Paubox blog: HIPAA compliant email made easy

Sharing patient information with employers using HIPAA compliant email

Written by Kirsten Peremore | October 01, 2024

HIPAA generally does not reach the records an employer keeps about its own workers, but the healthcare providers who treat those workers remain covered entities and must follow specific requirements before sharing patient information with an employer. Chief among them is written patient authorization, which keeps the patient in control of what reaches a third party such as an employer.


How HIPAA governs sharing PHI with employers

HIPAA, specifically the Privacy Rule, does not generally apply to employment records, because employers are not covered entities. Healthcare providers treating patients outside the workplace are, however, covered entities and are subject to HIPAA. For this reason there are specific conditions that must be met before a patient's protected health information (PHI) can be shared with an employer.

One of the primary requirements is spelled out in HHS guidance, which states: "If your employer asks your health care provider directly for information about you, your provider cannot give your employer the information without your authorization unless other laws require them to do so." Employers may ask for items such as a doctor's note or other health information, but the provider cannot release them without the patient's authorization.


How to share patient information with employers using HIPAA compliant email 

Choose a HIPAA compliant email provider:

  • Select a HIPAA compliant email service that encrypts messages, keeps audit logs of what was sent and to whom, and is willing to sign a business associate agreement (BAA).

Obtain patient authorization: 

  • Before sharing any PHI with an employer, obtain a written authorization from the patient that identifies what may be disclosed, who may receive it, the purpose of the disclosure, and an expiration date or event. Treat a missing, expired, or revoked authorization as a reason not to send.

Limit the information shared: 

  • Only share the minimum necessary: the specific items the authorization covers and the employer's stated purpose requires, not the full record. A field the employer asked for but the patient did not authorize stays out of the email.

Train staff: 

  • Regularly train staff members on HIPAA regulations and secure email practices so that they understand the need to protect PHI and proper procedures. 

Document the process: 

  • Keep a record of every communication in which PHI is shared with an employer: what was sent, to whom, when, and which patient authorization covered it, so that any disclosure can later be traced back to its authorization.
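The authorization, minimum-necessary and documentation steps above are a single release check that can be enforced in code before anything is handed to the email system. The following is an added example, not Paubox's code or a Paubox product feature: it assumes a hypothetical in-house record format (the `Authorization` dataclass and the patient record are my own schema, and the sample data is constructed for illustration), checks that a valid authorization covers the recipient and the date, trims the disclosure to the authorized fields, and writes an audit entry for both sent and denied releases.

```python
"""Release gate for disclosing PHI to an employer (added example, hypothetical schema)."""
from dataclasses import dataclass, field
from datetime import date
import json


@dataclass(frozen=True)
class Authorization:
    """The elements a written HIPAA authorization records (45 CFR 164.508(c)):
    whose information, to whom, for what purpose, which items, and until when.
    The field layout itself is an assumption of this example."""
    patient_id: str
    recipient: str               # the employer address the patient named
    purpose: str
    permitted_fields: frozenset  # items the patient agreed may be disclosed
    expires: date                # expiration date written in the authorization
    signed: bool
    revoked: bool = False


@dataclass
class AuditLog:
    """In-memory stand-in for the provider's audit trail of each release."""
    entries: list = field(default_factory=list)

    def record(self, **entry) -> None:
        self.entries.append(entry)


class ReleaseDenied(Exception):
    """Raised when no valid authorization covers the requested disclosure."""


def prepare_employer_disclosure(record, auth, recipient, requested_fields, today, log):
    """Return the subset of `record` that `auth` permits for `recipient`, or raise.

    Fails closed: any defect in the authorization blocks the whole release, and a
    field the employer asked for but the patient did not authorize is withheld
    (minimum necessary) instead of being sent.
    """
    problems = []
    if not auth.signed:
        problems.append("authorization is not signed")
    if auth.revoked:
        problems.append("authorization was revoked")
    if today > auth.expires:
        problems.append(f"authorization expired on {auth.expires.isoformat()}")
    if record["patient_id"] != auth.patient_id:
        problems.append("authorization is for a different patient")
    if recipient.strip().lower() != auth.recipient.strip().lower():
        problems.append(f"recipient {recipient!r} is not the one named in the authorization")

    if problems:
        log.record(outcome="denied", patient_id=record["patient_id"], recipient=recipient,
                   reasons=problems, on=today.isoformat())
        raise ReleaseDenied("; ".join(problems))

    allowed = set(requested_fields) & set(auth.permitted_fields)
    withheld = sorted(set(requested_fields) - allowed)
    disclosure = {name: record[name] for name in sorted(allowed) if name in record}

    log.record(outcome="sent", patient_id=record["patient_id"], recipient=recipient,
               purpose=auth.purpose, fields=sorted(disclosure), withheld=withheld,
               on=today.isoformat())
    return disclosure


# Constructed sample data for the demonstration; not real patient information.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "diagnosis": "lumbar strain",
    "work_restrictions": "no lifting over 10 kg for 14 days",
    "return_to_work_date": "2024-10-15",
}

SAMPLE_AUTH = Authorization(
    patient_id="P-0001",
    recipient="hr@employer.example",
    purpose="confirm fitness for modified duty",
    permitted_fields=frozenset({"work_restrictions", "return_to_work_date"}),
    expires=date(2025, 1, 1),
    signed=True,
)


if __name__ == "__main__":
    log = AuditLog()
    # HR asks for the diagnosis too; only the authorized fields go out.
    body = prepare_employer_disclosure(SAMPLE_RECORD, SAMPLE_AUTH, "HR@Employer.example",
                                       {"diagnosis", "work_restrictions"},
                                       date(2024, 10, 1), log)
    print(json.dumps(body, indent=2))
    try:  # the same request after the expiration date is refused outright
        prepare_employer_disclosure(SAMPLE_RECORD, SAMPLE_AUTH, "hr@employer.example",
                                    {"work_restrictions"}, date(2025, 1, 2), log)
    except ReleaseDenied as exc:
        print("denied:", exc)
    print(json.dumps(log.entries, indent=2))
```

The gate is deliberately the last step before the message is composed: whatever it returns is the entire body sent to the employer, and the audit entry it writes carries the authorization's purpose and the list of withheld fields, which is the record you want when a patient later asks what their employer was told.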

FAQs

Can mandatory drug testing results be shared with employers? 

Yes, with the employee's authorization or where the law requires the disclosure.


Is employee health information collected by medical staff working for their employer considered PHI? 

No. Health information collected by an employer's own medical staff is part of the employment record rather than PHI, because the employer is not a covered entity; other laws may still govern how the employer handles it.


What is encryption? 

The process of transforming readable data (plaintext) into unreadable ciphertext using a key, so that only someone holding the corresponding key can recover the original. For email, it means a message containing PHI cannot be read by anyone who intercepts it in transit or obtains a stored copy without the key.