Privacy of employee health information
Originally posted: 11/22/2006. Reposted: 2/18/2011.
This post has not been recently reviewed or revised by the author and may be out of date. If in doubt, please send a new question or ask for an update.
Q: When applying for health insurance, and the insurance company wants information on any condition or treatment going back 10 years, if you have a history of hepatitis C, how should you fill this out if you do not want your new employer to find out?
A: Your employer is not allowed access to your medical information and may not view your application for health insurance. All employers, regardless of the size or nature of the business, are required to have a Privacy Officer whose role includes making sure that your health insurance application (assuming this is a paper application) is delivered to the HIPAA-compliant health insurance company in a sealed envelope (or by an alternate method designed to protect your privacy) without the risk of exposure to any employee in the company. Another part of that role is to ensure that the contractors handling your health insurance records are also HIPAA compliant. In addition, your employer is required to provide you with a written privacy statement before offering you a health insurance application. If you did not get one, please ask the employer. If you have any doubts or concerns about your employer's privacy practices, you should bring them up immediately. If a satisfactory resolution is not immediately available, then contact your local Health and Human Services office.

The penalties are severe for a small business employer who fails to follow the 17 minimum HIPAA requirements that collectively make up the medical privacy law. There are no exemptions for small employers. Fines start at $100 per day per violation. A small violation (like leaving an employee's health insurance application unsealed where another employee could see it, or failing to have a Privacy Policy) would likely result in a fine of up to a few thousand dollars, but a bigger problem (like leaking an employee's medical information or firing an employee based on private health information) could cost up to $100,000 in fines plus the risk of criminal prosecution. The problem is that some of the smallest companies are simply not aware of federal privacy laws. Enforcement is getting tougher, and these companies are unknowingly at risk for mishandling information from employees, customers and others.
Any small business that is in doubt about compliance should take the time to do a minimal audit of this area. Professional benefits advisors like my own practice at FreedomBenefits.org can usually handle this issue in a telephone consultation of less than one hour. Compliance with HIPAA is not expensive, but non-compliance could easily bankrupt a small company. The U.S. Department of Labor and the Department of Health and Human Services provide substantial guidance to employers to help small businesses avoid this problem. As a practical matter, most small companies avoid these problems entirely by hiring a benefits adviser like Freedom Benefits' OnlineAdviser service, who then implements Web-based security measures and handles health plan enrollments online in a private and secure manner. Although FreedomBenefits.org is not taking new clients at this time, a HIPAA evaluation and consultation may be available, subject to adviser availability, directly through the OnlineAdviser program. The fee is usually $150 for an evaluation and, if needed, $150 for implementation of a corrective HIPAA compliance program. This small investment is well worthwhile for any small employer that offers employee health benefits.
Summary
More resources:
small business benefit plans at FreedomBenefits.org