The question “Does HIPAA Apply to Employers” is one that has provoked many different responses due to the complicated nature of the HIPAA Privacy Rule.
The HIPAA Privacy Rule is one of the most complicated pieces of legislation affecting the healthcare industry. Because of its objective to standardize how individually identifiable personal information is protected across many different use cases, the language of the HIPAA Privacy Rule is “non-specific” and therefore open to a number of interpretations.
Many attempts have been made to summarize the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied. Unfortunately, because of its complicated nature, most summaries fail to adequately answer the question “How does HIPAA apply to employers?” This article aims to answer that question as adequately as possible.
Let's First Discuss HIPAA-Covered Transactions
The HIPAA Privacy Rule defines the eighteen elements of individually identifiable health information that require protection from unauthorized disclosure and labels them “Protected Health Information”. Many of these elements are information that would, for example, be provided to an employer’s HR Department when a new worker starts a job. So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers” would be “yes”.
However, Protected Health Information is only covered by HIPAA when it is used to communicate information about an individual's past, present or future medical condition, the provision of healthcare to an individual, or the payment for the provision of healthcare. Therefore, if a worker supplied their individually identifiable health information to an employer’s HR Department, and it was never used for any of these purposes, HIPAA does not apply to the employer.
Furthermore, one factor often overlooked in summaries of the HIPAA Privacy Rule is that, in order for a “Covered Entity” to be subject to the legislation, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not limited to):
- A request to obtain payment from a healthcare provider to a health plan accompanied by supporting documentation.
- An inquiry from a healthcare provider to a health plan about the eligibility of an individual to receive treatment.
- A request to a health plan to refer an individual to another healthcare provider (and the health plan's response).
- The transmission of either of the following from a health plan to a healthcare provider: (1) Explanation of benefits. (2) Remittance advice.
For further information about what qualifies as a HIPAA-covered transaction, please refer to 45 CFR Part 2, specifically §§ 162.1101 to 162.1801. The question “Does HIPAA apply to employers who conduct HIPAA-covered transactions?” is addressed in the next section.
Does HIPAA Apply to Employers’ Self-Insured Health Plans?
Using the criteria described above for HIPAA-covered transactions, the only circumstances in which an employer may be involved in these types of transactions are if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between employees, healthcare providers and health plans.
Because an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when he or she moves to a new job), it is exempt from the HIPAA Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal entities, even if the employer administers the self-insured health plan.
However, in order to administer a self-insured health plan, or act as an intermediary between employees, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be safeguarded as prescribed by the HIPAA Privacy Rule and not used for employment-related actions.
The certification is not unlike a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the purposes of administering the health plan. Any other uses of the Protected Health Information would constitute an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Further information about employer certification can be found in 45 CFR 164.504(f).
Employers and Protected Health Information: Conclusion
The answer to the question “Does HIPAA Apply to Employers” is generally “no”. However, there are circumstances in which employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These circumstances may be few and far between; but, when they occur, it is important that employers are aware of their compliance obligations.
HIPAA does not prevent an employer from announcing the birth of a child to the parent's workplace colleagues, but it will likely apply if an employer administers a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to employers should seek professional advice relevant to their specific circumstances.