HIPAA Regulates Handling Employee Health Info

Posted on Friday, May 24, 2019

It's been a while since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) guidelines for medical privacy standards became effective, essentially affecting most employers who offer group health plans. And although the regulations were issued to protect employees' private health and medical information, they are causing quite a stir among employers.

Summary of the Rules

No Consent Necessary: 

To obtain medical information for the purpose of carrying out treatment, payment, or health care operations.
To disclose protected information for the purpose of collecting unpaid balances for medical services, even if patient consent has been revoked.
To provide work-related health information necessary to comply with Workers' Compensation programs.
When required by other laws (state, federal, tribal, or local), or for the purpose of law enforcement or judicial proceedings.
To facilitate organ transplant.
To report abuse, neglect, or domestic violence.
To assist in public health investigations.
In some instances of health research.

Consent Required:

To obtain medical information from treating physicians for coordination of benefits activities.

HIPAA advocates say that the regulations are needed to prevent discrimination in the workplace when people have access to employee health information and use it for purposes other than administering the group plan. Yet, many employers remain confused and say the guidelines don't offer much practical advice for complying.

The Requirements

Under HIPAA, employee health plans are not required to obtain patient consent to use or disclose protected health information in order to carry out treatment, payment, or related health care operations (see the Summary of the Rules). For other uses of employee health information, however, HIPAA calls for an employee release or consent to be obtained.

Plans may now need a specific patient authorization to obtain medical information from physicians for plan coordination of benefits activities. Therefore, many larger businesses may want to consider making one person responsible for overseeing the release of applicable employee health data and assisting with the necessary patient authorizations when medical care is needed.

Adding to the confusion is the fact that the guidelines enable health providers to disclose protected medical information for health plans to obtain payment, even if patient consent has been revoked. While this may seem in direct conflict, it is justified as a means to an important end -- collection of an unpaid balance incurred for medical services rendered.

However, while health plans are mentioned in the HIPAA guidelines, employers are not. Yet, because the HIPAA privacy rule regulates health plans, employers who sponsor these plans -- particularly those who self-insure -- are, in effect, required to comply.

Who Administers the Privacy Regulations?

HIPAA clearly states the Department of Health and Human Services does not have the authority to regulate employers. Instead, group health plans with fewer than 50 participants are self-administered. Thus, liability and the obligation to comply with the privacy rule would rest on the legal shoulders of the group health plan and not the employer. 

Even so, it is in the best interest of employers to take certain steps:

Track all protected health information exchanges conducted, both internally and externally.
Determine what is permissible and what requires authorization.
List jobs which involve handling employee health information.
Build the necessary firewalls between personnel who deal with this protected data to administer the group health plan and personnel who need the information for different purposes, such as Workers' Compensation.

In summary, if your company employs a large number of people, or is self-insured, you may want to consider appointing a chief privacy officer. You may also want to develop training materials on the rules and set up sanctions to be used when the rules are violated.


Disclaimer: The information contained in Dulin, Ward & DeWald’s blog is provided for general educational purposes only and should not be construed as financial or legal advice on any subject matter. Before taking any action based on this information, we strongly encourage you to consult competent legal, accounting or other professional advice about your specific situation. Questions on blog posts may be submitted to your DWD representative.