HIPAA is the Health Insurance Portability and Accountability Act of 1996. HIPAA’s most important aspect for consumers and employees is its privacy protection. HIPAA protects your medical records and other personal data from unauthorized disclosure by covered entities. Although employers may not count as covered entities, the rules applying to covered entities affect them.
The health information covered by HIPAA includes information that relates to you specifically and protects you from unauthorized disclosure whether it is in electronic, paper or oral format. It protects: health care claims; documentation of doctor visits and notes by doctors and their staff; health care payments; coordination of health care benefits; claim status; enrollment and unenrollment in health plans; eligibility for health plans; premium payments; referrals; reports of injury and claim records.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. The statute addressed several problems that arose during the 1980s and 1990s with access to health insurance and how health information was used by health care providers and health insurance carriers. One issue addressed by HIPAA is the ability of workers to obtain health insurance after leaving a job. Once upon a time, if you left a job, it was much harder to get coverage at a new employer or a private policy. HIPAA made it easier to move jobs and find new coverage. (An issue made even easier with the Affordable Care Act.)
HIPAA Privacy Rule
The best-known HIPAA provision is the privacy rule, which limits how specific entities with access to personal health information can use the information and how they must protect your information from theft and fraud. HIPAA identifies Protected Health Information (PHI) and limits its use to providing health care and a limited number of related purposes. HIPAA prevents regulated entities from using your protected health information for unrelated purposes, like selling it to marketers, and requires them to take serious steps to protect your information from accidental disclosure.
Not all entities and people are regulated by the HIPAA privacy rule. HIPAA applies only to covered entities. Covered entities include:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Business associates of other covered entities
Basically, entities that provide healthcare or pay for your healthcare are covered by the privacy rule. Importantly, this does not include employers. (See below.) Other entities, like employers, may acquire protected health information but are not regulated by the privacy rule.
Violations of HIPAA may result in both civil and criminal penalties.
HIPAA and your employment
HIPAA typically recognizes health care providers, insurance providers and health care information clearinghouses as covered entities. Employers are typically not covered entities unless they happen to fall into the HIPAA definition of a covered entity and possess personal health information for their employees beyond standard employment information. The Texas state law that mirrors HIPAA specifically excludes employers as covered entities except when using the protected medical information for marketing purposes.
Employers may nevertheless come in contact with this information. If your employer offers health insurance or other medical plans, they will be aware of at least some protected information, such as premium payments, eligibility, enrollment and similar information. Additionally, if you file a workers’ compensation claim, your employer will most likely obtain medical records to review your claim. Employers can also require documentation from a physician for some FMLA leave reasons or ADA accommodations. Additional laws and regulations may require or permit employer access to some records.
HIPAA is often brought up while discussing COVID-19 rules in the workplace. Many employers require information about vaccine status or test results and may enforce a mask mandate at work. HIPAA generally does not apply to COVID-19 rules in the workplace, but other laws may affect your employer’s rules and what information they may require from you. These are separate and complex legal questions. HIPAA does not prevent your employer from requesting this information even if your employer is a covered entity in other circumstances. (HIPAA may limit how your employer uses your personal health information once it acquires the information if it is a covered entity or business associate.)
Employment lawyers in Texas
Your employer cannot use protected medical information against you when it violates other state or federal laws. There are various anti-discrimination, insurance and labor laws that protect your medical conditions from use as the basis for adverse action in the workplace. If you believe your employer is violating your rights, contact an attorney immediately to discuss your situation. Employment law attorneys represent clients in employment law cases ranging from employment discrimination to FMLA to overtime pay. In any of these cases your medical information may become part of the lawsuit. It is important to protect this information.