
Understanding HIPAA in the Workplace vs. the Medical Setting

Posted December 30, 2024; last updated January 10th, 2025

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that created national standards to protect sensitive patient health information. Originally designed to safeguard medical information and ensure privacy in healthcare settings, HIPAA also has implications for the workplace. For nonprofit HR professionals, understanding how HIPAA differs in application between medical and workplace settings is essential for compliance, as employees may have concerns about their health information in both realms. This guide unpacks what HIPAA means in the workplace versus a healthcare environment and how HR professionals can navigate it effectively.

  1. HIPAA’s Core Purpose and Applicability

In Medical Settings: HIPAA was established to secure individuals’ medical information in the healthcare industry. In medical settings, HIPAA’s Privacy Rule protects “Protected Health Information” (PHI) by setting strict limits on who can access, share, and use a patient’s data. Healthcare providers, insurance companies, and healthcare clearinghouses are the primary entities required to adhere to HIPAA’s standards.

In Workplace Settings: In the workplace, HIPAA does not usually apply in the same direct manner. Employers are not generally covered entities under HIPAA. This means that, contrary to common misconception, not every piece of health information shared in the workplace is protected by HIPAA. However, confidentiality considerations around employee health information remain under other federal and state privacy laws, such as the Americans with Disabilities Act (ADA) and the Family and Medical Leave Act (FMLA).

  2. Differences in Protected Information

Medical Settings: HIPAA protections are extensive, covering all forms of PHI, including medical history, diagnoses, treatment plans, and insurance information. Any identifiable information held by covered entities or business associates falls under HIPAA’s scope, whether it’s electronic, written, or oral.

Workplace Settings: In the workplace, only certain health-related information might be indirectly affected by HIPAA—usually when the employer handles health data through a group health plan or receives information from healthcare providers. For instance, if an employee’s health information is disclosed to the employer through their health plan, HIPAA applies only to the health plan, not to the employer. However, HR is advised to manage this data confidentially, as information like medical leave requests or reasonable accommodation requests could contain sensitive health information protected by ADA or FMLA rather than HIPAA.

  3. Role of HR in Handling Health Information

Medical Setting HIPAA Compliance Requirements: In healthcare, compliance officers maintain HIPAA standards, ensuring policies are in place for safeguarding patient health data. These roles include providing training on data security and enforcing guidelines on information sharing, storage, and access.

HR Responsibilities: For HR, the role shifts to ensuring the confidentiality of health-related information and understanding where HIPAA does or doesn’t apply. HR professionals should:

  • Familiarize themselves with privacy laws like ADA, FMLA, and the Genetic Information Nondiscrimination Act (GINA), which often apply more directly than HIPAA.
  • Manage sensitive health information received during leave requests, workers’ compensation claims, or disability accommodations with confidentiality.
  • Avoid unnecessary access to or sharing of employee health information, even if HIPAA doesn’t apply directly.
  • Develop clear policies for maintaining the confidentiality of employee health information.

  4. Practical Steps for HR to Ensure Compliance

While HIPAA might not govern most workplace health information directly, HR professionals can take proactive steps to build trust and protect employee privacy:

  • Clarify Employee Health Information Handling Policies: Explain to your employees which laws protect their health information at work. Make clear that while HIPAA doesn’t apply to employers in the same way it does to healthcare providers, other laws do provide protections.
  • Maintain Confidential Records: Keep employee health information, including FMLA and ADA accommodation documentation, separate from regular personnel files. Limit access to only those who need it for specific business purposes.
  • Educate Staff: Train managers and HR staff on the distinctions between HIPAA, ADA, FMLA, and other relevant laws, creating guidelines that reinforce how to properly handle health information.
  • Ensure Compliance with Group Health Plans: If your nonprofit offers group health plans, ensure those plans meet HIPAA requirements. Work closely with your plan administrator to safeguard employee health information.

  5. Managing Employee Expectations

Because HIPAA is often misunderstood, employees may believe it provides more workplace protections than it does. HR can help manage employee expectations by:

  • Communicating clearly about what laws protect their information.
  • Providing reassurance that, even if HIPAA doesn’t apply, their information is treated with respect and confidentiality.
  • Addressing questions or concerns proactively to help employees feel confident in how their information is handled.

For nonprofit HR professionals, understanding HIPAA’s limitations in the workplace and knowing which laws protect employee health information is important. While HIPAA’s direct applications are largely limited to the healthcare industry and health plans, maintaining a high standard of confidentiality is key for building trust with employees and ensuring that sensitive information is handled responsibly. By developing clear policies, educating staff, and communicating openly, HR teams can effectively protect employee health information within the workplace.

If you have any questions regarding HIPAA in the workplace or other HR questions or concerns, please contact us at HRServices@501c.com or (800) 358-2163.


About Us

For more than 40 years, 501(c) Services has been a leader in offering solutions for unemployment costs, claims management, and HR support to nonprofit organizations. Two of our most popular programs are the 501(c) Agencies Trust and 501(c) HR Services. We understand the importance of compliance and accuracy and are committed to providing our clients with customized plans that fit their needs.

Contact us today to see if your organization could benefit from our services.

Are you already working with us and need assistance with an HR or unemployment issue? Contact us here.

The information contained in this article is not a substitute for legal advice or counsel and has been pulled from multiple sources.
