Does HIPAA Apply to Employers?
The question “Does HIPAA Apply to Employers” is one that has provoked many different responses due to the complicated nature of the HIPAA Privacy Rule.
The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare and health insurance industries. Because of its objectives to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and therefore open to a number of interpretations.
Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied. Unfortunately, because of its complicated nature, most summaries fail to adequately answer the question how does HIPAA apply to employers? This article aims to answer that question as adequately as possible.
Let´s First Discuss HIPAA-Covered Transactions
The HIPAA Privacy Rule defines the eighteen elements of individually identifiable health information that required protecting from unauthorized disclosure and labels them as “Protected Health Information”. Many of these elements are information that would – for example – be provided to an employer’s HR Department when a new worker starts a job. So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers”, would be “yes”.
However, Protected Health Information is only covered by HIPAA when it is used to communicate information about an individual´s past, present or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare. Therefore, if a worker supplied their individually identifiable health information to an employer’s HR Department, and it was never used for any of these purposes, HIPAA no longer applies to employers.
Furthermore, one factor often overlooked in summaries of the HIPAA Privacy Rule is that, in order for a “Covered Entity” to be subject to the legislation, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not limited to):
- A request to obtain payment from a healthcare provider to a health plan accompanied by supporting documentation.
- An inquiry from a healthcare provider to a health plan about the eligibility of an individual to receive treatment.
- A request to a health plan to refer an individual to another healthcare provider (and the health plan´s response).
- The transmission of either of the following from a health plan to a healthcare provider: (1) Explanation of benefits. (2) Remittance advice.
For further information about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 2, specifically §§ 162.1101 to 162.1801. With regard to the question “Does HIPAA apply to Employers who Conduct HIPAA-Covered Transactions”, this is addressed in the next section.
Does HIPAA Apply to Employers’ Self-Insured Health Plans?
Using the criteria described above for HIPAA-covered transactions, the only circumstances in which an employer may be involved in these types of transactions if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between employees, healthcare providers and health plans.
Because an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when he or she moves to a new job), it is exempt from the HIPAA Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal entities, even if the employer administers the self-insured health plan.
However, in order to administer a self-insured health plan, or act as an intermediary between employees, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.
The certification is not unlike a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the purposes of administering the health plan. Any other uses of the Protected Health Information would constitute an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Further information about employer certification can be found in 45 CFR 164.504(f).
Employers and Protected Health Information: Conclusion
The answer to the question “Does HIPAA Apply to Employers” is generally “no”. However there are circumstances in which employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These circumstances may be few and far between; but, when they occur, it is important employers are aware of their compliance obligations.
HIPAA does not prevent an employer from announcing the birth of a child to the parent´s workplace colleagues, but it will likely apply if an employer administers a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to Employers should seek professional advice relevant to their specific circumstances.
Does HIPAA Apply to Employers? FAQs
If I give my employer a doctor´s note to prove I was sick, does HIPAA apply to the doctor´s note?
HIPAA does not apply to the doctor´s note – even if you work for a Covered Entity or Business Associate – because the doctor´s note will not be used for a HIPAA-covered transaction. The doctor´s note is considered to be part of your employment record, like any other personal information you might provide to your employer.
If an employer phones a hospital to enquire about the wellbeing of an employee, is any information provided by the hospital covered by HIPAA?
Any information disclosed by a hospital is not covered by HIPAA unless it is disclosed to another Covered Entity or Business Associate for a HIPAA-covered transaction. However, before any information is disclosed to an employer by a hospital, the hospital must obtain the employee´s consent to disclose PHI. A disclosure to an employer without authorization is a violation of HIPAA.
Does HIPAA apply to employers in medical teaching institutions?
This depends on the nature of medical services provided by the institution. If medical services are only available to employees and students, the institution is not a HIPAA Covered Entity because the provision of medical services to employees is not portable (see above) and the provision of medical services to students is covered by FERPA – which preempts HIPAA.
If medical services are available to the public, the institution is a hybrid entity required to comply with HIPAA for the medical services provided to members of the public, but not for non-portable medical services provided to employees or for FERPA-covered medical services provided to students. Further information about hybrid entities can be found in this HHS article.
If an employer is a federal agency, does HIPAA or the Privacy Act apply?
In the few circumstances in which a federal agency qualifies as a Covered Entity and engages in HIPAA-covered transactions, HIPAA preempts the Privacy Act. In most other circumstances, federal agencies have to comply with the Privacy Act – the exceptions being when state or local laws offer greater protections to health information than HIPAA or the Privacy Act.
Does HIPAA apply to employers that are Business Associates of a Covered Entity?
If an employer is a Business Associate of a Covered Entity, the same principles apply as if the Business Associate was a Covered Entity. Therefore, if a Business Associate maintains employee healthcare data that is not used for HIPAA-covered transactions, the Business Associate is not subject to HIPAA in respect of employee data – but still subject to HIPAA in respect of any ePHI received from the Covered Entity with whom the employer has a Business Associate Agreement.