HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a law that was passed to guarantee the security and privacy of protected health information (PHI) as it travels throughout the healthcare industry. There are standards and safeguards that are required through the law for all those who can access this type of personally identifiable information to follow.
Most people know that doctors, nurses and other people working for medical practices have to comply with HIPAA, but what about the HR team within other organizations that have employee sponsored health plans? During the course of handling these health plans and benefits, HR employees often have access to PHI. In order to guarantee that all employees are aware of the security procedures and protocols, HIPAA training is required for all of these people, including Human Resources staff members.
What is PHI?
According to HIPAA, those who have the potential to access protected health information throughout the course of their job must be trained in and comply with all the requirements. Since needing to follow the requirements of HIPAA is contingent on accessing PHI, we will define what that is so that HR employees will know whether or not they fall under HIPAA.
Simply put, PHI is any medical information that could potentially identify an individual, that is created or used during the course of providing healthcare services. The HIPAA Privacy Rule lays out 18 identifiers for PHI. A few of those are: full or last names, dates relating to birthday or treatment day, social security numbers, medical record numbers and any photograph that can identify an individual. These are only a couple of the identifiers, although a complete list of PHI Identifiers can be reviewed here.
HR and HIPAA
If you are working in Human Resources, especially within the medical industry, you will regularly access and use protected health information (PHI) during the course of your work day. Since you have access to this information through your job, you are required to understand and comply with HIPAA to ensure that each patient’s PHI is kept secure. A wide variety of organizations handle this type of data as a part of their necessary operations just as HR departments do.
The main component of HR that leads to employees in that role having access to PHI is their work with and management of the organization’s sponsored health plans. While dealing with these insurance plans for all of the employees, it is reasonable to assume that HR professionals would access PHI. The ability to view this private health information is why HR professionals commonly need to be trained in HIPAA so that they can achieve compliance.
How Often Should Training Take Place?
Just like with HIPAA training for other departments, HR employees should be trained on HIPAA during their initial onboarding process and then be required to complete annual training each year after that. Beyond this, additional training may be needed if there are changes in the company’s policies and procedures relating to HIPAA or even if there are changes or additions to the law itself.
Do Employment Records Count as PHI?
One common question that HR teams may have about HIPAA is whether an employee’s general employment record counts as PHI and therefore must be protected to the same extent. The Privacy Rule does not pertain to employment records, therefore the information inside of this record is not considered PHI even if some of it is health related. Within the text of HIPAA, the Privacy Rule clearly lays out requirements and standards for how and when someone is able to access an employee’s PHI. However, these guidelines do not apply to an organization’s specific employment records that they create and utilize.
Even if an employer is seeking an employee’s doctor’s note or some other direct information from a healthcare provider, the supervisor or any other staff member cannot access the health information needed to do so, unless they have received explicit consent from that employee. HR staff members can be very valuable in this situation by making all employees aware of their rights to the protection and security of their health information.