HIPAA and the HR Function
The Health Insurance Portability and Accountability Act creates extensive obligations for protecting health information. While HIPAA is often associated with healthcare providers, employers who sponsor group health plans have significant responsibilities under the law. HR professionals administering these plans must understand HIPAA requirements to avoid violations that carry penalties up to $1.5 million per violation category annually.
Complicating matters, not all health information that HR encounters falls under HIPAA. The law's scope depends on the source and use of information, creating distinctions that require careful analysis. Employment records maintained for non-health purposes—even records containing health details like disability accommodations or workers' compensation—generally fall outside HIPAA, though they may be protected by other laws like the ADA.
Understanding Protected Health Information
HIPAA protects "protected health information" (PHI)—individually identifiable health information transmitted or maintained by covered entities or business associates. For employer-sponsored health plans, PHI includes any information that identifies an individual and relates to their health condition, healthcare, or payment for healthcare.
Examples of PHI in employment contexts include: enrollment forms indicating coverage elections, claims information received from health plans, medical certifications for FMLA leave when processed through employer health plan functions, and wellness program participation data. Information becomes PHI based on how the employer receives and uses it, not merely because it contains health details.
Plan Administration vs. Employment Functions
The critical distinction lies between plan administration functions—where HIPAA applies—and employment functions—where it generally does not. When HR staff perform plan administration activities like processing enrollments, resolving claims issues, or managing plan amendments, they act in a capacity covered by HIPAA. When the same staff perform employment functions like evaluating accommodation requests or processing workers' compensation claims, different rules apply.
This distinction creates practical challenges. The same HR professional may receive health information in both capacities, sometimes in the same conversation. Organizations must establish clear protocols distinguishing plan administration activities and ensure information received in plan contexts does not improperly influence employment decisions.
The Firewall Requirement
HIPAA requires that PHI disclosed to employers by health plans be used only for plan administration purposes. This creates what is effectively a "firewall" between plan administration functions and employment functions. Implementing this firewall involves several elements.
Plan documents must include provisions limiting PHI use to plan administration and identifying employees authorized to access PHI. These authorized individuals must receive HIPAA training and certify that they will not use PHI for employment-related decisions. Organizations must implement physical, technical, and administrative safeguards ensuring that PHI remains within plan administration functions.
Minimum Necessary Standard
Even within plan administration, HIPAA's "minimum necessary" standard requires limiting PHI access to what is needed for specific purposes. An employee processing enrollment changes needs different information than one investigating a claim appeal. Access rights should align with job functions rather than providing blanket access to all PHI.
The minimum necessary standard does not apply to disclosures to healthcare providers for treatment purposes or to disclosures authorized by the individual. But for internal plan administration activities, organizations should implement controls ensuring employees access only PHI necessary for their specific tasks.
Notice and Authorization Requirements
Group health plans must provide participants with a Notice of Privacy Practices explaining how PHI may be used and disclosed, individuals' rights regarding their PHI, and the plan's duties to protect PHI. The notice must be provided at enrollment and upon request, and participants must be reminded at least every three years that the notice is available.
Many PHI uses and disclosures require individual authorization beyond what the Notice of Privacy Practices covers. Authorizations must be specific about information to be disclosed, purposes of disclosure, expiration date, and right to revoke. Marketing uses of PHI require authorization, as do most disclosures to employers for employment purposes.
Individual Rights
HIPAA grants individuals extensive rights regarding their PHI that HR departments must be prepared to honor. Individuals have the right to access their PHI, request amendments to inaccurate information, receive an accounting of certain disclosures, request restrictions on uses and disclosures, and request confidential communications through alternative means or locations.
Plans must establish processes for receiving and responding to these requests within required timeframes—generally 30 days for access requests with a possible 30-day extension. Denials must be in writing with reasons and appeal processes explained. Failure to honor rights requests can result in complaints to the Department of Health and Human Services Office for Civil Rights.
Security Requirements
The HIPAA Security Rule establishes requirements for protecting electronic PHI. While the Privacy Rule governs PHI uses and disclosures regardless of format, the Security Rule specifically addresses administrative, physical, and technical safeguards for electronic information.
Administrative Safeguards
Required administrative safeguards include conducting risk assessments, implementing policies and procedures, designating security officers, providing workforce training, and establishing incident response procedures. Organizations must evaluate threats to ePHI, implement appropriate measures, and document compliance efforts.
Risk assessment deserves particular attention. Organizations must identify where ePHI is created, stored, and transmitted; evaluate threats and vulnerabilities; assess current security measures; determine risk levels; and implement additional protections where needed. Risk assessments should be repeated periodically and after significant changes to systems or processes.
Physical and Technical Safeguards
Physical safeguards address facility access, workstation security, and device controls. Technical safeguards include access controls, audit controls, integrity controls, and transmission security. The specific measures required depend on organizational size, complexity, and risk environment—the Security Rule is flexible but requires documentation of decisions.
Encryption merits specific mention. While the Security Rule does not mandate encryption, unencrypted ePHI that is lost or stolen is presumed breached, triggering notification requirements. Encryption provides a safe harbor from breach notification—organizations that encrypt ePHI and lose encrypted devices or files need not notify individuals or regulators if the encryption key was not compromised.
Breach Notification
When breaches of unsecured PHI occur, HIPAA requires notification to affected individuals, the Department of Health and Human Services, and in some cases, media outlets. The notification obligations vary based on breach size but apply regardless of whether harm actually results.
A "breach" is defined as unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. Exceptions exist for unintentional access by workforce members acting in good faith, inadvertent disclosures between authorized persons, and situations where unauthorized recipients would not reasonably retain the information.
When breaches occur, organizations must conduct risk assessments considering the nature and extent of PHI involved, the unauthorized person who used or received the information, whether PHI was actually acquired or viewed, and the extent to which risk has been mitigated. Unless the risk assessment demonstrates low probability that PHI was compromised, breach notification is required.
Notification Requirements
Individual notification must occur without unreasonable delay, and in no case later than 60 days after the breach is discovered. Notifications must describe the breach, the types of information involved, steps individuals should take to protect themselves, the mitigation steps the organization is taking, and contact information for questions.
For breaches affecting 500 or more individuals, organizations must also notify prominent media outlets in affected states and report to HHS within 60 days. Smaller breaches may be reported to HHS annually. All breaches should be documented regardless of size.
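As an added illustration that is not part of the original article, the breach decision sequence described above (encryption safe harbor, the breach-definition exceptions, the four-factor risk assessment, and the 500-individual threshold) encoded as a small Python helper of the kind an incident-response playbook might carry. The field names and the sample incident are assumptions; the risk-assessment conclusion is an input the organization must reach and document itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class RiskAssessment:
    """The four factors the article lists, kept for the six-year documentation file."""
    nature_and_extent: str
    unauthorized_recipient: str
    actually_acquired_or_viewed: bool
    mitigation: str
    low_probability_of_compromise: bool  # the documented conclusion of the assessment


@dataclass
class Incident:
    discovered: str                   # ISO date of breach discovery, e.g. "2024-01-10"
    individuals_affected: int
    encrypted_key_intact: bool        # ePHI was encrypted and the key was not compromised
    meets_exception: bool             # good-faith workforce access, inadvertent disclosure
                                      # between authorized persons, or recipient cannot retain
    assessment: Optional[RiskAssessment] = None


def breach_notifications(inc: Incident) -> dict:
    """Map an incident to the notification duties it triggers under the rules above."""
    deadline = (date.fromisoformat(inc.discovered) + timedelta(days=60)).isoformat()
    duties = {"document": True, "individuals": False, "media": False,
              "hhs_within_60_days": False, "hhs_annual_log": False,
              "deadline": deadline, "basis": ""}
    if inc.encrypted_key_intact:           # safe harbor: the PHI was secured
        duties["basis"] = "safe harbor, encrypted and key not compromised"
    elif inc.meets_exception:              # not a "breach" under the definition
        duties["basis"] = "excepted from the breach definition"
    elif inc.assessment and inc.assessment.low_probability_of_compromise:
        duties["basis"] = "risk assessment shows low probability of compromise"
    else:                                  # unsecured PHI, presumed breached
        duties["individuals"] = True
        if inc.individuals_affected >= 500:
            duties["media"] = duties["hhs_within_60_days"] = True
            duties["basis"] = "breach of unsecured PHI affecting 500 or more individuals"
        else:
            duties["hhs_annual_log"] = True
            duties["basis"] = "breach of unsecured PHI affecting fewer than 500 individuals"
    return duties


if __name__ == "__main__":
    # Constructed sample: a lost unencrypted laptop holding 1,200 enrollment records
    lost_laptop = Incident("2024-01-10", 1200, encrypted_key_intact=False, meets_exception=False)
    print(breach_notifications(lost_laptop))
```

Every path sets "document" to True because the article requires all breaches to be documented regardless of size or outcome.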
Business Associates
Organizations that use vendors to perform plan administration functions involving PHI must establish Business Associate Agreements. These contracts must include provisions limiting how business associates may use and disclose PHI, requiring appropriate safeguards, requiring breach notification, and permitting agreement termination for violations.
Common business associates for group health plans include third-party administrators, pharmacy benefit managers, wellness program vendors, and benefits consultants. Before sharing PHI with any vendor, confirm that appropriate agreements are in place. Business associate breaches can result in liability for covered entities that failed to exercise proper oversight.
Training and Documentation
HIPAA requires workforce training on policies and procedures relevant to job functions. Training must occur for new workforce members and when material changes occur. While annual training is not explicitly required, it represents best practice for maintaining awareness and demonstrating compliance efforts.
Documentation requirements extend throughout the HIPAA rules. Policies and procedures, risk assessments, training records, authorization forms, breach response activities, and business associate agreements must all be maintained for at least six years from creation or when last in effect, whichever is later. This documentation proves essential during investigations or audits.
Integrating HIPAA Compliance
Effective HIPAA compliance integrates with broader HR operations rather than existing as a separate compliance silo. Privacy and security considerations should be embedded in system implementations, vendor selections, process designs, and employee training. Regular audits ensure that procedures remain compliant as operations evolve.
Coordination with legal counsel proves important given HIPAA's complexity and significant penalties for violations. While day-to-day compliance should not require constant legal involvement, counsel should review policies, assist with breach response, and advise on novel situations where requirements are unclear.