What Does HIPAA Mean for Employers?

Handling employee health records may be routine for many human resources professionals, but watching out for potential HIPAA violations can feel like walking on eggshells. The Health Insurance Portability and Accountability Act of 1996 outlines required security and privacy protections for medical records, as well as any related disclosures.

Though primarily a concern for healthcare and insurance professionals, HIPAA also applies to companies that receive, process, handle, or store medical records. Since employers have access to health-related records, such as workers’ compensation claims, human resources professionals must be familiar with HIPAA. That’s because HIPAA violations are serious. Complaints are investigated by the Office for Civil Rights at the U.S. Department of Health and Human Services, and violators can face thousands of dollars in fines and even prison time, depending on the severity and circumstances of an offense.

In fact, a record-setting $28.7 million in fines and settlements was handed down last year in 11 HIPAA violation cases. The previous record was set in 2016, when penalties for HIPAA violations hit $23.5 million.

All of this sounds scary, but you and your team can stay on top of things with the right training, tools, and safeguards. Resources about what constitutes HIPAA compliance are also helpful.

Who Is Covered by HIPAA, Anyway?

Without getting too technical, HIPAA covers specific industries and people, including healthcare practitioners and insurers as well as their “business associates.”

This broad classification generally applies to contractors, partners, or vendors who have access to protected health information—commonly abbreviated as PHI—while performing their work with or on behalf of a company explicitly covered by HIPAA.

The classification can even apply to “a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate,” according to the U.S. Department of Health and Human Services.

Is Your Team Covered by HIPAA to Begin With?

As daunting as HIPAA compliance may sound, there’s good news for some human resources professionals: there may be a chance that the federal law doesn’t apply to your company.

Exchanging medical-related information with a company covered by HIPAA, such as an insurer, doesn’t necessarily mean that the federal law applies to you.

Layna Cook Rush, a shareholder in Baker Donelson’s Louisiana office, said a business associate agreement, which determines when, how, and what kind of medical information can be shared, isn’t always needed even when payment, treatment, or healthcare operations information is exchanged.

“I see a lot of instances where there’s going to be a share of information and the first thought is, ‘Let’s enter into a business associate agreement,’ but I would caution to look at the circumstances and make sure that relationship is appropriate for your share of information,” Cook Rush said in a January 2019 L&E Health Care webinar.

“It may be that you don’t need a business associate agreement, and you certainly don’t want to make someone your business associate if they shouldn’t be,” she said.

HIPAA also excludes “employment records that a covered entity maintains in its capacity as an employer,” according to the U.S. Department of Health and Human Services.

If your company is covered by HIPAA, it’s important to use software that encrypts electronic health information end to end, including HIPAA-compliant forms.

Be Cognizant of Other Privacy Laws

Many states have laws in place to safeguard personal information or personally identifiable information, such as a person’s full name, date of birth, and Social Security number, that can be used to commit identity theft. Even seemingly innocuous and well-intentioned activities can present opportunities to expose a person’s protected, confidential information. For instance, filming a commercial on company property may open the door to potential privacy violations if a person’s face is shown without their consent. In this case, you would need to get explicit consent from all employees, patients, or customers—likely through a media release form—before shooting the commercial.

Another example of a possible privacy violation is an office party where people take pictures of employees.

“With social media being so prevalent, we really need to be careful,” Cook Rush said in the L&E Health Care webinar. “I think that’s something that we need to hone in on, and make employees aware that sharing PHI can be more than just providing a record to someone when you shouldn’t have,” she said. Photos are a great way to memorialize an occasion, but personal, identifying information, such as account numbers on a whiteboard, Social Security numbers on files, or account numbers on a computer screen, shouldn’t be visible in the background. “It’s very important to have a social media policy and make sure your employees understand the severity and consequences of even accidentally sharing information,” Cook Rush said.


Regardless of whether your company is or isn’t covered by HIPAA, it doesn’t hurt to remind your team about safeguarding employee information.

The U.S. Department of Health and Human Services provides training guidance and materials on HIPAA, while the Office of the Inspector General—which is tasked with fraud monitoring and compliance oversight—has crafted a general roadmap that can help you stay on top of things.

Although HIPAA may not apply to your company, creating a plan to safeguard employee records, holding periodic training sessions, and being mindful of social media risks will help your team rest a little easier at night.

About the Author:

Darin Moriki is a content writer at JotForm, a popular online form builder based in San Francisco.