Asking the question “Does HIPAA Apply to Employers” leads to a number of different answers as a result of the complicated nature of the HIPAA Privacy Rule.
The HIPAA Privacy Rule is one of the most complex legislative acts impacting the healthcare sector. As the objectives to standardize how individually identifiable personal information is protected across many different use case, the wording of the HIPAA Privacy Rule is “non-specific” and therefore open to a range of interpretations.
Many efforts have been made to simplify the HIPAA Privacy Rule in a format that clearly outlines who is covered by the legislation and how it should be applied. Sadly, because of its complex nature, most summaries do not adequately answer the question how does HIPAA impact employers? This article aims to answer that question as adequately as possible.
HIPAA-Covered Transactions
The HIPAA Privacy Rule outlines the 18 parts of individually identifiable health information that required safeguarding from unauthorized disclosure and labels them as “Protected Health Information”. Many of these elements are information that would – for example – be given to an employer’s HR Department when a new worker begins in a role. So, under that summarized interpretation, the answer to the question “Does HIPAA Apply to Employers”, would be “yes”.
However, Protected Health Information is only included under by HIPAA when it is used to share information about an individual’s past, present or future medical condition, the provision of healthcare to a person, or the payment for the provision of healthcare. Therefore, if a worker handed over their individually identifiable health information to an employer’s HR Department, and it was never used for any of these aims, HIPAA no longer applies to employers.
Additionally, one factor often missed in summaries of the HIPAA Privacy Rule is that, in order for a “Covered Entity” to be subject to the legislation, the purpose of creating, using, storing or sharing Protected Health Information has to be a HIPAA-covered transaction. HIPAA-covered transactions include (but are not kept to):
- A request to be sent payment from a healthcare supplier to a health plan accompanied by associated documentation.
- An inquiry from a healthcare supplier to a health plan about the eligibility of a person to receive treatment.
- A request to a health plan to send an individual to another healthcare provider (and the health plan’s reaction).
- The sending of either of the following from a health plan to a healthcare supplier: (1) Explanation of benefits. (2) Remittance advice.
For additional details in relation to about what a HIPAA-covered transaction is, look over 45 CFR Part 2, specifically §§ 162.1101 to 162.1801. With regard to the question “Does HIPAA apply to Employers who Conduct HIPAA-Covered Transactions”, this is addressed in the next paragraph.
Is HIPAA Used for Employers’ Self-Insured Health Plans?
Using the criteria listed above for HIPAA-covered transactions, the only times when an employer may be involved in these sorts of transactions if they provide onsite clinics as an employee health benefit, provide a self-insured health plan for employees, or act as an intermediary between staff, healthcare providers and health plans.
As an onsite clinic is an employee health benefit that is not “portable” (i.e. the benefit cannot be taken with an employee when he or she moves to a new job), it is not included in the HIPAA Privacy Rule. Employers providing self-insured health plans are also exempt because HIPAA regards the employer and the health plan as two separate legal groups, even if the employer administers the self-insured health plan.
However, in order to manage a self-insured health plan, or act as an intermediary between staff, healthcare providers and health plans, the employer is subject to “partial compliance” and is required to provide a certification that Protected Health Information will be secured as prescribed by the HIPAA Privacy Rule and not used for employment-related tasks.
The certification is not so different to a Business Associate Agreement and it allows the self-insured health plan to share Protected Health Information with the employer, but only for the aims of administering the health plan. Any other uses of the Protected Health Information would be thought of an unauthorized disclosure and the employer would be subject to sanctions by the Department of Health & Human Services. Additional information about employer certification can be located in 45 CFR 164.504(f).
Employers and Protected Health Information: Summary
The answer to the question “Does HIPAA Apply to Employers” is often “no”. However there are times when employers are subject to HIPAA with regard to safeguarding the confidentiality, integrity and security of Protected Health Information. These times may be very rare; but, when they take place, it is important employers are aware of their compliance obligations.
HIPAA does not stop an employer from revealing the birth of a child to the parent´s workplace colleagues, but it will likely apply if an employer manages a self-insured health plan or acts as an intermediary in a high-deductible, consumer-directed health plan. Companies still unsure about how HIPAA applies to Employers should seek professional advice in relation to their specific circumstances.