HIPAA (Health Insurance Portability and Accountability Act) laws don't apply only to health care organizations — they also apply to small businesses outside the health care industry. A small business administers health insurance plans, other health-related benefits, and information about employee health conditions, all of which the business must secure according to HIPAA guidelines.
Securing Medical Records
Records containing information about employees’ health need to be secured not only from access outside of the company, but also from unauthorized users inside the company. Only certain employees within the organization who deal directly with health-related policies need to access the information, which should be protected by a special password or locked in a secured drawer or filing cabinet. When transferring these records, employees must follow company policies to ensure the information isn't lost or intercepted by another party. Employees who handle health-related information must also maintain a log that details any release or transfer of information.
Any employees in the organization who handle health-related information — such as medical insurance policy information, a company wellness program or a flexible health spending account — need to receive proper training about HIPAA and how to handle health-related information. If you fail to properly train such employees and they in turn disclose information about another employee’s health, you may be found liable for the disclosure and may then be sued by the employee whose information was compromised.
Under no condition may a manager disclose to other employees in an organization the details of a person's medical absence from the company, unless the employee consents first. This means that when an employee falls ill or needs to undergo medical treatment, you may pass around a card or other materials to give to the employee who isn't well, but you can't disclose the reason for the employee’s absence to everyone else.
Not only do you need to follow HIPAA laws on a daily basis within your organization, but you also must document the policies your organization has adopted to ensure compliance with the laws. These documents need to detail how employees who have access to health information are to secure the information, under what circumstances health information should be disclosed, and consequences for an employee violating the organization’s HIPAA policies. All employees should have a copy of these written policies, especially those who have access to health information.