The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Editorial: HIPAA Law and Employers

Because a lot of the text of the Health Insurance Portability and Accountability Act (HIPAA) relates to health insurance reforms, and because around 40% of employers operate self-insured health plans, a lot of content connects HIPAA law and employers. However, the most complex areas of HIPAA law for employers are the Administrative Simplification Regulations in Title II which include the Privacy, Security, and Breach Notification Rules. While these Rules are often considered as only being applicable to HIPAA covered entities, there are standards some employers who are not covered entities may have to comply with.

Exclusions From HIPAA Law and Employers

One potentially confusing area of the Administrative Simplification Regulations relates to employment records. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”

However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.”

This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.


When is an Employer a HIPAA-Covered Entity?

Generally, an employer is a HIPAA Covered Entity when the employer is a health plan, a healthcare clearinghouse, or a healthcare provider that conducts electronic transactions for which the Department of Health and Human Services (HHS) has published standards. The standards for electronic transactions which qualify an employer as a HIPAA-Covered Entity appear in CFR 45 Part 2.

There are exceptions to this definition of a HIPAA Covered Entity, and it is possible for an employer who does not qualify as a Covered Entity to be “involved” in covered transactions if – for example – they act as an intermediary between an employee, a healthcare provider, and a health plan.

Additionally, an employer that self-administers a health plan with fewer than 50 participants is not considered to be a Covered Entity under HIPAA unless it qualifies as a healthcare provider.

Potential Privacy Issues with the Requirements

But what about other types of individually identifiable health information an employer might collect, create, or receive? For example, under §164.512, Covered Entities are allowed to disclose Protected Health Information to enable employers to comply with state and federal accident notification laws such as the Occupational Safety and Health Administration’s injury and illness recordkeeping and reporting requirements.

There is no requirement under HIPAA for employers to keep Protected Health Information of this nature secure (although state privacy and security laws may apply), and Covered Entities have no control over how it is further used or disclosed by the employer.

This raises potential privacy issues if an employer not subject to state privacy and security laws fails to secure the information.

A Solution to Address Potential Privacy Issues

Whether an employer qualifies as a Covered Entity or not, one way to address potential privacy issues for individually identifiable health information not protected by HIPAA is to adopt a model of “voluntary partial compliance”.

This involves implementing safeguards similar to those required by HIPAA to maintain the privacy and security of individually identifiable health information.

Visit our HIPAA Privacy Law article to learn more.

Non-Compliance Is Not An Option

From the exclusions to guaranteed health plan renewability in Title I, to the conditions for deducting loan interest on life insurance plans in Title V, there are plenty of HIPAA laws for employers to comply with.

HIPAA laws are enforced by the HHS Office for Civil Rights, the Centers for Medicare and Medicaid Services, and the Federal Trade Commission.

For organizations unfamiliar with these safeguards, a good place to start is by downloading the HIPAA Compliance Checklist via the forms on this page. Thereafter, if questions remain about how best to maintain the privacy and security of individually identifiable health information, it is recommended that employers seek advice from a HIPAA compliance professional.


Author: Steve Alder

Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
