HIPAA and workplace internet monitoring

I am not seeking legal advice. Seeking information on the subject only. This is inspired by - New Urban legend? Printer ‘black boxes’

As a manager at a big corporation, I’ve had to fire/layoff employees before. Usually on the morning of this sad event, the IT guys will place a hold on the employee’s (the one getting fired) laptop and everything the employee copies or emails is monitored. As it happened once, an employee getting fired had copied a huge number of files to their personal hard drive and I was asked by the HR/IT folks to check those files manually. Many of the copied files were medical bills / insurance claims etc. that the employee had submitted to the Insurance folks (company provided) for reimbursement / claim support. I felt like a creep going through these files.

Here are my questions:

Premise - employer does not have clearly established guidelines for employee medical data and electronic usage of the same.

Question 1 > What are the obligations of the IT department monitoring employee internet usage, including email, when it comes to medical usage?

For example - can the IT department “know” that an employee has been reading up on AIDS or pregnancy a lot in the last few weeks? Or can the IT department “know” that an employee submitted an insurance claim through work email for reimbursement on AIDS drugs?

Question 2 > What are the obligations of the IT department to retain emails or documents of a medical nature, either on backups or email servers, a> when the employee is employed, b> when the employee is terminated?

I am not sure of the current state of case law, but I am of the impression you have no expectation of privacy on a computer or internet connection you do not own. Using your computer at work for personal medical things would not invoke HIPAA against your employer.

I’m no HIPAA expert, but I think it places restrictions on how health care workers can disclose your medical records. It doesn’t make your medical information somehow secret from everyone.

Here’s what the HHS website says:

I agree with you in principle but I have a few points of objection. Some of them are:

1> Announcements of annual enrollment are sent to employees’ work email addresses and a link is sent for enrollment. Much of the official communication is directed to their email address.

2> The employer-provided benefits site is presented as a permanent link on the employees’ homepage - and no warning is presented that this is not a private connection.

3> The employee’s work email address is the default login for many of the employer-provided / selected insurance companies.

4> Many solicitations like “sign up for the flu vaccine” or “join our seminar on quitting smoking” etc. are sent to work email, and it’s easy for the IT personnel to see who clicks on the signup links.

Are you saying that the employer has no responsibility of warning/protecting employee health records?

If the employer is storing health and/or claim information as part of doing business / matter of policy, yes, THOSE records would be protected. Storing personal files on a workstation not designated for such would not.

Things like work emails being used as logins can be a vulnerability; however, it would also require an abuse of authority for an IT guy to use his access to a person’s work email to facilitate accessing medical insurance claim information on a 3rd-party system (say by requesting a password reset email).

It is staggering the amount of information the average IT person has access to but does not bother poking around in.

There is also a huge difference between having the ability and actually doing so.