Blog

HIPAA Training for Human Resources

HIPAA
September 15, 2020
Human Resources employees often have access to PHI. How do you make sure those employees are compliant and will not get you into hot water with the OCR?

HIPAA Training for Human Resources

HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a law that was passed to guarantee the security and privacy of protected health information (PHI) as it travels throughout the healthcare industry. There are standards and safeguards that are required through the law for all those who can access this type of personally identifiable information to follow. 

Most people know that doctors, nurses and other people working for medical practices have to comply with HIPAA, but what about the HR team within other organizations that have employee sponsored health plans? During the course of handling these health plans and benefits, HR employees often have access to PHI. In order to guarantee that all employees are aware of the security procedures and protocols, HIPAA training is required for all of these people, including Human Resources staff members.

What is PHI? 

According to HIPAA, those who have the potential to access protected health information throughout the course of their job must be trained in and comply with all the requirements. Since needing to follow the requirements of HIPAA is contingent on accessing PHI, we will define what that is so that HR employees will know whether or not they fall under HIPAA. 

Simply put, PHI is any medical information that could potentially identify an individual, that is created or used during the course of providing healthcare services. The HIPAA Privacy Rule lays out 18 identifiers for PHI. A few of those are: full or last names, dates relating to birthday or treatment day, social security numbers, medical record numbers and any photograph that can identify an individual. These are only a couple of the identifiers, and the rest of the PHI identifiers can be reviewed here.

HR and HIPAA

If you are working in Human Resources, especially within the medical industry, you will regularly access and use protected health information (PHI) during the course of your work day. Since you have access to this information through your job, you are required to understand and comply with HIPAA to ensure that each patient’s PHI is kept secure. A wide variety of organizations handle this type of data as a part of their necessary operations just as HR departments do. 

The main component of HR that leads to employees in that role having access to PHI is their work with and management of the organization’s sponsored health plans. While dealing with these insurance plans for all the employees, it is reasonable to assume that HR professionals would access PHI. The ability to view this private information is why HR professionals commonly need to be trained in HIPAA so that they can achieve compliance. 

How Often Should Training Take Place? 

Just like with HIPAA training for other departments, HR employees should be trained on HIPAA during their initial onboarding process and then be required to complete annual training each year after that. Beyond this, additional training may be needed if there are changes in the company’s policies and procedures relating to HIPAA or even if there are changes or additions to the law itself. 

Do Employment Records Count as PHI? 

One common question that HR teams may have about HIPAA is whether an employee’s general employment record counts as PHI and therefore must be protected to the same extent. The Privacy Rule does not pertain to employment records, therefore the information inside of this record is not considered PHI even if some of it is health related. Within the text of HIPAA, the Privacy Rule clearly lays out requirements and standards for how and when someone is able to access an employee’s PHI. However, these guidelines do not apply to an organization’s specific employment records that they create and utilize. 

Even if an employer is seeking an employee’s doctor’s note or some other direct information from a healthcare provider, the supervisor or any other staff member cannot access the health information needed to do so, unless they have received explicit consent from that employee. HR staff members can be very valuable in this situation by making all employees aware of their rights to the protection and security of their health information.


More from the Blog

GenixTec has achieved HIPAA Compliance with Accountable
Compliant Tools

GenixTec has achieved HIPAA Compliance with Accountable

HIPAA and Workforce Training
HIPAA

HIPAA and Workforce Training

Understanding HIPAA Certification
HIPAA

Understanding HIPAA Certification

Is Google Docs HIPAA Compliant?
Compliant Tools

Is Google Docs HIPAA Compliant?

Is Calendly HIPAA Compliant?
Compliant Tools

Is Calendly HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is Google Sheets HIPAA Compliant?

Is iCloud HIPAA Compliant?
Compliant Tools

Is iCloud HIPAA Compliant?

President Biden Looks to Boost Cybersecurity at U.S. Ports
Data Security

President Biden Looks to Boost Cybersecurity at U.S. Ports

Get Started
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Ready to chat?

See how some of the fastest growing companies use Accountable to build trust through privacy and compliance.
Trusted by
Accountable Compliance Management Logo

We make it easy to get your own HIPAA Certification and build trust with your customers and patients.

Product
PlaybooksHow it worksProductPricingWatch DemoSeal of ComplianceGet Support
Solutions
HIPAAGDPR
Resources
BlogHIPAA TrainingHIPAA Risk AnalysisGDPR Risk Analysis
Company
AboutCareersSupportContact UsPrivacy CenterProduct Updates
Account
Sign InForgot Password

"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.

© 2024 Accountable HQ, Inc.
SitemapTerms of ServicePrivacy Policy