Compliance is a paramount concern for small business owners, especially when it comes to handling sensitive data. This data includes proprietary business information, customer records, and, notably, employee health information. Ensuring the security of this information is vital, not only for preserving a company’s reputation but also for adhering to regulatory requirements. In this article, we will explore the critical aspects of managing employee health information, dispelling misconceptions about HIPAA, and providing guidance on staying compliant.
Understanding HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law designed to safeguard patient privacy concerning medical records and information. HIPAA governs how healthcare providers and covered entities handle protected health information (PHI). Its primary objectives include enhancing health insurance portability, preserving patient privacy, and notifying patients of any security breaches that could compromise their medical data.
HIPAA encompasses five rules, with the Privacy Rule and the Security Rule being the most widely recognized. The Privacy Rule establishes national standards for protecting individuals’ medical records and PHI. Meanwhile, the Security Rule outlines requirements for safeguarding electronic PHI through administrative, physical, and technical safeguards.
Does HIPAA Apply to Employment Records?
One common misconception is that HIPAA applies universally to anyone handling health information. This is not entirely accurate. HIPAA’s scope is limited to specific entities, including:
- Healthcare Service Providers: Any healthcare provider that electronically transmits health information for claims processing, benefit inquiries, or referral authorizations must comply with HIPAA.
- Health Plans: Organizations offering or covering medical care, such as health, dental, vision, and prescription drug insurance companies, fall under HIPAA regulations. Limited exceptions apply to small employer-administered group health plans.
- Business Associates: Individuals or organizations that use identifiable health information to perform services for covered entities, such as claims processing or data analysis, must comply with HIPAA.
Generally, employers, even if they collect and store health-related personal information, are not subject to HIPAA regulations. However, they are bound by other legal responsibilities when managing employee health information.
Properly Storing Employee Medical Information
While employers may not be subject to HIPAA, they still have legal obligations regarding the storage of employee medical data. The Americans with Disabilities Act (ADA) mandates that employee medical records and information be kept separate from general personnel files. Employers must maintain confidentiality when handling any provided employee medical information.
During the ongoing pandemic, employers have been collecting more health-related information than usual, such as vaccination records, health test results, or doctor’s notes for illness verification. It is imperative to store these documents securely and in an ADA-compliant manner.
Examples of employee medical information that should be stored separately include:
- Physical examination reports for pre-employment screenings or workplace injuries.
- Disability benefit records.
- Immunization records.
- Doctor’s notes.
- Family and Medical Leave Act (FMLA) documentation.
- Information related to Americans with Disabilities Act (ADA) reasonable accommodation requests.
- Health insurance enrollment records.
- Referrals from employee assistance programs.
- Worker’s compensation claims documents.
Access to these documents should be restricted to employees with a legitimate business need, such as benefits staff, human resources personnel, or the employee’s direct supervisor when necessary.
Requesting Health Information as an Employer
Employers do have the authority to request health information in specific situations. They may ask for a doctor’s note or other medical documentation to process sick leave or workers’ compensation claims. Additionally, employers can request health information when administering employee wellness programs, flexible spending accounts (FSAs), or health insurance benefits.
However, employers should refrain from directly contacting healthcare providers for employee health information. Healthcare providers cannot disclose such information without the employee’s authorization unless other laws mandate disclosure. In most cases, employers should request medical documentation from employees and have them coordinate with their healthcare providers. Any HIPAA-related concerns or violations would be attributed to the healthcare provider, not the employer.
Employers should exercise caution when requesting medical information and maintain clear and consistent policies. For example, having a policy that requires a doctor’s note for absences lasting three or more consecutive days is generally acceptable. However, inconsistency in enforcing such policies among employees can lead to issues.
It’s essential to focus on the specific information needed for time off or accommodations rather than delving into the specifics of an employee’s medical condition. This approach minimizes the risk of discrimination claims and respects employees’ privacy.
Proper Disposal of Employment Records and Health Information
Maintaining a substantial backlog of sensitive employee information can be a liability. Employers must adhere to federal laws governing HR record retention, which often include guidelines for health-related documentation. Retention schedules and requirements vary based on the type of records and typically range from 3 to 6 years. It is essential to also consider state-specific laws, as some states have more stringent retention requirements.
Managing paper files can be challenging, especially when dealing with private health information. Employers may find it beneficial to implement electronic record-keeping systems to ensure compliance with retention schedules and secure disposal practices. Transitioning to electronic records can simplify the process, as electronic documents can be securely deleted when they are no longer needed, reducing the risk of data breaches.
In conclusion, while HIPAA may not universally apply to employers, managing employee health information remains a critical aspect of business operations. Employers must adhere to legal obligations, maintain confidentiality, and implement proper record-keeping and disposal procedures. By doing so, businesses can mitigate risks, protect employee privacy, and maintain compliance with relevant laws and regulations.