The Issue: Must an employer safeguard documents containing employee protected health information (PHI) in any special way?

The Solution: Yes. An employer must adopt privacy policies or procedures related to employee PHI. These policies should include controls over who has access to the documents (physically and electronically). 

Analysis: Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), employers must prevent the unauthorized disclosure of protected health information (PHI). This will primarily affect those employers that sponsor self-insured health plans, cafeteria plans with a flexible health spending account component, offer on-site health clinics, and/or that offer significant hands-on help to employees in connection with their group health plans (e.g., handling benefit claims). 

Employers subject to the HIPAA privacy rules should have written privacy procedures in effect that safeguard all documents with PHI. This includes the administration of the PHI (e.g., who needs access to such information to administer the health plan, entering into business associate agreements with any third-parties who might handle, and training employees who may handle, PHI as part of their duties). The written privacy procedures should also address other safeguards of PHI (whether in paper or electronic form) including physical safeguards (e.g., workstation use/security) as well as technical safeguards (e.g., person authentication and transmission security).