HIPAA and Employee Privacy Protections
HIPAA (Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 that establishes critical protections for employees' health information in the workplace. For HR professionals focused on compliance and risk management, understanding HIPAA is essential to safeguarding employee privacy and avoiding costly violations.
HIPAA primarily regulates how Protected Health Information (PHI) is collected, stored, shared, and disclosed. PHI includes any individually identifiable health data such as medical records, diagnoses, treatment plans, insurance claims, and payment histories. Covered entities—including health plans, healthcare providers, and healthcare clearinghouses—must comply with HIPAA's Privacy Rule and Security Rule.
In the employment context, HIPAA applies primarily to employer-sponsored group health plans. Employers acting as plan sponsors must ensure that employee health information obtained through the plan is kept separate from general employment records. HR professionals must implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI) from unauthorized access or breaches.
Key employee privacy protections under HIPAA include the right to access their own health records, request corrections, receive notices of privacy practices, and be informed of any data breaches. Employers cannot use employee health information for employment decisions such as hiring, firing, or promotions.
From a compliance and risk management perspective, HR professionals must ensure proper training for staff handling PHI, establish Business Associate Agreements (BAAs) with third-party vendors, conduct regular risk assessments, and maintain incident response plans for potential data breaches. Violations can result in significant penalties ranging from $100 to $50,000 per violation, with annual maximums reaching $1.5 million or more, along with potential criminal charges. It is important to note that HIPAA does not broadly prevent employers from requesting medical information; rather, it restricts how health plan data is handled. Other laws like the ADA and GINA provide additional layers of employee health privacy protection in the workplace.
HIPAA and Employee Privacy Protections: A Comprehensive Guide for aPHR Exam Preparation
Why HIPAA and Employee Privacy Protections Matter
The Health Insurance Portability and Accountability Act (HIPAA) is one of the most significant federal laws affecting how organizations handle employee health information. For HR professionals, understanding HIPAA is not just a legal necessity—it is fundamental to building trust with employees, avoiding costly penalties, and ensuring organizational compliance. HIPAA violations can result in fines ranging from $100 to $50,000 per violation (with an annual maximum of $1.5 million per violation category), and in severe cases, criminal prosecution. As an HR professional preparing for the aPHR exam, mastering HIPAA is essential because it intersects with benefits administration, record-keeping, employee relations, and risk management.
What is HIPAA?
HIPAA was enacted in 1996 and has two primary objectives:
1. Portability: Ensuring that employees can maintain health insurance coverage when they change or lose jobs.
2. Accountability: Establishing standards for the protection of individually identifiable health information, known as Protected Health Information (PHI).
HIPAA applies to covered entities, which include:
- Health plans (including employer-sponsored group health plans)
- Healthcare providers who transmit health information electronically
- Healthcare clearinghouses
It also applies to business associates—third-party vendors and service providers that handle PHI on behalf of covered entities.
Key Components of HIPAA Relevant to HR
1. The Privacy Rule
The HIPAA Privacy Rule establishes national standards for the protection of PHI. It governs how covered entities may use and disclose individually identifiable health information. Key provisions include:
- Minimum Necessary Standard: Covered entities must make reasonable efforts to limit the use and disclosure of PHI to the minimum amount necessary to accomplish the intended purpose.
- Individual Rights: Employees have the right to access their own health records, request corrections, and obtain an accounting of disclosures.
- Notice of Privacy Practices: Covered entities must provide individuals with a notice explaining how their PHI may be used and disclosed.
- Authorization Requirements: Most uses and disclosures of PHI beyond treatment, payment, and healthcare operations require written authorization from the individual.
2. The Security Rule
The HIPAA Security Rule applies specifically to electronic Protected Health Information (ePHI). It requires covered entities and business associates to implement:
- Administrative Safeguards: Policies and procedures to manage the selection, development, implementation, and maintenance of security measures. This includes workforce training, access management, and security incident procedures.
- Physical Safeguards: Measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion. This includes facility access controls and workstation security.
- Technical Safeguards: Technology and related policies to protect ePHI and control access. This includes access controls, audit controls, integrity controls, and transmission security.
3. The Breach Notification Rule
When a breach of unsecured PHI occurs, covered entities must:
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach
- Notify the Department of Health and Human Services (HHS)
- If the breach affects 500 or more individuals, notify prominent media outlets serving the state or jurisdiction
4. Title I – Health Insurance Portability
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose jobs. Key provisions include:
- Limiting exclusions for pre-existing conditions
- Prohibiting discrimination based on health status
- Guaranteeing renewability of health coverage
- Providing credit for prior health coverage (portability)
How HIPAA Works in the Workplace
Employer-Sponsored Health Plans
When an employer sponsors a group health plan, that plan is a covered entity under HIPAA. The employer itself is generally not a covered entity, but the group health plan is. This creates an important distinction:
- The group health plan must comply with HIPAA's Privacy and Security Rules.
- The employer may receive PHI from the health plan only if the plan documents are amended to establish permitted uses and disclosures, and the employer certifies that it will safeguard the information.
- HR professionals who handle enrollment, claims issues, or benefits administration may have access to PHI and must be trained on HIPAA requirements.
Separation of PHI from Employment Records
One of the most critical concepts for HR professionals is the firewall between health plan information and employment decisions:
- Employers cannot use PHI obtained from the group health plan to make employment decisions (hiring, firing, promotions, etc.).
- Health information obtained through other means (such as FMLA certifications, workers' compensation claims, or ADA-related inquiries) is governed by those respective laws, not HIPAA directly. However, best practice dictates keeping all medical information separate from general personnel files.
- PHI must be stored separately and access must be limited to authorized individuals only.
Business Associate Agreements (BAAs)
When employers use third-party administrators, benefits consultants, payroll providers, or other vendors who may access PHI, they must execute Business Associate Agreements. These contracts require the business associate to:
- Safeguard PHI appropriately
- Report breaches
- Return or destroy PHI when the contract ends
- Allow HHS to audit their compliance
HIPAA and Other Employment Laws
It is important to understand how HIPAA interacts with other federal laws:
- ADA (Americans with Disabilities Act): The ADA restricts what medical information employers can request and requires confidentiality of medical records. While ADA and HIPAA both protect medical information, they do so through different mechanisms. ADA applies to the employer directly; HIPAA applies to the health plan.
- FMLA (Family and Medical Leave Act): Medical certifications obtained under FMLA are protected by FMLA's own confidentiality requirements, not HIPAA. However, if the information also flows through the group health plan, HIPAA applies to that channel.
- GINA (Genetic Information Nondiscrimination Act): GINA prohibits the use of genetic information in employment decisions and restricts the acquisition and disclosure of genetic information. HIPAA also protects genetic information as PHI.
- Workers' Compensation: HIPAA permits disclosure of PHI for workers' compensation purposes to the extent authorized by state workers' compensation laws.
Common HIPAA Violations in the Workplace
HR professionals should be aware of common violations:
- Sharing employee health information with managers or coworkers who do not need to know
- Failing to secure physical or electronic health records
- Not executing Business Associate Agreements with vendors
- Using PHI from the health plan for employment decisions
- Failing to provide proper breach notification
- Not training employees who handle PHI
- Improperly disposing of documents containing PHI
Employee Rights Under HIPAA
Employees covered by a HIPAA-compliant health plan have several important rights:
- Right to Access: Employees can request and obtain copies of their PHI held by the health plan.
- Right to Amend: Employees can request corrections to inaccurate or incomplete PHI.
- Right to an Accounting of Disclosures: Employees can request a list of certain disclosures of their PHI made by the health plan.
- Right to Request Restrictions: Employees can request limitations on how their PHI is used or disclosed (though the covered entity is not always required to agree).
- Right to Confidential Communications: Employees can request that the health plan communicate with them through alternative means or at alternative locations.
- Right to a Notice of Privacy Practices: Employees must receive a clear explanation of how their PHI may be used.
Enforcement and Penalties
HIPAA is enforced by the Office for Civil Rights (OCR) within the Department of Health and Human Services. Penalties are tiered:
- Tier 1: Lack of knowledge — $100 to $50,000 per violation
- Tier 2: Reasonable cause (not willful neglect) — $1,000 to $50,000 per violation
- Tier 3: Willful neglect, corrected within 30 days — $10,000 to $50,000 per violation
- Tier 4: Willful neglect, not corrected — $50,000 per violation
- Annual maximum: $1.5 million per violation category
- Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years for intentional violations
How to Answer Exam Questions on HIPAA and Employee Privacy Protections
When approaching aPHR exam questions on this topic, use the following framework:
1. Identify the covered entity: Is the question about the employer, the group health plan, a healthcare provider, or a business associate? Remember that the employer itself is generally not a covered entity—the group health plan is.
2. Determine what type of information is involved: Is it PHI from the health plan, or medical information obtained through another channel (ADA, FMLA, workers' compensation)? This determines which law applies.
3. Apply the minimum necessary standard: When a question involves disclosure of PHI, always consider whether the disclosure is limited to the minimum amount necessary.
4. Consider the purpose of the disclosure: Is it for treatment, payment, healthcare operations, or another purpose? Disclosures beyond the core purposes generally require authorization.
5. Look for separation of functions: Questions may test whether you understand that health plan information cannot be used for employment decisions.
6. Check for proper safeguards: Questions about security will test your knowledge of administrative, physical, and technical safeguards.
Exam Tips: Answering Questions on HIPAA and Employee Privacy Protections
Tip 1: Know the Distinction Between the Employer and the Health Plan
This is the most commonly tested concept. The employer is generally not a covered entity under HIPAA. The employer-sponsored group health plan is. When a question asks about HIPAA obligations, focus on the health plan's responsibilities, not the employer's general HR functions.
Tip 2: Remember That HIPAA Does Not Cover All Employee Medical Information
A very common trap in exam questions is assuming HIPAA applies to all medical information an employer possesses. HIPAA specifically governs PHI held by covered entities. Medical information obtained through ADA accommodations, FMLA leave requests, or pre-employment physicals is governed by those respective laws. If a question presents a scenario involving FMLA medical certification, the answer likely involves FMLA confidentiality rules, not HIPAA.
Tip 3: The Minimum Necessary Rule is a Favorite Test Topic
When answering questions about disclosures, always gravitate toward the answer that limits the information shared to what is strictly necessary. If an answer choice involves sharing more information than needed, it is likely wrong.
Tip 4: Breach Notification Timelines Are Testable
Remember the 60-day notification requirement. If a question asks about breach response, the correct answer will involve prompt notification to affected individuals, HHS, and (if applicable) the media—all within the prescribed timeframes.
Tip 5: Business Associate Agreements Are Essential
Any time a question involves a third-party vendor handling PHI, look for the answer that includes executing a Business Associate Agreement. Without a BAA, sharing PHI with a vendor is a violation.
Tip 6: Understand the Three Categories of Safeguards
For Security Rule questions, remember the three categories: administrative, physical, and technical. Be able to classify examples into the correct category. For instance, employee training is administrative, locked file cabinets are physical, and encryption is technical.
Tip 7: Employees Cannot Be Terminated or Disciplined for Filing HIPAA Complaints
HIPAA includes anti-retaliation provisions. If a question describes a scenario where an employee is disciplined after filing a HIPAA complaint, the correct answer will identify this as retaliation and a violation.
Tip 8: Distinguish Between Portability (Title I) and Privacy (Title II)
Title I deals with insurance portability—pre-existing condition limitations, continuation of coverage, and non-discrimination. Title II deals with privacy and security of health information. Exam questions may test whether you can distinguish between these two aspects of HIPAA.
Tip 9: Use Process of Elimination
If you encounter a difficult HIPAA question, eliminate answers that:
- Allow unrestricted sharing of PHI
- Permit use of health plan information for employment decisions
- Ignore the need for Business Associate Agreements
- Suggest HIPAA applies to all medical information regardless of source
- Violate the minimum necessary standard
Tip 10: Connect HIPAA to Broader Compliance and Risk Management
The aPHR exam tests HIPAA within the broader context of compliance and risk management. Understand that HIPAA compliance is part of an organization's overall risk mitigation strategy. Questions may integrate HIPAA with other compliance topics, so be prepared to evaluate scenarios holistically.
Summary of Key Points for Exam Success
- HIPAA protects Protected Health Information (PHI) held by covered entities (health plans, healthcare providers, clearinghouses) and their business associates
- The employer is generally not a covered entity; the group health plan is
- The Privacy Rule governs use and disclosure of PHI; the Security Rule governs ePHI safeguards
- The minimum necessary standard limits disclosures to what is needed
- Business Associate Agreements are required for third-party vendors handling PHI
- PHI from the health plan cannot be used for employment decisions
- Medical records must be stored separately from personnel files
- Breach notification must occur within 60 days of discovery
- Enforcement is handled by the Office for Civil Rights (OCR) within HHS
- HIPAA does not cover all employee medical information—other laws (ADA, FMLA, GINA) have their own confidentiality provisions
By thoroughly understanding these concepts and applying the exam tips above, you will be well-prepared to answer any HIPAA-related questions on the aPHR exam with confidence.