The Health Insurance Portability and Accountability Act (“HIPAA”) is a critical piece of legislation designed to protect the privacy and security of individuals’ health information. However, despite its importance, there are several common misconceptions surrounding HIPAA compliance in the workplace.
Under HIPAA, “covered entities” are prohibited from making unauthorized disclosures of an individual’s Protected Health Information (“PHI”). Some employees believe that if their employer requests medical information, or discloses their health information, this would constitute a HIPAA violation. Generally speaking, this is not correct. Under the ADA, there are circumstances when an employer may lawfully request an employee’s health information – e.g., in order to verify that an employee needs disability accommodation or that an employee qualifies for FMLA leave. Similarly, if an employer outside of the medical field shares or otherwise publicizes their employee’s medical information, this generally would not constitute a violation of HIPAA. This is because employers typically don’t fall under HIPAA’s definition of “covered entity,” which includes health plans, health care clearinghouses, and health care providers.
However, this does not mean that employers are free to disclose their employee’s medical information, as this could still violate the Americans with Disabilities Act (“ADA”), which protects against the unnecessary sharing of employee medical information. It is important to distinguish between HIPAA and the ADA as the two acts are not one in the same.
Employers who provide medical services may qualify as a covered entity under HIPAA, and therefore they must handle the confidential health information of their employees with care.
Here are a few ways in which medical employers may inadvertently violate HIPAA:
- Accessing Employee Health Information Without Authorization: If an employer has access to employee health information, either through health insurance plans or workplace wellness programs, accessing this information without proper authorization can be a violation. Employers should ensure that only authorized personnel have access to employees’ health data.
- Improper Disclosure of Health Information: If an employer discloses an employee’s health information to unauthorized individuals or third parties without the employee’s explicit consent, HIPAA could be violated. This includes sharing information with colleagues who do not have a legitimate need for this information.
- Inadequate Safeguards and Security Measures: Employers who collect and store health information must implement reasonable safeguards to protect the confidentiality and integrity of that information. Failing to have proper security measures in place, such as encryption or secure storage, can lead to HIPAA violations.
- Insufficient Employee Training: Employers are responsible for training their employees who handle health information about HIPAA regulations. If employees are not adequately trained in the proper handling and safeguarding of health data, it could result in unintentional violations.
- Lack of Written Policies and Procedures: Employers should have written policies and procedures in place to ensure compliance with HIPAA regulations. The absence of such policies or failure to follow established procedures can contribute to inadvertent HIPAA violations.
- Retaliation Against Whistleblowers: If an employer takes adverse action against an employee who reports a HIPAA violation within the organization (whistleblower), it could lead to legal consequences. HIPAA protects individuals who report violations from retaliation.
It’s essential for employers to understand their responsibilities under HIPAA and, if applicable, to have clear policies and procedures in place to prevent unintentional violations. Employers should also provide regular training to employees who handle health information and take appropriate steps to safeguard sensitive data. If an employer is unsure about their obligations under HIPAA, Thatcher Zavaro & Mani can advise on how to keep your employees’ confidential health information safe.
If you believe your HIPAA rights have been violated by your employer, you must consult with an expert employment attorney to discuss your rights. Contact Thatcher Zavaro & Mani at 301-441-1400 to schedule a consultation appointment today. www.ThatcherLaw.com.
Follow us on: