covered entity may not have to follow HIPAA laws about their own employees, they are responsible for the PHI of patients that they get through partnerships and working alongside healthcare practices. 

In some circumstances, the employer is held responsible for keeping their own employees’ PHI safe and secure if they are given access to it. Most of the time, it is up to the employee to decide whether to grant their employer that access, even if they are a member of the covered entity the company works with.

It all comes full circle. We all would like our private information to stay that way. Implementing HIPAA laws aids us in doing that. While it may be frustrating at times to work with, it is well worth it in the long run for patients, doctors, employers, and employees alike. 

If you work for a company that is a covered entity, then it is essential that you ensure your practices are HIPAA compliant. How do you do that, you may ask? HIPAA laws do change, so investing in annual company training will take that extra bit of weight off your shoulders.