Newsletter Sign-Up | Connect | Careers

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that was enacted to ensure protection of individuals’ protected health information (PHI) and requires employers to protect employee medical records as confidential. HIPAA includes regulations that cover how employers must protect employees’ medical privacy rights and the privacy of their health information. In general, HIPAA protects individuals from the unauthorized use or disclosure of any protected health information. 

Applications for HIPAA

The HIPAA Privacy Rule only applies to Covered Entities, which are defined as:

  • A health plan

  • A health care clearinghouse

  • A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. Generally, these transactions concern billing and payment for services or insurance coverage. 

For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities. 

Covered entities can be institutions, organizations, or persons.

How HIPAA affects employers

Employers providing health coverage to their employees through a health insurance policy will generally not be responsible for HIPAA compliance because the insurance company (the health plan) is the covered entity and will be required to comply with HIPAA.  

Most of the information contained in personnel files and records is not classified as protected health information (PHI). The regulations state that PHI excludes individually identifiable health information in employment records held by a covered entity in its role as an employer. This means that even the information kept in employment records by health care institutions is generally not governed by HIPAA.

In terms of workers’ compensation claims the rule recognizes that employers, along with their workers’ compensation insurers and claims administrators, have a legitimate need to access detailed medical records in order to efficiently administer the workers’ compensation system. In many cases, the privacy rule allows covered entities to disclose treatment information without violating HIPAA.

Even though not necessarily classified as PHI, when asking your employees to provide any medical information — be it to administer leave, fringe benefits, or workers’ compensation — it is best to get a properly drafted release and consent from the employee. This helps create and maintain employee trust so they know their personal information is being handled with care.