HIPAA, or the Health Insurance Portability and Accountability Act, consists of rules and regulations that protect the privacy of health records and dictate how such information can be used by health facilities or shared with third parties. Under HIPAA, patients have the right to receive notification and to view copies of their protected health information (PHI) if it is to be used by or shared with an employer. In other words, an employer can only access medical records or treatment information with the employee’s authorization.
Understanding the HIPAA Act of 1996
The HIPAA Act consists of five sections, or titles, that seek to create confidentiality systems within healthcare facilities. The law also aims to keep patients’ health information private and secure. HIPAA’s rules limit the use of PHI to those with a “need to know,” and they penalize anyone who fails to comply with the regulations.
Title II of the HIPAA Act establishes procedures and policies for maintaining the privacy and security of protected health information. It also outlines possible offenses and creates criminal and civil penalties for violations. Under this title, the Department of Health and Human Services (HHS) is further given the mandate to enforce five rules, namely:
- Privacy Rule: This rule covers the use and disclosure of PHI by “covered entities.” The latter include health insurers, medical providers, healthcare clearinghouses, and employer-sponsored health plans.
- Transactions and Code Set Rule: This rule promotes the standardization of healthcare transactions. For instance, medical providers filing for reimbursements electronically must file their claims using a set of HIPAA standards.
- Security Rule: This rule complements the Privacy Rule but applies only to electronic PHI. It covers three categories of security safeguards: physical, administrative, and technical. In other words, it requires covered entities to secure both the health IT infrastructure and the physical premises that hold patients’ health records.
- Unique Identifiers Rule: This rule requires the HIPAA-covered entities completing electronic transactions to use only the National Provider Identifier (NPI) to identify healthcare providers in standard transactions.
- Enforcement Rule: The rule establishes procedures for investigating and hearing HIPAA violations as well as the civil money penalties.
For healthcare information to be considered protected, it must be linked to a specific person through identifiers such as name, telephone number, Social Security number, street address, or email address.
The Right to Privacy and Access
Of all the HIPAA rules across the five titles, the Privacy Rule carries the most weight and is of keen interest to both employers and covered entities. The Privacy Rule requires covered entities to disclose PHI to the patient or individual within 30 days of the date of the request. The patient or employee also has the right to inspect a copy of the health records and to have any mistakes corrected at any time.
Under the HIPAA privacy rule, use and disclosure are two different terms that are interpreted separately. The “use” of PHI means the information is used within a healthcare facility, while “disclosure” means the information is shared outside the healthcare facility. To use or disclose PHI, patients must give a signed consent.
When can an Employer Request the Employee’s PHI?
Under HIPAA, an employer can ask an employee to provide a doctor’s note related to workers’ compensation, sick leave, health insurance, or a wellness program. While HIPAA doesn’t protect employment records, it does protect any records that contain health-related information. So, if the employer needs medical records from a physician, authorization has to come from the employee, and the records can only be used for the stated purpose.
Exceptions to Privacy Rule
Healthcare professionals can disclose PHI without the employee’s permission in certain situations: a child or elder abuse case, a public-health emergency such as an infectious disease outbreak, injuries sustained in a crime, or a stab or gunshot wound.
The goal of HIPAA in the workplace is to ensure that protected health information isn’t used or disclosed without the employee’s consent. It also requires that the people who access such health records are legally permitted to see the information and that the data is used only for its intended purpose.
While HIPAA applies to covered entities, other organizations such as schools, life insurers, and law enforcement agencies cannot obtain PHI directly. They must always obtain employee authorization unless certain exceptions apply.
As a business owner, manager, or supervisor, understanding the HIPAA rules ensures compliance regarding employees’ protected health information. Since employees must be notified before their PHI is shared with the employer, they have the right to receive and review copies of their health records and to request a correction if there are any mistakes. Employees also have the right to grant or deny permission for such sharing.
HIPAA violations by employers include using health records for purposes other than those stated when seeking access, data hacking, or theft of confidential documents. Similarly, disclosing employees’ health records to third parties or disposing of them improperly attracts penalties that can be severe, including fines of up to $250,000 plus compensation in the form of damages paid to victims. If you are an employee or employer facing HIPAA violation claims, you should seek legal advice from a team of employment lawyers who can competently walk you through the legal resolution process.
This is a sponsored post
Digital Health Buzz! aims to be the destination of choice when it comes to what’s happening in the digital health world. We are not about news and views, but informative articles and thoughts to apply in your business.