Employee Health Records: Are They Covered Under HIPAA?
It seems like there’s another data breach announcement involving protected health information (PHI) almost every day. These notifications almost always involve healthcare providers or related organizations like insurance companies. Occasionally, they will involve the Business Associates that handle PHI on behalf of these organizations. We almost never hear of a claim involving the accidental (or purposeful) release of PHI from the HR department of a private organization. Why is that?
The good news for employers is that their handling of PHI is usually not covered under HIPAA. There are some exceptions though. For more details, here’s a link to a post that does a decent job of explaining the fine print: HIPAA for HR.
Of course, that’s not necessarily good news for employees who are concerned about identity theft. Neither does it resolve the employer’s ethical requirements for protecting their employees’ personal information.
What’s the Worst That Could Happen?
If you’ve followed my posts, you know that I believe healthcare providers should pay close attention to HIPAA violations so they can better spot weaknesses in their own compliance. A recent HIPAA violation provides an interesting lesson for employers even if they aren’t covered under the HIPAA regulations.
In a recent case, a woman was fired from her job as office manager for a construction company. She was then hired by a local health care provider and subsequently by an insurance carrier. In her new roles, she accessed the medical records of employees at the construction company without permission and even sent the (very) personal records of the woman who replaced her to the company controller. She’s since pled guilty to one count of wrongful disclosure of health information with intent to cause harm, for which she faces a potential fine and jail time. If you’re interested, you can read more details about the case in this article in the HIPAA Journal.
So, what can employers learn from this?
In this situation, the construction company couldn’t really have done much to prevent the illegal PHI disclosure. As I understand the facts of the case, they were simply the recipient of the information, and the OCR’s case is against the former employee only. Her new roles gave her access to these records. And I also assume that they didn’t use the illegally obtained information that fell into their hands to inform their decision-making with regard to their new office manager.
Putting aside the illegal records disclosure, a construction company could have legal access to PHI. For example, if there is a worker’s comp claim, they would presumably have some of those medical records in their systems. While that doesn’t necessarily mean they are a “covered entity” under HIPAA, they need to protect that information because PHI can be used in all sorts of harmful ways. Data thieves will pay top dollar for healthcare information on the dark web because it often contains the details they need to steal someone’s identity. And as the case we cited shows, it doesn’t stop there.
Healthcare information can be used by vengeful people to cause harm to their intended victim. Presumably, in this case, there was something in the new employee’s healthcare records that the former employee assumed would hurt her employment status. If employers truly care about their employees, they will do everything they can to prevent this information from leaking out to those who are not authorized to see it.
Employers need to protect themselves against former employees. I hate to say it, but this includes those employees that you don’t think could do something like this in a million years.
You may think you have adequate protections in place, but consider this. The latest survey I’ve seen found that 13% of former employees could still access their former employers’ systems using their employee login credentials. Anecdotal evidence leads me to believe the problem might be a bit understated, especially among midsized companies whose IT departments are stretched thin.
Major Food Processor Turns to Connectria for a HIPAA-Compliant Environment
We frequently talk to organizations about HIPAA compliance even though they aren’t in healthcare. For example, we’re working with a major chicken processor. As their head of IT explains, “Cutting up chickens all day is hard work. We have a nurse on staff who helps our employees prevent repetitive use injuries. She also does first-line treatment of any injuries at our production facility.”
So, while not a healthcare provider, per se, this organization does provide healthcare services to its employees. The nurse is also authorized to communicate with doctors on behalf of patients and has patient records stored in the company systems. In conjunction with his legal team, their head of IT wisely decided their IT systems needed to be HIPAA compliant. (Arguably, they are a “covered entity” since their nurse provides actual healthcare services.)
Managing a food processing facility is challenging enough, and the IT department has its hands full. They lacked confidence in their ability to manage HIPAA compliance in-house in addition to everything else on their plate.
According to the head of IT, “Working with Connectria definitely took a lot off of my workload. I’m not constantly having to log into the server and troubleshoot. That’s not my specialty. I don’t have to worry as much about the compliance of my systems because Connectria’s there to help me keep an eye on things.”
An Ounce of Prevention
When it comes to the protection of PHI, an ounce of prevention costs far less than a pound of cure. If you think you might have obligations under HIPAA, or you just want to protect your employees’ privacy, reach out to us. We can help you assess your risk of exposure and craft a plan to help strengthen your defenses.