What Employers Need to Know about Healthcare and Privacy

As an employer, you are entrusted with a lot of personal information about your employees. This is especially true when it comes to their healthcare. You provide their health insurance plan, and you are the one who will need to obtain health information in case of a work-related injury, or if your employee requests medical leave or accommodation for a disability. All of this information is confidential, but many employers are unsure what their obligations are when it comes to protecting their employees’ privacy. The Health Insurance Portability and Accountability Act (HIPAA) is what regulates how private health information is treated, but you may be surprised to know that HIPAA doesn’t always apply to employee health information that is maintained by an employer.

What Is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, was established in 1996 as technology was advancing and medical records were beginning to be kept, accessed, and transferred digitally. HIPAA provides federal protection for personal health information, including medical records, conversations regarding medical treatment, and billing information related to a patient’s healthcare. 


In the workplace, the main way that HIPAA is applied pertains to your employees’ right to privacy. The HIPAA right to privacy rule gives employees:

  • The right to authorize disclosure of their health records
  • The right to request or inspect a copy of their health records
  • The right to have mistakes corrected at any time

HIPAA rules surrounding employee health information are balanced, and they do not mean that you can never ask for or obtain any medical information about your employees – you just need to get it in the right way, and protect it once you have it. 

HIPAA specifically says that its rules apply to what are known as “covered entities,” which are insurance companies and healthcare providers, or any other organization that transmits medical records electronically. These “covered entities” need to be HIPAA compliant. For you, as an employer, HIPAA applies to your request for information from those covered entities. What this simply means is that an insurance company or healthcare provider cannot give you any health-related information about your employee without your employee’s express authorization. 

HIPAA does not stop you from asking an employee for a doctor’s note.

Common HIPAA Misconceptions

HIPAA can seem complicated. You have obligations when it comes to protecting your employees’ healthcare information, but, unless you are a healthcare company or a healthcare provider, you aren’t technically subject to HIPAA. The law really just regulates how employees’ protected healthcare information maintained by a healthcare plan can be shared with employers.

There are some myths surrounding how HIPAA affects you as an employer that we can debunk for you right now. HIPAA does NOT:

  • Stop you from asking for a doctor’s note for an absence
  • Affect your ability to ask for information related to workers compensation claims, wellness programs, or administering your healthcare plan 
  • Apply to employment records – but if health information is contained in them, you’ll have to get authorization from your employee’s physician and state that you will only use the records for the intended purposes.
  • Cover all employee benefit information. For example, employee life insurance, disability and workers’ compensation, and wellness programs are generally not covered under HIPAA.


While there are many ways that employers are not subject to HIPAA, there are still certain HIPAA rules that employers need to pay special attention to in order to remain in compliance with the law. Examples of these include: 


  • Electronic security rule – This rule requires that you take all reasonable measures to physically, technically, and administratively safeguard your employees’ personal information. Businesses are expected to take steps to ensure privacy, protect against threats, make sure employees are in compliance, and protect against unauthorized uses or disclosures of information.
  • Breach notification rule – If your insurance company or a healthcare provider experiences a data breach, everyone affected needs to be notified. The same goes if it happens to your business.
  • Privacy and personal health information rule (PHI) – According to the Department of Health and Human Services, “The HIPAA Privacy Rule protects most ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.” Again, this really only applies to “covered entities” – or insurance companies and providers. But these covered entities need to make clear to you how PHI may be used or shared, and you need to remain in compliance with those privacy policies.

Common Violations of HIPAA

Unauthorized access or disclosure of an employee’s health information is a direct violation of HIPAA.

Despite some of the technicalities of what HIPAA covers, if you’re in possession of health information about your employees, it’s a good idea to stay on the safe side and use best practice to remain compliant with the law. This mainly means keeping your employees’ data safe and secure, and always going through the proper channels to obtain medical information. To give you some idea of what you should be looking out for, the most common HIPAA violations for employers are as follows:

  • Hacking/data breaches – If you don’t have the proper security measures in place, your employees’ information, including their health information, could be at risk of being hacked.
  • Theft/loss – Similarly, devices storing sensitive information could also be stolen.
  • Unauthorized access/disclosure – Even if you obtain an employee’s information in the correct way, you still have to make sure that it is kept safe and not disclosed to anyone other than you or other authorized parties.
  • Improper disposal – Protected information needs to be disposed of properly; information could be illegally obtained if you don’t take reasonable measures such as shredding documents.

Being an employer means taking care of your employees in lots of different ways. If you offer them healthcare as one way of taking care of them, that’s great – but protecting their personal and private information needs to be another way that you look after them. The rules surrounding HIPAA may seem complicated on first look, but the most important thing to remember is that you need to safeguard any sensitive information entrusted to you. If you have any questions about how HIPAA affects your healthcare plan – or if you have any other questions about offering healthcare to your employees – EZ is here to help. Our knowledgeable agents can do everything from answer questions to provide fast, accurate quotes to sign you up for a great plan – and we’ll do it all for free. To get started with us, enter your zip code in the bar above. Or to speak with an agent directly, call 888-350-1890.

About The Author:
Cassandra Love

With over a decade of helpful content experience Cassandra has dedicated her career to making sure people have access to relevant, easy to understand, and valuable information. After realizing a huge knowledge gap Cassandra spent years researching and working with health insurance companies to create accessible guides and articles to walk anyone through every aspect of the insurance process.
