Protecting Employee Health Information

Barbara Weltman

The Health Insurance Portability and Accountability Act, commonly called HIPAA, was created to maintain the privacy of a person’s medical information. It was enacted in 1996 but did not take effect in some instances until April 14, 2004. Now that it’s here, be sure to understand how it can affect you. If you violate HIPAA, civil penalties can run to $100 per violation (up to $25,000 per person, per year). And criminal penalties can be imposed.

Employment records
Employment records maintained by an employer are exempt from HIPAA. This is so even though your records may note an employee’s use of sick days, drug screening results or disability insurance eligibility.

Employers can ask employees to authorize disclosure of their medical records. Employers (except in a few states, including California) are not required to establish procedures to ensure confidentiality of employee medical records.

Payroll deductions
If you offer health plans requiring employees to pay some or all of the premiums through payroll deductions, must you use HIPAA protections? Believe it or not, it appears that all companies must do so, regardless of the number of employees; there is no size threshold below which companies are exempt from this HIPAA requirement.

Since the payroll deduction relates to the payment of health coverage and identifies the individual being covered, it is viewed as protected health information. As such, HIPAA privacy requirements apply.

Blood drives and flu shots
HIPAA is no bar to an employer sponsoring blood drives or offering to pay for flu shots for employees. The only caution is that no personal medical information can be transmitted to the employer.

This caution does not prevent you from knowing how many employees utilized the programs. For example, you can receive a list of the number of employees who donated blood. You can’t be given access to their names or other health information.

If you conduct these services on your premises, take steps to ensure employee privacy. For example, use screens or booths for collecting blood or giving shots.

  • Talk with your insurance agent or go to http://privacy.med.miami.edu/index.htm
  • Purchase a HIPAA Privacy Answer Kit (www.gneil.com/info/compliancehipaa/default.asp) cost: $49.95.
