Since HIPAA did not make the employer/plan sponsor a covered entity, it allows circumstances where an employer could have multiple sets of information on an employee that can be treated differently.

For example: a nurse who works for a hospital, enrolls in its medical insurance as a participant, and also uses the hospital for medical care will have three sets of data at the hospital.

  • Her medical information is PHI (protected health information).
  • Her health insurance application contains PHI.
  • Her employment information contains most of the same information as the first two but is not considered PHI.

We feel that this discrepancy leaves too much room for error. How do you treat the same information differently? How do you explain to an HR employee that it must be protected in this circumstance and not in that one? If a question arises and personal information is allowed out, what was the source of it? And what if this employee needs an FMLA leave due to a medical situation and the employer requires medical information from her doctor to document the need: is that PHI? The doctor will treat it as such, but the law does not require the employer to do so.

Our HIPAA tool for employers approaches this issue the same way. We think all of this information should be protected, and that employees should be expected and trained to protect it.