Does HIPAA apply to employers?

The complicated nature of healthcare legislation can make it hard to interpret when HIPAA does apply to employers. This is, in part, due to the vague nature of the language used in the HIPAA Privacy Rule, which lays out the standards needed to ensure the privacy of protected health information (PHI). To allow its application to a range of circumstances, the language used in the rule is non-specific, though this has the disadvantage of encouraging multiple different interpretations of its text. 

Under HIPAA, PHI is any health-related information that contains one of eighteen “identifiers” that connect it to the patient it relates to. Names, addresses, telephone numbers, photographs etc. are all considered identifiers, and the presence of any one of these identifiers is enough to classify data as PHI. 

However, these pieces of information are often used in different contexts – indeed, it would be unsurprising if a company’s Human Resources department didn’t already have much of this information. But that does not necessarily mean HIPAA applies to employers in this context. Crucially, data is only considered PHI if it is used to communicate information about an individual’s healthcare, be it their past, current, or future health, how their healthcare is provided, or how it is paid for. Therefore, even if an employer has access to health information that contains individual identifiers, unless it is used in one of these capacities, it is not PHI and therefore not covered by HIPAA. 

The HIPAA Privacy Rule also stipulates that Covered Entities are only required to be HIPAA-compliant if the creation, usage, sharing or storage of PHI is part of a HIPAA-covered transaction. HIPAA-covered transactions are those for which the Department of Health and Human Services has adopted standards (see 45 CFR 160.103), and include:

  • Payment and remittance advice
  • Transmitting information on healthcare status 
  • Inquiries from a healthcare provider relating to an individual’s eligibility for treatment
  • Coordination of benefits 

Therefore, if an employer is involved in any kind of HIPAA-covered transaction, HIPAA rules apply. 

Common situations where employers may have access to healthcare data include employers providing onsite clinics for their employees, providing self-insured health plans, or acting as a go-between for employees, health plans and healthcare providers.

Even then, however, it is not straightforward. Onsite clinics are not “portable”; they are a benefit linked to a specific job and cannot be carried between employers. These clinics are therefore exempt from the HIPAA Privacy Rule. Similarly, employers that provide self-insured health plans are not covered by HIPAA, as the employer and the health plan are considered two separate legal entities. To act as an intermediary, however, or to administer health plans, employers must provide a certificate showing that PHI will be protected by the Privacy Rule (“partial compliance”; see 45 CFR 164.504(f)). This also precludes any use of the data in employment-related activities. The PHI can only be used for the purposes of administering the health plan; any other use would be a breach of the HIPAA Privacy Rule.

For those employed by medical institutions, services provided to members of the public are covered by HIPAA, while those provided to employees are not. This is because these services are non-portable. Services provided to students are covered by FERPA, which takes precedence over HIPAA.

It may be surprising to hear that HIPAA only applies to employers under a limited scope of circumstances. Some situations that may initially appear to be HIPAA transactions are not. For example, doctors’ notes are considered part of an employee record, and are not PHI as they are not used in HIPAA-covered transactions. This does not mean that an employer is entitled to access an employee’s healthcare record; only those authorized by the patient can access that data.