HIPAA generally does not apply to employment records, even when they contain health information. It can still reach health information connected to a change of jobs in a few narrow situations, chiefly where an employer's group health plan is involved, and where it does apply it imposes specific requirements on how that protected health information (PHI) is used and safeguarded.
Does HIPAA apply to past employment?
According to HHS guidance on HIPAA and employers, “The Privacy Rule does not protect your employment records, even if the information in those records is health-related. In most cases, the Privacy Rule does not apply to the actions of an employer.”
HIPAA protects medical records and other individually identifiable health information, but only in the hands of covered entities (health plans, healthcare clearinghouses and most healthcare providers) and their business associates. It does not regulate employers acting as employers, so health information in your past employment records, such as the medical exam you took when you were hired or your sick leave records, is generally not PHI and is not safeguarded by HIPAA. This holds even when the employer is itself a covered entity, such as a hospital: records it holds in its role as employer are excluded from the definition of PHI.
The main idea here is that your employment records, even if they contain health information, are considered part of your employer's business records. Therefore, they are governed by other laws and regulations, not by HIPAA.
There are, however, a few situations in which HIPAA overlaps with a job change, typically because an employer's group health plan or a healthcare service is involved:
- If an individual is enrolled in an employer's group health plan and changes jobs, HIPAA's portability rules (Title I) were designed to keep the move from creating a gap in group coverage, for example by crediting prior coverage against a new plan's exclusion periods. Any health information exchanged between the old and new plans or insurers for that purpose is held by covered entities and is therefore subject to the Privacy and Security Rules. (Continuing coverage while unemployed is a COBRA matter, covered next.)
- When an individual leaves a job and elects to continue coverage under the Consolidated Omnibus Budget Reconciliation Act (COBRA), the group health plan remains a covered entity, so the PHI it holds about that person stays protected under the same privacy standards as during active employment.
- HIPAA limited the extent to which a new employer's health plan could exclude coverage for pre-existing conditions, and the Affordable Care Act has since barred such exclusions altogether. Either way, a new employer's plan cannot use an employee's past medical history to deny or limit coverage unfairly, and any PHI the plan receives or uses during enrollment remains protected under HIPAA.
- If a new employer offers a wellness program that involves health risk assessments or biometric screenings, HIPAA governs how that health information is collected, used and protected when the program is offered as part of a group health plan. A wellness program the employer runs directly, outside the plan, is not covered by HIPAA, although other laws may still apply to it.
See also: HIPAA and workplace wellness programs
Best practices when sharing PHI from past employment
- Before sharing any PHI, identify the legal basis for the disclosure: either the individual's written HIPAA authorization, or a purpose the Privacy Rule already permits, such as treatment, payment or healthcare operations. Remember that employment records held by an employer are generally not PHI at all, so first check whether HIPAA is even the right framework for the record in question.
- Send PHI, whether digital or physical, only over secure channels. For electronic transmissions that means encryption in transit and an authenticated recipient, for example HIPAA compliant email or HIPAA compliant text messaging; the Security Rule's transmission security standard expects covered entities to guard ePHI against interception while it is in transit.
- When healthcare workers leave a workplace, have clear agreements in place about any PHI they had access to, and revoke their system accounts and credentials promptly; the Security Rule's workforce security standard calls for termination procedures of exactly this kind.
- Disclose only the minimum necessary PHI to accomplish the intended purpose. This limits what is shared to what the recipient actually needs, reducing the exposure if the information is mishandled. (The minimum necessary standard does not apply to disclosures to a provider for treatment or to disclosures the individual has authorized.)
- When PHI must be shared with an outside party, put confidentiality obligations in writing. Note that an NDA is not a substitute for a business associate agreement: a vendor that creates, receives, maintains or transmits PHI on a covered entity's behalf is a business associate and needs a BAA, whatever else it has signed.
- Implement role-based access control (RBAC) in your information systems so that each user sees only the PHI their job function requires, and log and review PHI access so that misuse can be detected; audit controls are a Security Rule requirement.
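The following is an added example, not code from the original article, showing how RBAC, the minimum necessary standard, access logging and offboarding fit together in one small access layer. The role names, field names and the sample patient record are hypothetical and constructed for illustration only.

```python
"""Role-based, minimum-necessary access to PHI with an audit trail.

Added illustration; role names, field names and the sample record are
hypothetical and not drawn from any real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Each role may see only the PHI fields its job function needs (hypothetical).
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "treating_clinician": frozenset({"patient_id", "name", "diagnoses", "medications", "allergies"}),
    "billing_specialist": frozenset({"patient_id", "name", "procedure_codes", "insurance_member_id"}),
    "plan_administrator": frozenset({"patient_id", "name", "coverage_start", "coverage_end"}),
}

# Constructed sample PHI record; not real data.
SAMPLE_RECORDS: Dict[str, Dict[str, object]] = {
    "P-1001": {
        "patient_id": "P-1001",
        "name": "Sample Patient",
        "diagnoses": ["J45.20"],
        "medications": ["albuterol"],
        "allergies": [],
        "procedure_codes": ["99213"],
        "insurance_member_id": "M-55",
        "coverage_start": "2023-01-01",
        "coverage_end": None,
    }
}


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str
    fields: Dict[str, object] = field(default_factory=dict)


@dataclass
class PhiStore:
    """PHI records plus the user-to-role assignments that gate access to them."""
    records: Dict[str, Dict[str, object]]
    user_roles: Dict[str, str]
    audit_log: List[Dict[str, object]] = field(default_factory=list)

    def request(self, user: str, patient_id: str) -> AccessDecision:
        role: Optional[str] = self.user_roles.get(user)
        permitted = ROLE_FIELDS.get(role) if role else None
        record = self.records.get(patient_id)
        if permitted is None:
            # No role (never assigned, or removed on departure): deny without
            # revealing whether the record exists.
            decision = AccessDecision(False, "no active role for user")
        elif record is None:
            decision = AccessDecision(False, "no such record")
        else:
            # Minimum necessary: return only the fields this role is entitled to.
            visible = {k: v for k, v in record.items() if k in permitted}
            decision = AccessDecision(True, "ok", visible)
        # Every attempt, allowed or denied, is logged for later review.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "allowed": decision.allowed,
            "fields": sorted(decision.fields),
            "reason": decision.reason,
        })
        return decision

    def offboard(self, user: str) -> None:
        """Remove the user's role on departure so later requests are denied."""
        self.user_roles.pop(user, None)


if __name__ == "__main__":
    store = PhiStore(dict(SAMPLE_RECORDS), {"alice": "billing_specialist"})
    print(store.request("alice", "P-1001"))   # billing fields only
    store.offboard("alice")
    print(store.request("alice", "P-1001"))   # denied after offboarding
```

The projection onto `ROLE_FIELDS` is what makes the minimum necessary standard mechanical rather than a matter of discipline: a billing user never receives diagnoses because the store never hands them over. Offboarding is a single role removal, and because every decision is appended to `audit_log`, a reviewer can later see who looked at which fields and which requests were refused.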
See also: How to train healthcare staff on HIPAA compliance
FAQs
What is RBAC?
Role-Based Access Control is a method of restricting access to systems and data according to the roles users hold in an organization, rather than granting permissions to individuals one by one. Each role carries the permissions its job function needs, and a user gains or loses access by being assigned to or removed from a role.
What is PHI?
Protected health information is individually identifiable health information (about a person's past, present or future health condition, the care they receive, or payment for that care) that is created, received, maintained or transmitted by a HIPAA covered entity or its business associate, in any form: electronic, paper or oral. It is not limited to the medical record. Employment records held by a covered entity in its role as employer are specifically excluded.
Which law applies in an employment situation?
Generally not HIPAA. Employment records, even those containing health information, fall outside the Privacy Rule, and an employer's handling of them is governed by other federal and state laws; for example, the Americans with Disabilities Act requires employers to keep medical information obtained from employees confidential and in separate files. HIPAA applies only where the health information is held by a covered entity, such as the employer's group health plan or a healthcare provider.