Tighter patient privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) took effect on April 14, 2003. The HIPAA Privacy Rule requires all "covered entities" (healthcare providers, health plans and healthcare clearinghouses) to protect the privacy and security of Protected Health Information (PHI).

PHI is individually identifiable information that relates to a person's past, present or future physical or mental health, to the provision of healthcare, or to payment for healthcare; data that has been de-identified so it can no longer be linked to an individual is not PHI. An employer that administers a self-insured health plan is treated as a covered entity (strictly, the group health plan is the covered entity, and the employer's staff who administer it handle PHI on its behalf). Even an employer that operates a first-aid room staffed by health professionals can fall under HIPAA, according to an article in the Association of Records Managers & Administrators (ARMA) Information Management Journal.

As with many similar regulations, it's not clear which organizations are directly affected by these new laws, says Marisa Serafini of Circadian Technologies, Inc. Still, employers who handle any personal health information, regardless of whether they are covered entities under HIPAA, should reevaluate their privacy practices and consider documenting their policies and procedures, she says.

Privacy training for all appropriate staff is recommended. Companies can also outsource their health plans' administrative functions, or allow the health plan's insurance carrier to collect employees' personal health information, Serafini says.