Benefits, Hiring & Recruiting

HR’s Top HIPAA Compliance Misconceptions Dispelled

HIPAA has become synonymous with medical records privacy, for good reason. Enacted more than 20 years ago, it gives individuals the power to decide who has access to their health records and has forced major changes in the way health care providers, health plans and businesses handle records.

More formally called the Health Insurance Portability and Accountability Act, the law has had ripple effects outside of the medical providers it is intended to regulate—including inside countless HR departments across the country. There, many employers mistakenly believe they have no access to health records as part of a background check for prospective employees. They fall back on a widespread belief that HIPAA controls what they do, too.

Here’s where they are wrong: HIPAA doesn’t apply to most employers, except those that are “covered entities.” Failing to obtain appropriate medical information from prospective employees because of HIPAA confusion could cause an employer to make a bad hire or, worse, expose it to risks and potential liability if an employee has a medical condition that affects their ability to perform a job.

What Is a ‘Covered Entity’?

Three kinds of businesses are required by law to comply with HIPAA and face the consequences if they don’t. They are:

  • Health plans, which includes company health plans, Medicare, Medicaid, health insurance companies and HMOs,
  • Health care providers, including doctors, hospitals, pharmacies, psychologists and dentists, and
  • Health care information aggregators, who might gather medical records for processing, for instance.

If a business doesn’t fall into one of those categories, it’s impossible for it to violate HIPAA. The law gives the U.S. Department of Health and Human Services the regulatory authority to only crack down on those covered entities.

Of course, that doesn’t mean HR departments can sidle up to a buffet of health records as they check the backgrounds of job candidates. That’s because those candidates’ doctors, health providers and health plans are covered entities and are required, by HIPAA, to handle candidates’ medical information—including what is shared with current and potential employers—in accordance with the patients’ wishes and the law.

Getting the Data

There is, however, medical information that HR departments and employers are allowed to access, and those records can provide vital details during the hiring process. Here are three sources of health records accessible to employers:

Post-offer medical exams: To qualify, an exam must be paid for by the employer or the employer’s representative and seek information that is directly related to a candidate’s ability to perform the job they are seeking. If the exam falls within those parameters, the employer or the employer’s agent doesn’t need the candidate to sign a release form to access records from the exam.

An important caution: Employers can get into trouble when they seek a general physical instead of more targeted tests related to the duties of a specific job. For instance, there are very few conditions that might preclude a call center worker from doing his job. If a prospective employer ordered a general exam, it could turn up medical issues that have no bearing on the candidates’ ability to do the work for the job they are seeking.

In fact, a doctor or clinic may violate HIPAA if they divulge results from a general exam that’s conducted under the guise of a pre-employment checkup. What’s more, not every job requires a medical review. Post offer medical exams should generally be restricted to safety sensitive or heavy labor positions.

For instance, it’s usually not critical to know how much a call center employee can lift. But, for a firefighter or construction worker, who must carry and control heavy equipment, his or her physical ability will be vital to the job.

Employers that do need to conduct preemployment exams should also have a certified medical examiner who can evaluate the results and ensure they are correct. Our data indicates that about 10 percent of certified examiners make the wrong determination. A company’s own examiner can double check any conclusions.

Federal safety program-required exams: Confidentiality is not required when a job candidate undergoes an exam that is part of the medical review process to receive certification through a federal safety program. These include motor vehicle certifications for commercial truck drivers, medical certificates for most pilots, screenings for U.S. Department of Defense contractors and medical fitness exams for railway workers.

Federal rules require that doctors share with employers all of the details from those exams, including information that may disqualify the candidate for the job.

Drug screens: Drug screens can show a big return on investment when evaluating a job candidate. Their results also aren’t covered by HIPAA, but they could fall under stricter state regulations that govern medical confidentiality.

In the case of a drug screen that’s not required for certification in a federal safety program, medical review officers may not be able to name the specific medications that a job candidate is taking without a signed release from the candidate.

They can, however, signal that a drug screen has uncovered a potential safety concern that may require a further medical workup before a job offer is extended. If a safety concern is noted, employers can seek a medical release form from the prospective employee or send him to an occupational health doctor for a closer look.

Many HR departments shy away from seeking medical information during the background check process because they fear, incorrectly, that they’ll somehow violate HIPAA regulations. In reality, they may be missing out on crucial data that could make the difference between landing the perfect hire, or a problem one.

Dr. Todd Simo is Chief Medical Officer at HireRight.