HIPAA (Health Insurance Portability and Accountability Act)
Federal law establishing privacy and security standards for protected health information (PHI), affecting how occupational health data is handled and shared.
Key Facts
- Federal law protecting individually identifiable health information (PHI)
- Privacy Rule and Security Rule govern PHI handling
- Applies to covered entities and their business associates
- Penalties range from $100 to $1.9 million per violation category
- Workplace drug test results have limited HIPAA coverage
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes national standards for protecting individually identifiable health information (Protected Health Information, or PHI). The Privacy Rule governs who can access PHI and under what circumstances; the Security Rule requires administrative, physical, and technical safeguards for electronic PHI. In occupational health, HIPAA applies to covered entities (clinics, labs, and Medical Review Officers, or MROs) handling worker medical records. Notably, employment records, including Department of Transportation (DOT) drug test results reported to the employer, are generally not considered PHI under HIPAA. However, medical records held at the occupational health clinic or MRO office are covered. Business Associate Agreements (BAAs) must be in place between covered entities and any third party that handles PHI on their behalf.