AskTony Archive
This Web site contains a compilation of more than a thousand consumer finance  columns written by Tony Novak from the 1980s through 2006, updated and reformatted for maximum usefulness today.  New material was added after 2010.

Content is the opinion of the author and does not represent the position of any other person or entity. Information is from sources believed to be reliable but cannot be guaranteed.

The author is paid for product endorsements and has an ownership or other financial interest in the businesses related to the topics covered.


Privacy of employee health information

Originally posted: 11/22/2006. Reposted: 2/18/2011. This post has not been recently reviewed or revised by the author and may be out of date. If in doubt, please send a new question or ask for an update.

Q: When applying for health insurance, the insurance company wants information on any condition or treatment going back 10 years. If you have a history of hepatitis C, how should you fill this out if you do not want your new employer to find out?

A: Your employer is not allowed access to your medical information and may not view your application for health insurance. All employers, regardless of size or nature of the business, are required to have a Privacy Officer whose role includes making sure that your health insurance application (assuming this is a paper application) is delivered to the HIPAA-compliant health insurance company in a sealed envelope (or an alternate method designed to protect your privacy) without the risk of exposure to any employee in the company. Another role is to ensure that the contractors handling your health insurance records are also HIPAA compliant. In addition, your employer is required to provide you with a written privacy statement before offering a health insurance application. If you did not get one, please ask the employer.

If you have any doubts or concerns about your employer's privacy practices, you should bring them up immediately. If a satisfactory resolution is not immediately available, then contact your local Health and Human Services office.

The penalties are severe for a small business employer who fails to follow the 17 minimum HIPAA requirements that collectively make up the medical privacy law. There are no exemptions for small employers. Fines start at $100 per day per violation. A small violation (like leaving an employee's health insurance application unsealed where another employee could see it, or failing to have a Privacy Policy) would likely result in a fine of up to a few thousand dollars, but a bigger problem (like leaking an employee's medical information or firing an employee based on private health information) could cost up to $100,000 in fines plus the risk of criminal prosecution. The problem is that some of the smallest companies are simply not aware of federal privacy laws. Enforcement is getting tougher, and these companies are unknowingly at risk for mishandling information from employees, customers and others.

Any small business that is in doubt about compliance should take the time to do a minimal audit of this area. Professional benefits advisors like my own practice at FreedomBenefits.org can usually handle this issue in a telephone consultation of less than one hour. Compliance with HIPAA is not expensive, but non-compliance could easily bankrupt a small company. The U.S. Department of Labor and the Department of Health and Human Services provide substantial guidance to employers to help small businesses avoid this problem. As a practical matter, most small companies completely avoid these problems by hiring a benefits adviser like Freedom Benefits' OnlineAdviser service, which then implements Web-based security measures and handles health plan enrollments online in a private and secure manner. Although is not taking new clients at this time, a HIPAA evaluation and consultation may be available, subject to adviser availability, directly through the OnlineAdviser program. The fee is usually $150 for an evaluation and, if needed, $150 for implementation of a corrective HIPAA compliance program. This small investment is well worthwhile for any small employer that offers employee health benefits.
