The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Does HIPAA Apply to Employers?

HIPAA applies to employers in certain circumstances and, although HIPAA does not protect individually identifiable health information maintained by a covered entity in its role as an employer, it is important for employers to understand what these circumstances are to avoid HIPAA violations. Employers also need to ensure that their workforces understand whether or not health data collected and maintained by their employer is protected by the HIPAA Privacy Rule.

You can use our HIPAA Checklist For Employers to view your compliance requirements and avoid HIPAA violations.

The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare and health insurance industries. Because of its objectives to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and open to a number of interpretations.

Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied.


Because of its complicated nature, most summaries fail to adequately answer the question "How does HIPAA apply to employers?" This article aims to answer that question as adequately as possible.

Let's First Discuss HIPAA-Covered Transactions

The HIPAA Privacy Rule defines what constitutes individually identifiable health information and how it should be protected from unauthorized uses and disclosures.

It is often the case that a new employee may disclose some elements of Protected Health Information – for example, to an employer’s HR Department – when the new employee starts with the new employer. So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers?” would be “yes”.

However, Protected Health Information is only covered by HIPAA when it is used to communicate information about an individual's past, present or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare. If a worker supplied their individually identifiable health information to an employer’s HR Department, and it was never used for any of these purposes, HIPAA does not apply to the employer in this scenario.

One factor sometimes overlooked in summaries of the HIPAA Privacy Rule is that, in order for a “covered entity” to be subject to the regulations, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not limited to):

  • A request to obtain payment from a healthcare provider to a health plan accompanied by supporting documentation.
  • An inquiry from a healthcare provider to a health plan about the eligibility of an individual to receive treatment.
  • A request to a health plan to refer an individual to another healthcare provider (and the health plan's response).
  • The transmission of either of the following from a health plan to a healthcare provider: (1) Explanation of benefits. (2) Remittance advice.


For further information about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 2, specifically §§ 162.1101 to 162.1801. The question “Does HIPAA apply to employers who conduct HIPAA-covered transactions?” is addressed in the next section.

Does HIPAA Apply to Employers’ Self-Insured Health Plans?

Using the criteria described above for HIPAA-covered transactions, the only circumstances in which an employer may be involved in these types of transactions are if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between employees, healthcare providers, and health plans.

Because an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when they move to a new job), it is exempt from the Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal entities, even if the employer administers the self-insured health plan.

However, in order to administer a self-insured health plan, or act as an intermediary between employees, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

The certification is not unlike a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the purposes of administering the health plan. Any other uses of the Protected Health Information would constitute an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Further information about employer certification can be found in 45 CFR 164.504(f).


What HIPAA Means to Employers

What HIPAA means to employers generally is that they do not have to implement measures to protect the privacy of individually identifiable health information in accordance with the Privacy and Security Rules, nor notify employees and HHS' Office for Civil Rights in the event of a data breach. However, HIPAA is not the only legislation that relates to the privacy and security of employee data.

Other federal laws such as the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act govern what employers can do with certain types of employee data, while state laws such as the California Privacy Rights Act grant employees rights over what data is maintained about them, similar to the patients' rights provisions of the HIPAA Privacy Rule.

Employers and Protected Health Information: Conclusion

The answer to the question “Does HIPAA Apply to Employers?” is generally “no”. However, there are circumstances in which employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These circumstances may be few and far between, but, when they occur, it is important that employers are aware of their compliance obligations.

In most cases, HIPAA does not prevent an employer from announcing the birth of a child to the parent's workplace colleagues, but it will likely apply if an employer administers a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to employers should seek professional advice relevant to their specific circumstances.


Does HIPAA Apply to Employers? FAQs

If I give my employer a doctor’s note to prove I was sick, does HIPAA apply to the doctor’s note?

If you give your employer a doctor’s note to prove you were sick, HIPAA does not apply to the doctor’s note, even if you work for a covered entity or business associate. This is because the doctor’s note will not be used for a HIPAA-covered transaction. The doctor’s note is considered to be part of your employment record, like any other personal information you might provide to your employer.

If an employer phones a hospital to enquire about the wellbeing of an employee, is the information provided by the hospital covered by HIPAA?

If an employer phones a hospital to enquire about the wellbeing of an employee, the information provided by the hospital is not covered by HIPAA once it has been disclosed to the employer. However, before any information is disclosed to an employer by a hospital, the hospital must obtain the employee's consent to disclose PHI. A disclosure to an employer without consent – other than permissible disclosures for workers’ compensation purposes and to comply with OSHA – is a violation of HIPAA.

Does HIPAA apply to employers in medical teaching institutions?

HIPAA can apply to employers in medical teaching institutions depending on the nature of the medical services provided by the institution. If medical services are only available to employees and students, the institution is not a HIPAA covered entity, because the provision of medical services to employees is not portable and the provision of medical services to students is covered by FERPA.

If medical services are available to the public, the institution is a hybrid entity required to comply with HIPAA for the medical services provided to members of the public, but not for non-portable medical services provided to employees or for FERPA-covered medical services provided to students. Further information about hybrid entities can be found in this HHS article.

If an employer is a federal agency, does HIPAA or the Privacy Act apply?

If an employer is a federal agency that qualifies as a covered entity and engages in HIPAA-covered transactions, HIPAA preempts the Privacy Act. In most other circumstances, federal agencies have to comply with the Privacy Act – the exceptions being when state or local laws offer greater protections to health information than HIPAA or the Privacy Act.

Does HIPAA apply to employers that are business associates of a covered entity?

HIPAA does not apply to employers that are business associates of a covered entity if the business associate, in its role as an employer, maintains employee healthcare data that is not used for HIPAA-covered transactions. In such cases, the business associate is not subject to HIPAA in respect of employee data, but it is still subject to HIPAA in respect of any ePHI received from the covered entity with whom the employer has a Business Associate Agreement.

Can an employer ask about medical conditions under HIPAA?

An employer can ask about medical conditions under HIPAA because employers – in their role as employers – are not covered entities. Nothing in the Privacy Rule prevents an employer from asking an employee about medical conditions, and doing so does not violate HIPAA. However, if an employer asks a covered entity to disclose information about an employee's medical condition, HIPAA only permits the disclosure under certain circumstances or with the consent of the employee.

When does HIPAA apply to employers?

HIPAA applies to employers when they create, maintain, or transmit Protected Health Information in connection with a HIPAA-covered transaction. This is a rare occurrence, and usually only happens when the employer administers a self-insured health plan. In such circumstances, the Protected Health Information created, maintained, or transmitted by the self-insured health plan should be kept separate from other employee data, which is not subject to the Privacy and Security Rules.

Is a new employee’s health information disclosed to an HR department protected by HIPAA?

A new employee’s health information disclosed to an HR department is not protected by HIPAA unless the information will be disclosed in a HIPAA-covered transaction by an employer who qualifies as a HIPAA covered entity. This is an extremely rare event – even if the new employee’s role is with a healthcare facility – because employers do not ordinarily qualify as HIPAA covered entities in their role as an employer.

What does “partial compliance” mean for employers in the context of HIPAA?

What partial compliance means in the context of HIPAA is that, if an employer administers a self-insured health plan or acts as an intermediary between employees, healthcare providers, and health plans, the employer is required to safeguard the PHI they have access to in their role as an administrator or intermediary, and to certify that PHI will be protected as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.

Can an employer announce the birth of a child to a parent’s workplace colleagues without violating HIPAA?

An employer can announce the birth of a child to a parent’s workplace colleagues without violating HIPAA unless the employer administers a self-insured health plan or acts as an intermediary between the parent and a health plan and learns of the birth in their role as an administrator or intermediary. In such circumstances, it would be necessary to obtain the parent’s consent to avoid violating HIPAA.

What is a HIPAA-covered transaction?

A HIPAA-covered transaction is any transaction that the Department of Health and Human Services has developed standards for in Part 162 of the HIPAA Administrative Simplification Regulations. Most HIPAA-covered transactions relate to eligibility checks for treatment, authorizations for treatment, billing, and remittances – transactions that rarely apply to employers in their role as employers.

If an employer qualifies as a partial entity, what is the first step to take to avoid HIPAA violations?

If an employer qualifies as a partial entity, the first step to take to avoid HIPAA violations is to understand what information collected, maintained, or transmitted by the employer is protected by the Privacy Rule. Thereafter, the employer must implement safeguards to protect the privacy of individually identifiable health information and to ensure the confidentiality, integrity, and availability of electronic PHI.
