State and federal laws require organizations, including businesses, to treat as confidential and protect any health or medical information to which they become privy. As a business owner, you risk financial loss if you fail to comply with these laws. The governing federal law is the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
If your business provides health care, or provides services to that industry, personal health data may come into your possession as part of your business. In that case, you will certainly be well aware of the laws with which you must comply. The rest of us may come into contact with this kind of privileged information only through the health care benefits we offer employees as an employer. To be sure, many small businesses don’t provide health care benefits and never hold or possess employee health data. Similarly, millions of businesses provide health care benefits but outsource all the work and simply pay the bills. If this describes you, you have little risk. Even so, every business owner should understand the essence of these laws, so that if data of this type does come into your possession you will be aware of the obligation and the risk. Additionally, it is recommended that the employer keep all medical information and health care related documentation in separate, confidential files. Specifically, keep all medical and health related information separate from personnel files.
Protected Health Information Defined:
Under HIPAA, protected health information (PHI) includes all medical records and other individually identifiable health information. Generally speaking, PHI is information that identifies an individual and relates to that person’s health, the care he or she receives, or payment for that care, including medical condition, illness, or propensity for disease.
Is Your Business Governed by HIPAA? Are You at Risk?
Generally speaking, HIPAA governs all “covered entities” and the “business associates” of covered entities. HIPAA has specific definitions for “covered entities,” most of which are health care providers, health plans (including insurance carriers), health care clearinghouses, or other related entities. A covered entity will generally provide its vendors with “business associate agreements” that define the vendor’s duties and obligations with respect to the handling of PHI.
As to smaller businesses that are not “business associates” of “covered entities” but may still be governed by HIPAA, there is an exclusion for group health plans with fewer than 50 participants that the employer administers itself. However, the language of the law is not clear, and stipulations regarding this exclusion remain open to interpretation. Ask your attorney to provide you with an opinion as to what, if any, state and federal laws you must comply with regarding the privacy of health and medical information.
If your organization is found to have violated HIPAA, you may face civil and criminal penalties. These penalties are imposed through enforcement actions by the federal government; HIPAA does not give individuals a private cause of action. As such, an employee or former employee can’t sue you under HIPAA itself. One may, however, file other claims involving the improper disclosure of personal health information, including actions based on invasion of privacy, slander, negligent or intentional infliction of emotional distress, or a claim under state privacy laws.
The following health insurance experts generously contributed their expertise to this article series:
- Dale Bresee and Diane Stallcup of Henderson Benefits Group, Mr. Bresee can be reached at dale.bresee@GoHenderson.com
- Stuart K. Hawley, president of The Hawley Group, Inc. Mr. Hawley can be reached at Stuart@thehawleygroup.com
This article originally appeared in The Business Owner Journal, the periodical of choice for owners of small and midsize private businesses. All rights reserved, D.L. Perkins LLC. © 2012.
This publication is intended to provide general information on the subject matters covered. It is sold and distributed with the understanding that neither the publisher nor any distributor or advertiser is engaged in providing legal, tax, insurance, investment or other professional advice. The advice of a qualified professional should be sought before any reader applies a concept presented herein to his or her particular situation or business.
D.L. Perkins, LLC is solely responsible for this content.