
Category: HR

Employee Health Data Security Requirements for HR

Human resources departments have many duties, and a key one is safeguarding employees’ personal data. Regulations change often; for example, tighter restrictions on employee data under the Patient Protection and Affordable Care Act (PPACA) have changed how employers manage employee data under the Health Insurance Portability and Accountability Act (HIPAA).

What are some of the rules and regulations HR must follow when it comes to employees’ personal data?

There are several federal laws that oversee the handling of employees’ health and medical information. These include:

The Health Insurance Portability and Accountability Act

While HIPAA generally applies only to “covered entities” such as health care providers, it also applies to self-insured and fully insured employer plans, with some exceptions. Even if an employer contracts out much of the plan’s administration, the plan itself falls under HIPAA rules.

How HIPAA rules are enforced, and what compliance requires of a given employer, varies widely with company size, plan details and other factors, so companies with questions or concerns should check with vendor partners, plan administrators or their own lawyers.

“Overall many HR departments still struggle with staying HIPAA compliant,” says Monica Hinchey, vice president of client relations and HIPAA privacy officer at Benefit Express. “This is becoming more and more difficult as technology and requirements change.”

In addition, PPACA rules state that employers are no longer required to issue HIPAA certificates of creditable coverage after 2014.

The Americans with Disabilities Act

Information HR holds about accommodations the employer must make under the ADA must be kept secure.

The Genetic Information Nondiscrimination Act

As with the ADA, personal health information that HR holds under GINA is subject to strict security controls.

The Family and Medical Leave Act

This law mandates time off for certain health and family issues.

Workers’ Compensation

Any health information HR possesses because of handling workers’ compensation claims must remain secure.

Other Security Considerations

The rules may vary under each law. Under the ADA, for example, employees’ medical or benefits records must be kept separate from their employment or personnel files. Medical records may include insurance enrollment forms as well as any forms needed for core or voluntary health benefits, information gathered from medical exams, drug test or physical results, medical leave information, ADA records and so on. There may be state laws or regulations to follow too.

And while technology can help you keep track of information, it also can cause difficulties. “Outside of worrying about secure email and how to send protected health information electronically from your desk, professionals are now struggling with how to secure information with smartphones and tablets being used everywhere and by different people within the HR department,” Hinchey says. “Keeping track of who has access to what, how they access it and how they are securing it has become a daunting but necessary task.”

More employers are considering outsourcing benefits administration to manage compliance filings and other paperwork. A study by ADP says that ensuring compliance is one of the most significant factors driving the outsourcing of benefits administration.

The study also says employers interested in outsourcing benefits administration should do their due diligence: determine whether potential vendor partners can comply with applicable laws and regulations, and whether they can update their policies and practices quickly and accurately when those laws and regulations change. Whether because of PPACA or other regulations, rules on data handling can change quickly, so it’s vital that your vendor partner stays informed and current.

It’s also important to understand that if the employer accesses, creates or receives protected health information while working with a covered entity, that creates a business associate relationship under the HIPAA Final Omnibus Rule and makes the employer subject to HIPAA rules. Vendor partners will ask employers to enter into a Business Associate Agreement if this is the case, and employers again should consult with counsel on the best plan of action.

EbixMarketing
